Secure Shell (SSH) Public Key Authentication (PKA)

Direct access from the Internet via SSH is only possible in exceptional cases upon request and with the approval of the OU management (in this case, however, a 2FA solution should definitely be used); for access from the VPN network, an activation request by the IT officers is sufficient.

We strongly recommend working only via VPN and with SSH-PKA:

  • VPN prevents the SSH server from being directly attacked from the Internet,
  • the VPN solution is protected against phishing with a 2nd factor and
  • Public Key Authentication (PKA) reduces the risk of the server being attacked from within the TU Graz network, since a login is only possible with the (passphrase-protected) private key.

Public Key Authentication (PKA)

PKA (often just called SSH key) requires that a key pair is created. The private key (protected with a password) remains on the user's device (SSH client), the public key is stored on the SSH server.
In order to log on to the server, the private key and the corresponding password (the passphrase) with which it was encrypted are needed.

SSH client

  1. Open a terminal window (on Windows e.g. PowerShell) on your SSH client (the computer from which you want to log on to the SSH server).
  2. Enter the following command to create an RSA crypto key of length 4096 bits:
    ssh-keygen -t rsa -b 4096
    If this does not work under Linux, you must first install OpenSSH.
  3. Optionally enter a file name; otherwise the default name in the directory .ssh in your home directory is used.
  4. Enter a "passphrase" (the password used to protect your private key).
    You can also enter nothing here (e.g. for machine-to-machine communication), but you should only do this if you know what you are doing.
    Enter the passphrase a second time for confirmation.
  5. You now have 2 files in the directory .ssh in your home directory (unless you have optionally specified a different directory above):
    • id_rsa = your private key
    • id_rsa.pub = your public key
  6. You now need to transfer the public key from the SSH client to the SSH server; there are several ways to do this:
    1. Manual transfer:
      Log in to the SSH server server.tugraz.at with username and password:
      ssh username@server.tugraz.at
      Change to the directory .ssh on the server and add the content of your public key to the file authorized_keys, e.g. with copy & paste.
    2. By calling
      ssh-copy-id username@server.tugraz.at
      or
      ssh-copy-id -i /path/name.pub username@server.tugraz.at
      (if you used a different path above), the public key is also entered into the file authorized_keys on the SSH server.
  7. Now test in another window whether the login with the key works:
    ssh username@server.tugraz.at
    or
    ssh -i /path/name username@server.tugraz.at
    (if you used a different path above; -i takes the private key file, not the .pub file).
    You should no longer be asked for the password on the server, but for the passphrase you used to protect your private key.
    If there are problems, check the access rights: on both the SSH server and the SSH client, the directory .ssh (or /path/) should have mode 700 (rwx------) and the files mode 600 (rw-------).
If you transfer the private key to other computers, you can also log in from these SSH clients without repeating the whole procedure.
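The permission check in step 7 is easy to get wrong by hand, so here is an added example (not part of this page) that verifies and, if necessary, repairs the modes the guide requires: 700 on the key directory and 600 on every file in it. The function names and the placeholder key files used in the comments are assumptions; the page only names .ssh, id_rsa and id_rsa.pub.

```shell
# Added example, not from the original guide. Checks that a key directory
# (normally ~/.ssh) is mode 700 and that every regular file in it is mode 600,
# as the guide requires. The check is stricter than OpenSSH itself needs for
# the public key (id_rsa.pub may be world-readable), but matches the guide.

# check_ssh_perms DIR -> prints each path with wrong permissions;
# returns 0 when everything is correct, 1 otherwise.
check_ssh_perms() {
    dir=$1
    status=0
    # "-perm 700" without a leading - or / is an exact-mode match in POSIX find.
    if [ -z "$(find "$dir" -maxdepth 0 -type d -perm 700 2>/dev/null)" ]; then
        echo "directory $dir is not mode 700"
        status=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ -z "$(find "$f" -maxdepth 0 -type f -perm 600)" ]; then
            echo "file $f is not mode 600"
            status=1
        fi
    done
    return $status
}

# fix_ssh_perms DIR -> applies the modes the guide asks for.
fix_ssh_perms() {
    chmod 700 "$1"
    for f in "$1"/*; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    return 0
}

# Usage on your own client or server account:
#   check_ssh_perms "$HOME/.ssh" || fix_ssh_perms "$HOME/.ssh"
```

Run it on both the client and the server account: sshd silently ignores an authorized_keys file (and the client refuses a private key) whose permissions are too open, which is exactly the "still asked for the password" symptom the guide describes.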

SSH server

The SSH server should be configured so that it only accepts login with PKA:
  1. If you have the appropriate rights, change to the directory /etc/ssh/.
  2. Open the file sshd_config there.
  3. Look for the lines PasswordAuthentication, ChallengeResponseAuthentication, and UsePAM.
  4. If a line is commented out (starts with #), remove the # comment character.
    If there is no such line, add it.
  5. Set the value to no.
    The lines should now look like this:
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM no
  6. Restart the SSH daemon, on many distributions e.g. with
    systemctl restart ssh
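Before restarting the daemon it is worth confirming what sshd will actually apply, because sshd_config keywords are case-insensitive, the first occurrence of a keyword wins, and a commented line counts for nothing. The following added example (not part of this page) reads a config file with those rules and reports the three keywords the guide sets; the function names and the constructed sample config are assumptions.

```shell
# Added example, not from the original guide. Reports the effective value of
# the sshd_config keywords the guide asks you to set, following sshd's rules:
# keywords are case-insensitive, the first occurrence wins, "keyword=value" is
# accepted, "#" lines are comments, and the global section ends at the first
# Match block (settings inside Match apply only to matching connections).

# effective_value FILE KEYWORD -> prints the lowercased first value found in
# the global section, or "unset" if the keyword does not appear there.
effective_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/[[:space:]]*=[[:space:]]*/, " "); $0 = $0 }   # keyword=value -> keyword value
        /^[[:space:]]*#/ || NF == 0 { next }                 # comment or blank line
        tolower($1) == "match"      { exit }                 # global section ends here
        tolower($1) == kw           { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_sshd_config FILE -> prints one line per keyword whose effective value
# is not "no" ("unset" means sshd falls back to its default, which for
# PasswordAuthentication is yes); returns 0 only when all three are "no".
check_sshd_config() {
    status=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
        val=$(effective_value "$1" "$kw")
        if [ "$val" != "no" ]; then
            echo "$kw is $val (guide expects no)"
            status=1
        fi
    done
    return $status
}

# Demo on a constructed sample file (not a real server's sshd_config):
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication=no
usepam yes
Match User deploy
    PasswordAuthentication yes
EOF
check_sshd_config "$sample"   # flags ChallengeResponseAuthentication (unset) and UsePAM (yes)
rm -f "$sample"
```

On the server itself, `check_sshd_config /etc/ssh/sshd_config` before the restart; `sshd -T` (extended test mode) prints the fully resolved configuration, including Include files, and is the authoritative cross-check.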