Secure Shell (SSH) Public Key Authentication (PKA)
Direct access from the Internet via SSH is only possible in exceptional cases, upon request and with the approval of the OU management (in this case, however, a 2FA solution should definitely be used); for access from the VPN network, an activation request by the IT officers is sufficient.
We strongly recommend working only via VPN and with SSH-PKA:
- VPN prevents the SSH server from being attacked directly from the Internet,
- the VPN solution is protected against phishing with a 2nd factor, and
- Public Key Authentication (PKA) reduces the danger of the server being attacked from the TU Graz network, as a login is only possible with the (passphrase-protected) private key; a guessed or phished account password alone is no longer enough.
Public Key Authentication (PKA)
PKA (often just called "SSH key") requires that a key pair is created. The private key (protected with a passphrase) remains on the user's device (the SSH client); the public key is stored on the SSH server. In order to log on to the server, the private key and the passphrase with which it was encrypted are needed. The passphrase only unlocks the key file locally and is never sent to the server; the server only sees a signature made with the private key, which it checks against the stored public key.
SSH client
- Open a terminal window (Windows e.g. PowerShell) on your SSH client (the computer with which you want to log on to the SSH server).
- Enter the following command to create an RSA key of length 4096 bits:
ssh-keygen -t rsa -b 4096
If this does not work under Linux, you must first install OpenSSH. (Current OpenSSH versions also accept -t ed25519, which produces a much shorter key of comparable strength; the remaining steps are the same for both types.)
- Enter - if you want - a file name, otherwise the default name (id_rsa) in the directory .ssh in your home directory will be used.
- Enter a passphrase (the password used to protect your private key). You can also enter nothing here (e.g. for machine-to-machine communication), but you should only do this if you know what you are doing: an unencrypted key file is all that anyone who copies it needs in order to log in as you. Enter the passphrase a second time for confirmation.
- You now have 2 files in the directory .ssh in your home directory (unless you optionally specified a different directory above):
- id_rsa = your private key (stays on this device, is never sent anywhere)
- id_rsa.pub = your public key (this is the one you copy to servers)
- You now need to transfer the public key from the SSH client to the SSH server; there are several ways to do this:
- Manual transfer: log in to the SSH server server.tugraz.at with username and password:
ssh username@server.tugraz.at
Change to the directory .ssh on the server (create it with mkdir -m 700 ~/.ssh if it does not exist yet) and append the content of your public key (the single line in id_rsa.pub) to the file authorized_keys, e.g. with copy&paste. Note the spelling: sshd reads authorized_keys; a file named authorised_keys is simply ignored and the key login will not work.
- By calling
ssh-copy-id username@server.tugraz.at
or
ssh-copy-id -i /path/name.pub username@server.tugraz.at
(if you used a different path above), the public key is also entered into the file authorized_keys on the SSH server; ssh-copy-id creates the directory .ssh and the file with suitable permissions if they do not exist.
- Now test in another window whether the login with the key works:
ssh username@server.tugraz.at
or
ssh -i /path/name username@server.tugraz.at
(-i takes the private key, i.e. the file name without .pub.)
You should no longer be asked for the password on the server, but for the passphrase you used to protect your private key. If you are still asked for the server password, ssh -v shows which keys were offered and why they were rejected.
If there are problems, check the access rights: both on the SSH server and on the SSH client, the directory .ssh (or /path/) should have the rights 700 (rwx------), and the private key and authorized_keys the rights 600 (rw-------); the public key may stay readable for others (644). In addition, your home directory on the server must not be writable by group or others, otherwise sshd (with the default StrictModes yes) ignores authorized_keys entirely.
If you transfer the private key to other computers, you can then also log in from these SSH clients without having to do the whole thing again. Keep in mind, however, that every copy is one more file whose theft gives access to the server; creating a separate key pair on each device and adding each public key to authorized_keys is the cleaner option, since a lost device can then be revoked by removing one line.
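The permission check from the troubleshooting step above, as an added example that is not part of the original page: a small POSIX sh script that audits a key directory the way ssh and sshd judge it (directory 700, private keys and authorized_keys 600, public keys readable, parent directory not group- or world-writable) and can apply the recommended modes. It assumes ls, cut and chmod are available and that the argument is ~/.ssh or the custom directory passed to ssh-keygen; the temporary files used below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original page: audit and repair the file
# permissions that ssh and sshd require on a key directory. Assumes POSIX sh
# with ls, cut and chmod (GNU or BSD), and that DIR is ~/.ssh or the custom
# directory given to ssh-keygen.

# Print the 9-character permission string of a path, e.g. rwx------.
mode_of() {
    ls -ld "$1" | cut -c2-10
}

# Return 0 if DIR, its private keys and authorized_keys are as tight as the
# page requires, else print every problem and return 1. sshd (StrictModes)
# additionally refuses keys if the parent (home) directory is group- or
# world-writable, so that is checked too.
check_ssh_perms() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    case $(mode_of "$(dirname "$dir")") in
        ????w????|???????w?) echo "parent of $dir is group/world-writable"; rc=1 ;;
    esac
    [ "$(mode_of "$dir")" = rwx------ ] || {
        echo "$dir is $(mode_of "$dir"), want rwx------ (700)"; rc=1; }
    for f in "$dir"/id_* "$dir"/authorized_keys; do
        [ -f "$f" ] || continue                 # no such file (unexpanded glob)
        case $f in *.pub) continue ;; esac      # public keys may be readable
        [ "$(mode_of "$f")" = rw------- ] || {
            echo "$f is $(mode_of "$f"), want rw------- (600)"; rc=1; }
    done
    return $rc
}

# Apply the modes from the page: 700 on the directory, 600 on private keys
# and authorized_keys; public keys get 644.
fix_ssh_perms() {
    chmod 700 "$1"
    for f in "$1"/id_* "$1"/authorized_keys; do
        [ -f "$f" ] || continue
        case $f in *.pub) chmod 644 "$f" ;; *) chmod 600 "$f" ;; esac
    done
}

# Typical use on a client or server (the key directory is the one you used above):
#   check_ssh_perms "$HOME/.ssh" || fix_ssh_perms "$HOME/.ssh"
```

Run check_ssh_perms first and read its output; it lists every file it would change, so nothing is touched until you decide to call fix_ssh_perms. The parent-directory check covers the case the page's 700/600 advice alone misses: a group-writable home directory makes sshd ignore authorized_keys even when the directory and files themselves are correct.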
SSH server
The SSH server should be configured so that it only accepts login with PKA:
- If you have the appropriate rights, change to the directory /etc/ssh/.
- Open the file sshd_config there.
- Look for the lines PasswordAuthentication, ChallengeResponseAuthentication (called KbdInteractiveAuthentication since OpenSSH 8.7; the old name is still accepted as an alias) and UsePAM.
- If a line is commented out (#), remove the # comment character. If there is no such line, add it. Note that sshd uses the first occurrence of a keyword it finds, so the lines must come before any Match block and before any other copy of the same keyword, including copies in files pulled in via Include (on Debian/Ubuntu e.g. /etc/ssh/sshd_config.d/*.conf).
- Set the value to no. The lines should now look like this:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
Keywords are case-insensitive, so usePAM is accepted as well. Note that UsePAM no also switches off PAM account and session handling (account expiry, pam_limits, systemd user sessions); if your distribution relies on PAM for these, keep UsePAM yes: with the first two lines set to no, PAM cannot be used for a password login either. Leave PubkeyAuthentication at its default (yes).
- Before restarting, keep your current session open and confirm from a second window that the key login works, otherwise you can lock yourself out. Check the file for syntax errors with sshd -t (it prints nothing if the configuration is fine) and view the effective values with sshd -T.
- Restart the SSH daemon, in many distributions e.g. by
systemctl restart ssh
(on Fedora/RHEL and derivatives the unit is called sshd: systemctl restart sshd).
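Because sshd takes the first value of a keyword and ignores everything after a Match line for the global section, a file that "contains" PasswordAuthentication no can still allow password logins. The following added example (not from the original page) checks an sshd_config file with those rules before the daemon is restarted. It assumes POSIX sh and awk; the three sample configurations are constructed here for illustration, and the compiled-in defaults it applies (PasswordAuthentication yes, KbdInteractiveAuthentication yes, PubkeyAuthentication yes) are OpenSSH's.

```shell
#!/bin/sh
# Added example, not from the original page: read an sshd_config the way sshd
# does and report whether only public-key login remains enabled. Assumes
# POSIX sh and awk. The sample files below are constructed.

# Print the effective global value of a keyword. Several names may be given
# for aliases (ChallengeResponseAuthentication / KbdInteractiveAuthentication).
# sshd rules applied: comment and blank lines are skipped, keywords are
# case-insensitive, "Key=value" is allowed, the FIRST occurrence wins, and
# nothing after the first Match line belongs to the global section.
sshd_global_value() {
    cfg=$1; shift
    keys=" $(printf '%s ' "$@" | tr 'A-Z' 'a-z')"
    awk -v keys="$keys" '
        /^[ \t]*#/ || NF == 0 { next }
        { gsub(/=/, " "); k = tolower($1) }
        k == "match" { exit }
        index(keys, " " k " ") { print $2; exit }
    ' "$cfg"
}

# Return 0 when the global section leaves only public-key login enabled.
# Compiled-in defaults (used when a keyword is absent or commented out):
# PasswordAuthentication yes, KbdInteractiveAuthentication yes,
# PubkeyAuthentication yes.
only_pubkey_login() {
    cfg=$1; rc=0
    pw=$(sshd_global_value "$cfg" PasswordAuthentication)
    ki=$(sshd_global_value "$cfg" KbdInteractiveAuthentication ChallengeResponseAuthentication)
    pk=$(sshd_global_value "$cfg" PubkeyAuthentication)
    [ "${pw:-yes}" = no ]  || { echo "$cfg: PasswordAuthentication is effectively ${pw:-yes}"; rc=1; }
    [ "${ki:-yes}" = no ]  || { echo "$cfg: KbdInteractiveAuthentication is effectively ${ki:-yes}"; rc=1; }
    [ "${pk:-yes}" = yes ] || { echo "$cfg: PubkeyAuthentication is $pk"; rc=1; }
    return $rc
}

# Constructed sample 1: a stock-looking file where the lines are still
# commented out, so the defaults (password login on) apply.
weak=$(mktemp)
cat > "$weak" <<'EOF'
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
UsePAM yes
EOF

# Constructed sample 2: the "no" lines exist but sit after a Match block,
# so they only apply to that user, not globally.
late=$(mktemp)
cat > "$late" <<'EOF'
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
    KbdInteractiveAuthentication no
EOF

# Constructed sample 3: correct. Mixed case and Key=value are accepted, and
# the later "yes" lines are ignored because the first occurrence wins.
hardened=$(mktemp)
cat > "$hardened" <<'EOF'
PubkeyAuthentication yes
passwordauthentication no
KbdInteractiveAuthentication=no
ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF
trap 'rm -f "$weak" "$late" "$hardened"' EXIT

for f in "$weak" "$late" "$hardened"; do
    if only_pubkey_login "$f"; then echo "$f: only public-key login is possible"; fi
done
```

On a live host, sshd -T (optionally with -C user=...,host=...,addr=... to evaluate Match blocks) is the authoritative view of the effective configuration; the script is for checking a file before it is installed, or for files on machines where you cannot run sshd.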