I needed to set up key-based, rather than password-based, access to SUSE Linux Enterprise Server. It's more secure because it uses a public/private key pair rather than a password. The user's private key is stored on the client and never leaves it. The matching public key is stored on the Linux machines, in the user's authorized_keys file. When the user connects with an SSH client there is no need to enter a password. You can optionally (and it's recommended) protect the private key with a passphrase, so that a copy of the key file cannot be used without knowing the passphrase.
The solution starts at the client. I normally use PuTTY but I couldn't get it to work properly with this type of solution. Instead I turned to Poderosa. Using it I created a public and private key pair. From there I saved the public key in OpenSSH format, and saved the private key.
Save the private key somewhere safe, e.g. a backed-up location on your PC or your home drive on a file server. Make sure the location is secure: anyone who can read the file (and knows the passphrase, if you set one) can log in as you.
Now you need to copy the text of the public key. Note that it is a single line, even though it is long. Log into the SLES machine as the user who will be using the key and browse to the .ssh directory under that user's home directory (create it if it doesn't exist). For example:
- For root browse to ~/.ssh
- For any other user browse to /home/<username>/.ssh
Use a text editor (like vi) to create a file called authorized_keys in that .ssh directory. Copy the text of your public key (not the private key; that one stays on the client) and paste it into the file as one line. Save it. Make sure the .ssh directory is readable only by its owner (chmod 700) and the authorized_keys file likewise (chmod 600): sshd's StrictModes setting is on by default and it will ignore the file, without much of a hint as to why, if the directory or file is writable by anyone else.
You now need to make sure SSH allows logons using keys. The configuration for SSH is stored in a text file: /etc/ssh/sshd_config. Edit that and you'll have a few entries to modify. We'll start by allowing public keys to be used for authentication. This is done by setting PubkeyAuthentication to "yes". I had to remove the # (comment/remark) symbol from the start of the line. (A commented-out line only shows sshd's built-in default, which for this setting is already "yes"; uncommenting it makes the intent explicit and guards against someone setting it to "no" elsewhere in the file.)
PubkeyAuthentication yes
I restarted the SSH daemon or service by running rcsshd restart (on newer SLES releases that use systemd, systemctl restart sshd does the same). That's required to load the new settings for authentication. Keep your existing session open while you do this, so that you can fix a mistake in sshd_config without locking yourself out.
I configured the SSH client to log in as my user to this server with my private copy of the key. I started the connection and I was logged in without using a password. It authenticated me using the private key (and the passphrase for the key, if you set one). Don't go on to the next step until this works, because the next step removes the password fallback.
Now it is possible to disable logging in via SSH using passwords. You'll do this to force people to use their private key instead of a weaker password that could be subject to brute-force attacks.
The first change is to set PasswordAuthentication to a value of "no". You may need to remove the comment/remark symbol of # from the start of the line. I also found that I had to set UsePAM to a value of "no": with PAM enabled, sshd can still prompt for a password through the keyboard-interactive method, so PasswordAuthentication no on its own wasn't enough. (The narrower alternative is to leave UsePAM alone and set ChallengeResponseAuthentication to "no", which closes that path without turning off PAM's account and session handling.) That meant these two lines were in the file, in different locations:
PasswordAuthentication no
UsePAM no
Again I restarted SSH using rcsshd restart. Now I tested two things:
- I tried to log in using PuTTY with my username and password. The server refused the password login.
- I logged in using my private key. That worked.
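The two server-side steps above (installing the public key with permissions sshd will accept, and checking that sshd_config really forces key-only logins) as an added shell example. This is not code from the original post; the functions take the home directory and config path as parameters so they can be run against a scratch directory, and the sample config and key are constructed for the demo. It assumes the usual "Keyword value" form in sshd_config and only looks at the global section, not at Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the server-side
# steps above. On a real host HOMEDIR is the user's home directory and
# CONFIG is /etc/ssh/sshd_config.

# install_pubkey HOMEDIR "PUBKEY_LINE"
# Creates HOMEDIR/.ssh (0700) and authorized_keys (0600) and appends the key
# once. sshd's StrictModes (on by default) ignores authorized_keys when the
# directory or file is group/world writable, which looks like the key
# "not working".
install_pubkey() {
    sshdir="$1/.ssh"
    auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Don't add the same key twice.
    grep -qxF -- "$2" "$auth" || printf '%s\n' "$2" >> "$auth"
}

# sshd_effective CONFIG KEYWORD
# Prints the value sshd will use for KEYWORD, or "default" if it is not set.
# sshd takes the FIRST non-comment occurrence of a keyword and ignores later
# ones, and keywords are case-insensitive. The scan stops at the first Match
# line; conditional settings inside Match blocks are not evaluated here
# (assumption: only the global section matters for this check).
sshd_effective() {
    awk -v kw="$2" '
        /^[[:space:]]*(#|$)/ { next }                 # comment or blank line
        tolower($1) == "match" { exit }               # end of global section
        tolower($1) == tolower(kw) { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# check_hardened CONFIG
# Returns 0 when the config forces key auth: pubkey enabled and no password
# path left open. PasswordAuthentication no is not enough on its own when
# UsePAM is yes and keyboard-interactive auth is still on, because PAM can
# then still prompt for a password over that method.
check_hardened() {
    pub=$(sshd_effective "$1" PubkeyAuthentication)
    pw=$(sshd_effective "$1" PasswordAuthentication)
    pam=$(sshd_effective "$1" UsePAM)
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication)
    kbd=$(sshd_effective "$1" KbdInteractiveAuthentication)
    case "$pub" in
        yes|default) ;;                               # sshd default is yes
        *) echo "PubkeyAuthentication is $pub"; return 1 ;;
    esac
    [ "$pw" = no ] || { echo "PasswordAuthentication is $pw (sshd default is yes)"; return 1; }
    if [ "$pam" != no ] && [ "$cr" != no ] && [ "$kbd" != no ]; then
        echo "password prompts still possible via PAM keyboard-interactive"
        return 1
    fi
    echo "ok: key-only authentication"
}

# Constructed demo (not a real host config or key): the commented-out
# PubkeyAuthentication line does nothing, and the second
# PasswordAuthentication line is ignored because the first one wins.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/sshd_config" <<'EOF'
#PubkeyAuthentication yes
PasswordAuthentication no
UsePAM no
PasswordAuthentication yes
EOF
    key="ssh-ed25519 AAAAexamplekeynotreal user@client"
    install_pubkey "$tmp/home" "$key"
    install_pubkey "$tmp/home" "$key"                 # second call is a no-op
    wc -l < "$tmp/home/.ssh/authorized_keys"
    sshd_effective "$tmp/sshd_config" passwordauthentication
    check_hardened "$tmp/sshd_config"
    rm -rf "$tmp"
}
demo
```

Running the demo prints 1 (the duplicate key was not added), "no" for PasswordAuthentication, and "ok: key-only authentication". Run check_hardened against /etc/ssh/sshd_config before the restart, from a session you keep open, and it will tell you which of the three settings still leaves a password prompt reachable.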
Perfect. Now I can use SSH to log into the Linux box without the worry of weak passwords being used by users on the machine. They are forced into using stronger public/private key pairs. And I can sleep a little easier knowing that password guessing against sshd no longer works on this machine: an attacker now needs a copy of a user's private key (and its passphrase) rather than a lucky guess.