SSH Keys From Fedora30 to CentOS7

Linux - CentOS


tl;dr

  1. Generate keys on fedora workstation "ssh-keygen -b 4096"
  2. Copy the public key to the server "ssh-copy-id ServerUsername@ServerHostnameOrIPAddress"
  3. Test you can access the server "ssh ServerUsername@ServerHostnameOrIPAddress"
  4. Move to root "sudo -i"
  5. Backup the SSH Config File "cp /etc/ssh/sshd_config /etc/ssh/2019-09-02_sshd_config.cma"
  6. Set "PasswordAuthentication" property to "no" in the "/etc/ssh/sshd_config" file
  7. Restart SSHD "systemctl restart sshd"

What's this for?

SSH Keys From Fedora30 to CentOS7 is for when you want your SSH connections to be that bit more secure! Instead of relying on passwords to authenticate your session you will use a public/private key pair. You can also protect your private key (this is the one you need to keep to yourself) with a passphrase that must be entered before the key can be used.

Warning: This is one of those procedures you need to fully understand before implementing it in a production environment. If you get this procedure wrong there is a very good chance you might end up locked out of your server.

Demo Environment

The outputs below come from the following setup...

  • Client OS: Fedora 30
  • Server OS: CentOS 7
  • Date: 01-09-2019

SSH Keys From Fedora30 to CentOS7

So what we're going to do in these ramblings is run through the steps needed to generate a public/private key pair on your Fedora30 PC. We will then take the public key and install it on your CentOS server so that you can use it for SSH connections. Once we have tested this, we will disable password authentication on the server.

First, on our Fedora workstation, we need to generate our SSH keys. Note: I have not installed anything special on this workstation; I have just opened the console and typed "ssh-keygen". I personally entered a passphrase, but this is not compulsory.

[tmorgan@nanai-ws001 ~]$ ssh-keygen -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tmorgan/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/tmorgan/.ssh/id_rsa.
Your public key has been saved in /home/tmorgan/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:arAmIv+KcHqutO4Ek148EP+mwWLhcxKv2AbDxDiHxDU tmorgan@nanai-ws001.nagronia.lan
The key's randomart image is:
+---[RSA 2048]----+
|.o.E             |
|+oo .            |
|+*..             |
|++B .            |
|*B O.o  S        |
|==B =o .         |
|===.o o          |
|=Boo .           |
|*B+o.            |
+----[SHA256]-----+
[tmorgan@nanai-ws001 ~]$ 

Once you have generated your SSH keys you need to copy the public key to the server you are going to use it to connect to. The ssh-copy-id command below copies your ~/.ssh/id_rsa.pub key into a file called authorized_keys in the remote account's ~/.ssh/ directory.

Note: because the .ssh directory starts with a "." it is hidden and can't normally be seen.

Note: you will only see the host authenticity prompt (the first three lines of the output below, highlighted in red in the original post) if you have never connected to this server before. The password you need to enter is the password you normally use to log into the server; it is not the passphrase you have just created for the SSH key.

[tmorgan@nanai-ws001 ~]$ ssh-copy-id admtmorgan@10.1.11.102
The authenticity of host '10.1.11.102 (10.1.11.102)' can't be established.
ECDSA key fingerprint is SHA256:zvAoLwOBKh6rV4IutVmW+jDC5QISIbDRQJa9uXGFbxs.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
********************************************************************
*                                                                  *
* This system is for the use of authorized users only.  Usage of   *
* this system may be monitored and recorded by system personnel.   *
*                                                                  *
* Anyone using this system expressly consents to such monitoring   *
* and is advised that if such monitoring reveals possible          *
* evidence of criminal activity, system personnel may provide the  *
* evidence from such monitoring to law enforcement officials.      *
*                                                                  *
********************************************************************




admtmorgan@10.1.11.102's password: 


Number of key(s) added: 1


Now try logging into the machine, with:   "ssh 'admtmorgan@10.1.11.102'"
and check to make sure that only the key(s) you wanted were added.


[tmorgan@nanai-ws001 ~]$ 
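To make clear what ssh-copy-id is doing on the far end, here is an added example (not code from the original post or from OpenSSH) that performs the same authorized_keys update as a plain shell function: append the key only if it is not already present, then set the owner-only permissions that sshd's StrictModes check will accept. The home directory and the public key used below are constructed placeholders, not real values from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: the server-side work that
# ssh-copy-id does, written out as a shell function so the "filter out any
# that are already installed" step and the permission fixes are visible.
# The home directory and the public key below are constructed samples.

# install_authorized_key <home_dir> <public_key_line>
# Appends the key line to <home_dir>/.ssh/authorized_keys unless the same
# key is already there, then sets the owner-only permissions sshd's
# StrictModes check accepts (directory 700, file 600).
# Prints "added" or "already-installed".
install_authorized_key() {
    home_dir="$1"
    pubkey="$2"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    touch "$auth_file"

    # Compare on key type + base64 body only, so a different trailing comment
    # (user@host) does not get the same key installed twice.
    key_body=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$auth_file" | grep -qxF "$key_body"; then
        status="already-installed"
    else
        printf '%s\n' "$pubkey" >> "$auth_file"
        status="added"
    fi

    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"
    printf '%s\n' "$status"
}

# count_authorized_keys <home_dir>
# Number of key lines installed for that account (the figure to compare
# with the "Number of key(s) added" line ssh-copy-id prints).
count_authorized_keys() {
    grep -Ec '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys" || true
}

# Constructed sample key: the base64 body is a placeholder, not a real key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEPLACEHOLDERNOTAREALKEY tmorgan@nanai-ws001'

# Dry run against a throwaway directory instead of a real account's home.
DEMO_HOME=$(mktemp -d)
install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"   # prints: added
install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"   # prints: already-installed
count_authorized_keys "$DEMO_HOME"                     # prints: 1
rm -rf "$DEMO_HOME"
```

ssh-copy-id detects already-installed keys by attempting a login with each one; this version checks the file directly, which is the equivalent when you already have a shell on the server. The permission step matters: if StrictModes is on (the default) and the directory or file is group- or world-writable, sshd ignores authorized_keys and falls back to asking for a password, which is the first thing to check when a key that was "added" still prompts for one.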

We can now try and SSH to our server using our ssh key.

[tmorgan@nanai-ws001 ~]$ ssh admtmorgan@10.1.11.102
********************************************************************
*                                                                  *
* This system is for the use of authorized users only.  Usage of   *
* this system may be monitored and recorded by system personnel.   *
*                                                                  *
* Anyone using this system expressly consents to such monitoring   *
* and is advised that if such monitoring reveals possible          *
* evidence of criminal activity, system personnel may provide the  *
* evidence from such monitoring to law enforcement officials.      *
*                                                                  *
********************************************************************

At this point, assuming you entered a passphrase, Fedora is going to ask you for it. You should then go straight into the server without having to enter a password.

[tmorgan@nanai-ws001 ~]$ ssh admtmorgan@10.1.11.102
Last login: Sun Sep 15 14:21:33 2019 from 10.1.20.102
[admtmorgan@nanai-vps02 ~]$ 

Once you have ensured all users have an SSH key set up, you can disable password-based authentication for SSH. To start off we need to move into sudo mode, as we are now going to make changes that impact more than just our user!

[admtmorgan@nanai-ipm01 ~]$ sudo -i
[sudo] password for tmorgan: 
[root@nanai-ipm01 ~]# 

Next we need to edit the configuration file for the SSH daemon so it no longer accepts passwords. We start by taking a backup.

[root@nanai-imp01 ~]# cp /etc/ssh/sshd_config /etc/ssh/2019-09-02_sshd_config.cma
[root@nanai-ipm01 ~]# 

We can then edit the /etc/ssh/sshd_config config file and change the password setting. Remember, in vi it's "a" to append to the file and ":wq" to write and quit. If you think you have made a mistake, you can use ":q!" to exit without saving.

[root@nanai-ipm01 ~]# vi /etc/ssh/sshd_config

From:

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

To:

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

Once this is updated you just need to restart the SSH service for the changes to take effect.

[root@nanai-ipm01 ~]# systemctl restart sshd
[root@nanai-ipm01 ~]#
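As an added example (not from the original post), here are the server-side steps above collected into shell functions, with two checks the walkthrough does by hand or not at all: the existing active directive is edited in place (sshd honours the first PasswordAuthentication line it reads, so a line appended after an existing "yes" would be silently ignored), and the edited file is validated with sshd -t before the daemon is restarted. The file paths and the sample configuration are constructed for the dry run; the commented sequence at the bottom is how it would be applied to the real /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the original post: the server-side steps
# (backup, set PasswordAuthentication to no, restart) as functions with the
# checks that guard against the lockout the post warns about. The sample
# config and temp files are constructed; on CentOS 7 the real file is
# /etc/ssh/sshd_config.

# effective_password_auth <sshd_config>
# Prints the value sshd will actually use: the first active global
# PasswordAuthentication line (sshd takes the first match and ignores any
# later one), or "yes", the compiled-in default, when there is none.
# Stops at the first Match block, whose directives are conditional.
effective_password_auth() {
    v=$(awk 'tolower($1)=="match" {exit}
             tolower($1)=="passwordauthentication" {print $2; exit}' "$1")
    printf '%s\n' "${v:-yes}"
}

# has_global_directive <sshd_config>
# Succeeds when an active, un-commented PasswordAuthentication line exists
# before any Match block.
has_global_directive() {
    awk 'tolower($1)=="match" {exit 1}
         tolower($1)=="passwordauthentication" {found=1; exit 0}
         END {exit (found ? 0 : 1)}' "$1"
}

# disable_password_auth <sshd_config>
# Takes a dated backup (as the post does), then sets the global directive to
# "no". An existing active line is changed in place rather than a new one
# appended, because sshd would ignore a second directive after the first.
# Prints the backup path so the caller can restore it if validation fails.
disable_password_auth() {
    cfg="$1"
    backup="${cfg}.$(date +%Y-%m-%d).bak"
    tmp="${cfg}.tmp.$$"
    cp -p "$cfg" "$backup"

    if has_global_directive "$cfg"; then
        awk 'tolower($1)=="match" {inmatch=1}
             !inmatch && tolower($1)=="passwordauthentication" {print "PasswordAuthentication no"; next}
             {print}' "$cfg" > "$tmp"
    else
        # Only the default "yes" is in effect: add an explicit directive at
        # the top so it lands ahead of any Match block.
        { printf 'PasswordAuthentication no\n'; cat "$cfg"; } > "$tmp"
    fi
    cat "$tmp" > "$cfg" && rm -f "$tmp"   # write in place, keeping owner and mode
    printf '%s\n' "$backup"
}

# validate_then_restart <sshd_config> <backup>
# Runs sshd -t on the edited file and only restarts the daemon when it
# passes; on failure the backup is put back and the running sshd (and your
# current session) is left untouched. Meant for the real server, as root.
validate_then_restart() {
    if ! sshd -t -f "$1"; then
        echo "sshd_config failed validation, restoring $2" >&2
        cp -p "$2" "$1"
        return 1
    fi
    systemctl restart sshd
}

# Dry run on a constructed copy of the lines from the post, so this can be
# executed on a workstation without touching a real daemon.
DEMO_CFG=$(mktemp)
cat > "$DEMO_CFG" <<'EOF'
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
EOF
effective_password_auth "$DEMO_CFG"            # prints: yes
disable_password_auth "$DEMO_CFG" > /dev/null
effective_password_auth "$DEMO_CFG"            # prints: no
rm -f "$DEMO_CFG" "$DEMO_CFG".*.bak
# On the server, as root, the full sequence is:
#   backup=$(disable_password_auth /etc/ssh/sshd_config) &&
#       validate_then_restart /etc/ssh/sshd_config "$backup"
```

Keep the session you edited from open and confirm a fresh key-based login from a second terminal after the restart; restarting sshd does not drop sessions that are already established, so that open root shell is your way back to the backup if the new login fails.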

That should be it, simple!