Category: System Administration
Using Public Key Cryptography and SSH Tools for Smooth Log In
Logging in to an SSH server without needing to enter a password each time can be done in different ways. One way is to configure your server to allow certain users (or certain users from certain hosts/networks/IP addresses [or ranges]), but the preferred method I am going to demonstrate involves encryption keys and the Diffie-Hellman key exchange.
(See also PKI)
First, one needs a key pair to prove his or her identity. There are different algorithms by which a key can be created (I won't go into them here), but a popular and often recommended one is the RSA algorithm, which I will use in my example.
On a POSIX (Unix/Unix-like) system with an SSH client in a typical configuration, this is the process to create an RSA key pair:
> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
a9:9d:f8:df:63:64:68:11:00:13:f1:bb:2d:76:5d:5b user@gnu-linux
Once our key pair has been created (client side), we need to copy our public key into the proper directory on the SSH server. DO NOT DISTRIBUTE YOUR PRIVATE KEY, KEEP IT SAFE! When performing public key authentication, by default the server looks in the user's home directory ($HOME) for a directory named '.ssh'. Inside that directory the server looks for a file named 'authorized_keys'. This file is where we place a copy of our public key, on a single line of its own.
The public key can be installed on the server automatically with the ssh-copy-id command:
> ssh-copy-id
Usage: /usr/bin/ssh-copy-id [-h|-?|-n] [-i [identity_file]] [-p port] [[-o ] ...] [user@]hostname
>
> ssh-copy-id firstname.lastname@example.org
To do it manually:
---In the home directory on the client machine---
> cat .ssh/id_rsa.pub > pubkey
> scp pubkey email@example.com:
---output omitted---
> ssh firstname.lastname@example.org
---output omitted---
---On server in home directory---
> cat pubkey >> .ssh/authorized_keys
> exit
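The manual steps above append the key blindly; the following is an added example (my own script, not from the original post) that does the same installation idempotently and with the permissions sshd expects (.ssh mode 700, authorized_keys mode 600; with the default StrictModes, sshd ignores the file when it is writable by others). The function name and file paths are my own choices.

```shell
#!/bin/sh
# install_pubkey <public key file> <authorized_keys path>
# Appends one public key line to authorized_keys, skipping duplicates,
# and sets the permissions sshd's StrictModes requires.
install_pubkey() {
    pub="$1"
    auth="$2"
    sshdir=$(dirname "$auth")

    # The public key file holds one line: "<type> <base64 blob> [comment]".
    keyline=$(head -n 1 "$pub")
    keytype=${keyline%% *}
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not a public key line: $keyline" >&2; return 2 ;;
    esac
    rest=${keyline#* }
    keydata=${rest%% *}   # the base64 blob identifies the key regardless of comment

    # ~/.ssh must not be group/world writable or sshd refuses to use the key.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"

    # Do not add the same key twice (repeated "cat >>" runs would).
    if grep -qF -- "$keydata" "$auth"; then
        echo "key already present in $auth"
        return 0
    fi
    printf '%s\n' "$keyline" >> "$auth"
    echo "key added to $auth"
}

# Usage on the server, with the pubkey file copied up as shown above:
# install_pubkey "$HOME/pubkey" "$HOME/.ssh/authorized_keys"
```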
Okay. This takes care of half of the puzzle. This will allow our server to use our RSA key to verify our identity, but (assuming a passphrase was entered when prompted above) we will still need to enter the passphrase for this key each time we attempt to log into the server. What we can do to get around this is use ssh-agent, which is part of the SSH client.
Our key can be added to the ssh-agent once, and future requests for access to SSH servers will be handled by the agent. When our RSA key was created, we opted to store it in the default location. The ssh-agent, via ssh-add, will likewise look in that default location for our keys. So all one needs to do to load the key into the ssh-agent is issue the ssh-add command; Windows users can set up a profile in PuTTY to accomplish the same result.
> ssh-add
Enter passphrase for /home/user/.ssh/id_rsa:
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)
Now, with our key loaded into the ssh-agent, we can access any SSH server where our public key is authorized without re-entering our passphrase, for as long as the agent is running and still holds the identity.
Otherwise known as a LAMP server, the LAMP software stack consists of GNU/Linux as the operating system, Apache as the Web server, MySQL as the database, and PHP (or possibly Perl or Python) as the programming language used to host a Web application.
I’m going to assume a minimal install (I’ll be using debian-7.6.0-i386-CD-1.iso)
First we'll need to make sure we have all the necessary repos in our /etc/apt/sources.list file. If you installed from a complete installation image you probably won't need to mess with this, but cat out the sources list and make sure you have the following or
root@debian32-base:# cat /etc/apt/sources.list
deb http://ftp.us.debian.org/debian stable main contrib non-free
deb http://ftp.debian.org/debian/ wheezy-updates main contrib non-free
deb http://security.debian.org/ wheezy/updates main contrib non-free
Okay, now update apt and install our software packages. During the install you will be prompted to set a password for MySQL's root user.
root@debian32-base:# apt-get update
---output omitted---
root@debian32-base:~# apt-get install apache2 mysql-client mysql-server php5 libapache2-mod-php5
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common libaio1 libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libdbd-mysql-perl libdbi-perl libhtml-template-perl
  libmysqlclient18 libonig2 libqdbm14 mysql-client-5.5 mysql-common mysql-server-5.5
  mysql-server-core-5.5 php5-cli php5-common ssl-cert
Suggested packages:
  apache2-doc apache2-suexec apache2-suexec-custom php-pear libipc-sharedcache-perl
  libterm-readkey-perl tinyca openssl-blacklist
The following NEW packages will be installed:
  apache2 apache2-mpm-prefork apache2-utils apache2.2-bin apache2.2-common libaio1
  libapache2-mod-php5 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap
  libdbd-mysql-perl libdbi-perl libhtml-template-perl libmysqlclient18 libonig2 libqdbm14
  mysql-client mysql-client-5.5 mysql-common mysql-server mysql-server-5.5 mysql-server-core-5.5
  php5 php5-cli php5-common ssl-cert
0 upgraded, 27 newly installed, 0 to remove and 2 not upgraded.
Need to get 16.1 MB of archives.
After this operation, 115 MB of additional disk space will be used.
Do you want to continue [Y/n]?
Get:1 http://security.debian.org/ wheezy/updates/main mysql-common all 5.5.38-0+wheezy1 [78.6 kB]
---output omitted---
Right about now you get hit with the ncurses screen for setting the MySQL root password, and then the installation will finish uninterrupted.
---output omitted---
Creating config file /etc/php5/apache2/php.ini with new version
[ ok ] Restarting web server: apache2 ... waiting .
Setting up libhtml-template-perl (2.91-1) ...
Setting up mysql-client (5.5.38-0+wheezy1) ...
Setting up mysql-server (5.5.38-0+wheezy1) ...
Setting up php5 (5.4.4-14+deb7u12) ...
Setting up php5-cli (5.4.4-14+deb7u12) ...
Creating config file /etc/php5/cli/php.ini with new version
update-alternatives: using /usr/bin/php5 to provide /usr/bin/php (php) in auto mode
Setting up ssl-cert (1.0.32) ...
root@debian32-base:~#
Now you should be able to navigate to the server with a Web browser. Just type the computer's IP address into the address bar.
What we don't know for sure at this point is whether PHP is working. Let's rename the index.html file to a PHP file. (FYI: to rename in the terminal, we use the move command, mv.) Then we can open it with a text editor, add some PHP code, and see if it's working:
root@debian32-base:~# mv /var/www/index.html /var/www/index.php
root@debian32-base:~# vim /var/www/index.php
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
<?php echo('Hello World'); ?>
</body>
</html>
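The browser test above can be turned into a repeatable check. The following is an added example (my own, not from the original post): it classifies the response for index.php as executed, source-leaked or missing the marker, because a server that returns the literal <?php tag is not running mod_php and is serving the page source (with any credentials a real application would embed) to every visitor. It assumes curl is installed; the function names and the sample bodies in the test are constructed.

```shell
#!/bin/sh
# php_page_status <response body>
#   Prints "executed", "source-leaked" or "no-marker" and returns 0, 1 or 2.
php_page_status() {
    body="$1"
    case "$body" in
        *'<?php'*)
            # PHP tag came back verbatim: Apache served the file as plain text.
            echo "source-leaked"
            return 1 ;;
        *'Hello World'*)
            # echo() output is present and the tag is gone: mod_php ran it.
            echo "executed"
            return 0 ;;
        *)
            # Neither string: wrong file, wrong vhost, or the rename did not happen.
            echo "no-marker"
            return 2 ;;
    esac
}

# check_server <host or IP>: fetch /index.php from the new server and classify it.
check_server() {
    body=$(curl -fsS "http://$1/index.php") || { echo "fetch failed"; return 3; }
    php_page_status "$body"
}

# Example run against the address you typed into the browser (placeholder IP):
# check_server 192.0.2.10
```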