# ssh keys

## eleanor

How can I use only key logins, so that only the members who have the key would be able to connect to my ssh server?

Now I have a private and public key and I want to create an ssh server which lets only the person who has an ssh key connect and refuses other connections. And I would send the ssh key to the person whom I trust in order to let him connect to my ssh server?

----------

## truc

Assuming you already know how ssh keys work, in sshd_config you should set UsePAM no, and then

PasswordAuthentication no and ChallengeResponseAuthentication yes (this one is yes by default).

The thing is to disable PAM or compile openssh without PAM support, since PAM overrides some behaviour (e.g. sshd asks for a password although you set PasswordAuthentication to no).

http://gentoo-wiki.com/HOWTO_Remove_PAM

----------

## tuxmin

Make sure you have the following lines in /etc/ssh/sshd_config

```
UsePAM no
PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys
```

Furthermore, instead of distributing one private key, I recommend having each user create his own key pair and putting the corresponding public key in the authorized_keys file of the appropriate user on your ssh server.

Alex!!
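
As an added example (not from the thread or from OpenSSH itself), a small Python audit that reads an sshd_config the way sshd does, first occurrence of a keyword wins and Match blocks are skipped, and reports whether the settings listed above actually leave only key logins; both config texts are constructed samples.

```python
import re
# Constructed sample: sshd honours the first PasswordAuthentication line, so the later 'no' is dead and PAM stays on.
LOOSE_CONFIG = """\
UsePAM yes
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""
# Constructed sample with the settings recommended in the post above.
KEY_ONLY_CONFIG = """\
UsePAM no
PasswordAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
"""
_LINE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")  # 'Keyword value' or 'Keyword=value'

def parse_global(config_text):
    """Return {keyword_lower: value} for the global section as sshd reads it: keywords are
    case-insensitive, the first occurrence wins, and lines after a Match directive are skipped."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and full-line comments
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings

def audit_key_only(config_text):
    """Return findings that mean the server still accepts non-key logins."""
    s = parse_global(config_text)
    findings = []
    # sshd defaults: PasswordAuthentication yes, PubkeyAuthentication yes, UsePAM no
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if s.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if s.get("usepam", "no").lower() == "yes":
        findings.append("UsePAM yes: PAM can still prompt via keyboard-interactive")
    return findings
```

Running `audit_key_only` on the first sample reports both the password setting and UsePAM, which is the state that produces the `keyboard-interactive` offer seen later in this thread; the second sample reports nothing.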

----------

## eleanor

I have some problems. I did what you said before and I appreciate that. It works? But the problem is that it won't allow anybody to log in to the server. I created a dsa key and put id_dsa.pub (my public key on the server) into ~/.ssh/authorized_keys (on the client machine), and the thing is that it won't connect. Look at this:

> Are you sure you want to continue connecting (yes/no)? yes
> 
> Warning: Permanently added 'xxx.xxx.xxx.xxx'list of known hosts.
> 
> Permission denied (publickey,keyboard-interactive).
> ...

 

----------

## tuxmin

The private key belongs to the client machine. It should by all means only be accessible by a certain user. Anyone who can get his hands on a private key can log in to your server once you install the related public key. It is advisable to password-protect the private key for that reason. The public key must be placed in authorized_keys on the server!

The idea behind this is that the root user of the server has full control over who is allowed to log in and who is not, by simply adding or removing the public keys...

Hth, Alex!!!

----------

## eleanor

So, I place the id_dsa.pub key in authorized_keys on the server (in the certain user's directory under .ssh).

What about the client machine? Where do I put id_dsa.pub?

And is anything wrong if I simply delete the private key, so that I won't have to worry about it getting into the wrong hands?

----------

## tuxmin

You don't need to hide the public key, that's why it's called public. It's not needed by the client for the authentication process. However, it is best practice to store it in the same location as the private key so you know where to find it.

You should delete the private key on the server, though. As I mentioned earlier, this one has to be kept secret.

You might want to google for some docs to get deeper insight into public key authentication; there should be lots of good quality readings around.

Hth, Alex!!!

----------

## sundialsvc4

Here's the scenario...

A machine owner who wishes for his (guest) machine to connect to your ssh generates a private/public key pair. He submits the public key to you. You, after verifying that this nefarious scoundrel really should be given access, place that public key into the appropriate place.

You see, this exchange scenario requires that the owner of the guest machine furnish to you something that he has no reason whatsoever to need to conceal. He can send you the public key, and as long as you are certain that the key you received really is the one that he sent, it does not matter if anyone else intercepted the message. All that matters is that the private key of the pair is securely retained by the guest machine's owner.

If, during the key exchange process, SSH receives a message that can be successfully decrypted using such-and-such public key, which it has been instructed to accept, then SSH knows that said message must have been encrypted using the corresponding private key.  This is taken as evidence that the connection request is authentic.

----------

