Authentication by public key for SSH connection

Summary

From November 15, 2011, the gateway to go into the gateway server (sshsolar.nro.nao.ac.jp) of Nobeyama Sola Radio Observatory from the outside of National Astronomical Observatory of Japan is available to only public key authentication of ssh (pubkey).

Because the conventional password authentication is in weak the attack from the outside, there are some cases by which accounts are abused by brute force attack actually.

Please write in a public key "only one" at new user registration with the following way. After logging in once, you can add some keys to ~/.ssh/authorized_keys. When inputting some keys by mistake at user registration, only first one is effective.

The making method of new public key pair is as follows. Please make the RSA key of SSH2 and register it.

Note: After login to sshsolar, you can login to the other servers (ex. burst1) by password authentication.

Setting up public key authentication over SSH

1. How to make your public key of RSA for SSH connection

• Case of UNIX (include Mac OS X and the Cygwin on MS-Windows)
  
  1. First, prepare for openssh at your host (ex: local.somewhere.ac.jp).
     OpenSSH Web Site:http://www.openssh.com/
  2. Please enter the following command at local.somewhere.ac.jp.
     

     ssh-keygen -t rsa
     

     After command input as follows.

     % ssh-keygen -t rsa
     Generating public/private dsa key pair.
     Enter file in which to save the key (/home/yourname/.ssh/id_rsa):
     

     You are asked saving file name. Unless you made id_dsa already, you shall save default (~/.ssh/id_rsa). In this case, just as it is Enter. Next, you are asked as follows.
     

     Enter passphrase (empty for no passphrase):
     

     "The passphrase of the key pair named id_rsa" is established. A login password is the password established by the login host, but this passphrase is the code character string to use id_dsa key belonged to your host. Please input some character strings which are not forgot. These character strings are not indicated.
     

     Enter same passphrase again:
     

     Reconfirmation can be asked, so please input same character strings. If it has to be able to input these,
     

     Passphrases do not match.  Try again.
     Enter passphrase (empty for no passphrase):
     

     it will be a repeat. When it succeeds,
     

     Your identification has been saved in /home/yourname/.ssh/id_rsa.
     Your public key has been saved in /home/yourname/.ssh/id_rsa.pub.
     The key fingerprint is:
     12:34:56:78:90:ab:cd:ef:fe:dc:ba:98:76:54:32:10 yourname@localhost
     The key's randomart image is:
     +--[ RSA 2048]----+
     |                 |
     |                 |
     |             .   |
     |            . .  |
     |        S  o   o.|
     |         .. . oo |
     |         .oo  .Eo|
     |        . +o=o..o|
     |      ...o +OX. .|
     +-----------------+
     % 
     

     it is shown as above. The command finish.
     

  ---

• Case of Windows
  

  In case of Windows, it is different in a registration method of the public key by used application at registration. A registration method of a public key using PuTTY is explained by the following.

  1. PuTTYgen is downloaded from here http://www.chiark.greenend.org.uk/%7Esgtatham/putty/download.html.
  2. PuTTYgen is started.
     "PuTTY Key Generator" window opens.
     Lower "Parameters" is chosen as "SSH-2_RSA" and "Generate" in the frame of "Actions" is clicked. Next, instructions are written as "Please generate some randomness by moving the mouse over the blank area" at "Key". Please keep moving a mouse properly until an indicator reaches right end with these instructions.
     
  3. When it is completed, the space in which passphrase and the confirmation are put opens, so please establish pass phrase. This phrase will be "passphrase for the key pairs".
     
  4. "Save private key" is clicked.
     You ask where to save it, so please save it at the place which is not seen by other people. Please make the extension ppk. For example, it is saved as id_rsa.ppk.
     
  5. A character string is showing under the title as "Public key for pasting into OpenSSH authorized_keys file". This character string is the public key of the openssh form. When you submit user account application, please enter it in the "public key" space. Also, please copy this character string in a text file, and save it as "id_rsa.pub".
     

---

2. How to put your public key on sshsolar.nro.nao.ac.jp for SSH connection

At first, please transfer your public key (id_rsa.pub) to sshsolar.nro.nao.ac.jp using "scp" command. Then, please add your public key to ~/.ssh/authorized_keys, as follows.


[foobar@burst4]$ cat id_rsa.pub >> ~/.ssh/authorized_keys

If there is no ~/.ssh/authorized_keys in your home directory, please rename the id_rsa.pub, as follows


[foobar@burst4]$ mv id_rsa.pub ~/.ssh/authorized_keys
[foobar@burst4]$ chmod go-rwx ~/.ssh/authorized_keys