Simple SSH Setup Guide for Linux

Client Side

Get yourself an X.509 certificate (these days, ideally with a WebID / Personal HTTP URI in the certificate's Subject Alternative Name slot that points to the location of a TLS-accessible profile document).

Extract the certificate's public key (in SSH key format) for use in the server-side section that follows.

Note: the last step is geeky, so the easiest way around the problem is to use a WebID-oriented certificate generator [1], which writes your public key to a document while also denoting said public key with its own HTTP URI (hyperlink). Thus, you can leverage HTTP content negotiation to specify the MIME type (content format) you desire when de-referencing (looking up) the public key's URI.

Example:

Given the Personal URI / WebID: http://id.myopenlink.net/about/id/entity/http/www.linkedin.com/in/kidehen

Follow-your-nose (via the 'Owns' property value) to: http://id.myopenlink.net/about/id/entity/http/www.linkedin.com/in/kidehen#cert955F1F95A29C4A9ADA4630E6F926FB169A65543B

and then go to (via the 'Public Key' property value): http://id.myopenlink.net/certgen/key/3238

You get the SSH key format representation of the public key via curl, as follows:

curl -i -H "Accept: application/x-ssh-key" http://id.myopenlink.net/certgen/key/3238

Sample output:

HTTP/1.1 200 OK
Server: Virtuoso/06.04.3132 (Linux) x86_64-generic-linux-glibc25-64  VDB
Connection: Keep-Alive
Date: Wed, 05 Sep 2012 20:56:36 GMT
Accept-Ranges: bytes
Content-Type: application/x-ssh-key
Content-Length: 372

AAAAB3NzaC1yc2EAAAADAQABAAABAQDHtgYYxNtSS19GQ+jondUkP1iRB1rwRqhT8MnL2M+sUhROC5zov7TTEVDdjD4yjES6ZkQZIV7H7GItfFPLOHspTUtxro4R+UpETfglhyT0NzoiwCnYZhof5hQ7AwB+zONVe9jXk8T8yqonP2QCJY135r/EOPq0DOt9fw6lVaHsiCwXahCk59EGw60zImRazL7WiVNuwfJBVlTEjpEhz5rDaYakbj2nzT2qGdZxUIbeXrP4wuAo76bdVdUwH4yVFvLQm470vvlto1Io/5MXYBzHo/Akay7SLWOwvpGpOW8dvGAUBzLARgDmRGHwHCDTWBOT27tcBjh8sFGCWJM07OZ

Note: this is an ssh-rsa public key.

Server Side (Linux)

Log on to your server and then perform the following steps:

* login -- this places you in your home directory
* create a sub-directory named: .ssh
* cd (change directory) to the newly created ".ssh" directory
* create a file named: authorized_keys
* open the newly created "authorized_keys" file and add content in the following form to the file (one line for each identity associated with a public and private key pair): ssh-rsa {your-public-key}
* save and exit your file editor
* set the file permissions to 700 using the command: chmod 700 authorized_keys
* done.
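The two manual procedures above (extracting the SSH-format public key from the certificate on the client, then installing it into authorized_keys on the server) as one script. This is an added example, not code from the original post or from OpenLink; it assumes openssl and ssh-keygen on the client (only cert_to_ssh_key needs them), and POSIX sh, awk and find on the server. The CERT_FILE variable, the file names and the sample key line are placeholders; the sample blob is deliberately truncated so it is not a usable key. Two details worth noting: sshd's StrictModes setting refuses an authorized_keys file or .ssh directory that is group- or world-writable, so the script uses the conventional modes (700 for the directory, 600 for the file), and it checks that the line really starts with the key type, since the curl output above is the bare key blob without the "ssh-rsa " prefix.

```shell
#!/bin/sh
# Added example (not from the original post). Client part needs openssl + ssh-keygen;
# server part needs only POSIX sh, awk and find. All names below are placeholders.

# Client side: derive the OpenSSH public-key line from an X.509 certificate (PEM).
# openssl exports the SubjectPublicKeyInfo; ssh-keygen re-encodes it as "ssh-rsa AAAA...".
cert_to_ssh_key() {
    cert="$1" comment="$2"
    tmp=$(mktemp) || return 1
    openssl x509 -in "$cert" -noout -pubkey > "$tmp" || { rm -f "$tmp"; return 1; }
    key=$(ssh-keygen -i -m PKCS8 -f "$tmp") || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    printf '%s %s\n' "$key" "$comment"
}

# Sanity check for one authorized_keys line: field 1 must be "ssh-rsa" and field 2 a
# base64 blob starting with AAAAB3NzaC1yc2E (the encoding of the length-prefixed
# string "ssh-rsa" that opens every RSA key blob). Catches the "bare blob" mistake.
is_ssh_rsa_line() {
    kind=$(printf '%s\n' "$1" | awk '{print $1}')
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    [ "$kind" = "ssh-rsa" ] || return 1
    case "$blob" in AAAAB3NzaC1yc2E*) ;; *) return 1 ;; esac
    case "$blob" in *[!A-Za-z0-9+/=]*) return 1 ;; esac   # base64 alphabet only
    return 0
}

# Server side: install one key line into $home/.ssh/authorized_keys with the modes
# sshd's StrictModes accepts (dir 700, file 600). Idempotent: an already present
# blob is not appended again (the comment field is ignored for the comparison).
install_authorized_key() {
    home="$1" line="$2"
    is_ssh_rsa_line "$line" || { echo "refusing: not an ssh-rsa public key line" >&2; return 1; }
    dir="$home/.ssh" file="$home/.ssh/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file" || return 1
    blob=$(printf '%s\n' "$line" | awk '{print $2}')
    grep -qF -- "$blob" "$file" && return 0
    printf '%s\n' "$line" >> "$file"
}

# Audit helper: succeeds only if both paths exist with exactly the expected modes.
# "-prune" keeps find from descending, so only the directory entry itself is tested.
authorized_keys_ok() {
    dir="$1/.ssh" file="$1/.ssh/authorized_keys"
    [ -d "$dir" ] && [ -f "$file" ] || return 1
    [ -n "$(find "$dir" -prune -perm 700 -print)" ] || return 1
    [ -n "$(find "$file" -perm 600 -print)" ] || return 1
}

# Constructed sample line (truncated blob, not a real key) so the demo runs offline.
SAMPLE_LINE="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHtgYYxNtSS19GQ MyLinkedInWebID"

# Demo: set CERT_FILE=/path/to/cert.pem to convert a real certificate instead.
if [ -n "${CERT_FILE:-}" ]; then
    LINE=$(cert_to_ssh_key "$CERT_FILE" "MyLinkedInWebID") || exit 1
else
    LINE=$SAMPLE_LINE
fi
DEMO_HOME=$(mktemp -d)
install_authorized_key "$DEMO_HOME" "$LINE"
install_authorized_key "$DEMO_HOME" "$LINE"   # second call is a no-op
authorized_keys_ok "$DEMO_HOME" && echo "installed: $(wc -l < "$DEMO_HOME/.ssh/authorized_keys") key line(s)"
rm -rf "$DEMO_HOME"
```

Run it on the server as the account you will log in to, with the key line produced on the client; the demo block at the end writes into a throwaway directory rather than your real home, so replace DEMO_HOME with "$HOME" once you have checked the output.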

authorized_keys file content example

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHtgYYxNtSS19GQ+jondUkP1iRB1rwRqhT8MnL2M+sUhROC5zov7TTEVDdjD4yjES6ZkQZIV7H7GItfFPLOHspTUtxro4R+UpETfglhyT0NzoiwCnYZhof5hQ7AwB+zONVe9jXk8T8yqonP2QCJY135r/EOPq0DOt9fw6lVaHsiCwXahCk59EGw60zImRazL7WiVNuwfJBVlTEjpEhz5rDaYakbj2nzT2qGdZxUIbeXrP4wuAo76bdVdUwH4yVFvLQm470vvlto1Io/5MXYBzHo/Akay7SLWOwvpGpOW8dvGAUBzLARgDmRGHwHCDTWBOT27tcBjh8sFGCWJM07OZV MyLinkedInWebID

Using SSH for Secure Logins

Now that you've completed the client- and server-side setup activities, you can make a secure login from your client to a server using the following command pattern:

ssh -v -i <PEM-File-Holding-Public-And-Private-Key-Data> <username-on-server>@<server-hostname-or-ip-address>

Note: the -v option turns on verbose output, which helps with troubleshooting. Once your connection works you no longer need that option.

Example

In this case my PEM file is named MyLinkedInWebID.pem and my target host is named myserver.com:

ssh -v -i MyLinkedInWebID.pem kidehen@myserver.com

Related

1. http://bit.ly/Q91MfT -- "Deceptively Simple" Certificate Generator for WebID, NetID/YouID protocols

2. http://bit.ly/OdXrHI -- Man pages for Mac OS X implementation of ssh-add (SSH Agent)

3. http://bit.ly/P0HVdI -- Benefits of having a URI for your Public Key.


#WebID #SSH #TLS #X509 #Security #Identity #PKI #Privacy #AWWW #Linux #HOWTO