Using Public Key Authentication

Introduction

Public key authentication is a more secure alternative to passwords. It uses a challenge/response mechanism that prevents even the server from gaining access to the authentication information. This section will describe how to configure ThinLinc to use it.

Key Generation

In order to use public key authentication, a pair of encryption keys must be generated. Tools to accomplish this should be included with the SSH server. On Linux, that server is normally OpenSSH and the tool to generate keys is called ssh-keygen.

Example:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/johndoe/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/johndoe/.ssh/id_rsa.
Your public key has been saved in /home/johndoe/.ssh/id_rsa.pub.
The key fingerprint is:
e1:87:0d:82:71:df:e9:4a:b0:a8:e3:cd:e8:79:58:32 johndoe@example.com

Remember that the private key (id_rsa in the example) is a password equivalent and should be handled with care. The public key (id_rsa.pub in the example) does not need to be kept secret.

Note

The SSH key format is not standardised, so it may be required to convert the keys depending on which servers you will be using.

Server Configuration

All SSH servers must support public key authentication, so any SSH server will work. It is important, however, to verify that public key authentication is not disabled. Refer to the documentation for your SSH server for instructions on how to do this.

Next, the public keys need to be associated with the correct users. For OpenSSH, you must store a copy of the public key in the users’ home directory, specifically in the file ~/.ssh/authorized_keys. This file can contain multiple keys, each on a separate line.

Client Configuration

The client must have a copy of the private key associated with the public key stored on the server. The key can be stored anywhere, although on Linux it is commonly stored as ~/.ssh/id_rsa. The user will be able to specify where the key is located in the ThinLinc Client interface.

Note

The client currently only supports the OpenSSH key format. If your keys are in another format, e.g. for PuTTY, then they must first be converted before they can be used with ThinLinc.