This article is provided as a courtesy for web administrators to enhance server security. Installing, configuring, and troubleshooting SSH keys is outside the scope of support provided by Centrora Security.
Overview
An SSH key will let you automatically log into your server from one particular computer without needing to enter your password. This is convenient if you make frequent SSH and scp connections to your server.
Results
You will create an SSH key on your computer, and then configure your server to accept it. This will allow you to automatically log into your server from this computer, without being prompted for your password.
CAUTION:
Please do not set up an SSH key on a public or shared computer that does not use individual profiles. This will allow strangers to easily access your server.
Instructions
Windows users using PuTTY (credits to MediaTemple for this tutorial)
Requirements
- PuTTY
- PuTTYgen
- Pageant
1. Generate the Key
Run PuTTYgen.exe.
Click “Generate” and move your mouse.
Once the key is generated, enter your key passphrase.
Then click ‘Save public key’ and ‘Save private key.’
2. Select & configure your user
Let’s choose a user for which to create the SSH key. In our example, the user is “root” on “mt-example.com”:
Connect to your server as the root user.
su -
mkdir ~/.ssh
cd ~/.ssh
vi authorized_keys   # or: nano authorized_keys
Paste your public SSH key into the file on a single line.
It should look similar to the following:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBvo93MZvQS8gtB5+fy8yPT+6SrZfJAA4C4lJYydp/pf8KfXTU303xLiTSrXcwDOSUykBi7DVdloOIpZQtQOFJMEwXx+wMWausxp0T5W//pfMfZYTg4ZDDQwWG4bUAl+l6pFDwQwEtm2KN6C4lyfJNMDNqdtjqw9/HvAfO5xoyceQ==
You will want to protect the file and the directory by restricting their permissions.
chmod 600 ~/.ssh/authorized_keys && chmod 700 ~/.ssh/
3. Add the private key
Run Pageant.exe.
This application runs in the background. When it loads, it should be displayed in your tray.
Right click the icon and click on “Add Key.”
4. Turning off the Password Authentication for the SSH server:
Open the SSH daemon configuration file:
nano /etc/ssh/sshd_config
Search for PasswordAuthentication and change it to ‘no’. Then find ‘Port’ and change it to a random number, e.g. 6799. Save the file with ‘CTRL + X’.
Then restart the SSH Daemon, e.g.
service sshd restart   # or: /etc/init.d/sshd restart
Now stay connected to the remote server; do NOT log off at this stage.
5. Connect using your SSH key with PuTTY
Open PuTTY and connect as “root@yoursite.com.”
Since Pageant.exe has your passphrase stored, you connect without entering your password.
Linux users using Terminal
1. This step is performed on your server.
Make sure you are logged in as root in your server’s SSH terminal, then create the key pair:
mkdir ~/.ssh
cd ~/.ssh
ssh-keygen -t rsa -b 2048 -f myKey -C "myKey"
It will ask for a passphrase (password) for the key file so that only you can use it; enter one and note it down. The command then generates two files: a) myKey.pub and b) myKey. myKey is the private key (like the key that opens your door) and myKey.pub is the public key (think of it as the lock on your door; only your private key can open it).
Now copy the content of the myKey file by opening it with vi or nano, e.g.
vi myKey   # or: nano myKey
Copy and paste the content of the myKey file into a text file on your own PC and save it as myKey (ideally also make a backup of the key on a backup hard drive).
Once the private key ‘myKey’ is copied and backed up on your PC, you can delete the myKey file on the server:
rm myKey
Next, add the public key to the authorized_keys file (fitting the new lock to the door) so that the new private key can log in (open the lock):
cat myKey.pub >> authorized_keys
rm myKey.pub   # then delete the public key
Now let’s make sure the permissions on authorized_keys are correct.
chmod 600 ~/.ssh/authorized_keys && chmod 700 ~/.ssh/
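The PuTTY step 2 above and Linux step 1 both paste a key into authorized_keys and then fix its permissions by hand. The following shell function, an added example that is not part of the original article, does the same job with three checks the article leaves to the reader: it refuses anything that is not an OpenSSH public key line (a pasted PuTTY header, a private key, a line broken in two), it never appends the same key twice, and it creates the directory and file with private permissions from the start. The function name and the optional second argument (a scratch directory instead of ~/.ssh) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original article): install a public key into
# authorized_keys with format validation, de-duplication and correct
# permissions. Usage:
#   install_authorized_key "<public key line>" [ssh_dir]
# ssh_dir defaults to $HOME/.ssh; pass a scratch directory to try it safely.

install_authorized_key() {
    key="$1"
    ssh_dir="${2:-$HOME/.ssh}"
    auth="$ssh_dir/authorized_keys"

    # Accept only the key types OpenSSH understands. Anything else is
    # rejected before it can be written to the file.
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 2 ;;
    esac

    # Split "<type> <base64 blob> [comment]" with POSIX parameter expansion.
    ktype=${key%% *}
    rest=${key#* }
    blob=${rest%% *}
    if ! printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$'; then
        echo "refusing: key material is not base64" >&2
        return 2
    fi

    # umask 077 means the directory and file are private from the moment
    # they exist, not only after the chmod at the end.
    old_umask=$(umask)
    umask 077
    mkdir -p "$ssh_dir" || return 1
    touch "$auth" || return 1
    umask "$old_umask"

    # Idempotent: compare type and blob only, ignoring the comment field,
    # so re-running the step does not grow the file.
    if awk -v t="$ktype" -v b="$blob" \
        '$1 == t && $2 == b { found = 1 } END { exit found ? 0 : 1 }' "$auth"; then
        echo "key already present in $auth"
    else
        printf '%s\n' "$key" >> "$auth" || return 1
        echo "key appended to $auth"
    fi

    # Same permissions the article sets: sshd ignores the file otherwise.
    chmod 700 "$ssh_dir" && chmod 600 "$auth"
}
```

Run it as the target user with the public key line as the first argument. Because sshd refuses an authorized_keys file that is group- or world-writable, the permission fix is not optional; the function applies it on every call so a later accidental chmod is repaired the next time a key is added.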
2. Turning off the Password Authentication for the SSH server:
Open the SSH daemon configuration file:
nano /etc/ssh/sshd_config
Search for PasswordAuthentication and change it to ‘no’. Then find ‘Port’ and change it to a random number, e.g. 6799. Save the file with ‘CTRL + X’.
Then restart the SSH Daemon, e.g.
service sshd restart   # or: /etc/init.d/sshd restart
Now stay connected to the remote server; do NOT log off at this stage.
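Both versions of this step (PuTTY step 4 and Linux step 2) edit sshd_config and restart the daemon straight away. One detail worth checking first: sshd uses the first uncommented occurrence of each keyword, so a "PasswordAuthentication no" added at the bottom of a file that still says "yes" higher up is silently ignored. The shell functions below are an added example, not code from the original article; they read the settings the way sshd does and report whether key-only login is actually configured. The sample configuration files are constructed for the demonstration, and the function names are this example's own. Match blocks and Include files are not handled.

```shell
#!/bin/sh
# Added example (not from the original article): check an sshd_config for
# key-only login before restarting sshd. Keywords are case-insensitive and
# the FIRST uncommented occurrence wins, exactly as in sshd.

# effective_setting <file> <keyword>: print the value sshd will use, or
# nothing if the keyword is not set (the compiled-in default then applies).
effective_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }               # skip comments and blanks
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1"
}

# check_sshd_config <file>: returns 0 when password login is off and key
# login is on, 1 otherwise, printing one line per finding.
check_sshd_config() {
    f="$1"
    rc=0
    pw=$(effective_setting "$f" PasswordAuthentication)
    pk=$(effective_setting "$f" PubkeyAuthentication)
    port=$(effective_setting "$f" Port)

    if [ "$pw" = "no" ]; then
        echo "ok: PasswordAuthentication no"
    else
        echo "FAIL: PasswordAuthentication is '${pw:-yes (default)}'"
        rc=1
    fi
    # PubkeyAuthentication defaults to yes; only an explicit "no" locks
    # the new key out.
    if [ "${pk:-yes}" = "yes" ]; then
        echo "ok: PubkeyAuthentication yes"
    else
        echo "FAIL: PubkeyAuthentication is '$pk'"
        rc=1
    fi
    echo "info: sshd will listen on port ${port:-22}"
    return $rc
}

# write_sample_configs <dir>: two constructed files for trying the checker.
# hardened.conf is the file as the tutorial leaves it; trap.conf shows the
# "no" appended below a distribution default "yes", which sshd never reaches.
write_sample_configs() {
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample
Port 6799
PubkeyAuthentication yes
PasswordAuthentication no
EOF
    cat > "$1/trap.conf" <<'EOF'
# constructed sample: a distribution default left in place ...
PasswordAuthentication yes
Port 6799
# ... and the tutorial's edit appended below it
PasswordAuthentication no
EOF
}
```

Run `check_sshd_config /etc/ssh/sshd_config` after editing, then `sshd -t -f /etc/ssh/sshd_config` to let sshd itself validate the syntax, and only then restart. Two further cautions before the restart: if a firewall is in front of the server, the new port (6799 in the article) must be allowed through before sshd moves to it, and the verification from a second terminal is more convincing with `ssh -o BatchMode=yes -o PasswordAuthentication=no -p 6799 root@yoursite.com`, which fails outright if the key is not being used rather than quietly falling back to a password prompt.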
3. Testing if the key is working correctly
First, open a NEW terminal on your local PC; the key needs to be loaded there. Log in as root, e.g.
su -
Once you have entered your password and logged in, add the private key, assuming it is stored at /keys/myKey:
exec ssh-agent bash
ssh-add /keys/myKey
Now, try to login to your server:
ssh -p 6799 root@69.64.69.65
If you can log in without entering the root password, your key pair is working correctly. If not, repeat step 1.