Securing SSH with Keypairs

Securing a SSH conection via a Private/Public key pair is a very good idea. It allows you to disable password authentication on the server and is a highly recommended option if you are not behind a firewall. As best practice I usually put key pairs in place on all my servers, behind firewalls or not.

This guide will explain how to do this using a Windows machine that uses the Putty SSH client. I will also do a guide that covers creating a key pair for a Linux local machine at a later date. First of all you will need to generate the key pair that we will use. For this I use PuttyGen. PuttyGen is included with the standard Putty install for windows, to open it either navigate to the Putty install folder or search for PuttyGen from your start bar.

This will open up in a small window and give you several options:
Generate a key pair – this will lety ou make a new key
Load in an existing private key – This will let you view a key in an existing file
Save the generated key – this will be greyed out until we create the key pair type of key to generate.
RSA – This is the one we will be using, known as public key cryptography.

Number of bits in key – I make sure this is set to 2048 for my key generation, if it is set to 1024 increase the value.

 

Step 1

Click ‘generate key’ and it will ask you to move your mouse over the grey area to provide random input that will become the key. Once generated it will give you the Public-key, which we will need to add to the server. I usualy copy this to a .txt document that I delete once I have finished the key pair configuration.

You can add a comment to the key file, handy if you plan on setting up multi-key access, it will let you keep track of which key is used by which login. Setting a key passphrase will add a password that is required to use or access the key, another layer of security that is well worth adding. Make sure to save both the public and private keys, and make sure to keep them secure. Do not give these files to anyone other than the intended person who you are creating the access for.

 

Step 2

Now you need to access the server you want to add the key to, we need to create a new directory for the keys to be added in.

[user@server ~]$ mkdir ~/.ssh/

Change to that directory then enter pwd to bring the file patch up and it should be similar to: /home/user/.ssh

In this directory create a new file called “authorized_keys”

[user@server ~]$ cd ~/.ssh/
[user@server ~]$ nano authorized_keys

and in this file copy the public key you generated all on one line. If you add extra keys to this file make sure each key goes on a new line. Save and exit your editor then we need to set the permissions for the file.

[user@server ~]$ chmod 500 authorized_keys
[user@server ~]$ ls -a

Make sure that the user you are logged in as is the owner of the file.

[user@server ~]$ chown -R user:user ~/.ssh

 

Step 3

You now need to edit the ssh config file to allow logins that use keys. You need to be root to be able to edit this file.

[user@server ~]$ sudo -i
[root@server ~]$ nano /etc/ssh/sshd_config

You need to uncomment the line “PubkeyAuthentication yes” and make sure it is set to yes. Save and exit your changes then restart ssh.

[root@server ~]$ systemctl restart sshd

 

Step 3

At this point it is worth staying logged in as your user, and open a new Putty session to test they key allows you to login with it.

Open a new Putty connection and on the left dropdown menu select the option for SSH then click on Auth.

In here you have an option to “Browse” use this to find your private key that you saved earlier. Chose ‘open’ and the file path should appear in the browse box. Go back to the Session part of Putty (where you enter your server address) and try to connect to your server as normal, using your user name. It should conect to the server and display as follows:

login as: user
Authenticating with public key “key name”
Passphrase for key “key name”:

 

Step 4

Once you have verified that the key pair is working, you can go back to the ssh config file and disable password authentication on login. Again, you will need to be root to edit the config file.

[user@server ~]$ nano /etc/ssh/sshd_config

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

Reload ssh and you no longer have to worry about password hacks on your server.

[root@server ~]$ systemctl restart sshd