Following up on our server security topic from last week, another great way to secure your server is through authentication using SSH keys.
Securing your server with SSH Keys is a great way to prevent brute force attacks as the keys tend to be much longer and complex. Having a pair of RSA keys will save you time on typing out your passwords and you won’t have to worry about any passwords expiring.
The way RSA keys work is having two sets of keys: a public and a private key. Since we need both a set of public and private, this is known as an asymmetric key as opposed to a symmetric key (using the same key on both ends). You will need to download and keep a file of the private key so that you can log in through SSH. You must also make sure to not lose this key as each private and public key is unique to one another.
With this guide, we are implementing the keys on a Windows client using PuTTY gen. This application will generate both a public and a private key which you will use when accessing your server as opposed to typing out the password. Of course, if you would like to opt for two-factor authentication, this would be more secure. This would mean that the passwords would be enabled and you would have to go through your server both with the RSA key and password. There are a few parts to this, such as generating the keys, inputting the public key, and configuring OpenSSH to disable passwords. To learn how to implement RSA keys, keep reading!
Requirements
- Install PuTTY gen
Generating RSA keys with a Windows Client
- Open PuTTY Key Generator on your Windows client.
- Be sure to select “SSH-2 RSA” key to generate and click “Generate.”
- To generate the key, you will need to move your cursor around randomly over the blank area continuously until the bar is fully green and completed.
- After, click to save both public and private key.
Implementing Public Key in Your CentOS Server
1. If you don’t already have a ~/.ssh directory, create one so that you can paste in the public key you have saved earlier.
#mkdir ~/.ssh
2. Begin creating the authorized_keys file by using any editing command you’re comfortable with (nano, vi, vim, etc.)
#nano ~/.ssh/authorized_keys
3. After, paste your entire public key from top to bottom, save, then exit. Your key should look something like this.
[Sample output of RSA public key]:
———————–
ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAQEAu9f5Ks4idxebeQ2Frufqnc34hS3gY+2ciDbWvEC
DA3bkaiHixNHxBgD5Bxqb4rYFKqqYA2Qy6Lq3gySgiXsmxQD4VYNidn3hXhqARO3/y+0GstH97p8+
Am9BAwmzC/M4KvyoijsJsjs2jUukyDUsftLk1mVe4VuD5yo+XNBpjSr/R43w8LHaX5P+Tqzs+3/g2O
nmlqGJ0mgj34SkMBkybWb4107fnhH5Z4bhM84/hFgco0YRQAoW5AKUv85qmvPCFiDbVMhmDm
M3OP2Gb3++N0N58QOWhsA6IV6OGYgW/BrHZxEUyiXVbhCo+AUIxmXAfx/egOUc1fTmocKJnJk
WfQ== rsa-key-20180516
———————–
4. After saving and exiting the file, you must set the file permission so that only you as the owner can read, write, and execute.
#chmod 700 ~/.ssh
5. Now, we must set the permissions for the file we’ve created to read and write by the owner.
#chmod 600 ~/.ssh/authorized_keys
6. To set the SELinux context, type the following:
#restorecon -Rv ~/.ssh
Configure OpenSSH to Disable Passwords
1. Open sshd_config file in order to disable password authentication (if you still want two-factor authentication, you can leave this as yes.)
#nano /etc/ssh/sshd_config
Then look for below and change to “no”.
PasswordAuthentication no
2. Restart openssh using the following:
#service sshd restart
Connect Server through SSH (PuTTY)
- Enter server IP and port number.
- Expand SSH tree from the left-hand categories.
- Select Auth.
- Browse where you have saved your private key, hit select, and begin your connection.
That’s it! If you have any questions about securing your server with SSH Keys, feel free to ask them in the comments below so that we can help you.
Hi All at CWH … I love these excellent learning articles. Good job, well done. I had been using putty for whois and tail for years, yet had no idea it also had key gen functions. My question: Is the server installation exactly the same for a linuxcloud vps?
Hey Catherin! The putty key gen is separate from the putty you use to SSH with. You will need to install the key gen separately. If your cloud VPS is CentOS then the above steps should be fine. However, if it uses Ubuntu it may be slightly different.
[…] making it much harder for someone to gain access to your system. Previously, we went over how to secure your server with SSH keys on a Windows client using PuTTY gen. Today, we will be going over the steps of securing your server by generating RSA […]