Following up on our server security topic from last week, another great way to secure your server is through authentication using SSH keys.
Securing your server with SSH keys is a great way to defend against brute-force attacks, since keys are far longer and more complex than typical passwords. Having an RSA key pair also saves you from typing passwords, and you won’t have to worry about passwords expiring.
RSA key authentication uses a pair of keys: a public key and a private key. Because the two halves differ, this is called asymmetric cryptography, as opposed to symmetric cryptography, which uses the same key on both ends. You will need to save the private key as a file and keep it safe so that you can log in through SSH. Make sure you don’t lose it, because each private key matches exactly one public key.
In this guide we implement the keys on a Windows client using PuTTYgen. This application generates both a public and a private key, which you will use when accessing your server instead of typing a password. If you prefer two-factor authentication, which is more secure, leave password authentication enabled so that logging in to your server requires both the RSA key and the password. There are a few parts to this: generating the keys, installing the public key, and configuring OpenSSH to disable passwords. To learn how to implement RSA keys, keep reading!
- Install PuTTYgen.
Generating RSA keys with a Windows Client
- Open PuTTY Key Generator on your Windows client.
- Select “SSH-2 RSA” as the type of key to generate and click “Generate.”
- To generate the key, move your cursor randomly over the blank area until the progress bar is fully green and completes.
- Then save both the public and private key. Note that the single-line key that OpenSSH expects in authorized_keys is shown in PuTTYgen’s “Public key for pasting into OpenSSH authorized_keys file” box; copy it from there, because the “Save public key” button writes a multi-line format that OpenSSH does not accept in authorized_keys.
Implementing Public Key in Your CentOS Server
1. If you don’t already have a ~/.ssh directory, create one to hold the public key you saved earlier.
2. Create the authorized_keys file with any editor you’re comfortable with (nano, vi, vim, etc.).
3. Paste your entire public key as a single line, then save and exit. Your key should look something like this:
[Sample output of RSA public key]
4. After saving and exiting the file, set the permissions on the ~/.ssh directory so that only you, the owner, can read, write, and execute (enter) it.
# chmod 700 ~/.ssh
5. Now set the permissions on the file we created so that only the owner can read and write it.
# chmod 600 ~/.ssh/authorized_keys
6. Restore the SELinux context on the directory by typing the following:
# restorecon -Rv ~/.ssh
Configure OpenSSH to Disable Passwords
1. Open /etc/ssh/sshd_config to disable password authentication (if you still want two-factor authentication, leave this set to yes).
Look for the PasswordAuthentication line and change its value to “no”. Before you do this, confirm in a separate session that logging in with your key works, so you don’t lock yourself out of the server.
2. Restart OpenSSH with the following:
# service sshd restart
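As an added example, not code from the original post, the following script carries out steps 1 through 6 of the CentOS section and then reports the PasswordAuthentication value that sshd will actually use. It assumes $HOME is the account being configured, that restorecon exists only on SELinux hosts, and that the key passed in is the one-line text from PuTTYgen’s OpenSSH box; the sample key in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): automates the CentOS side of the guide.
# ASSUMPTIONS: $HOME is the target account's home, restorecon is present only on
# SELinux hosts, and the key passed in is the one-line text from PuTTYgen's
# "Public key for pasting into OpenSSH authorized_keys file" box.

# Append one public key to ~/.ssh/authorized_keys with the guide's permissions.
install_pubkey() {
    key="$1"
    ssh_dir="${HOME}/.ssh"
    # PuTTYgen's "Save public key" writes a multi-line SSH2 format that sshd
    # will not read from authorized_keys; insist on the one-line OpenSSH form.
    case "$key" in
        ssh-rsa\ *) ;;
        *) echo "expected a one-line key starting with 'ssh-rsa '" >&2; return 1 ;;
    esac
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"                    # step 4: owner-only directory
    touch "$ssh_dir/authorized_keys"
    # do not add the same key twice
    grep -qxF "$key" "$ssh_dir/authorized_keys" \
        || printf '%s\n' "$key" >> "$ssh_dir/authorized_keys"
    chmod 600 "$ssh_dir/authorized_keys"    # step 5: owner read/write only
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -Rv "$ssh_dir" >/dev/null 2>&1 || true   # step 6: SELinux context
    fi
}

# Print the PasswordAuthentication value sshd will use from a config file.
# sshd takes the first value it reads for a keyword; if the keyword is absent
# the compiled-in default is "yes", so passwords are still accepted.
password_auth_setting() {
    val=$(grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]+' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'yes\n'; fi
}

# Usage (constructed placeholder key): sh install_key.sh "ssh-rsa AAAA... user@client"
if [ $# -gt 0 ]; then
    install_pubkey "$1"
    echo "PasswordAuthentication is: $(password_auth_setting /etc/ssh/sshd_config)"
fi
```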
Connect to the Server through SSH (PuTTY)
- Enter the server IP and port number.
- Expand the SSH tree in the left-hand Category pane.
- Select Auth.
- Browse to where you saved your private key, select it, and open the connection.
That’s it! If you have any questions about securing your server with SSH Keys, feel free to ask them in the comments below so that we can help you.