SSH - The secure way to remotely control linux

in #technology7 years ago


SSH is a well known and widely used protocol on linux server machines. It's basically a remote command shell to the machine. It's fast and secure, unlike telnet, which is another remote shell server. Telnet sends messages in clear text, meaning that an attacker can read passwords, commands and files sent over telnet. So that's why SSH is really good, it provides an encrypted connection between a server and a client. You still have to use passwords for your login, but the connection is encrypted at least. But today I'll show you how to setup SSH with asymmtric key authentication.


Server Setup

You don't need to pay for any SSL certs to use this feature. SSH has a utility called ssh-keygen. So to generate our new keys we need to execute just a simple command:
ssh-keygen -t rsa
-t rsa specifies that we want to create an RSA key. RSA is pretty much the standard for asymmetric crypto.
SSH will ask you questions about the key, for example email, country code etc... You can enter your real info here, but you can just press eneter to use the default options.

Key password

SSH will ask you for the password of the key. You can leave it empty or you can type in a secure long password. Having a password will prevent someone from using your key without your password. But you don't need to set a password, because giving the private key out is wrong by itself.

Setting up the user for ssh key authentication

My user for this post is named sshuser so SSH will generate the public and the private key under /home/sshuser/.ssh
A dot before a directory or file name means that, it's hidden. You can list hidden files with the ll alias or use ls -la to achive the same effect. Navigate to that directory by typing:
cd /home/sshuser/.ssh
Here you need to authorize that key. To do this we have to add the Public key to a file named authorized_keys.
If you don't have this file or you have just this one key you want to use for this user, then type:
echo $(cat id_rsa.pub) > authorized_keys
If you already have a key and you want to keep using it, then:
echo $(cat id_rsa.pub) >> authorized_keys
>> appends or creates a file, while > overrides or creates a file.

Setting up the server for ssh key authentication

It's ok that we have all this keys now, but we need the server to start using them, and ditch the password login to prevent bruteforcing.
Your ssh server's config file is located under /etc/ssh/sshd_config, notice it's sshd not ssh in the file name.
Open the file and add the following lines:

  • PermitRootLogin no disable password login for the root user
  • RSAAuthentication yesenable authentication using RSA
  • PubkeyAuthentication yes enable authentication using public keys
  • PermitEmptyPasswords no disable the login with empty passwords
  • PasswordAuthentication no disable password authentication completely

Save & Close the file.
Reload your ssh server by typing: service ssh reload
Note: This will not drop your exesting session!

Client setup

We need a client capable of connecting to our server with the generated keys.
I will use putty for this, it's a really good SSH client that I use every day.
We will need the putty client and the puttygen for this one. You can download both from putty's website.

Download our key

Transfer our Private Key from the server (/etc/sshuser/.ssh/id_rsa) to our client. You can do this in several ways. Just remember that nobody should see your private key. If you want to transfer it fast and secure, without 3rd party services check out my Secure FTP Tutorial.
Once you have the key open puttygen and select Conversions > Import key select you private key and press OK.
If you added a password to your key, then you need to type it in to Key passphrase and Confirm passphrase.
Now we can select Save private key. This will generate a putty private key or .ppk file. You can't share this one with anybody either. Close puttygen.

Setting up Putty

  • Enter the IP of your server or your hostname to the hostname field at the top
  • Select SSH below the IP field.
  • (Optional) On the left side under Connection > Data you can set the Auto-login username field to sshuser or you username to automatically perform the login after connecting.
  • On the left side under Connection > SSH > Auth press browser next to the Private key file for authentication field and select your .ppk file generated in the previous step.
  • (Optional) One the left side under Session you can set the Session Name field to anything you like and press Save, this will add the current options to the listbox next to the Save button. Next time you open putty, just select it from the list, and press Load to load you configurations.

After you configured putty or loaded your configuration, press Open to connect to your server.
You may need to specifiy your username, in this case I type in sshuser and press enter.
And voila, you're connected via an SSH encrypted connection to your server without passwords. How cool is that?

Summary

There's more to SSH and Putty than I said in this post, so if you're intrested check them in the sources section or comment if you want an SSH or Putty review. SSH is the bare minimum to run a remote server you have no physical access to. A secure connection is a must, because you operate with the system over the air, and you don't want others editing/looking at you commands, passwords, files etc... Many users know and use SSH but they don't have key authentication enabled. Some of the people even has the key authentication, but they forget to disable password logins, leaving their accounts still brute forcable through SSH.
Now go and secure your SSH if you haven't already.

Sources

PuTTY's website
sshd_config's Man Page
ssh-keygen's Man Page

Sort:  

Well explained! I still remember the first time I used SSH and PuTTY, took a while to get used to but I managed quickly.

Thank you for the kind words!
For the first time I had issues with the authorized_keys file, I didn't know about that file, and when I disabled password authentication on the SSH conf (yeah dumb move it was my first ever VPS) without testing the key authentication, I locked myself out from that box :). I needed to reset it via the shell provided by the VPS provider.

Coin Marketplace

STEEM 0.19
TRX 0.18
JST 0.034
BTC 89422.86
ETH 3144.72
USDT 1.00
SBD 2.76