SSH - The secure way to remotely control Linux
SSH is a well known and widely used protocol for administering Linux servers. It is basically a remote command shell to the machine. It is fast and secure, unlike telnet, which is another remote shell server. Telnet sends everything in clear text, meaning that anyone on the network path can read the passwords, commands and files sent over it. That is why SSH is so good: it provides an encrypted connection between a server and a client. By default you still log in with a password, but at least the connection is encrypted. Today I'll show you how to set up SSH with asymmetric key authentication, which gets rid of the password login entirely.
Server Setup
You don't need to pay for any certificates to use this feature: there is no certificate authority involved, just a key pair you generate yourself. SSH ships with a utility called ssh-keygen. So to generate our new keys we need to execute just a simple command:
ssh-keygen -t rsa
-t rsa specifies that we want to create an RSA key. RSA is the traditional choice for asymmetric crypto in SSH. If you use it, ask for a 4096-bit key with -b 4096; ssh-keygen's default size depends on the version (2048 or 3072 bits), and 2048 is the minimum you should accept today. Newer OpenSSH versions also support -t ed25519, which is faster and produces much shorter keys; use it if both your server and your PuTTY version (recent releases do) understand it.
ssh-keygen will ask where to save the key (press Enter to accept the default, /home/<user>/.ssh/id_rsa) and then for a passphrase. Unlike a certificate request, it does not ask for an email address, country code or similar details; the comment at the end of the public key is filled in automatically as user@host.
Key passphrase
ssh-keygen will ask you for a passphrase for the key. You can leave it empty or type in a long, secure passphrase. With a passphrase the private key file on disk is encrypted, so someone who copies it (a stolen laptop, an old backup, a compromised account) still cannot use it without the passphrase. You should never give the private key out in the first place, but since the whole point of key authentication is that the key alone grants access, treat the passphrase as the safety net for the day the file leaks. Leaving it empty is only reasonable for keys used by automated jobs, and those should be locked down on the server side with options in authorized_keys (for example from= and command=).
Setting up the user for ssh key authentication
My user for this post is named sshuser, so ssh-keygen puts the private key and the public key under /home/sshuser/.ssh as id_rsa and id_rsa.pub.
A dot before a directory or file name means that it is hidden. You can list hidden files with the ll alias or use ls -la to achieve the same effect. Navigate to that directory by typing:
cd /home/sshuser/.ssh
Here you need to authorize that key. To do this we add the public key (id_rsa.pub, never id_rsa) to a file named authorized_keys.
If you don't have this file, or this is the only key you want to use for this user, then type:
cat id_rsa.pub > authorized_keys
If you already have a key and you want to keep using it, then:
cat id_rsa.pub >> authorized_keys
>> appends to a file (creating it if needed), while > overwrites or creates a file.
sshd is picky about permissions (the StrictModes option, on by default): the .ssh directory must not be writable by anyone but the user (mode 700) and authorized_keys should be readable only by the user (mode 600). If they are looser than that, sshd silently ignores the key and you fall back to the password prompt, which is the most common reason "key authentication doesn't work".
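The authorized_keys step above, as an added example (not code from the original post) in the form of a reusable shell function: it refuses anything that is not a public key line, creates .ssh and authorized_keys with the permissions StrictModes expects, and only appends the key if that exact line is not already there, so it can be run again for the same key without piling up duplicates. The key line and the sshuser@example comment in the demo are constructed filler, not a real RSA key.

```shell
#!/bin/sh
# Added example, not code from the original post: do the authorized_keys step
# as a function that is safe to run more than once and that sets the
# permissions sshd's StrictModes option (on by default) requires.
# The key line used in the demo is constructed filler, not a real RSA key.

# install_pubkey <public-key-file> <authorized_keys-file>
# Appends the key to authorized_keys unless the exact line is already there,
# creating the .ssh directory (0700) and authorized_keys (0600) when missing.
install_pubkey() {
    pubkey_file=$1
    auth_file=$2
    auth_dir=$(dirname "$auth_file")

    pubkey=$(head -n 1 "$pubkey_file")
    # Refuse anything that does not look like an OpenSSH public key line;
    # the classic mistake here is pasting id_rsa (the private key) instead.
    case "$pubkey" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$auth_dir"
    chmod 700 "$auth_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # sshd tolerates duplicate lines, but they make key rotation confusing later.
    if grep -qxF -- "$pubkey" "$auth_file"; then
        echo "already authorized: $auth_file"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
    echo "authorized: $auth_file"
}

# count_keys <authorized_keys-file>: number of lines that are not blank or comments.
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# --- demo in a temporary directory with a constructed key ---
DEMO_HOME=$(mktemp -d)
trap 'rm -rf "$DEMO_HOME"' EXIT
DEMO_PUB="$DEMO_HOME/id_rsa.pub"
DEMO_AUTH="$DEMO_HOME/.ssh/authorized_keys"
# Constructed key material (not a real key); a real id_rsa.pub looks the same, only longer.
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEMOKEYNOTREAL sshuser@example\n' > "$DEMO_PUB"

install_pubkey "$DEMO_PUB" "$DEMO_AUTH"   # first run: appends the key
install_pubkey "$DEMO_PUB" "$DEMO_AUTH"   # second run: no duplicate
echo "keys in $DEMO_AUTH: $(count_keys "$DEMO_AUTH")"
```

On a real server you would call install_pubkey with /home/sshuser/.ssh/id_rsa.pub and /home/sshuser/.ssh/authorized_keys as the user itself (or fix ownership with chown afterwards, since StrictModes also checks that the directory belongs to the user).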
Setting up the server for ssh key authentication
It's fine that we have all these keys now, but we need the server to start using them and ditch the password login to prevent brute forcing.
Your SSH server's config file is located under /etc/ssh/sshd_config, notice it's sshd not ssh in the file name (ssh_config is the client's file).
Open the file and set the following options. Most of them are probably already in the file, commented out with a # and showing the default; edit those lines rather than appending new ones at the bottom, because sshd uses the first value it finds for a keyword and ignores any later ones:
PermitRootLogin no
disables logging in as root entirely (log in as your user and use sudo)
RSAAuthentication yes
only applied to the old SSH protocol 1; modern OpenSSH ignores it with a "deprecated option" warning, so you can leave it out
PubkeyAuthentication yes
enables authentication using public keys
PermitEmptyPasswords no
disables the login with empty passwords
PasswordAuthentication no
disables password authentication completely
On most distributions PAM can still present a password prompt through keyboard-interactive authentication even with PasswordAuthentication no, so also set KbdInteractiveAuthentication no (the option is called ChallengeResponseAuthentication on OpenSSH older than 8.7).
Save & close the file.
Check the file for typos before reloading, because a broken sshd_config makes the reload fail: sshd -t prints nothing if the config is valid and the offending line otherwise.
Reload your SSH server by typing: service ssh reload (the service is called sshd on Red Hat based systems; on systemd distributions systemctl reload ssh does the same).
Note: This will not drop your existing session! Keep it open and test the key login from a second window before you close it; if the key does not work you can still fix the config from the first session instead of being locked out.
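As an added example (not from the original post), a small audit script for the settings just listed. It handles the two things that trip people up here: sshd takes the first value it finds for a keyword, so a hardened line appended at the bottom of sshd_config loses to a permissive one above it, and a keyword that is missing takes OpenSSH's default, which for PasswordAuthentication is yes. Keywords inside a Match block are conditional and are not counted as the global value. The two config files in the demo are constructed for the example; the backup user in the Match block is made up.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config file
# for the settings recommended in the post. sshd uses the FIRST value it
# finds for a keyword (case-insensitive), absent keywords fall back to the
# OpenSSH default, and anything after the first Match block is conditional.
# Both config files created in the demo below are constructed.

# effective_value <config-file> <keyword> [alias-keyword...]
# Prints the value sshd would use for the keyword, or nothing if it is absent.
effective_value() {
    cfg=$1
    shift
    keys=$(printf '%s ' "$@" | tr 'A-Z' 'a-z')   # sshd keywords are case-insensitive
    awk -v want="$keys" '
        BEGIN { n = split(want, ws, " "); for (i = 1; i <= n; i++) wanted[ws[i]] = 1 }
        { sub(/^[ \t]+/, "") }                          # allow indented lines
        /^#/ || /^$/ { next }                           # comments and blank lines
        { split($0, f, "[ \t=]+"); k = tolower(f[1]) }  # "Keyword value" or "Keyword=value"
        k == "match" { inmatch = 1; next }              # everything after the first Match is conditional
        inmatch { next }
        (k in wanted) { print f[2]; exit }              # first occurrence wins
    ' "$cfg"
}

# check_sshd_config <config-file>
# Prints one line per setting and returns 1 if any of them is not as recommended.
check_sshd_config() {
    cfg=$1
    rc=0
    # "keyword(s):required value:OpenSSH default when the keyword is absent"
    for spec in \
        "PermitRootLogin:no:prohibit-password" \
        "PubkeyAuthentication:yes:yes" \
        "PasswordAuthentication:no:yes" \
        "PermitEmptyPasswords:no:no" \
        "KbdInteractiveAuthentication ChallengeResponseAuthentication:no:yes"
    do
        keys=${spec%%:*}
        rest=${spec#*:}
        want=${rest%%:*}
        default=${rest#*:}
        label=${keys%% *}
        got=$(effective_value "$cfg" $keys)   # unquoted on purpose: each alias becomes an argument
        if [ -z "$got" ]; then
            got="$default (default, keyword missing)"
        fi
        if [ "${got%% *}" = "$want" ]; then
            echo "ok    $label = $got"
        else
            echo "FAIL  $label = $got (want $want)"
            rc=1
        fi
    done
    return $rc
}

# --- demo with two constructed config files ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
WEAK_CFG="$DEMO_DIR/sshd_config.weak"
HARD_CFG="$DEMO_DIR/sshd_config.hard"

# Looks hardened at a glance, but the appended "no" never takes effect
# and PermitRootLogin is still at its default.
cat > "$WEAK_CFG" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
# added later, ignored by sshd because the keyword already has a value above:
PasswordAuthentication no
EOF

# The settings from the post, plus a Match block that must not count as global.
cat > "$HARD_CFG" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication yes
EOF

echo "== $WEAK_CFG"; check_sshd_config "$WEAK_CFG" || echo "   -> needs fixing"
echo "== $HARD_CFG"; check_sshd_config "$HARD_CFG" || echo "   -> needs fixing"
```

Run check_sshd_config against /etc/ssh/sshd_config after editing. The authoritative check is sshd itself: sshd -T (as root, since it loads the host keys) prints the effective value of every keyword after parsing, including anything pulled in through Include directives that this script does not follow, and sshd -t validates the syntax before you reload.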
Client setup
We need a client capable of connecting to our server with the generated keys.
I will use PuTTY for this, it's a really good SSH client that I use every day.
We will need the PuTTY client and PuTTYgen for this one. You can download both from PuTTY's website.
Download our key
Transfer our private key from the server (/home/sshuser/.ssh/id_rsa) to our client. You can do this in several ways. Just remember that nobody should see your private key, and delete it from the server once it is safely on the client: the server only needs the public key in authorized_keys. (Generating the key pair on the client with PuTTYgen and uploading only the public key avoids this transfer altogether; this post works the other way around because it starts on the server side.) If you want to transfer it fast and securely, without 3rd party services, check out my Secure FTP Tutorial.
Once you have the key, open PuTTYgen and select Conversions > Import key, select your private key and press OK.
If you added a passphrase to your key, then you need to type it in to Key passphrase and Confirm passphrase.
Now we can select Save private key. This will generate a PuTTY private key or .ppk file. You can't share this one with anybody either. Close PuTTYgen.
Setting up PuTTY
- Enter the IP or hostname of your server in the Host Name field at the top.
- Select SSH below the host name field.
- (Optional) On the left side under Connection > Data you can set the Auto-login username field to sshuser, or your username, to log in automatically after connecting.
- On the left side under Connection > SSH > Auth (Connection > SSH > Auth > Credentials in recent PuTTY versions) press Browse next to the Private key file for authentication field and select the .ppk file generated in the previous step.
- (Optional) On the left side under Session you can set the Saved Sessions field to anything you like and press Save; this adds the current options to the list box next to the Save button. Next time you open PuTTY, just select it from the list and press Load to load your configuration.
After you have configured PuTTY or loaded your configuration, press Open to connect to your server.
You may need to specify your username; in this case I type in sshuser and press Enter.
And voila, you're connected via an SSH encrypted connection to your server without passwords. How cool is that?
Summary
There's more to SSH and PuTTY than I covered in this post, so if you're interested check them out in the sources section, or comment if you want an SSH or PuTTY review. SSH is the bare minimum for running a remote server you have no physical access to. A secure connection is a must, because you operate the system over the network, and you don't want others reading or tampering with your commands, passwords, files etc... Many users know and use SSH but don't have key authentication enabled. Some people even have key authentication set up but forget to disable password logins, leaving their accounts still brute forceable through SSH.
Now go and secure your SSH if you haven't already.
Sources
PuTTY's website
sshd_config's Man Page
ssh-keygen's Man Page
Well explained! I still remember the first time I used SSH and PuTTY, took a while to get used to but I managed quickly.
Thank you for the kind words!
The first time I had issues with the authorized_keys file, I didn't know about that file, and when I disabled password authentication in the SSH conf (yeah, dumb move, it was my first ever VPS) without testing the key authentication, I locked myself out of that box :). I needed to reset it via the shell provided by the VPS provider.