Secure SSH With Public/Private Keys
by Jeff on July 15th, 2015

This article walks through securing SSH with public/private key authentication and loading the key into PuTTY for easy SSH access. It covers the following:

  • Create a non-privileged user for SSH
  • Create a new SSH Public and Private key pair for the new user
  • Convert the private key to a PPK format for PuTTY to use
  • Disable Root login
  • Enforce the use of keys (not passwords) for SSH

Create a non-privileged User for SSH

The rest of this article uses an unprivileged user named ‘it’ (create it with useradd if it does not already exist). While logged in as root, give that user a password. The password is still needed for su later on, even though password logins over SSH are disabled at the end of the article.

[root@server /]# passwd it

Create a new SSH Public and Private Key Pair

We need to be logged into the server as the ‘it’ user to generate the key pair. This can be accomplished by entering the following while logged in as root:

[root@server /]# su - it

Now let's generate a new key pair. A note on where this happens: the article generates the pair on the server and copies the private key to the workstation afterwards, which keeps the walkthrough short. The safer order is to generate the pair on the workstation (PuTTYgen can do this) and send only the public key to the server, so the private key never crosses the network or a terminal session. The remaining steps are the same once a key pair exists. A 4096-bit RSA key (the -b option) is used here because every PuTTY version can load it; current OpenSSH and recent PuTTY versions also support Ed25519 keys (-t ed25519). The ~/.ssh directory may not exist yet for a freshly created user, so create it first:

[it@server ~]$ mkdir -p ~/.ssh
[it@server ~]$ cd ~/.ssh
[it@server .ssh]$ ssh-keygen -t rsa -b 4096

When asked for the file in which to save the key, press Enter to accept the default:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/it/.ssh/id_rsa):

For security, you should also enter a passphrase when prompted. This encrypts the private key with the passphrase. Do not lose the passphrase: there is no way to recover it, and without it the key is unusable. It is also important to note that the passphrase has to be entered each time you authenticate to the server with this private key (PuTTY's key agent, Pageant, can hold the decrypted key for the length of a desktop session, but that is outside the scope of this article).

Now you should have the following files:

[it@server .ssh]$ ls
id_rsa id_rsa.pub

id_rsa is your private key; it must be kept safe and is what you will authenticate with. id_rsa.pub is your public key, which needs to be appended to the authorized_keys file:

[it@server .ssh]$ cat id_rsa.pub >> authorized_keys

The public key now lives in authorized_keys, so the id_rsa.pub file can be removed from the server (keep a copy if you intend to install the same key on other hosts):

[it@server .ssh]$ rm id_rsa.pub

Let's set the correct permissions on the newly created files. sshd (with the default StrictModes yes) silently refuses the key if ~/.ssh or authorized_keys is writable by group or others, and the private key should be readable by its owner only. Note that chmod 0700 * would mark id_rsa as executable, which is not what you want; set each path explicitly:

[it@server .ssh]$ chmod 0700 ~/.ssh
[it@server .ssh]$ chmod 0600 id_rsa
[it@server .ssh]$ chmod 0600 authorized_keys

(0644 on authorized_keys is also accepted by sshd; what matters is that it is not group- or world-writable.)

On SELinux systems such as RHEL/CentOS, ensure that the SELinux contexts are set, otherwise sshd can be denied access to authorized_keys even when the permissions are correct:

[it@server .ssh]$ restorecon -Rv ~/.ssh

Now, let's save the private key to our desktop. The easiest way is to dump the contents to the screen and copy and paste. Keep in mind that this moves the private key through the current session and the clipboard, which is one more reason to prefer generating the pair on the workstation.

[it@server .ssh]$ cat id_rsa

Copy everything from the -----BEGIN line to the -----END line inclusive and paste it into Notepad. Save this Notepad file as IT-PrivateKey.txt. Remember where you saved this file; it will be needed in the next section. Treat it like a password: together with the passphrase, it is all that is needed to log in as ‘it’.

Convert Private Key to PPK for PuTTY

PuTTY uses its own format for private keys, so we have to convert our key to the PPK format. To do this, download PuTTYGen (part of the PuTTY suite; on Linux the putty-tools package provides a command-line puttygen that performs the same conversion).

Open PuTTYGen and click the “Load” button. This opens a file browser for you to choose your private key (IT-PrivateKey.txt); if the key has a passphrase, PuTTYGen asks for it now. Once the file is loaded, click the “Save private key” button and save the file as IT-PrivateKey.ppk. This is the private key file that will be loaded into PuTTY, and it remains protected by the same passphrase.

Open PuTTY and either create a new session or load an existing one. Click the + sign next to “SSH” on the left, then click “Auth” (in newer PuTTY versions the key file field is under “Auth” > “Credentials”). Click the “Browse…” button and select IT-PrivateKey.ppk. Scroll up on the left, click “Session”, and then click “Save”. PuTTY will now offer this key to the server whenever the saved session is used. Test it now: open the session and confirm that you can log in as ‘it’ with the key before continuing, because the next two sections remove the password fallback.

Disable Root Login

Now that we have an unprivileged user named it, we should disable root logins over SSH. We will still be able to become root after logging in as ‘it’ by issuing the su command and entering the root password. As root, open the sshd_config file:

[root@server ~]# vi /etc/ssh/sshd_config

Change the following line. On many distributions it ships commented out (#PermitRootLogin yes); uncomment it rather than adding a second copy, and set the value explicitly, because the default when the line is absent is yes on older OpenSSH releases and prohibit-password on newer ones.

PermitRootLogin yes

to

PermitRootLogin no

Enforce the use of Keys for SSH

While still editing the sshd_config file

[root@server ~]# vi /etc/ssh/sshd_config

uncomment the following line

#PasswordAuthentication no

so that it reads

PasswordAuthentication no

Two caveats. First, sshd uses the first uncommented occurrence of a keyword and ignores any later ones, so make sure there is no earlier active PasswordAuthentication yes line above it (stock RHEL/CentOS files ship with one). Second, on systems where sshd uses PAM (again RHEL/CentOS), a password can still be offered through keyboard-interactive authentication, so also set ChallengeResponseAuthentication to no.

Finally, save the file, check it for errors with sshd -t (a misspelled keyword, such as PremitRootLogin, stops sshd from starting at all), and restart the ssh service; on systemd-based systems the equivalent is systemctl restart sshd. IMPORTANT: make sure you can connect to the server with a new PuTTY session before closing the current one, so that a mistake does not lock you out.

[root@server ~]# service sshd restart
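Because sshd takes the first active occurrence of a keyword and ignores the rest, and because everything after a Match line is conditional, editing sshd_config by hand can leave you believing passwords are off when they are not. The following is an added example, not from the original article, that reads the effective value of the keywords this article changes and fails if the file still permits root or password logins. It runs against any file path, so it can be checked on a copy before restarting sshd; the sample configurations in the test are constructed, and the Match handling is a simplification (the audit stops at the first Match line instead of evaluating its criteria).

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config for the
# settings this article relies on. Two sshd behaviours are modelled:
#   1. For each keyword the FIRST uncommented occurrence wins; later ones are
#      ignored, so "PasswordAuthentication no" appended at the bottom does
#      nothing if an earlier "PasswordAuthentication yes" is still active.
#   2. Lines after the first "Match" are conditional, so reading stops there
#      (simplification: real Match blocks need their criteria evaluated).
# Keywords are case-insensitive and "Keyword=value" is accepted as well.

# effective_opt FILE KEYWORD -> first active value (lower-cased), or "default"
effective_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        { gsub(/=/, " ") }                               # normalise Keyword=value
        tolower($1) == "match" { exit }                  # conditional section begins
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# active_count FILE KEYWORD -> number of active (non-comment, pre-Match) occurrences
active_count() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { gsub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { n++ }
        END { print n + 0 }
    ' "$1"
}

# audit_sshd_config FILE -> 0 if hardened as the article intends, 1 otherwise.
# Prints every deviation. Does not replace "sshd -t", which is what catches a
# misspelled keyword such as "PremitRootLogin".
audit_sshd_config() {
    cfg="$1"
    rc=0
    for want in "PermitRootLogin=no" "PasswordAuthentication=no" \
                "ChallengeResponseAuthentication=no" "PubkeyAuthentication=yes"; do
        key="${want%=*}"
        expected="${want#*=}"
        got="$(effective_opt "$cfg" "$key")"
        # PubkeyAuthentication defaults to yes in OpenSSH; the others must be set explicitly
        [ "$key" = "PubkeyAuthentication" ] && [ "$got" = "default" ] && got="yes"
        if [ "$got" != "$expected" ]; then
            echo "$key: effective value is '$got', want '$expected'"
            rc=1
        fi
        # A second active occurrence is silently ignored by sshd; it usually
        # means the new line was appended instead of the old one being edited
        n="$(active_count "$cfg" "$key")"
        [ "$n" -gt 1 ] && echo "$key: $n active occurrences, only the first counts"
    done
    return $rc
}
```

Typical use on the server is audit_sshd_config /etc/ssh/sshd_config before the restart; a non-zero exit with the printed reasons tells you which line still needs editing, which is the check the "make sure you can still connect" warning above is guarding against.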