Securing your SSH Server with Private Keys

Have a look at /var/log/auth.log and count the servers trying to brute force your box… no bueno. The most common issues I see doing Linux server administration are weak passwords, the same password reused everywhere, no service isolation, and misconfigured private services listening on public IP addresses. All of these must be considered when you are handling your own or a client's private information (Clinton email server!?). Hey you? Yes you. It is entirely your responsibility to protect your and your client's information, and to protect the rest of the internet from you, since a popped box usually ends up in a botnet.

Your first line of defense can be key-based authentication. Here's how to generate a key pair and disallow password login on your SSH server. The steps are extremely similar across distributions, but file locations are distribution specific; the SSH daemon configuration is normally /etc/ssh/sshd_config, or possibly under /etc/sshd.
The first thing to do is generate yourself a key pair. The private half NEVER leaves your machine and is never shared; only the public half is copied to servers. Without a passphrase, anyone who obtains the private key file can log in to every server that trusts the matching public key.

Windows Client

Download PuTTY. Make sure you either download the installer, or download both PuTTY and PuTTYgen. PuTTYgen is necessary to generate our private keys on Windows.

Open PuTTYgen. Once you’ve opened PuTTYgen you may leave the default settings and click generate, then move your mouse over the blank area to generate a random key.

Technically a passphrase is optional, but for your security it is imperative. If anyone gets hold of this private key file, the passphrase is the only barrier left; without one, anyone with the file can access your machine. Guard it.

Make sure you save the public key and private key to a safe location on your hard drive.

Copy the entire contents of the box labeled “Public key for pasting into OpenSSH authorized_keys file” and either keep it in your clipboard, or paste it somewhere you won’t lose it, you’ll need to have this later in this tutorial. This is your public key. You may now close PuTTYgen.

Now we need to configure PuTTY to use your private key.

Open PuTTY and navigate the left menu to Connection > SSH > Auth.

Under Authentication parameters, find “Private key file for authentication,” click Browse, and select the private key (.ppk) file you saved.

Last, go back to Session on the left menu and enter your server's IP address or hostname under Host Name.
Then, under Saved Sessions, type a name for this connection and hit Save, so the key setting is kept for next time.

You are finished with the client configuration, time for the server side of things!

Linux/Mac OS X Client

Assuming you’ve already installed the OpenSSH packages, setting up private key authentication on a *nix box is very simple.

Open your favorite terminal, and type ssh-keygen.

You should see an output similar to the following:

[adamjonesay@ash1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/adamjonesay/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

If you've never generated a key before, you may just press Enter when asked where to save the key, but if you already have one there you must specify a new file name or it will be overwritten. The output above shows the RSA default; passing -t ed25519 gives you a smaller, modern Ed25519 key instead, and the rest of the steps are identical.

The same passphrase advice as in the Windows section applies here: set one. Without it, anyone who copies id_rsa can access your machine.

You should see a message saying such:

Your identification has been saved in /home/adamjonesay/.ssh/id_rsa.
Your public key has been saved in /home/adamjonesay/.ssh/id_rsa.pub.

Take note of the contents of ~/.ssh/id_rsa.pub. You’ll need this later. This is your public key.

OpenSSH Server

The server side configuration (if you may even call it that) is the simplest of all: take the OpenSSH public key you created earlier (the contents of id_rsa.pub, or the “Public key for pasting into OpenSSH authorized_keys file” box in PuTTYgen; never the private key) and paste it as one line into ~/.ssh/authorized_keys for each user you'd like to log in as. From a *nix client, ssh-copy-id user@server does this for you. Permissions matter: sshd's default StrictModes setting silently ignores authorized_keys if ~/.ssh is not mode 700 or the file is group/world writable, so make ~/.ssh 700 and authorized_keys 600.

To improve security even further, disable password authentication in sshd_config (PasswordAuthentication no, and KbdInteractiveAuthentication no so PAM does not offer a password prompt through the back door), check the file with sshd -t, then reload sshd. Keep your current session open and confirm a fresh key-based login works before you close it, or you may lock yourself out. fail2ban can be added on top to slow down the brute forcers that still knock.
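The server-side steps above (installing the public key with the right permissions, then turning off password login in sshd_config) as an added shell example; this is not code from the original post. It takes explicit paths as arguments so you can dry-run it against a temporary directory before pointing it at a real home directory and /etc/ssh/sshd_config, and it refuses to install anything that looks like a private key.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a POSIX sh with grep,
# mkdir, chmod and mv; the paths are arguments so nothing here touches the
# real system until you pass it real paths.

# install_pubkey HOME_DIR PUBKEY_FILE
# Appends the public key (the .pub file, never id_rsa itself) exactly once and
# sets the permissions sshd's StrictModes expects: 700 on ~/.ssh, 600 on
# authorized_keys.
install_pubkey() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Refuse the classic mistake the post warns about: pasting the private key.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file looks like a private key" >&2
        return 1
    fi

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Idempotent append: skip if this exact key line is already present.
    if ! grep -qxF -- "$(cat "$pubkey_file")" "$auth_keys"; then
        cat "$pubkey_file" >> "$auth_keys"
    fi
}

# set_sshd_option CONFIG_FILE DIRECTIVE VALUE
# Removes every existing line for DIRECTIVE, active or commented out, and
# appends one active "DIRECTIVE VALUE" line, so the result is unambiguous.
set_sshd_option() {
    cfg=$1
    directive=$2
    value=$3
    tmp="$cfg.tmp.$$"
    grep -viE "^[[:space:]]*#?[[:space:]]*$directive[[:space:]]" "$cfg" > "$tmp" || true
    printf '%s %s\n' "$directive" "$value" >> "$tmp"
    mv "$tmp" "$cfg"
}

# count_active DIRECTIVE CONFIG_FILE
# Prints how many uncommented lines set DIRECTIVE (should be exactly 1 after
# set_sshd_option).
count_active() {
    grep -ciE "^[[:space:]]*$1[[:space:]]" "$2" || true
}

# harden_sshd CONFIG_FILE
# The post's recommended end state: keys only, no password or PAM password
# prompt, root only with a key. Run `sshd -t -f CONFIG_FILE` afterwards and
# keep an existing session open until a fresh key login succeeds.
harden_sshd() {
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" KbdInteractiveAuthentication no
    set_sshd_option "$1" PermitRootLogin prohibit-password
}
```

Typical use on the server is `install_pubkey /home/adam /tmp/id_ed25519.pub` followed by `harden_sshd /etc/ssh/sshd_config`, `sshd -t`, and a reload. The directive rewrite deliberately drops commented-out copies too, because a stray `#PasswordAuthentication yes` is what makes people believe the setting is off when the default (yes) is still in effect.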

Comments and suggestions are greatly appreciated.

Categories: Linux, Security

3 replies

  1. The git-shell feels more nixy on Windows

Trackbacks

  1. Securing your SSH Server with Private Keys – Technology and Computing
  2. Links 17/7/2016: Lithuanian Police Switches to GNU/Linux, Blockchain on LinuxONE | Techrights