SSH, secure shell, is a network protocol used to access remote Linux machine. You can execute commands on the remote server by connecting using SSH protocol.
There’re different types of authentication modes for SSH.
a) Password authentication
b) Key based authentication
Password Authentication – Simply we can use root password directly to access SSH.
Key based Authentication – In key-based authentication rather than password we use SSH keys. As its name refers, the server identifies the key stored in the client machine and then the server authenticates the login. Hence password-less authentication!
We always prefer the most secure way of connection to our servers. To protect the confidentiality of our servers we always use the best method to connect to our servers and I believe password less authentication is the best one.
Password-less? How?
Yeah, I’ll try to explain you in simple steps that how we can access our server in a secure method. Here we use Public key Cryptography technology to accomplish it. Client machine is identified by the key. The private key in the client machine should match with the public key on the server for authentication. Basically, that’s how it works! OpenSSH server provides this setup and is installed by-default in a Linux based machine.
Requirements:
1. OpenSSH server
2. OpenSSH client on Linux (Assuming your workstation is a Linux based one)
Refer the topic below, if your local machine has Windows OS.
How to enable key based authentication – using Putty?
Are you ready with your requirements? Yeah, let’s start!
1. Generating SSH keys
This has to be done in the client-side, which means in your local machine. Here we use the command ssh-keygen to generate RSA keys.
Open your terminal and go to .ssh folder of your home directory. If .ssh folder is not there, then please create it.
# mkdir .ssh
# chmod 0700 .ssh
Now we can create the SSH key:
# ssh-keygen
It’ll ask for a file to save your RSA key, I recommend to use the default one. Then, it’ll ask for a passphrase. Please set a passphrase. If you don’t want to set it, then you can hit “enter” key.
Once this is done, the /home/user/.ssh folder will have 2 additional files, id_rsa and id_rsa.pub. The file id_rsa has the private key and id_rsa.pub has the public key in it.
Private key should be stored on our local machine itself and the public key should be copied to our server.
2. Installing public key on the server.
We can use scp command to copy public key to the server’s authorized_keys file and the private key should remain in the local machine itself. The public key on the authorized file of the server should match with the private key on the local machine. This is how authentication works. Also, please don’t ever share your private key with anyone.
# scp .ssh/id_rsa_pub [email protected]:/home/user/.ssh/authorized_keys
Assuming, you already have SSH access to your server. This time, it’ll ask for the password. Also, please be sure to set the permission of authorized_keys file to 600 and the .ssh folder should have 700 permission.
# chmod 700 .ssh
# chmod 600 .ssh/authorized_keys
If the public key is copied to authorized keys file, then we can test the key based authentication by trying SSH to the server. It’ll ask your passphrase if you have set it. If it won’t ask for a password then your key based authentication is success!
For enabling key based authentication for root user, then copy your id_rsa.pub to /root/.ssh/authorized_keys file.
Now, if you don’t want password authentication any more in your server, we can make the necessary changes on the server. Yeah, it’s time to change our SSH settings on the server.
SSH hardening on cPanel servers
3. Server settings – disabling password authentication on the server
After copying the public key to the server, assuming you’re able to access the server with your key. But still password authentication is active on your server, which means the server is still exposed to brute-force attacks. Now we can disable password authentication. Open SSH config file and make the following changes:
# vi /etc/ssh/sshd_config Search for PasswordAuthentication and set it to no. PasswordAuthentication no
This will disable password logins for accounts on this server and it’s effective for root too.
Restart SSH service on the server
# service sshd restart
Once this is done, the SSHD daemon will respond to SSH keys only.
30 plus SSH interview questions and answers – compiled