Following on from the previous SSH security ramblings, one of the most secure authentication methods available is public/private key-based authentication.
g up key-based SSH logins for two reasons:
- They are more secure. You aren't prompted for a password, which could be brute-forced or, for example, captured via a man-in-the-middle attack.
- We're lazy. We don't want to type a username/password combination into each server.
Most SSH servers I set up:
- Accept key-based SSH logins only
- Are firewalled to accept connections from certain IPs only
- Have root login disabled
- Have a brute-force detection method in place, e.g. BFD or cPHulk
Anyway, let's set up public/private key-based authentication on our SSH server.
We need to generate a public/private key pair. Open PuTTY Key Generator (PuTTYgen); it was installed when you installed PuTTY! Click Generate. You'll need to move your mouse randomly over the blank area to supply the randomness used to generate the key pair.
When the key pair has been generated, enter a passphrase. The passphrase encrypts the private key on disk, so a copied key file is useless without it. You'll need that passphrase in one or two situations that we'll discuss later.
Save both the public key and the private key to your computer. Save them in a safe place!
Then copy the public key from the PuTTYgen window (the "Public key for pasting into OpenSSH authorized_keys file" box) over to our Linux server.
Log in to your Linux server with your username and password combo.
mkdir ~/.ssh (it may already exist)
chmod 700 ~/.ssh (it may already exist and be secured)
Paste the public key into ~/.ssh/authorized_keys. It may paste over in 3 lines; make sure it's on a single line, this is very important. The file must be writable only by you (chmod 600 ~/.ssh/authorized_keys), otherwise sshd may refuse to use it.
Save and exit.
Now we'll try connecting via PuTTY. We need to tell PuTTY to use a private key file: select SSH -> Auth -> Browse and point it at your private key (the .ppk file).
Log in and test! If all goes well, that's Stage 1 complete.
In Stage 2 we actually secure the SSH server so that it no longer allows password authentication. Keep your working key-based session open while you do this, so you can still fix things if a fresh key login fails after the change.
Edit your sshd_config (usually /etc/ssh/sshd_config).
Change PasswordAuthentication yes to PasswordAuthentication no. If the line is commented out with a #, uncomment it, since the default is yes.
Restart SSH: /etc/init.d/ssh restart
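As an added example (not from the original post), here are the two server-side stages as POSIX shell functions to run on the Linux server: one installs the pasted PuTTYgen key into ~/.ssh/authorized_keys and rejects a malformed paste, the other sets PasswordAuthentication no in sshd_config without being fooled by commented-out lines or Match blocks. The function names are this example's own assumptions.

```shell
# Added example, not from the original post: server-side helpers for Stage 1
# (install the public key pasted from PuTTYgen) and Stage 2 (disable password
# authentication in sshd_config). Function names are this example's own.
set -e

# Stage 1: append a public key to $2/authorized_keys. PuTTYgen shows the key
# as one line of OpenSSH format, but a terminal paste may wrap it, so line
# breaks are removed and the result is checked before it is accepted.
install_pubkey() {
    keyfile=$1; sshdir=$2
    key=$(tr -d '\r\n' < "$keyfile")
    # key type, base64 blob, optional comment; anything else is refused
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=* ?[^[:space:]]*$' \
        || { echo "refusing malformed public key" >&2; return 1; }
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$sshdir/authorized_keys" && chmod 600 "$sshdir/authorized_keys"
    # append only once, so re-running the step does not duplicate the key
    grep -qxF "$key" "$sshdir/authorized_keys" \
        || printf '%s\n' "$key" >> "$sshdir/authorized_keys"
}

# Report the top-level PasswordAuthentication value sshd would use: the first
# directive wins, the default is yes, and lines inside a Match block apply
# only to the users that block matches.
effective_password_auth() {
    awk 'BEGIN { v = "yes" }
         tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { v = tolower($2); exit }
         END { print v }' "$1"
}

# Stage 2: set PasswordAuthentication no at top level. An existing top-level
# directive is rewritten; otherwise the line is inserted before the first
# Match block, because appending to the end would put it inside that block.
disable_password_auth() {
    cfg=$1
    awk 'tolower($1) == "match" {
             if (!done) { print "PasswordAuthentication no"; done = 1 }
             inmatch = 1 }
         !inmatch && tolower($1) == "passwordauthentication" {
             print "PasswordAuthentication no"; done = 1; next }
         { print }
         END { if (!done) print "PasswordAuthentication no" }' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
    [ "$(effective_password_auth "$cfg")" = no ]
}
```

Run `effective_password_auth /etc/ssh/sshd_config` after editing to confirm what sshd will actually apply before you restart it.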
Done. See SSH Authentication with Pageant for extra laziness.