Who should read this?
This tutorial is for novice to intermediate Linux users who want to go beyond basic password security. Security professionals recommend using SSH keys to make authentication into SSH sessions faster, easier and more secure. As passwords become longer and more complex, they become more difficult to use and manage.
Key-based access is more secure and easier to manage for individuals. For teams and organizations, key-based access has some challenges around rotation and user hygiene that are outside the scope of this tutorial.
What are we talking about?
This tutorial will walk you through the basic procedures for setting up and using SSH keys on your servers, and how to use those keys with common Windows SSH tools like PuTTY, or on OSX or Linux.
SSH is a client-server protocol originally developed to replace the insecure and unencrypted telnet protocol. SSH1 was originally developed in 1995 by Tatu Ylonen, a researcher at the Helsinki University of Technology. Tatu went on to found ssh.com. SSH went on to become one of the most widely used security and administration tools in modern technology.
OpenSSH was a derivative work forked (by the OpenBSD project) from earlier versions of the SSH server application that had less restrictive licensing.
Why
Using SSH keys makes system access fast, easy, secure and scalable. It’s pretty much the only way to fly if you’re serious about being a Linux administrator.
What are SSH Keys?
SSH keys are a public and private key pair used for authenticating users who are trying to log in remotely to systems to perform administrative tasks and actions. The public key is placed on the remote server and the private key is held as a secret on the user’s local machine.
Pre-requisites
This tutorial is based on Ubuntu 18.04 running the latest
$ sudo apt-get update && sudo apt-get upgrade
If you are using Windows you’ll need:
- PuTTY https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html (you need at least PuTTY v0.70 to use ED25519)
- WinSCP https://winscp.net/eng/download.php
- PuTTYgen https://winscp.net/eng/download.php (this is included in the WinSCP installer)
Step 1
$ mkdir -p ~/.ssh
$ chmod 0700 ~/.ssh
$ ssh-keygen -t ed25519 -C "VPS server #101" ### https://ed25519.cr.yp.to/ if you are wondering what ED25519 is
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase): #haha I can't type
Enter same passphrase again:
Passphrases do not match. Try again.
Enter passphrase (empty for no passphrase): #still can't type D
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:+EgRgp7QUWicc/vjjYfl8iW/HW1E5PkzOYY7TmCMlYU VPS server #101
The key's randomart image is:
+--[ED25519 256]--+
| o.*o . ... |
|. O .. Eoo . |
| + + ... o + |
| o . O + .+..|
| .o S. + ..*.|
| .oo. . .oo +|
| ..Bo . .+o |
| = ++ .oo. |
| +. o... |
+----[SHA256]-----+
$ ls -al ~/.ssh
total 16
drwx------ 2 root root 4096 Apr 30 04:12 . ### Agree to pretend that I didn't run this as root
drwx------ 7 root root 4096 Apr 30 04:11 ..
-rw------- 1 root root 411 Apr 30 04:12 id_ed25519 ### THIS IS YOUR PRIVATE KEY DO NOT SHARE
-rw-r--r-- 1 root root 97 Apr 30 04:12 id_ed25519.pub ### THIS IS YOUR PUBLIC KEY - GOES ON REMOTE DEVICES
Step 2
You need to add your public key to the ~/.ssh/authorized_keys file on any server you want to log in to.
$ cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys #APPENDS THE CONTENTS OF FILE_1 to FILE_2
Use WinSCP or SCP to download your private key to your workstation.
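Step 2's `cat >>` adds another copy of the key every time it is run and leaves the mode of authorized_keys to the umask. The script below is an added example, not part of the original tutorial: it makes the append idempotent and checks the file modes from Step 1. The function names `install_pubkey` and `audit_ssh_dir` are hypothetical, and GNU `stat` (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Assumes GNU stat, as on Ubuntu.
# Usage: install_pubkey ~/.ssh/id_ed25519.pub && audit_ssh_dir

# install_pubkey PUBFILE [SSH_DIR]
# Idempotent Step 2: append the key only if its type+blob is not already listed.
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }

    # Take the first non-blank line and require the ed25519 key type from Step 1.
    key=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)
    case $key in
        "ssh-ed25519 "?*) ;;
        *) echo "$pub: not an ed25519 public key" >&2; return 2 ;;
    esac
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')

    # Same directory mode as Step 1; authorized_keys is kept private to the owner.
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    touch "$auth" && chmod 0600 "$auth" || return 1

    # Fixed-string match on "type blob", so a changed comment does not duplicate.
    grep -qF -- "$blob" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# audit_ssh_dir [SSH_DIR]
# Lists entries with more permission bits than expected; returns 1 if any.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    bad=0
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        case $f in
            "$dir") limit=700 ;;
            *.pub|*/authorized_keys|*/known_hosts|*/config) limit=644 ;;
            *) limit=600 ;;   # treat everything else as a private key
        esac
        mode=$(stat -c '%a' "$f")
        # Any bit set in mode but absent from limit is excess permission.
        if [ $(( 0$mode & ~0$limit )) -ne 0 ]; then
            echo "$f: mode $mode, expected at most $limit"
            bad=1
        fi
    done
    return $bad
}
```

With StrictModes enabled (the sshd default), the server rejects key logins when ~/.ssh or authorized_keys is writable by group or others, and the ssh client refuses a private key file that other users can access. Running `audit_ssh_dir` on the workstation after copying the private key there catches the second case before the first login attempt.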
On Windows
Open PuTTYgen and load the private key that you downloaded from the VPS. Make sure you select the ED25519 parameter if that is the key type that you generated!
Then hit Save Private Key and save the id_ed25519.ppk key file somewhere smart.
Open PuTTY, navigate to SSH > Auth in the left-hand menu, then browse to and load your private key file.
Go back to Session and save the session so that you don’t have to specify the key file over and over again like a robot.
If your session throws an error “Unable to load private key file .ppk (file format error)”, your version of PuTTY is probably too old and doesn’t support ED25519.
On Linux / OSX
Downloading your keys on your Linux workstation is pretty simple.
user@workstation:~$ scp user@192.168.1.101:~/.ssh/id_ed25519 ~/.ssh/
user@192.168.1.101's password:
id_ed25519 100% 411 15.4KB/s 00:00
user@workstation:~$ ssh root@192.168.1.101 #type your passphrase and boom you are in
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-38-generic x86_64)
References
- https://www.openssh.com/history.html
- https://www.ssh.com/ssh/
- https://ed25519.cr.yp.to/ if you are wondering what ED25519 is
About the Author
Sean Richards, CISSP, is a 20 year Technology enthusiast and security practitioner. Loves family, animals, BBQ, and bicycles.
https://www.linkedin.com/in/seangrichards/
https://github.com/seangrichards/
https://twitter.com/seangrichards