After changing your SSH port number and disabling root logins, the next step in server security is to use SSH keys for logging into your server instead of passwords. SSH keys are special files that come in pairs – one resides on your server, and the other resides on your computer. When properly setup, SSH keys provide not just security, but convenience.
Advantages of Using SSH Keys to Login
Human beings are bad at passwords. We don’t generate them randomly enough, and we don’t remember truly random passwords either. So each time you log into your VPS remotely, you have to either:
- Copy/Paste a complex password from something like an e-mail
- Use a less secure password that’s easy to enter and remember
The first is inconvenient, and the second is insecure. There are ways to create memorable and complex passwords, but that takes a lot of time and effort. So the first benefit of SSH keys is that it allows you to sign in securely without the difficulty of remembering and entering complex passwords all the time.
The second benefit is that SSH key security prevents certain kinds of brute force attacks on your server. When there’s no password in the first place, hackers are stopped cold and can’t try and force their way in.
Finally, SSH keys change the paradigm of security vis-a-vis passwords from something you know (password) to something you have (key). It can also combine the two by requiring a passphrase to unlock the private key.
Generating the Key Pairs
As mentioned above, SSH key authentication requires at least two keys that come in a pair. One is a public key, and the other is a private key. The former is stored in a special location on the server, and the latter is kept on your local computer. When connecting, you specify the location of your private key, and the rest happens magically.
The tool that’s most popular for creating public/private key pairs on Windows is called PuTTYgen – it’s part of a suite of PuTTY tools and can be downloaded from this location.
Once you’ve downloaded PuTTYgen, simply execute the file and you’ll be asked to generate a new key pair. First, we need to choose the encryption we want to use. For this example, I’m using SSH-2 RSA encryption. Click “Generate”, and you’ll be asked to move your mouse around to create random noise in order to generate the key pair:
Keep moving your mouse until the green bar fills up, and then PuTTYgen will finish creating the keypair that you can then download to your computer as shown here:
Creating the Public Key for OpenSSH
The public key that PuTTY generates isn’t compatible with OpenSSH. So you need to copy everything in the field labeled “Public key for pasting into OpenSSH authorized_keys file”, and paste it into a text file that I will call “public_rsa”.
This is our public key.
Upload the Public Key to Your Server
The next step is to upload the public key to your server. We can do this using the “pscp.exe” tool found on the PuTTY homepage from the same place where you downloaded puttygen.exe. Download pscp.exe, then open a command prompt to the folder where it’s located.
Note: You need to enable root access for this command to work. If you’ve previously disabled root, temporarily enable it first! You can disable it again afterward.
We want to copy the public key to the following folder:
Also, I’ve changed my SSH port to 2208 instead of 22. So I run the following command:
pscp -P 2208 C:\Users\Bhagwad\Desktop\public_rsa [email protected]xxx.xxx.xxx.xxx:/root/.ssh/public_rsa
Here, change 2208 to whatever port you now use for SSH. Replace public_rsa with the name you’ve given to your public key, and change xxx.xxx.xxx.xxx to the IP address of your server. If all goes well, you should be prompted for your root password. Enter it, and the file will upload to your server.
You can confirm this by logging into your server, navigation to /etc/.ssh and checking for yourself as shown here:
As you can see, the public key named “public_rsa” has been uploaded to the specified destination on the server.
In Part II of this series, we’ll see how to add this key to our authenticated folder, and how to initiate a connection from PuTTY to the server via our private/public keypair!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!
Thanks, looking forward to PartII & beyond
Bhagwad Park says
Here’s part II: