SSH - Secure Shell

With SSH you can access a system via User/Password or via an SSH Key Pair, which is the preferred and most secure way. Such a Key Pair consists of a Public Key (in physical terms, basically a lock) and a Private Key (the key that fits this lock).
Private Key - Public Key

The Private Key is on your notebook and smartphone to access the remote system where the Public Key is authorized. The Private Key is your secret, don’t share it with anybody.

To make your Private Key even more secure (in case it gets stolen after all) you can encrypt it with a Passphrase that only you know. A stolen, passphrase-encrypted Private Key cannot be used without that Passphrase, so it is worthless to the thief.

You only need to create a Key Pair once, and you can use it with as many remote systems as you want to connect to.

There are a few different algorithms for creating such a Key Pair. Currently the most secure algorithm is called ED25519, which creates remarkably short keys and uses a technique similar to the one cryptocurrency projects such as Bitcoin, Ethereum or Monero use to create their key pairs.

Create SSH Key Pair on Windows

There's no built-in option to create an SSH Key Pair on Windows, so you have to install separate software. Here's how to create one with puttygen.exe.

Download puttygen.exe (or the whole PuTTY package if you want to use it as SSH Client): https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

puttygen.exe

  1. Open puttygen.exe and select ED25519 as key type.
  2. Generate the Key Pair by pressing the Generate button and moving the mouse to add randomness.
  3. Add a comment, which will be added to the Public Key just to help you identify it in the future. To add additional security (as mentioned above) it's recommended to set a Passphrase.
  4. Copy the Public Key and save it in a secure place like a Password Manager.
  5. Save the Private Key by selecting Conversions / Export OpenSSH key (force new file format) and choosing a file name. Copy the whole content of this file to the same secure place as the Public Key and use it in Termius (under Keychain). Save the Passphrase there as well.

Now you can add the Public Key on your host provider (New/Add SSH Key) for creation of your server.

Create SSH Key Pair on Linux (Ubuntu, Debian)

If you have already installed a virtual server but still use a password to access it, you have everything at hand to create an SSH Key Pair and start using it, at first as an additional login option.

Creating a Key Pair is simply done by

ssh-keygen -t ed25519 -C "befranz for OT Node Access"

where you change the string after -C (Comment) to your needs. This string is just added to the Public Key as a reference. You are asked to enter an optional Passphrase (which encrypts your Private Key for additional security in case you lose the key).

This command creates two files:

~/.ssh/id_ed25519.pub   # this contains the Public Key
~/.ssh/id_ed25519       # this contains the Private Key

As with all secrets...

Store Private Key, Public Key and Passphrase in more than one safe place.

Only the Public Key will be stored on the Server

Since we only want to use this Key Pair to access the server from your local devices (home computer and smartphone), only the Public Key will stay on the server. The Private Key will be moved to the local devices.

Prepare Server for SSH Key Access

To allow an SSH Key Pair to be used for a specific user on the server, this file, containing one or several Public Keys, has to exist:

~/.ssh/authorized_keys

Since you have never used SSH Keys on this server before, this file doesn't exist yet.

To create this file and add the Public Key we just generated, run these commands:

cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

This appends the Public Key to ~/.ssh/authorized_keys and sets the file permissions so that only the user itself can read and write it. To check that it worked, run this command

cat ~/.ssh/authorized_keys

where you should now see the Public Key with the comment you set when you created the Key Pair.
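As an added example (not part of the original guide), here are the same two commands as a small POSIX shell function that also covers the details sshd is picky about: it refuses input that does not look like a public key line, creates ~/.ssh with mode 700 (sshd silently ignores authorized_keys when that directory is group- or world-writable), and does not add the key a second time when run again. The argument layout is an assumption of this example, and the demo at the end runs against a temporary directory with a constructed, non-real key.

```shell
#!/bin/sh
# Added example, not from the original guide. Installs one public key into
# $target/.ssh/authorized_keys idempotently and with the modes sshd expects.
#   $1 = file holding the public key (e.g. ~/.ssh/id_ed25519.pub)
#   $2 = home directory of the target user (defaults to $HOME)
install_authorized_key() {
    pub="$1"; target="${2:-$HOME}"
    key=$(head -n 1 "$pub")
    # a public key line starts with the key type, e.g. "ssh-ed25519 AAAA... comment"
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|ecdsa-sha2-*|sk-*) ;;
        *) echo "not a public key line: $pub" >&2; return 1 ;;
    esac
    # umask in a subshell so the caller's umask is untouched; 077 => owner-only files
    (umask 077; mkdir -p "$target/.ssh"; touch "$target/.ssh/authorized_keys")
    chmod 700 "$target/.ssh"             # sshd (StrictModes) ignores keys otherwise
    # append only when this exact line is not already present
    if ! grep -qxF -- "$key" "$target/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$target/.ssh/authorized_keys"
    fi
    chmod 600 "$target/.ssh/authorized_keys"
}

# How many times an exact key line occurs in a file (used by the demo)
count_key() { grep -cxF -- "$1" "$2"; }

# Demo against a temporary directory with a constructed (not real) key
demo_install() {
    d=$(mktemp -d)
    printf 'ssh-ed25519 AAAAConstructedTestKeyNotReal befranz for OT Node Access\n' > "$d/id_ed25519.pub"
    install_authorized_key "$d/id_ed25519.pub" "$d"
    install_authorized_key "$d/id_ed25519.pub" "$d"   # second run must not duplicate
    count_key "$(head -n 1 "$d/id_ed25519.pub")" "$d/.ssh/authorized_keys"   # prints 1
    rm -rf "$d"
}
demo_install
```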

Your server is now ready for access via SSH Key Pair!

Disallow Password Authentication

For better security you should disable password access, but only once you are sure all your SSH clients are set up correctly for Key Pair access and have already logged in to the server via keys.

To remove password authentication on your server run this command:

sed -i.bak 's/[#]*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config

Make sure it is set correctly with

grep "PasswordAuthentication " /etc/ssh/sshd_config

where you should get the following line:

PasswordAuthentication no

If this is OK, restart the SSH service to activate the changes with

service ssh restart

Now open an additional connection from your SSH client to test it. If anything is wrong with the connection, you still have your other connection open to revert what you just did with

# Just in case something went wrong, this will undo the previous changes
cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
service ssh restart

If you could establish a new connection, your server is set to key access only! Congratulations!
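The grep check above only looks at the lines of one file, while sshd uses the first value it finds for a keyword, reads additional files at the point of an Include directive (Ubuntu cloud images, for example, ship /etc/ssh/sshd_config.d/50-cloud-init.conf containing PasswordAuthentication yes, included before the main body), and applies settings under Match only conditionally. On the server itself, sshd -T | grep -i passwordauthentication prints the effective value. The added example below (not from the original guide) mimics that first-value-wins rule in portable sh/awk so it can be tried on a copy of the config; the demo builds such a drop-in layout in a temporary directory, and Include globs are assumed to be absolute paths here.

```shell
#!/bin/sh
# Added example, not from the original guide. Reports the PasswordAuthentication
# value sshd would actually use for a given sshd_config: first value wins,
# "Include" files are read in place, and parsing stops at the first "Match"
# (settings inside Match are conditional). Needs POSIX sh and awk only.
#   $1 = path to sshd_config (Include globs must be absolute paths here)
effective_password_auth() {
    awk -v root="$1" '
    function scan(file,   line, n, f, key, cmd, inc) {
        while ((getline line < file) > 0) {
            sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)     # drop comments, indent
            n = split(line, f, /[ \t=]+/)
            if (n < 1 || f[1] == "") continue
            key = tolower(f[1])
            if (key == "match") { close(file); return 1 }       # conditional from here on
            if (key == "include") {
                cmd = "ls -1 " f[2] " 2>/dev/null"              # let sh expand the glob
                while ((cmd | getline inc) > 0)
                    if (scan(inc)) { close(cmd); close(file); return 1 }
                close(cmd)
            } else if (key == "passwordauthentication") {
                result = tolower(f[2]); close(file); return 1    # first value wins
            }
        }
        close(file); return 0
    }
    BEGIN { result = ""; scan(root); print (result == "" ? "yes (default)" : result) }'
}

# Demo: the main file says "no", but an included drop-in parsed first says "yes".
# Constructed layout in a temporary directory, not a real server config.
demo_effective() {
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-dropin.conf"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\n' "$d" > "$d/sshd_config"
    effective_password_auth "$d/sshd_config"       # prints "yes", not "no"
    rm -rf "$d"
}
demo_effective
```

If the result is "yes" even though the main file says no, fix or remove the drop-in that sets it before restarting the service.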

Remove Key Pair from Server

After you have set up SSH for your server by putting the Public Key into the file authorized_keys and stored the SSH Key Pair plus Passphrase in safe places, you can remove the two key files you generated earlier with

rm ~/.ssh/id_ed25519 ~/.ssh/id_ed25519.pub