Securing Access To a Linux Server With SSH Private Keys
As a cloud managed services provider we deploy and manage Linux infrastructure for our cloud customers. In many of the cases we manage the infrastructure ourselves and help the customers deploy their applications so no direct access to the servers is necessary.
Other times our customers need direct access to the servers so they can do their work, deploy applications and other type of application maintenance.
In this case we set up access through SSH and, for the obvious reasons, require the issuance, setup and management of private/public key pairs for the users who need access to the servers.
So here is a guide on how to set up secure SSH access to a CentOS 7 server.
Private key generation
To set up SSH authentication to access a Linux server, each user must generate their own private and public key pair.
Once the keys have been generated, the public key must be provided to the owner of the Linux server the user needs access to, so that the public key can be set up on that server.
The public SSH keys must be properly managed so that you don’t keep old keys on the server, for example after a user has left the company. You don’t want a rogue user using their private key to access a server and create havoc in it.
You can create your key pair with PuTTYgen. You can download the PuTTY installation package from here. This Windows installer installs PuTTY, the tool you’ll use to SSH into the Linux server, and PuTTYgen, the tool you need to generate the key pair.
Creating a new key pair
To create a new key pair, select the type of key to generate from the bottom of the screen (SSH-2 RSA with a 2048-bit key size is good for most people; another good, well-known alternative is ECDSA).
Then click Generate and start moving the mouse within the window. PuTTY uses mouse movements to collect randomness; the exact way you move your mouse cannot be predicted by an external attacker. You may need to move the mouse for some time, depending on the size of your key. As you move it, the green progress bar should advance.
Once the progress bar becomes full, the actual key generation computation takes place. This may take from several seconds to several minutes. When complete, the public key should appear in the window. You can now specify a passphrase for the key.
You should save at least the private key by clicking Save private key. It may be advisable to also save the public key, though it can later be regenerated by loading the private key (by clicking Load).
We strongly recommend using a passphrase for private key files intended for interactive use. If keys are needed for automation (e.g., with WinSCP), they may be left without a passphrase.
Installing the public key as an authorized key on a server
As an example, we are going to set up a key for a user to access a server as the root user.
In the terminal, create the folder .ssh if one doesn’t exist.
In this folder create the file authorized_keys:
Copy the user’s public key to the server and open the key file with a text editor.
Just a word of caution! The key might paste as a multi-line string. Make sure the pasted key is a single line. See the screenshot below. Also prefix the string with ssh-rsa.
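As an added example (not code from the original guide), the following POSIX shell script does the two error-prone steps above mechanically: it joins the multi-line public key text that PuTTYgen saves into the single line that authorized_keys expects, prefixing the key type read from the key blob itself, and installs it with the permissions sshd requires. The sample key text is constructed, and the function names and the home-directory argument are my own.

```shell
#!/bin/sh
# Added example, not part of the original guide: normalise a PuTTYgen public
# key into one-line OpenSSH form and install it with the modes sshd
# (StrictModes, the default) demands: 700 on .ssh, 600 on authorized_keys.

# Constructed sample in the layout PuTTYgen writes with "Save public key".
# The base64 body is a placeholder with a valid ssh-rsa type prefix, not a real key.
SAMPLE_PUTTY_PUB='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20240101"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholderline1
placeholderline2placeholderline2==
---- END SSH2 PUBLIC KEY ----'

# stdin: pasted key text (CRLF tolerated). stdout: "<type> <base64> <comment>".
# The key blob starts with a length-prefixed type string, so the first base64
# characters identify the type; this is what the "ssh-rsa" prefix must match.
putty_pub_to_openssh() {
    awk '
        { sub(/\r$/, "") }
        /^---- (BEGIN|END) SSH2 PUBLIC KEY ----$/ { next }
        /^Comment:/ { c = $0; sub(/^Comment: */, "", c); gsub(/"/, "", c); next }
        /^[A-Za-z0-9+\/=]+$/ { body = body $0; next }
        END {
            if (index(body, "AAAAB3NzaC1yc2E") == 1) t = "ssh-rsa"
            else if (index(body, "AAAAC3NzaC1lZDI1NTE5") == 1) t = "ssh-ed25519"
            else if (index(body, "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY") == 1) t = "ecdsa-sha2-nistp256"
            else { print "unrecognised key type" > "/dev/stderr"; exit 1 }
            if (c != "") printf "%s %s %s\n", t, body, c
            else printf "%s %s\n", t, body
        }
    '
}

# Append one key line to $1/.ssh/authorized_keys (only once), fixing modes.
# Run this as the target user, or chown the files to that user afterwards.
install_authorized_key() {
    home=$1; key_line=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    grep -qxF "$key_line" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key_line" >> "$home/.ssh/authorized_keys"
}

# Returns 0 only if every non-blank, non-comment line starts with a key type,
# i.e. no key was pasted as a wrapped multi-line string.
check_authorized_keys() {
    ! grep -vE '^(#|$|ssh-rsa |ssh-ed25519 |ecdsa-sha2-nistp(256|384|521) )' "$1" >/dev/null
}
```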
Configure PuTTY to access with the private key
Start PuTTY; in the Session category, type the name or IP address of the host. The default SSH port is 22. Make sure you have allowed this port in the server’s firewall.
In the Connection>Data category, type the Auto-login user name.
Select the Connection>SSH>Auth category and add the path to the private key. If you want to save the information you have just entered to the configuration, don’t click the Open button yet: select the Session category at the top and click the Save button.
Click the Open button to open the SSH session to the server. The first time you log in you will be prompted for the key’s passphrase. This is the passphrase you set when you generated the key.