How to: SSH secure key authentication on Ubuntu

Open SSH is the most widely used SSH server on Linux. Using SSH, one can connect to a remote host and gain a shell access on it in a secure manner as all traffic is encrypted.

A neat feature of open SSH is to authenticate a user using a public/private key pair to log into the remote host. By doing so, you won’t be prompted for the remote user’s password when gaining access to a protected server. Of course you have to hold the key for this to work. By using key based authentication and by disabling the standard user/password authentication, we reduce the risk of having someone gaining access to our machine/s. For more info on data access management, visit sites like https://cyral.com/data-access-governance/. And if you need comprehensive visibility to enable compliance and secure data sharing, you might want to read more here to learn more. Moreover, if you need Cyber Security Solutions in charge of data protection of your company, you may look for a time-limited privileged access management system that evaluates each access request. You may click here to find out more.

Implement NIST Cybersecurity Framework in 3 weeks using CyberArrow. CyberArrow is a technology first solution that automates the evidence collection for NIST CSF controls. CyberArrow can be used by any type of organization.

So if you are not using SSH with public/private key pair, here is how to get this rolling. If you are using AWS (Amazon Web Services) you would have been forced to use this method. This is great! The instructions below will teach you a bit about this and provide insight into setting this up on your dev VM or a server which doesn’t have this level of security turned on.

Useful commands to note

Accessing server using key

ssh -i ./Security/PRIVATEKEY USERNAME@SERVER -p PORT

Example:

ssh -i ./Security/aws/myname_rsa root@127.0.0.1 -p 22345

Restart SSH server

sudo /etc/init.d/ssh restart

Install & Setup SSH Security Access

Note: This section is for admins only.

On your Server (remote host) Locally on your box
1. Install SSHOnly if not already installed.
sudo apt-get install openssh-server
sudo apt-get install openssh-client

Make sure you change your server (and firewall is present) it to listen on port 22345 (or similar port of your liking in the high range) vs the standard unsecure 22.

Via Shell

sudo nano /etc/ssh/sshd_config
sudo /etc/init.d/ssh restart

OR

In Webmin >SSH Server > Networking > Listen on port = 22345

How to install Webmin instructions are here: http://www.theroadtosiliconvalley.com/technology/building-ubuntu-lamp-web-server-vm/

On your Server (remote host) Locally on your box
2. Create a public/private key pair.
ssh-keygen -t rsa

This will generate the keys using a RSA authentication identity of the user. Why RSA instead of DSA? RSA is 2048 bit key vs DSA 1024 bit key restricted. Read here: http://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys

By default the public key is saved in the file:~/.ssh/id_rsa.pub,
while private key is:~/.ssh/id_rsaeg.

3. Copy the generated myname_rsa.pub file to the remote host. Use SFTP and from:
/Users/name/.ssh/myname_rsa.pub drop it into remote host path:
/root/.ssh/myname_rsa.pubNote: If that folder doesn’t exist then create it.
sudo mkdir /root/.ssh/
On your Server (remote host) Locally on your box
4. SSH into remote host and append it to ~/.ssh/authorized_keys by entering:
cat /root/.ssh/myname_rsa.pub >> ~/.ssh/authorized_keys
rm /root/.ssh/myname_rsa.pub
4.1. Check the permissions on the authorized_keys file.Only the authenticated user should have read and write permissions. If the permissions are not correct change them by:
chmod 600 ~/.ssh/authorized_keys
5. Enable SSH public/private key pair access.
sudo nano /etc/ssh/sshd_config

Make sure you have the following:RSAAuthentication yesPubkeyAuthentication yesSave when exiting.

6. Reload new configuration.
/etc/init.d/ssh reload (or)
service ssh reload
On your Server (remote host) Locally on your box
7. Protect your private key file.Locally on your machine assuming you moved the private key file to folder ./Security/
chmod 0600 ./Security/myname_rsa
8. Test your new setup.Login to your remote host from your machine:
ssh -i ./Security/KEYFILE USERNAME@SERVER -p PORTNO

where ./Security/KEYFILE is the location of your private key file.eg.

ssh -i ./Security/myname_rsa root@1.1.1.1 -p 22345

You should be granted access immediately without password requirements.

On your Server (remote host) Locally on your box
9. Disable authentication by password.
sudo nano /etc/ssh/sshd_config

Make sure you have the following:

ChallengeResponseAuthentication no 
PasswordAuthentication no
UsePAM no

Save when exiting.

10. Reload new configuration.
/etc/init.d/ssh reload (or)
service ssh reload
On your Server (remote host) Locally on your box
11. Test #2 your new setupLogin to your remote host from your machine:
ssh -i ./Security/KEYFILE USERNAME@SERVER -p PORTNO

where ./Security/KEYFILE is the location of your private key file.eg.

ssh -i ./Security/myname_rsa root@1.1.1.1 -p 22345

You should be granted access immediately without password requirements.Also test using the old method which should prohibit access.

ssh root@1.1.1.1 -p 22345

Should yield: Permission denied (publickey).
Server is now protected against brute-force attacks.

Finally make sure you adjust your development tools so they tool can gain access to your secured server.

Tools

Your choice of tools my vary but the process is very similar. The following are my most used tools and how to tweak them to allow SSH key entry to my secured server.

FileZilla – SFTP

To enable FileZilla to access the server under the new configuration do this:

  1. FileZilla > Preferences…
  2. Settings window opens. Select “Connection > SFTP” (left hand navigation).
  3. In the right pane, click on “Add keyfile…”. Navigate to your private keyfile and click on it to add.
  4. You may be asked by FileZilla to “Convert keyfile” to a supported FileZilla format. This is fine and just click “Yes”. Save the output file to the same location as your private key file.
  5. Click OK on the Settings file to save final changes.

SublimeText2 – IDE

To enable SublimeText2 to access the server under the new configuration do this.

In your solutions sftp-settings.json configuration file enable key file access like this:

"ssh_key_file": "~/.ssh/id_rsa",

Example:

"ssh_key_file": "~/Security/myname_rsa",

And that’s it. Happy development!

~ Ernest