What SSH Keys Are, And How To Use Them With A Linux Server – Part 2
In a previous article we looked at what SSH keys are, and how they work to help improve the security of using SSH to manage your server. We also looked into how you can create an SSH key on Linux or Mac OSX and copy the public key over to your server. This time we’ll cover how you can generate keys in Windows when using the PuTTY client, and how to configure your server to only allow keys as an authentication method.
Installing PuTTY
When you install PuTTY it comes with a number of applications alongside the main PuTTY client that you use to connect to servers. One of these is PuTTYgen, the tool used to create SSH keys. You can open it by going to the Start menu, scrolling to the PuTTY folder in the menu and clicking PuTTYgen.
The interface is fairly basic, and for the most part you don’t really need to make any changes. The bottom of the screen has the parameters for any keys to be generated; RSA and 2048 bits is fine. Click the Generate button to create the key. It will ask you to wave your mouse about to create some random data to seed the random number generator, after which the key will be generated. There will be fields for you to add a passphrase to the private key as required. You can then use the “Save private key” button to save your private key to the computer, and the “Save public key” button to save the public key. At the top of the window you also have the public key in a text box that you can copy and paste to the server.
Configuring PuTTY for SSH Keys
Now you need to configure PuTTY to use your keys to log in. So fire up PuTTY, and start by entering your server’s IP address or domain name in the Host Name field. Next, in the menu on the left select the Connection -> Data option and on the screen that opens fill in your username in the “Auto-login username” field. Now go to the SSH -> Auth section, click the “Browse” button, and select the private key that you saved earlier. Finally, go back to the Session section at the top of the menu and in the “Saved Sessions” section enter a name for this session. Your server’s name is a good option. Click Save. In the future, you can load the session details by selecting the name in the box underneath. With that done, you can connect to your server using your password as before to configure the SSH key at that end.
Once you have connected to the server you need to change to your .ssh directory in your home directory:
cd .ssh
If that doesn’t exist you will need to create it first:
mkdir .ssh
cd .ssh
With the directory in place you can now add the key. First open the authorized_keys file for editing:
nano authorized_keys
Now paste in the public key that you copied earlier from PuTTYgen. Then save and exit the file.
You should now be able to disconnect from the server, then reconnect. This time you should be prompted for the passphrase for your private key (if you set one), and then be connected to your server.
Once you and any other users of your server are set up to connect with SSH keys, the final thing to do is disable password logins. If you don’t do this, your server will be no more secure from brute force attacks than it was before you made the keys. To do this you need to edit the SSH configuration file:
sudo nano /etc/ssh/sshd_config
Scroll down the file to find the line starting with “PasswordAuthentication” and change the “yes” to a “no”. With that done you can save and exit the file, then reload the SSH server with the following command:
sudo systemctl reload ssh
Having completed these steps, I’d recommend not disconnecting from the server yet. Create a new connection to the server first to be sure that all is working as expected; if there is a problem and you have already disconnected, you may not be able to get back in.
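While that first session is still open, it is worth confirming that the edit to “PasswordAuthentication” is the value sshd actually uses. The script below is an added example, not part of the original article: it shows on constructed sample files how an earlier “yes” overrides the “no” set in sshd_config, assuming a system whose sshd_config starts with an Include line for drop-in files (the file names and the function name are made up for the illustration).

```shell
#!/bin/sh
# Added example, not from the original article.
# sshd keeps the FIRST value it reads for each keyword, so a
# "PasswordAuthentication yes" that is read earlier (for example from a
# drop-in pulled in by an Include line at the top of sshd_config) overrides
# the "no" you set further down.

# Print the global PasswordAuthentication value that wins when the given
# files are read in order. Lines after a Match keyword in a file are
# skipped, keyword matching is case-insensitive, and "yes" (sshd's default)
# is printed when no file sets the keyword.
# Assumes the whitespace-separated "Keyword value" form.
effective_password_auth() {
    awk '
        FNR == 1 { in_match = 0 }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "passwordauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }
    ' "$@"
}

# Constructed sample files standing in for a drop-in and the main config.
demo=$(mktemp -d)
printf 'PasswordAuthentication yes\n' > "$demo/50-dropin.conf"
printf '#PasswordAuthentication yes\nPasswordAuthentication no\n' \
    > "$demo/sshd_config"

# Main file alone: the edit looks effective.
effective_password_auth "$demo/sshd_config"
# Drop-in read first, as an Include at the top would do: passwords still on.
effective_password_auth "$demo/50-dropin.conf" "$demo/sshd_config"

# On the server itself, ask sshd for its effective settings instead:
#   sudo sshd -T | grep -i '^passwordauthentication'
```

If the `sshd -T` output on your server still reports yes after the reload, look for the keyword in any file that sshd_config includes before the line you changed.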
Now that everything is working, your server is secured using SSH keys, meaning that only people with valid private keys and their passphrases can access the server.