VPS Notes

Security Tutorial - Replace Password Login with Key Based SSH Login

The most common attack on servers is brute-force guessing of your password. An effective way to counter this is to disable login via username and password. After doing that, an alternative way to log in is to use ssh key pair login.
It is assumed that you have basic knowledge of how to use PuTTY. You can read this for an introduction to PuTTY.

Create a User

For added security, we will disable root login, so we need to create another account to log in with from now on. This is how to create a user with username john using the adduser command. Supply the password; you can skip the other details by just hitting ENTER.
$ adduser john
Adding user `john' ...
Adding new group `john' (1000) ...
Adding new user `john' (1000) with group `john' ...
Creating home directory `/home/john' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for john
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n]

Make the user a sudoer:
adduser john sudo
A sudoer is a user that has System Administrator privileges like root.

SSH Key Pair

A key pair is a set of two very long strings. One will be copied/stored on the server (public key), while the other will be kept on your local computer (private key). When you log in via PuTTY, the private key on your computer will be sent to the server. If it matches a public key stored on the server, the login is permitted.
This matching of private and public keys will replace our password logins. But before we disable password logins, we must first establish a working login using the ssh key pair. Otherwise, we will be locked out of the system.

Generate Key Pair

First, you need to generate a key pair. This requires some complex computation. Assuming you are using Windows, you need a program called PuTTYgen to do this. You can find and download the latest version from here. Here is also a direct link to the exe.
Run PuTTYgen and click the Generate button.
A key will be generated. For added security, type in a "key passphrase" (and confirm the passphrase). This is like a password on top of your key pair. Note that this is optional but highly recommended.
Click the "Save public key" and "Save private key" buttons to save the key pair.

Copy Your Public Key to the Server

This section assumes you know how to use PuTTY. Read this for an introduction to PuTTY.
Log in to the server as user john and create .ssh/authorized_keys (full path: /home/john/.ssh/authorized_keys):
$ mkdir -p .ssh
$ nano .ssh/authorized_keys

And paste in the public key.
Press CTRL+O and then ENTER to save the file, or simply CTRL+X and ENTER to save the file and exit. The server will now be able to recognize you when you try to log in using your private key.

Login Using Private Key

Using PuTTY, go to Connection and then Data. Type your username in the Auto-login username field. This is so that PuTTY will not ask for your username every time you try to log in.
Then go to Connection, then SSH, then Auth. Browse to the private key you saved in the PuTTYgen steps shown above.
Go back to Session. You can give a name to your session and then save it. In my case, I just used my IP address as the Session Name.
When you click Open, it will connect to the server without asking for your password. However, if you used a passphrase in PuTTYgen above, you need to provide that passphrase. The passphrase is not related to your account on the server. It is a security layer on top of the key pair, to make it harder to crack.

Disable Password Login

Now that we can log in using the key pair, we can disable password login using the command:
$ sudo sed -i "/PasswordAuthentication/cPasswordAuthentication no" /etc/ssh/sshd_config

And disable root login for added security:

$ sudo sed -i "/PermitRootLogin/cPermitRootLogin no" /etc/ssh/sshd_config

Now when you reboot your system, password and root logins are prohibited.
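Before rebooting, it is worth confirming that the two sed edits actually took effect, including the case where the directive was only present as a commented-out line in the stock file. The script below is an added example (my own, not from the original post or the referenced guides): it applies the same two settings to whatever file path it is given and reports the effective value of each; the function names set_sshd_option_no, effective_value, verify_hardened and demo_harden are names chosen for this example.

```sh
#!/bin/sh
# Added example, not from the original post: apply the two sshd_config
# changes above and verify the effective values before rebooting.
# It works on the file path passed in, so it can be tried on a copy first.

# Rewrite every line whose first token is $2 (whether or not it is
# commented out with '#') to "$2 no"; append the directive if the file
# never mentioned it. Note: lines inside a "Match" block are rewritten too.
set_sshd_option_no() {
  cfg="$1"; key="$2"
  sed -i "s/^[[:space:]]*#\{0,1\}[[:space:]]*${key}[[:space:]].*/${key} no/" "$cfg"
  grep -q "^${key}[[:space:]]" "$cfg" || printf '%s no\n' "$key" >> "$cfg"
}

# sshd uses the first uncommented occurrence of a keyword, so report that one.
effective_value() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Returns 0 only when both password and root logins are off in the file.
verify_hardened() {
  [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] &&
  [ "$(effective_value "$1" PermitRootLogin)" = "no" ]
}

# Demo on a constructed sample that mimics a stock Debian/Ubuntu file;
# the commented-out PermitRootLogin line must end up active and set to no.
demo_harden() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
# Constructed sample sshd_config for the demo, not a real server's file.
Port 22
#PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
  set_sshd_option_no "$tmp" PasswordAuthentication
  set_sshd_option_no "$tmp" PermitRootLogin
  if verify_hardened "$tmp"; then rc=0; else rc=1; fi
  cat "$tmp"
  rm -f "$tmp"
  return $rc
}

# Run the demo and show the resulting file.
demo_harden
```

On the server, run the two set_sshd_option_no calls against /etc/ssh/sshd_config with sudo, then `sudo sshd -t` to syntax-check the file before you reboot, keeping your current key-based session open in case something is wrong. On distributions whose sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, those drop-in files are read first and can override these values, so check them as well.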
