Optimizing Security: SSH Public Key Authentication

The main benefit of SSH public key authentication is that your website will be protected against brute force attacks, while you keep the benefits of encrypted communication. Brute force attacks are automated, repeated guesses at the passwords of your SSH server in an attempt to access it illegally. This tutorial will show you how to use public key authentication.

If your website uses weak passwords, your SSH server can easily be hacked using brute force techniques. Almost all paid hosting accounts in the most common web hosting companies do include the SSH feature. But the default SSH activation is not enough; it is still susceptible to brute force hacking attacks.

An SSH server (such as your hosting account) can be accessed in two ways: using password authentication, and using public key authentication. Password authentication is the most common method of accessing an SSH server. It requires users to enter the SSH username, password, hostname and SSH port number to authenticate the login.

Public key authentication, on the other hand, is the most secure and optimal in terms of website security. It works by importing a public key to the remote SSH server and then connecting to the server using the private key stored in your computer. This is passwordless authentication; it means you will be able to log in to your SSH server without entering a password. If you do not have the private key, you won’t be able to log in to your server successfully. You will keep this private key in a secure location within your own computer.

Since public key authentication needs a private key for complete authentication, brute force attempts to guess passwords will be futile if you use public key authentication (assuming password authentication is disabled). There are still a lot of points that you need to observe while implementing public key authentication. These will be discussed throughout this article. This tutorial is for a total beginner looking for a complete step-by-step guide on how to use public key authentication.

What do you need to have?

This tutorial works best if you meet the following requirements (some are recommended but not required):

1. Dedicated hosting server – You will need to have read and write access to the SSH configuration files (sshd_config) in your remote server. If you are in a shared hosting environment, this tutorial still works for you, but with some limitations.

2. Web Host uses Linux/Unix OS – Check to see if your web host uses Linux/Unix as the operating system. This makes it easier for you to issue SSH/Shell commands and do some configuration. A Windows server will work, provided SSH functionality is included.

3. SSH enabled – This is required. You need to enable SSH for your hosting account first, before proceeding with the rest of the tutorial. If you have a paid hosting account and you do not know how to enable SSH, consult with your hosting support (provided the SSH feature is included in your purchased hosting package).

Once enabled, you can use password authentication first (this is the default for most web hosts), and then follow the steps in this tutorial to change it to public key authentication (passwordless login). If it requires public key authentication directly (which some hosts might), then proceed to the next section.

4. Encrypted drive in your local computer (TrueCrypt for example) – You can create a TrueCrypt container by following this tutorial: http://www.truecrypt.org/docs/?s=tutorial. You will store the generated private and public key in these containers for security purposes. You can store it anywhere on your computer, as long as it is secure, if you are not using TrueCrypt.

5. Your computer uses the Ubuntu/Linux Operating system – This makes it easy for you to create public and private key pairs. This tutorial uses Ubuntu Lucid Lynx.

Create the Public and Private Key Pair

Now that you have SSH enabled for your hosting account, and you can log in using password authentication, it’s time to create public and private keys. Follow the steps below:
 
1. In your Ubuntu computer, go to Applications –> Accessories –> Terminal.

2. Issue this command:

ssh-keygen -t rsa -b 4096

You will then see the message below:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/codex-m/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/codex-m/.ssh/id_rsa.
Your public key has been saved in /home/codex-m/.ssh/id_rsa.pub.

Just press Enter at “Enter file in which to save the key” to accept the default path. But do enter a passphrase for the key file; it protects the private key if the file is ever copied.

3. Go to /home/your_ubuntu_username/.ssh and you will find two keys there, namely: id_rsa (private key) and id_rsa.pub (public key). Move the two keys to an encrypted location, such as your TrueCrypt container.

Importing your Public Key to your Remote SSH server

For hosting accounts using Cpanel:

1. Log in to your Cpanel.

2. Go to Security –> SSH/Shell Access.

3. Click “Manage SSH Keys.”

4. Click “Import key.”

5. Choose a name (one word only).

6. Open id_rsa.pub, then copy and paste its entire contents under “Paste the Public Key in this box:”. The line should start with ssh-rsa.

7. Click “Import.”

8. Under “Public Keys,” you should see your public key imported. Under “Actions” beside it, click “Manage authorization.”

9. Click “Authorize.” Your public key is now ready to be used.

For other hosting accounts that do not use Cpanel:

1. Copy the two files id_rsa and id_rsa.pub back to /home/your_ubuntu_username/.ssh/

Make sure id_rsa and id_rsa.pub are located on this path: /home/your_ubuntu_username/.ssh

2. Launch terminal and issue this command:

ssh-copy-id your_ssh_username@yourdomain.com

Replace “your_ssh_username” with your SSH username and replace yourdomain.com with your domain. If you are not using port 22 for SSH connectivity, pass the port with the -p option (assuming you are using port 5678):

ssh-copy-id -p 5678 your_ssh_username@yourdomain.com

Older versions of ssh-copy-id do not have a -p option; on those, the port is passed inside the quoted argument instead:

ssh-copy-id "your_ssh_username@yourdomain.com -p 5678"

3. You are then required to enter your SSH password.

4. Test by connecting to your SSH server. Issue this command:

ssh your_ssh_username@yourdomain.com

5. You are then asked to enter your passphrase.

6. If you are able to log in without any issues, then your public key authentication is working.
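For hosts where neither cPanel nor ssh-copy-id is available, the public key has to be appended to ~/.ssh/authorized_keys on the server by hand. The script below is an added example, not part of the original article or of OpenSSH: it does what ssh-copy-id does under the hood, with the two checks that most often cause a key to be silently ignored (wrong permissions on ~/.ssh or authorized_keys, and a pasted line that is not a one-line OpenSSH public key), and it refuses to add the same key twice. It assumes a POSIX shell with coreutils and awk; the key material in DEMO_KEY is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: manual equivalent of ssh-copy-id for a server without cPanel.
# Not code from the original article. DEMO_KEY is constructed placeholder material.

# valid_pubkey <line>: accept only the OpenSSH one-line format "<type> <base64> [comment]".
valid_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey <public-key-line> <authorized_keys path>
# Creates the .ssh directory and file with the permissions sshd's StrictModes
# requires (700 on the directory, 600 on the file) and appends the key only if
# it is not already present, so repeated runs are harmless.
install_pubkey() {
    key=$1
    authkeys=$2
    dir=$(dirname "$authkeys")

    valid_pubkey "$key" || {
        echo "refusing to install: not an OpenSSH public key line" >&2
        return 1
    }

    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$authkeys" ] || : > "$authkeys"
    chmod 600 "$authkeys"

    # Compare on key type and base64 blob only, so a changed trailing
    # comment (user@host) does not produce a duplicate entry.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if awk -v b="$blob" '($1 " " $2) == b {found=1} END {exit !found}' "$authkeys"; then
        echo "key already authorized in $authkeys"
        return 0
    fi
    printf '%s\n' "$key" >> "$authkeys"
    echo "key added to $authkeys"
}

# count_authorized <authorized_keys path>: number of key lines in the file.
count_authorized() {
    if [ -f "$1" ]; then
        grep -cE '^(ssh-|ecdsa-)' "$1" || true
    else
        echo 0
    fi
}

# Constructed demonstration key (placeholder, not real key material).
DEMO_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDexampleplaceholder== user@laptop'

demo() {
    tmp=$(mktemp -d)
    install_pubkey "$DEMO_KEY" "$tmp/.ssh/authorized_keys"
    install_pubkey "$DEMO_KEY" "$tmp/.ssh/authorized_keys"   # second run: no duplicate
    count_authorized "$tmp/.ssh/authorized_keys"              # 1
    rm -rf "$tmp"
}
demo
```

Run it on the server as the account you log in to, passing the contents of id_rsa.pub and "$HOME/.ssh/authorized_keys". If sshd still falls back to asking for a password afterwards, the permissions on the home directory itself are the next thing to check, since StrictModes also rejects a group- or world-writable home directory.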

Connecting Securely to an SSH Server with a Private Key in TrueCrypt

If you are not using TrueCrypt, you can still follow the steps in this section provided your private key file is in a secure location. Follow the steps below to connect to an SSH server using public key authentication with a private key file stored in a TrueCrypt container.

Using the shell/command line method (Terminal):

1. Get the path of the private key file inside the TrueCrypt container, or whatever secure folder you are using. It will look like this:

/media/truecrypt10/SSHKEYS/id_rsa

In the above example, truecrypt10 is the mount point of the TrueCrypt volume when it is mounted in Ubuntu.

2. Launch terminal and issue this command:

ssh -i <path_to_private_key_file> your_ssh_username@yourdomain.com
 
Using the path example above, it will be:

ssh -i /media/truecrypt10/SSHKEYS/id_rsa your_ssh_username@yourdomain.com

If you are not using port 22, then you should also specify the port with the -p parameter. For example, if you are using port 5678:

ssh -i /media/truecrypt10/SSHKEYS/id_rsa -p 5678 your_ssh_username@yourdomain.com

3. Press Enter to connect to your SSH server. You will need to enter the passphrase.

Using Filezilla:

1. Launch Filezilla.

2. Go to Edit –> Settings.

3. Click “SFTP.”

4. Click “Add Keyfile.”

5. Browse to the private key file stored in your TrueCrypt container. Select it and open.

6. If FileZilla asks whether to convert the key file, select Yes. Enter your passphrase.

7. Save it to the same path, but with a different filename (no file extension), for example privatekeyforfilezilla.

8. Click OK.

9. Go to Filezilla Site Manager:

  • Make sure Logontype is set to “Normal.”
  • Put in your SSH host, port number and username.
  • Leave the password field BLANK.

10. Now try connecting to your remote SSH server using Filezilla and public key authentication. You should be able to connect without providing any password.

Disable Password Authentication on your SSH Hosting Server

Now that you are sure your public key authentication is fully working in both the command line and Filezilla (GUI), you can safely disable password authentication.

For virtual dedicated hosting:

1. Log in to your SSH server using the command line method. Then become root with su -

2. Locate your sshd_config file. This is usually found in /etc/ssh/, so try going to that path. If you have problems locating this file, you can ask your web host for support.

3. Open the sshd_config file and make sure:

#PasswordAuthentication yes

is changed to:

PasswordAuthentication no

4. Also check that the following parameters are set as below:

PubkeyAuthentication yes
RSAAuthentication yes

5. Save changes to sshd_config file and then restart SSH:

sudo /etc/init.d/ssh restart

6. Try logging in with a password-based authentication only and not using public/private key. It should be denied.

7. For more security, you can even restrict the SSH access by IP address. You can read that here: http://bit.ly/q3afxE
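Two details of sshd_config make step 3 easy to get wrong: a directive that is still commented out (the shipped default #PasswordAuthentication yes) sets nothing, so the compiled-in default of yes applies; and when a keyword appears more than once, sshd uses the first uncommented occurrence, so a PasswordAuthentication no added at the bottom of the file has no effect if an earlier line still says yes. The checker below is an added example, not from the original article or from OpenSSH, that reads a file the way sshd does for these two cases and reports whether password logins are off and public key logins on. It assumes a POSIX shell and awk; it does not model Match blocks, and the two config files in the demo are constructed samples.

```shell
#!/bin/sh
# Added example: verify the sshd_config settings the tutorial asks for.
# Not code from the original article. Sample configs below are constructed.

# effective_value <file> <keyword>: the first active (uncommented) value for
# the keyword, lowercased; prints nothing if the keyword is never set.
# sshd also honours "Keyword=value" and Match blocks; neither is modelled here.
effective_value() {
    awk -v kw="$2" '
        /^[[:space:]]*#/ { next }                                   # comment lines set nothing
        tolower($1) == tolower(kw) { print tolower($2); exit }      # first occurrence wins
    ' "$1"
}

# check_sshd_config <file>: return 0 only if PasswordAuthentication is "no"
# and PubkeyAuthentication is "yes" (or unset, since sshd defaults it to yes).
check_sshd_config() {
    pw=$(effective_value "$1" PasswordAuthentication)
    pk=$(effective_value "$1" PubkeyAuthentication)
    rc=0
    pw_shown=${pw:-unset, so the default of yes applies}
    if [ "${pw:-yes}" != no ]; then
        echo "FAIL: PasswordAuthentication is '$pw_shown', expected 'no'"
        rc=1
    fi
    if [ "${pk:-yes}" != yes ]; then
        echo "FAIL: PubkeyAuthentication is '$pk', expected 'yes'"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: password logins disabled, public key logins enabled"
    return $rc
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample: the shipped default, directive still commented out.
    cat > "$tmp/default.conf" <<'EOF'
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF
    # Constructed sample: the hardened file the tutorial aims for.
    cat > "$tmp/hardened.conf" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
EOF
    check_sshd_config "$tmp/default.conf" || true   # FAIL
    check_sshd_config "$tmp/hardened.conf"          # OK
    rm -rf "$tmp"
}
demo
```

Run it as check_sshd_config /etc/ssh/sshd_config before restarting the service. The authoritative check is sshd itself: sshd -t validates the file syntax, and sshd -T prints the effective configuration after defaults and Match blocks are applied, so grep for passwordauthentication in its output to confirm the setting actually took effect.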

For Shared Hosting

Unfortunately, not all shared hosting allows you to disable password authentication after you have completely set up public key authentication. A good example is GoDaddy shared hosting. Even though you can configure your SSH server to use public key authentication, you cannot disable password authentication without using their virtual dedicated hosting.

But some hosting services, such as Ubiquity hosting, default to public key authentication if you use SSH. And by default, I mean that they disable password authentication also. So all you need to do is create public and private keys, as illustrated in this tutorial. Then import the public key through their Cpanel and access the remote server using either Filezilla or command line.
