Optimizing Security: SSH Public Key Authentication
If your hosting account uses a weak password, your SSH server can be broken into with simple brute force guessing. Almost all paid hosting accounts with the common web hosting companies include SSH access. Merely enabling SSH is not enough, though; a password-protected SSH login is still exposed to brute force attacks.

An SSH server (such as your hosting account) can be accessed in two ways: password authentication and public key authentication. Password authentication is the most common method. It requires the user to supply the SSH username, password, hostname and SSH port number to log in. Public key authentication, on the other hand, is the most secure option for your website. It works by importing a public key into the remote SSH server and then connecting with the private key stored on your own computer. This is passwordless authentication: you log in to your SSH server without entering a password, and without the private key a login cannot succeed. You keep this private key in a secure location on your own computer.

Because public key authentication requires the private key to complete the login, brute force attempts to guess passwords are futile (assuming password authentication is disabled on the server). There are still a number of points to observe when implementing public key authentication, and they are covered throughout this article. This tutorial is written for a total beginner who wants a complete step-by-step guide to using public key authentication.

What do you need to have?

This tutorial works best if you meet the following requirements (some are recommended rather than required):

1. Dedicated hosting server - You will need read and write access to the SSH server configuration file (sshd_config) on your remote server. If you are in a shared hosting environment, this tutorial still works for you, but with some limitations.

2. Web host uses a Linux/Unix OS - Check whether your web host runs Linux/Unix as the operating system. This makes it easier to issue SSH/shell commands and do some configuration. A Windows server will also work, provided SSH functionality is included.

3. SSH enabled - This is required. Enable SSH for your hosting account before proceeding with the rest of the tutorial. If you have a paid hosting account and do not know how to enable SSH, consult your hosting support (provided the SSH feature is included in your hosting package). Once enabled, you can use password authentication first (the default with most web hosts) and then follow the steps in this tutorial to switch to public key authentication (passwordless login). If your host requires public key authentication from the start (some do), proceed directly to the next section.

4. Encrypted drive on your local computer (TrueCrypt, for example) - You can create a TrueCrypt container by following this tutorial: http://www.truecrypt.org/docs/?s=tutorial. You will store the generated private and public keys in this container for safekeeping. If you are not using TrueCrypt, you can store them anywhere on your computer, as long as the location is secure.

5. Your computer runs Ubuntu/Linux - This makes it easy to create the public and private key pair. This tutorial uses Ubuntu Lucid Lynx.

Create the Public and Private Key Pair

Now that SSH is enabled for your hosting account and you can log in using password authentication, it is time to create the public and private keys. Follow the steps below:

1. Launch a terminal.

2. Issue this command:

   ssh-keygen -t rsa -b 4096

   You will then see the message below:

   Generating public/private rsa key pair.

   Leave "Enter file in which to save the key" blank (press Enter to accept the default), but do enter a passphrase for the key file.

3. Go to /home/your_ubuntu_username/.ssh and you will find two keys there: id_rsa (private key) and id_rsa.pub (public key). Cut and paste the two keys to an encrypted location, such as your TrueCrypt container.

Importing your Public Key to your Remote SSH Server

For hosting accounts using cPanel:

1. Log in to your cPanel.
2. Go to Security -> SSH/Shell Access.
3. Click "Manage SSH Keys."
4. Click "Import key."
5. Choose a name (one word only).
6. Open id_rsa.pub and copy and paste its entire contents into the box under "Paste the Public Key in this box:". It should start with ssh-rsa.
7. Click "Import."
8. Under "Public Keys," you should see your imported public key. Under "Actions" beside it, click "Manage authorization."
9. Click "Authorize."

Your public key is now ready to be used.

For other hosting accounts that do not use cPanel:

1. Copy the two files id_rsa and id_rsa.pub back to /home/your_ubuntu_username/.ssh/. Make sure both are located at that path.

2. Launch a terminal and issue this command:

   ssh-copy-id your_ssh_username@yourdomain.com

   Replace "your_ssh_username" with your SSH username and yourdomain.com with your domain. If you are not using port 22 for SSH, pass the port with -p (assuming you are using port 5678):

   ssh-copy-id -p 5678 your_ssh_username@yourdomain.com

3. You are then required to enter your SSH password.

4. Test by connecting to your SSH server. Issue this command (add -p 5678 again if you use a non-default port):

   ssh your_ssh_username@yourdomain.com

5. You are then asked to enter your passphrase.

6. If you are able to log in without any issues, your public key authentication is working.
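The tutorial relies on two things it does not check for you: that sshd_config really disables password logins (requirement 1 and the "assuming password authentication is disabled" caveat), and that the id_rsa.pub line you paste in step 6 is well-formed (it must begin with the literal type ssh-rsa). The script below is an added example, not part of the original article; the sample config files it writes are constructed for the demo, and the public key blob is a constructed stub.

```shell
# Added example: audit the sshd_config settings that make key-only login
# enforced, and sanity-check a public key line before pasting it in.
# sshd honours the FIRST occurrence of a keyword; later duplicates are ignored.
effective_option() {   # usage: effective_option <keyword> <file>
    awk -v key="$1" 'tolower($1)==tolower(key) {print tolower($2); exit}' "$2"
}

# Prints "ok" when password logins are off and key logins are on.
# A commented-out or absent PasswordAuthentication defaults to "yes" (weak).
check_sshd_config() {
    pw=$(effective_option PasswordAuthentication "$1")
    pk=$(effective_option PubkeyAuthentication "$1")
    pw=${pw:-yes}
    pk=${pk:-yes}
    if [ "$pw" = no ] && [ "$pk" = yes ]; then echo ok; else echo weak; fi
}

# A valid id_rsa.pub line is "<type> <base64 blob> [comment]"; the type for
# the key generated in this tutorial must be exactly "ssh-rsa" (no space).
check_pubkey_line() {
    set -- $1                      # split the line on whitespace
    case "$1" in ssh-rsa) ;; *) echo bad; return ;; esac
    [ -n "$2" ] || { echo bad; return; }
    printf '%s' "$2" | base64 -d >/dev/null 2>&1 && echo ok || echo bad
}

# Constructed sample configs: a typical hosting default, and a hardened one
# whose stray trailing "yes" is ignored because the first match wins.
tmp=$(mktemp -d)
printf 'Port 5678\n#PasswordAuthentication yes\nPubkeyAuthentication yes\n' \
    > "$tmp/default_sshd_config"
printf 'Port 5678\nPasswordAuthentication no\nPubkeyAuthentication yes\nPasswordAuthentication yes\n' \
    > "$tmp/hardened_sshd_config"

check_sshd_config "$tmp/default_sshd_config"              # weak
check_sshd_config "$tmp/hardened_sshd_config"             # ok
check_pubkey_line "ssh-rsa AAAAB3NzaC1yc2E= user@laptop"  # ok
check_pubkey_line "ssh -rsa AAAAB3NzaC1yc2E= user@laptop" # bad
```

Run check_sshd_config against the real /etc/ssh/sshd_config on a server where you have access to it; on shared hosting you can only check the public key line.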