SSH Key-Based Authentication

Now we are going to set up your login to authenticate with a specific SSH key for extra security.

1. Create a Private SSH Key

If you haven't already, download PuTTY, which should come with PuTTYgen, the key generator.

1

Launch PuTTYgen

2

Generate the Key Pair

  1. Start Key Generation: Click the "Generate" button.

  2. Move the Mouse Cursor: To create randomness, move your mouse cursor around the blank area in the PuTTYgen window. This process helps generate a secure key.

  3. Completion: Once the progress bar is full and the key is generated, PuTTYgen will display the public key.

  4. Add a Passphrase: Enter a strong passphrase in the "Key passphrase" and "Confirm passphrase" fields. This adds an extra layer of security by encrypting your private key.

3

Save the Private Key

  1. Click "Save private key".

  2. Choose a Secure Location: Save the .ppk file (PuTTY Private Key) in a secure directory on your local machine.

4

Save the Public Key

  1. Click "Save public key".

  2. Choose a Secure Location: Save the public key file in a secure directory on your local machine.

5

Copy the Public Key for Remote Server

  • In the PuTTYgen window, locate the "Public key for pasting into OpenSSH authorized_keys file" section.

  • Select and Copy: Highlight the entire key and copy it to your clipboard (Ctrl+C) or have it ready to copy if you're going to be copying the commands below.

2. Switch to notarb user

Back in your Ubuntu terminal, let's switch to the notarb user.

sudo su - notarb

3. Create the .ssh directory:

mkdir -p ~/.ssh
chmod 700 ~/.ssh

4. Add Your Public SSH Key

We are going to take the copied Public Key text and paste it into the authorized_keys file. We'll use nano to edit the file.

1

Open the authorized_keys file:

nano ~/.ssh/authorized_keys

2

Paste the public key you copied. One line is one public key.

3

Save and Exit: Press Ctrl + O to save, then Ctrl + X to exit.
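
The permission and one-key-per-line requirements from steps 3 and 4, as an added shell example that is not part of the original guide. `install_pubkey` is a hypothetical helper name; it also catches the common mistake of pasting the multi-line file written by PuTTYgen's "Save public key" button instead of the one-line OpenSSH text.

```shell
#!/bin/sh
# Added example, not from the original guide.
# install_pubkey KEY [HOME_DIR]: hypothetical helper that appends one OpenSSH
# public key line to HOME_DIR/.ssh/authorized_keys with safe permissions.
install_pubkey() {
    key=$1
    home_dir=${2:-$HOME}
    auth="$home_dir/.ssh/authorized_keys"
    nl='
'
    case $key in
        # PuTTYgen's "Save public key" file starts with this header and is
        # multi-line; authorized_keys needs the one-line OpenSSH form.
        *"BEGIN SSH2 PUBLIC KEY"*)
            echo "SSH2-format key: copy the one-line OpenSSH text instead" >&2
            return 2 ;;
        # One line is one public key: reject a paste that wrapped.
        *"$nl"*)
            echo "key spans more than one line" >&2
            return 3 ;;
    esac

    # Shape check only: "<type> <base64 blob> [comment]".
    if ! printf '%s\n' "$key" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
    then
        echo "not an OpenSSH public key line" >&2
        return 4
    fi

    # sshd's StrictModes (on by default) checks modes and ownership of these
    # paths, so keep them private to the account.
    mkdir -p "$home_dir/.ssh" && chmod 700 "$home_dir/.ssh" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}
```

Run it as the notarb user with the copied key as the first argument, in single quotes; a non-zero exit status means nothing was written.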

5. Configure PuTTY to Use Your Private Key

We'll now set up PuTTY so it will log in using your key.

1

Open PuTTY

Launch PuTTY: Open PuTTY from the Start menu or desktop shortcut.

2

Enter Connection Details

Under Session Settings, enter the following:

  • Host Name (or IP address): Enter your remote server's hostname or IP.

  • Port: Typically 22 for SSH.

  • Connection Type: Ensure SSH is selected.

3

Save the Session

Under "Saved Sessions", enter a name.

It is best practice to name the session after the provider, with its location and another identifier, in case you decide to scale up later.

Example: OVH-AMS1

Click "Save" to reuse these settings in the future.

4

Specify the Private Key for Authentication

  • Navigate to SSH Authentication Settings:

    In the left sidebar, expand "Connection" > "SSH" > "Auth".

  • Browse for Private Key:

    • Click "Browse..." next to "Private key file for authentication".

      • Select the .ppk file you saved earlier (e.g., id_rsa.ppk).

5

Save the Session:

Select the Session category and save the session again for the changes to take effect.

6. Connect to the Remote Server Using Your SSH Key

  1. Start the Connection:

    • Click "Open" to initiate the SSH session.

    • If prompted with a security alert about the server's host key, verify it and click "Yes" to proceed.

  2. Login with Username:

    • When prompted, enter your username on the remote server.

    • If You Set a Passphrase: You'll be prompted to enter the passphrase for your private key.

  3. Successful Authentication:

    • Upon successful authentication, you'll gain access to the remote server without needing to enter your password.

7. Configure Server SSH Login Options

Before proceeding, ensure you have at least one non-root user account with sudo privileges. This is crucial to prevent being locked out of your server. We've already set up the notarb user, so make sure you can log in as notarb before going further.

Setting Up Logins with SSH Key

Time to configure our login so we don't have to enter a password every time and instead use our key.

1

Open SSH Daemon Config File

sudo nano /etc/ssh/sshd_config

2

Enable AuthorizedKeysFile by removing the #

Change from:

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

To:

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

3

Save and Exit the Editor

Press Ctrl + O to save, then Ctrl + X to exit.

4

Restart the SSH Service:

sudo systemctl restart sshd

5

Test the configuration by logging in on another terminal.

Open up another terminal and try accessing your server again. Ensure that the following settings are in place:

  • Connection>Data>Auto-login username: notarb

  • Connection>SSH>Auth>Credentials>Private key for authentication: set to your private key

Disable root login

Now that we've ensured that we can log in with another user, we can safely disable root login access remotely.

We can still use the root user after this change; we just have to log in as another user first and then switch to root.

1

Open SSH Daemon Config File

sudo nano /etc/ssh/sshd_config

2

Disable root Login

Find PermitRootLogin and ensure it's set to no and is uncommented. Change from:

#PermitRootLogin no

To:

PermitRootLogin no

You can now try to log in using the root user and you should get an Access Denied response. Time to set up the firewall and login protection.
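
A check for the edits made in this section, as an added shell example that is not part of the original guide: it reports the value sshd would take for a keyword, which matters because sshd uses the first value it reads, so an earlier live `PermitRootLogin yes` beats a later `no`. The helper names and the sample config are constructed for illustration; Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example, not from the original guide.
# sshd_config(5): keywords are case-insensitive and the FIRST value obtained
# wins. Simplifications (assumptions): only whitespace-separated
# "Keyword value" lines are read, Include files are not followed, and
# parsing stops at the first Match block. `sudo sshd -T` prints the real
# effective configuration.
sshd_first_value() {   # hypothetical helper: sshd_first_value FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

audit_root_login() {   # hypothetical helper: status 0 only if root login is off
    val=$(sshd_first_value "$1" PermitRootLogin)
    case $val in
        no) echo "PermitRootLogin no: ok" ;;
        "") echo "PermitRootLogin not set: sshd default applies" >&2
            return 1 ;;
        *)  echo "PermitRootLogin $val is read first: fix that line" >&2
            return 1 ;;
    esac
}

# Constructed sample: the commented line is ignored, the first live one wins.
sample_config() {
    cat <<'EOF'
#PermitRootLogin no
permitrootlogin yes
AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
PermitRootLogin no
Match User backup
    PermitRootLogin forced-commands-only
EOF
}
```

Run `audit_root_login /etc/ssh/sshd_config` after editing, then `sudo sshd -t` to check the syntax before restarting the service so the change takes effect. Keep the current session open until a second login as notarb succeeds.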
