Switching SSH Password to SSH-Keys Authentication

Have you created a VPS without SSH-keys? No worries, Switching SSH Password to SSH-Keys Authentication can be accomplished using simple steps, and you should be able to SSH to your VPS using SSH-Keys Authentication instead of SSH Password Authentication. This article assumes that you have already created and prepared your SSH-Keys pair using either Putty, or Linux or UNIX Like ssh-client.

Objectives:

1. Uploading Key’s Concept and Why Should be Uploaded to Your VPS

2. Uploading Public Key from Windows Admin Station to Your VPS

3. Uploading Public Key from Linux/UNIX Admin Station to Your VPS

Prerequisites:

A. Basic Debian or Red Hat Linux Knowledge

B. Login to your DigitalOcean or Vultr Account

Keep in mind:

a. If you haven’t created SSH-Keys yet, check the previous articles, which will guide you step by step to create SSH-Keys Pair using either Windows or Linux/UNIX Admin Station.

b. It’s crucial to disable “SSH Password Authentication” after you have successfully tested your SSH-Keys login, when you reach to Securing and Hardening SSH Server Configuration article.

Below, I will show you few simple steps needed to upload your Public Key (the 2nd part of your SSH-keys pair) to your VPS, hence, you can SSH using SSH-keys instead of Password Authentication.

Recommendations:

For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.

Uploading Key’s Concept and Why Should be Uploaded to Your VPS

Public Key is the second part of SSH-Keys Pair, it’s called Public Key since you can securely share this Key with the rest of the world. As far as I know, there is no similar 2 Public Keys in the world. Meaning, if you wanted me to help you setup your system, you would ask me to provide you my Public Key, therefore, you would grant me access to you system, and you will be sure it’s me since I own the other part of the pair – the Private Key.

When Public Keys uploaded to a VPS, they are saved in special file. Public Keys database file can hold One or Multiple SysAdmin Professionals (including you the Owner) to manage the system. The keys database should be saved under /root/.ssh/authorized_keys file. This file will contain all uploaded Public Keys you allow to access your Server. Public Keys will be and should be listed each on its own line.

When connection established to a SSH Server, it compares the Public Key that is being used by SSH client to the Public Keys listed under authorized_keys file, if it matches, then the client has demonstrated it is the owner of the SSH-keys pair, therefore, access will be granted.

The .ssh directory must carry only and only root access rights. It’s important to remember that SSH Server will always check the access right of .ssh directory and authorized_keys, if SSH server found out that other user got access to the directory or the file, then SSH Server suspect unauthorized access and ignore the authorized_keys file, therefore, access won’t be granted.

TIP: If one day the SSH server doesn’t work, check .ssh directory and authorized_keys permissions access rights.

Finally, authorized_keys usually modified by special commands using root privileges, therefore, if you ever edit or create this file manually, make sure that each Public key end with newline, to be in a safe side, always hit enter at the end of each public key and at the end of the file before saving authorized_keys file.

Below, I will show you step by step how safely you can upload a public to your VPS and start using SSH-Keys Authentication instead of SSH Password Authentication. Besides, since SSH-keys considered an identity, it’s highly recommended to renew your SSH-Keys pair every while, and update your co-workers, clients, and your VPS with the new Public Key.

Uploading Public Key from Windows Admin Station to Your VPS

In this article, I assume that you have created your VPS without SSH-keys and you are able to login using root user name. Nevertheless, even if you have created your VPS using SSH-keys, the following steps can be used at Windows Admin Station if you wanted to upload more Public Keys to your VPS. For instance, you have another Admin Station and you wanted to upload the Second Station’s Public key to your VPS.

To start, first login to your VPS as root, then follow the steps below.

Run the following steps ( 1 to 5)

1. At Your VPS, Create SSH Directory

mkdir -p /root/.ssh/

Note: If the directory already exist, then maybe the authorized_keys file already there. Remember, authorized_keys file will carry all root Public Keys in one file. Meaning, if you need to add another Public Key, just append it to the existence Public Keys. Very important to remember that each key must be on its line.

2. Create/Edit Public Keys Authorized File

nano /root/.ssh/authorized_keys

As you probably guessed, paste the public key (which you created using Putty) into authorized_keys file.

Very Important: At the end of the pasted public key, press enter to see your courser moved to a new line, then save the file.

Save: Ctrl-X, Hit Y Key, and Enter.

3. Allow Only Root Access

chmod 700 -R /root/.ssh/

4. List authorized_keys File Properties

ls -lah /root/.ssh/

Notice that only root must access either .ssh directory or authorized_keys, otherwise SSH server won’t accept any connection.

[...]
-rwx------ 1 root root 403 May 19 02:23 authorized_keys

5. Restart SSH Server

Debian Base

service ssh restart

CentOS Base

service sshd restart

Uploading Public Key from Linux/UNIX Admin Station to Your VPS

When it comes to Linux or UNIX, there are 2 optimized Methods to upload the Public Key to your VPS. Determining which Method to use is based on the Admin Station you are working on. Method1 below usually used by Linux, Method2 usually used by both – Linux and UNIX. Pick the method that suits your Linux/UNIX Admin Station.

Note: Since all public keys are appended to each other and saved under one file called authorized_keys, using scp command will over write authorized_keys file which results will of loosing all the public keys that have been appended to this file, hence, I don’t use scp command to upload Public Keys. Besides, make sure your Admin station’s Firewall allows In-bound and Out-Bound SSH services in order to connect to your VPS.

Run the following steps ( 1 to 7)

1. Upload Your Public Key

Method1 – Using ssh-copy-id command

At your Linux Admin Station, upload the public key to your VPS using ssh-copy-id command. (Requires OpenSSH Package)

Note: Replace YOUR-VPS-IP-ADDRESS using your VPS IP Address.

ssh-copy-id [email protected]

Method2 – Using Native Linux/UNIX Commands

Note: Replace YOUR-VPS-IP-ADDRESS using your VPS IP Address.

cat /root/.ssh/id_rsa.pub | ssh [email protected] "mkdir -p /root/.ssh/ && cat >> /root/.ssh/authorized_keys && chmod 700 -R /root/.ssh/"

2. Either Method, You will be prompted by Authenticity Message

The authenticity of host 'YOUR-VPS-IP-ADDRESS(YOUR-VPS-IP-ADDRESS)' can't be established.
ECDSA key fingerprint is 0f:d4:22:d8:82:cb:54:b4:57:c1:8d:90:97:7c:05:5d.
Are you sure you want to continue connecting (yes/no)?

Each Server in this world got a unique fingerprint. At ECDSA line, write down the first and last 2 digits of this fingerprint, in my case 0f: and :5d. Therefore, before typing Yes, go to your VPS’s Web Console and retrieve Server’s Key ECDSA Fingerprint as shown below.

3. From your VPS Web Console

Run the following commands to retrieve ECDSA Server’s Key fingerprint before typing Yes as shown below:

[email protected]:~# cd /etc/ssh/
[email protected]:/etc/ssh# ssh-keygen -lf ssh_host_ecdsa_key.pub
256 0f:d4:22:d8:82:cb:54:b4:57:c1:8d:90:97:7c:05:5d ssh_host_ecdsa_key.pub (ECDSA)
[email protected]:/etc/ssh#

The following image below, shows that I have logged in to my Vultr’s instance to verify ECDSA fingerprint before clicking Yes. Notice, that 0f and 5d matched with the above authenticity message, therefore, it’s safe to type Yes and continue entering root password.

4. Enter root Password

After you have confirmed that you are logging in to the right server, type Yes to continue. Once you enter your root password, the upload or copy process will start. Once it’s done, you will see the following message. This message indicates that the upload/copy has been successful.

Now try logging into the machine, with "ssh '[email protected]'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

5. SSH to Your VPS to Verify the Public Key

After uploading the Public Key, you need to SSH again using new ssh session to verify that you will be prompted to Enter Private Key Passphrase instead of regular root password.

ssh [email protected]

TIP: by default the name of the created private key id_rsa if you haven’t set a name during SSH-Keys creation, however, if you have created multiple private keys using different names, then use -i switch to specify the key path and name. For Example:

ssh -i /root/.ssh/YOUR-PRIVATE-KEY [email protected]

Since you have uploaded the Public key at step1, you should be prompted to enter Private Key’s Passphrase to login.

Enter passphrase for key '/root/.ssh/id_rsa':

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 12 11:54:49 2015
[email protected]:~#

6. Display authorized_key file

Displaying all uploaded Public Keys to confirm that you have uploaded the right key is good practice. look at each Public key’s comment to confirm to whom the Public Key belongs.

cat /root/.ssh/authorized_keys

7. Allow Only Root Access

chmod 700 -R /root/.ssh/

Verify authorized_keys file Permission

Make sure only root user has access as shown below, otherwise, ssh server won’t accept connections.

ls -lah /root/.ssh/

[...]
-rw------- 1 root root  403 May 19 02:19 authorized_keys

Subject Related

By Wikipedia SSH | About SSH | Debian HowTo SSH-Keys | CentOS HowTo SSH-Keys