Building Professional Web Hosting Solution
<< Linux Basic Setup and Configuration Course
>> Configuring SSH-Key Based Authentication Section
- Understanding SSH-Keys Based Authentication
- Creating SSH-Keys using Putty Keys Generator
- Creating Public VPS Droplet using DigitalOcean
- Managing Linux VPS Instance via Putty SSH Client
- Managing Linux VPS Instance via WinSCP Client
- Creating SSH-Keys using Terminal Keys Generator
- Switching SSH Password to SSH-Keys Authentication
- Uploading Admins and Friends SSH-Keys to VPS
- Uploading SSH Public Keys using VPS Panel
- SSH Hopping using SSH Agent Forwarding
- Deploying Public VPS instance using Vultr Provider
- Securing and Hardening SSH Server Configuration
- SSH Server and Client Most Known Error Messages
Have you created a VPS without SSH-keys? No worries. Switching from SSH Password to SSH-Keys Authentication takes a few simple steps, after which you will be able to SSH to your VPS using SSH-Keys Authentication instead of SSH Password Authentication. This article assumes that you have already created and prepared your SSH-Keys pair using either Putty or a Linux or UNIX-like ssh client.
Objectives:
1. Uploading Key’s Concept and Why Should be Uploaded to Your VPS
2. Uploading Public Key from Windows Admin Station to Your VPS
3. Uploading Public Key from Linux/UNIX Admin Station to Your VPS
Prerequisites:
A. Basic Debian or Red Hat Linux Knowledge
B. Login to your DigitalOcean or Vultr Account
Keep in mind:
a. If you haven’t created SSH-Keys yet, check the previous articles, which guide you step by step through creating an SSH-Keys pair using either a Windows or a Linux/UNIX Admin Station.
b. It’s crucial to disable “SSH Password Authentication” after you have successfully tested your SSH-Keys login; this is covered in the Securing and Hardening SSH Server Configuration article.
Below, I will show you the few simple steps needed to upload your Public Key (the 2nd part of your SSH-keys pair) to your VPS, so that you can SSH using SSH-keys instead of Password Authentication.
Recommendations:
For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.
Uploading Key’s Concept and Why Should be Uploaded to Your VPS
The Public Key is the second part of the SSH-Keys pair. It’s called the Public Key because you can safely share it with the rest of the world. As far as I know, no two Public Keys in the world are the same. This means that if you wanted me to help you set up your system, you would ask me for my Public Key and use it to grant me access to your system, and you could be sure it’s me since I own the other part of the pair, the Private Key.
When Public Keys are uploaded to a VPS, they are saved in a special file. This Public Keys database file can hold the keys of one or multiple SysAdmin professionals (including you, the owner) who manage the system. For the root user, the keys database is saved in the /root/.ssh/authorized_keys file. This file contains all the uploaded Public Keys you allow to access your server, and each Public Key must be listed on its own line.
When a connection is established to an SSH server, the server compares the Public Key offered by the SSH client with the Public Keys listed in the authorized_keys file. If one matches, the client proves that it holds the matching Private Key by signing a challenge, without ever sending the Private Key. Having demonstrated that it owns the SSH-keys pair, it is granted access.
The .ssh directory must be accessible by root and only root. Remember that the SSH server always checks the access rights of the .ssh directory and the authorized_keys file (this is the StrictModes option of the SSH server, which is on by default). If the SSH server finds that another user has access to the directory or the file, it suspects unauthorized access and ignores the authorized_keys file, so access won’t be granted.
TIP: If one day SSH-Keys login to the server stops working, check the access rights of the .ssh directory and the authorized_keys file.
Finally, authorized_keys is usually modified by special commands running with root privileges. If you ever edit or create this file manually, make sure that each Public Key ends with a newline. To be on the safe side, always hit Enter at the end of each public key and at the end of the file before saving authorized_keys.
Below, I will show you step by step how to safely upload a Public Key to your VPS and start using SSH-Keys Authentication instead of SSH Password Authentication. Besides, since SSH-keys are considered an identity, it’s highly recommended to renew your SSH-Keys pair every once in a while, and to update your co-workers, clients, and your VPS with the new Public Key.
Uploading Public Key from Windows Admin Station to Your VPS
In this article, I assume that you have created your VPS without SSH-keys and that you are able to log in as the root user. Nevertheless, even if you created your VPS using SSH-keys, the following steps can be used from a Windows Admin Station to upload more Public Keys to your VPS, for instance when you have another Admin Station and want to upload the second station’s Public Key.
To start, log in to your VPS as root, then follow the steps below.
Run the following steps (1 to 5)
1. At Your VPS, Create SSH Directory
mkdir -p /root/.ssh/
Note: If the directory already exists, the authorized_keys file may already be there. Remember, the authorized_keys file carries all of root's Public Keys in one file, so if you need to add another Public Key, just append it after the existing Public Keys. It is very important that each key is on its own line.
2. Create/Edit Public Keys Authorized File
nano /root/.ssh/authorized_keys
As you probably guessed, paste the public key (which you created using Putty) into the authorized_keys file.
Very Important: At the end of the pasted public key, press Enter so that your cursor moves to a new line, then save the file.
Save: Ctrl-X, Hit Y Key, and Enter.
3. Allow Only Root Access
chmod 700 -R /root/.ssh/
4. List authorized_keys File Properties
ls -lah /root/.ssh/
Notice that only root may have access to the .ssh directory and the authorized_keys file, otherwise the SSH server won’t accept any connection.
[...] -rwx------ 1 root root 403 May 19 02:23 authorized_keys
5. Restart SSH Server
Debian Base
service ssh restart
CentOS Base
service sshd restart
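Steps 1 to 4 above, combined into one shell function as an added example (not part of the original article). The name add_pubkey and its return codes are assumptions made here; it sets mode 600 on authorized_keys, which is tighter than the 700 shown above and is also accepted by the SSH server, and it takes the .ssh directory as an argument so it can be tried on a scratch directory first.

```shell
#!/bin/sh
# Added example: append one public key to an authorized_keys file safely.
# add_pubkey is an illustrative name, not a command from the article.
#
# Usage on the VPS (as root):  add_pubkey /root/.ssh "$(cat second-station.pub)"
# Returns: 0 = key appended, 1 = key already present, 2 = input rejected.
add_pubkey() {
    dir=$1
    key=$2
    file="$dir/authorized_keys"

    # One key per line: reject empty input and anything containing a newline.
    [ -n "$key" ] || return 2
    case $key in
        *'
'*) return 2 ;;
    esac
    # Expect "key-type base64-blob [comment]" with a known key-type prefix.
    case $key in
        ssh-*\ ?*|ecdsa-*\ ?*|sk-*\ ?*) ;;
        *) return 2 ;;
    esac

    # Directory for the owner only, key file readable/writable by the owner only.
    mkdir -p "$dir" && chmod 700 "$dir" || return 2
    [ -e "$file" ] || : > "$file"
    chmod 600 "$file"

    # An identical whole line means this key is already authorized.
    if grep -qxF -- "$key" "$file"; then
        return 1
    fi

    # If the file does not end with a newline, add one first so the new key
    # is not glued onto the end of the previous key.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$key" >> "$file"
}
```

Because the function only appends, existing keys in authorized_keys are never overwritten, and running it twice with the same key leaves a single entry.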
Uploading Public Key from Linux/UNIX Admin Station to Your VPS
When it comes to Linux or UNIX, there are 2 optimized Methods to upload the Public Key to your VPS. Which Method to use depends on the Admin Station you are working on. Method1 below is usually used on Linux, and Method2 is usually used on both Linux and UNIX. Pick the method that suits your Linux/UNIX Admin Station.
Note: Since all public keys are appended to each other and saved in one file called authorized_keys, using the scp command will overwrite the authorized_keys file, which results in losing all the public keys that have been appended to this file. Hence, I don’t use the scp command to upload Public Keys. Besides, make sure your Admin Station’s firewall allows inbound and outbound SSH services in order to connect to your VPS.
Run the following steps (1 to 7)
1. Upload Your Public Key
Method1 – Using ssh-copy-id command
At your Linux Admin Station, upload the public key to your VPS using the ssh-copy-id command. (Requires the OpenSSH package)
Note: Replace YOUR-VPS-IP-ADDRESS with your VPS IP Address.
ssh-copy-id root@YOUR-VPS-IP-ADDRESS
Method2 – Using Native Linux/UNIX Commands
Note: Replace YOUR-VPS-IP-ADDRESS with your VPS IP Address.
cat /root/.ssh/id_rsa.pub | ssh root@YOUR-VPS-IP-ADDRESS "mkdir -p /root/.ssh/ && cat >> /root/.ssh/authorized_keys && chmod 700 -R /root/.ssh/"
2. With Either Method, You Will Be Prompted with an Authenticity Message
The authenticity of host 'YOUR-VPS-IP-ADDRESS(YOUR-VPS-IP-ADDRESS)' can't be established.
ECDSA key fingerprint is 0f:d4:22:d8:82:cb:54:b4:57:c1:8d:90:97:7c:05:5d.
Are you sure you want to continue connecting (yes/no)?
Each server in this world has a unique fingerprint. From the ECDSA line, write down the first and last 2 digits of this fingerprint, in my case 0f: and :5d. Then, before typing Yes, go to your VPS’s Web Console and retrieve the server’s ECDSA key fingerprint as shown below.
3. From your VPS Web Console
Run the following commands to retrieve ECDSA Server’s Key fingerprint before typing Yes as shown below:
root@vultr:~# cd /etc/ssh/
root@vultr:/etc/ssh# ssh-keygen -lf ssh_host_ecdsa_key.pub
256 0f:d4:22:d8:82:cb:54:b4:57:c1:8d:90:97:7c:05:5d ssh_host_ecdsa_key.pub (ECDSA)
root@vultr:/etc/ssh#
The image below shows that I have logged in to my Vultr instance to verify the ECDSA fingerprint before typing Yes. Notice that 0f and 5d match the authenticity message above, therefore it’s safe to type Yes and continue by entering the root password.
4. Enter root Password
After you have confirmed that you are logging in to the right server, type Yes to continue. Once you enter your root password, the upload or copy process will start. Once it’s done, you will see the following message. This message indicates that the upload/copy has been successful.
Now try logging into the machine, with "ssh 'root@YOUR-VPS-IP-ADDRESS'", and check in: ~/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.
5. SSH to Your VPS to Verify the Public Key
After uploading the Public Key, SSH again in a new ssh session to verify that you are prompted for the Private Key Passphrase instead of the regular root password.
ssh root@YOUR-VPS-IP-ADDRESS
TIP: By default, the private key is named id_rsa if you didn’t set a name during SSH-Keys creation. However, if you have created multiple private keys using different names, use the -i switch to specify the key path and name. For example:
ssh -i /root/.ssh/YOUR-PRIVATE-KEY root@YOUR-VPS-IP-ADDRESS
Since you have uploaded the Public Key in step 1, you should be prompted to enter the Private Key’s Passphrase to log in.
Enter passphrase for key '/root/.ssh/id_rsa':
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 12 11:54:49 2015
root@vultr:~#
6. Display authorized_keys File
Displaying all uploaded Public Keys to confirm that you have uploaded the right key is good practice. Look at each Public Key’s comment to confirm to whom the Public Key belongs.
cat /root/.ssh/authorized_keys
7. Allow Only Root Access
chmod 700 -R /root/.ssh/
Verify authorized_keys file Permission
Make sure only the root user has access, as shown below, otherwise the SSH server won’t accept connections.
ls -lah /root/.ssh/
[...] -rw------- 1 root root 403 May 19 02:19 authorized_keys
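Steps 2 and 3 above, as an added example that is not part of the original article: the fingerprint is computed from the host key file with standard tools and compared over its whole length rather than only its first and last digits. The function names fp_md5, fp_norm and fp_matches are assumptions made here.

```shell
#!/bin/sh
# Added example: full-length host key fingerprint check.
# fp_md5, fp_norm and fp_matches are illustrative names, not from the article.

# fp_md5 PUBKEY_FILE
# Prints the colon-separated MD5 fingerprint of an OpenSSH public key file
# ("key-type base64-blob comment"), the format shown in the authenticity
# message above. Run it on the VPS web console, for example on
# /etc/ssh/ssh_host_ecdsa_key.pub.
fp_md5() {
    awk 'NF >= 2 { print $2; exit }' "$1" \
        | base64 -d \
        | md5sum \
        | awk '{ print $1 }' \
        | sed 's/../&:/g; s/:$//'
}

# fp_norm FINGERPRINT
# Lower-cases the fingerprint and drops an optional "MD5:" prefix.
fp_norm() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/^md5://'
}

# fp_matches SHOWN_BY_CLIENT READ_ON_SERVER
# Returns 0 only if both fingerprints are identical over all 16 bytes,
# 1 if they differ anywhere, 2 if the first one is not a full fingerprint.
fp_matches() {
    shown=$(fp_norm "$1")
    expected=$(fp_norm "$2")
    printf '%s\n' "$shown" \
        | grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$' || return 2
    [ "$shown" = "$expected" ]
}
```

Current OpenSSH releases print SHA256 fingerprints by default; ssh-keygen -E md5 -lf on the server and the client option FingerprintHash=md5 show the colon-separated form used on this page.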