CCNA HUB

CCNA and Linux Training Hub!


Switching SSH Password to SSH-Keys Authentication

By Imad Daou

Building Professional Web Hosting Solution
<< Linux Basic Setup and Configuration Course
>> Configuring SSH-Key Based Authentication Section

section table
  1. Understanding SSH-Keys Based Authentication
  2. Creating SSH-Keys using Putty Keys Generator
  3. Creating Public VPS Droplet using DigitalOcean
  4. Managing Linux VPS Instance via Putty SSH Client
  5. Managing Linux VPS Instance via WinSCP Client
  6. Creating SSH-Keys using Terminal Keys Generator
  7. Switching SSH Password to SSH-Keys Authentication
  8. Uploading Admins and Friends SSH-Keys to VPS
  9. Uploading SSH Public Keys using VPS Panel
  10. SSH Hopping using SSH Agent Forwarding
  11. Deploying Public VPS instance using Vultr Provider
  12. Securing and Hardening SSH Server Configuration
  13. SSH Server and Client Most Known Error Messages

Have you created a VPS without SSH-keys? No worries: switching from SSH Password Authentication to SSH-Keys Authentication takes only a few simple steps, after which you will be able to SSH to your VPS using SSH-Keys Authentication instead of SSH Password Authentication. This article assumes that you have already created and prepared your SSH-Keys pair using either Putty or a Linux or UNIX-like SSH client.

Objectives:

1. Uploading Key’s Concept and Why Should be Uploaded to Your VPS

2. Uploading Public Key from Windows Admin Station to Your VPS

3. Uploading Public Key from Linux/UNIX Admin Station to Your VPS

Prerequisites:

A. Basic Debian or Red Hat Linux Knowledge

B. Login to your DigitalOcean or Vultr Account

Keep in mind:

a. If you haven’t created SSH-Keys yet, check the previous articles, which guide you step by step through creating an SSH-Keys pair using either a Windows or a Linux/UNIX Admin Station.

b. It’s crucial to disable “SSH Password Authentication” after you have successfully tested your SSH-Keys login, when you reach the Securing and Hardening SSH Server Configuration article.

Below, I will show you the few simple steps needed to upload your Public Key (the 2nd part of your SSH-keys pair) to your VPS, so that you can SSH using SSH-keys instead of Password Authentication.

Recommendations:

For better performance, use a VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and an SSD Storage drive.


Uploading Key’s Concept and Why Should be Uploaded to Your VPS

The Public Key is the second part of the SSH-Keys pair. It’s called the Public Key because you can safely share it with the rest of the world. As far as I know, no two Public Keys in the world are the same. Meaning, if you wanted me to help you set up your system, you would ask me for my Public Key; with it you would grant me access to your system, and you would be sure it’s me, since I own the other part of the pair, the Private Key.

When Public Keys are uploaded to a VPS, they are saved in a special file. This Public Keys database file can hold the keys of one or multiple SysAdmin professionals (including you, the owner) who manage the system. The keys database should be saved as the /root/.ssh/authorized_keys file. This file contains all the uploaded Public Keys you allow to access your server. Each Public Key must be listed on its own line.

When a connection is established, the SSH server compares the Public Key offered by the SSH client with the Public Keys listed in the authorized_keys file. If it matches one of them, and the client proves that it holds the matching Private Key, the client has demonstrated that it is the owner of the SSH-keys pair, and access is granted.

The .ssh directory must be accessible by root and only by root. It’s important to remember that the SSH server always checks the access rights of the .ssh directory and the authorized_keys file (this is sshd’s StrictModes option, which is enabled by default). If the SSH server finds that another user has access to the directory or the file, it suspects unauthorized access and ignores the authorized_keys file, so access won’t be granted.

TIP: If one day SSH-keys login stops working, check the permissions of the .ssh directory and the authorized_keys file.

Finally, authorized_keys is usually modified by special commands running with root privileges. If you ever edit or create this file manually, make sure that each Public Key ends with a newline. To be on the safe side, always hit Enter at the end of each Public Key and at the end of the file before saving authorized_keys.

Below, I will show you step by step how you can safely upload a Public Key to your VPS and start using SSH-Keys Authentication instead of SSH Password Authentication. Also, since SSH-keys are considered an identity, it’s highly recommended to renew your SSH-Keys pair every once in a while, and to update your co-workers, clients, and your VPS with the new Public Key.

Uploading Public Key from Windows Admin Station to Your VPS

In this article, I assume that you have created your VPS without SSH-keys and that you are able to log in as the root user. Nevertheless, even if you created your VPS with SSH-keys, the following steps can be used from a Windows Admin Station whenever you want to upload more Public Keys to your VPS. For instance, you may have another Admin Station and want to upload the second station’s Public Key to your VPS.

To start, first log in to your VPS as root, then follow the steps below.

Run the following steps (1 to 5)

1. At Your VPS, Create SSH Directory

mkdir -p /root/.ssh/

Note: If the directory already exists, the authorized_keys file may already be there. Remember, the authorized_keys file carries all of root’s Public Keys in one file. Meaning, if you need to add another Public Key, just append it to the existing Public Keys. It is very important to remember that each key must be on its own line.

2. Create/Edit Public Keys Authorized File

nano /root/.ssh/authorized_keys

As you probably guessed, paste the Public Key (which you created using Putty) into the authorized_keys file.

Very Important: At the end of the pasted Public Key, press Enter so that your cursor moves to a new line, then save the file.

Save: Ctrl-X, Hit Y Key, and Enter.

3. Allow Only Root Access

chmod 700 -R /root/.ssh/

4. List authorized_keys File Properties

ls -lah /root/.ssh/

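Notice that only root may have access to the .ssh directory and to authorized_keys; otherwise the SSH server ignores the authorized_keys file and SSH-keys login fails. The execute bit that chmod 700 -R leaves on authorized_keys is harmless, but the file itself only needs mode 600.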

[...]
-rwx------ 1 root root 403 May 19 02:23 authorized_keys

5. Restart SSH Server

Debian Base

service ssh restart

CentOS Base

service sshd restart
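
Steps 1 to 4 above as one repeatable function, shown as an added example that is not part of the original article: it appends a key without touching the keys already in the file, repairs a missing trailing newline, skips keys that are already installed, and sets the permissions. The function name and the new_admin.pub file in the usage comment are hypothetical, and the code assumes plain "type base64 comment" key lines with no options prefix.

```shell
#!/bin/sh
# Added example, not from the original article.
# add_authorized_key SSH_DIR "PUBLIC-KEY-LINE"
# Returns 0 if the key was added, 1 if it was already present, 2 on bad input.
# Usage on the VPS (new_admin.pub is a hypothetical file name):
#   add_authorized_key /root/.ssh "$(cat new_admin.pub)"
add_authorized_key() {
    ssh_dir=$1
    key_line=$2
    file="$ssh_dir/authorized_keys"

    # Reject empty or multi-line input: the file format is one key per line.
    case $key_line in
        ''|*'
'*) return 2 ;;
    esac
    # Assumption: field 2 of a plain key line is the base64 key material.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    [ -n "$key_blob" ] || return 2

    # Lock the directory down before the file is created inside it.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 2
    [ -e "$file" ] || : > "$file"
    chmod 600 "$file"              # the key file needs no execute bit

    # Already installed? Compare the key material and ignore the comment.
    if awk -v b="$key_blob" '$2 == b {found=1} END {exit !found}' "$file"; then
        return 1
    fi
    # If the last key was pasted without a trailing newline, add one first;
    # otherwise the new key would be glued onto the previous line.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$key_line" >> "$file"
}
```
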

Uploading Public Key from Linux/UNIX Admin Station to Your VPS

When it comes to Linux or UNIX, there are 2 optimized methods to upload the Public Key to your VPS. Which method to use depends on the Admin Station you are working on: Method1 below is usually used on Linux, while Method2 is usually used on both Linux and UNIX. Pick the method that suits your Linux/UNIX Admin Station.

Note: All Public Keys are appended one after another and saved in one file called authorized_keys, so uploading a key with the scp command would overwrite the authorized_keys file and lose all the Public Keys already appended to it; hence, I don’t use the scp command to upload Public Keys. Also, make sure your Admin Station’s firewall allows inbound and outbound SSH so that you can connect to your VPS.

Run the following steps (1 to 7)

1. Upload Your Public Key

Method1 – Using ssh-copy-id command

At your Linux Admin Station, upload the public key to your VPS using ssh-copy-id command. (Requires OpenSSH Package)

Note: Replace YOUR-VPS-IP-ADDRESS with your VPS IP Address.

ssh-copy-id root@YOUR-VPS-IP-ADDRESS

Method2 – Using Native Linux/UNIX Commands

Note: Replace YOUR-VPS-IP-ADDRESS with your VPS IP Address.

cat /root/.ssh/id_rsa.pub | ssh root@YOUR-VPS-IP-ADDRESS "mkdir -p /root/.ssh/ && cat >> /root/.ssh/authorized_keys && chmod 700 -R /root/.ssh/"

2. Either Method, You will be prompted by Authenticity Message

The authenticity of host 'YOUR-VPS-IP-ADDRESS(YOUR-VPS-IP-ADDRESS)' can't be established.
ECDSA key fingerprint is 0f:d4:22:d8:82:cb:54:b4:57:c1:8d:90:97:7c:05:5d.
Are you sure you want to continue connecting (yes/no)?

Each server in this world has a unique fingerprint. On the ECDSA line, write down the first and last 2 digits of this fingerprint, in my case 0f: and :5d. Then, before typing Yes, go to your VPS’s Web Console and retrieve the server’s ECDSA key fingerprint as shown below.

3. From your VPS Web Console

Run the following commands to retrieve ECDSA Server’s Key fingerprint before typing Yes as shown below:

root@YOUR-VPS-HOSTNAME:~# cd /etc/ssh/
root@YOUR-VPS-HOSTNAME:/etc/ssh# ssh-keygen -lf ssh_host_ecdsa_key.pub
256 0f:d4:22:d8:82:cb:54:b4:57:c1:8d:90:97:7c:05:5d ssh_host_ecdsa_key.pub (ECDSA)
root@YOUR-VPS-HOSTNAME:/etc/ssh#

As shown above, I logged in to my Vultr instance to verify the ECDSA fingerprint before typing Yes. Notice that 0f and 5d match the authenticity message above; therefore, it’s safe to type Yes and continue by entering the root password.


4. Enter root Password

After you have confirmed that you are logging in to the right server, type Yes to continue. Once you enter your root password, the upload or copy process will start. Once it’s done, you will see the following message. This message indicates that the upload/copy has been successful.

Now try logging into the machine, with "ssh 'root@YOUR-VPS-IP-ADDRESS'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

5. SSH to Your VPS to Verify the Public Key

After uploading the Public Key, SSH in again using a new SSH session to verify that you are prompted for the Private Key’s passphrase instead of the regular root password.

ssh root@YOUR-VPS-IP-ADDRESS

TIP: By default, the created private key is named id_rsa if you didn’t set a name during SSH-Keys creation. However, if you have created multiple private keys using different names, use the -i switch to specify the key’s path and name. For example:

ssh -i /root/.ssh/YOUR-PRIVATE-KEY root@YOUR-VPS-IP-ADDRESS

Since you have uploaded the Public key at step1, you should be prompted to enter Private Key’s Passphrase to login.

Enter passphrase for key '/root/.ssh/id_rsa':

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jun 12 11:54:49 2015
root@YOUR-VPS-HOSTNAME:~#

6. Display authorized_keys File

Displaying all uploaded Public Keys to confirm that you have uploaded the right key is good practice. Look at each Public Key’s comment to confirm to whom the Public Key belongs.

cat /root/.ssh/authorized_keys

7. Allow Only Root Access

chmod 700 -R /root/.ssh/

Verify authorized_keys file Permission

Make sure only the root user has access, as shown below; otherwise, the SSH server ignores the authorized_keys file and SSH-keys login fails.

ls -lah /root/.ssh/
[...]
-rw------- 1 root root  403 May 19 02:19 authorized_keys
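
The fingerprint check from steps 2 and 3, written so that every byte is compared rather than a few digits; this is an added example, not part of the original article. The function names are illustrative, constructed_fp is a made-up value, and the code assumes the base64 and md5sum tools from GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the article). Function names are illustrative.

# md5_fingerprint "TYPE BASE64 [COMMENT]"
# Print the legacy colon-separated MD5 fingerprint of a public key line, the
# format shown in the prompt above (newer OpenSSH prints SHA256 by default;
# `ssh-keygen -E md5 -lf FILE` prints this form with an "MD5:" prefix).
md5_fingerprint() {
    printf '%s\n' "$1" | awk '{print $2}' | base64 -d | md5sum |
        cut -d' ' -f1 | sed 's/../&:/g; s/:$//'
}

# same_fingerprint SHOWN EXPECTED
# 0 = all 16 bytes match, 1 = mismatch, 2 = SHOWN is not an MD5 fingerprint.
same_fingerprint() {
    shown=$(printf '%s' "$1" | sed 's/^MD5://' | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | sed 's/^MD5://' | tr 'A-F' 'a-f')
    printf '%s\n' "$shown" |
        grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$' || return 2
    [ "$shown" = "$expected" ]
}

# Demo: the fingerprint printed in the article, and a constructed value that
# agrees with it only in the first and last byte.
article_fp='0f:d4:22:d8:82:cb:54:b4:57:c1:8d:90:97:7c:05:5d'
constructed_fp='0f:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:5d'
same_fingerprint "MD5:0F:D4:22:D8:82:CB:54:B4:57:C1:8D:90:97:7C:05:5D" \
    "$article_fp" && echo "match: answer yes"
same_fingerprint "$constructed_fp" "$article_fp" ||
    echo "mismatch: answer no and investigate"
```
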
