CCNA HUB

CCNA and Linux Training Hub!


Understanding SSH-Keys Based Authentication

By Imad Daou

Building Professional Web Hosting Solution
<< Linux Basic Setup and Configuration Course
>> Configuring SSH-Key Based Authentication Section

section table
  1. Understanding SSH-Keys Based Authentication
  2. Creating SSH-Keys using Putty Keys Generator
  3. Creating Public VPS Droplet using DigitalOcean
  4. Managing Linux VPS Instance via Putty SSH Client
  5. Managing Linux VPS Instance via WinSCP Client
  6. Creating SSH-Keys using Terminal Keys Generator
  7. Switching SSH Password to SSH-Keys Authentication
  8. Uploading Admins and Friends SSH-Keys to VPS
  9. Uploading SSH Public Keys using VPS Panel
  10. SSH Hopping using SSH Agent Forwarding
  11. Deploying Public VPS instance using Vultr Provider
  12. Securing and Hardening SSH Server Configuration
  13. SSH Server and Client Most Known Error Messages

SSH-Keys are a form of Multifactor authentication mechanism. Understanding SSH-Keys Based Authentication will prepare you to manage your VPS via SSH, and explains how using SSH-Keys can be the first layer of security against password bruteforce attacks. Linux admins can use OpenSSH for secure communication without SSH-Keys, and the communication will always be secure; however, that doesn’t mean intruders won’t be able to bruteforce the root password. Using SSH-Keys, you won’t give them a chance.

Objectives:

1. SSH-Keys are the First Line of Defense

2. SSH-Keys Authentication Concept

3. Putty, WinSCP, and Bitvise Programs

Prerequisites:

A. Basic Debian or Red Hat Linux Knowledge

B. Login to your DigitalOcean or Vultr Account

C. Linux VM/VPS Fundamental Configuration Section

Note: If you have already created your VPS instance without SSH-Keys, no worries, you can set up SSH-Keys and upload your Public Key to your VPS in a few easy steps. SSH is widely used on all Unix-like systems such as Cisco, FreeBSD, OpenBSD, and all Linux distributions.

SSH is an encrypted way of communication; therefore, no one will be able to sniff your credentials (Man in the Middle Attack) while you are authenticating to your VPS. Initially, this article will focus on the client side of SSH; another article will focus on the server side of SSH.

Recommendations:

For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.

Table of Contents

  • SSH-Keys are the First Line of Defense
  • SSH-Keys Authentication Concept
  • Putty, WinSCP, and Bitvise SSH Clients

SSH-Keys are the First Line of Defense

Understanding 2 factor authentication makes it easy to understand why SSH-Keys are considered the first line of defense. 2 factor authentication is simply: something you are, you own, or you know.

Since SSH encrypts communication between clients and servers, crackers can’t sniff your credentials anymore; therefore, they use a different strategy to gain access to your system: a bruteforce attack through Worms and Bots to guess your root password.

Bots and Worms never ever get tired. If your VPS is not configured properly with at least the minimum security requirements, eventually Worms and Bots (which are controlled by crackers) could guess your root password, and then the cracker (the master guy) will be able to log in through SSH using your root password.

SSH-Keys can be a solid and reliable 2 factor authentication, and they are very simple to implement. Well, you might say, “I don’t need SSH-Keys since I’ve set a very strong root password”. I agree, a complex root password can be very hard to bruteforce or crack, but nothing is impossible. I assure you that bruteforce attempts by bots and worms are constant and they will never ever get tired.

It might take them some time, maybe tomorrow, next month, next year, but eventually they will guess your root password. To stop these types of attacks, you have 2 choices: either block public access to your SSH port using the IPtables firewall, or use SSH-Keys to eliminate the 1 factor authentication.

Of course, we don’t want to block public SSH access to our VPS, so let’s create and set up SSH-Keys before creating any VPS; that way, you won’t give the crackers even a chance to run bruteforce against your VPS.
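The constant guessing described above shows up in the SSH server's authentication log. The following is an added example, not part of the original article: it counts failed root password attempts per source and flags a password login that was accepted after failures from the same source. The log lines, host name and addresses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/auth.log
# (Debian) or /var/log/secure (Red Hat); the addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 02:14:01 vps sshd[2101]: Failed password for root from 203.0.113.5 port 51010 ssh2
Mar  3 02:14:03 vps sshd[2101]: Failed password for root from 203.0.113.5 port 51010 ssh2
Mar  3 02:14:06 vps sshd[2104]: Failed password for root from 203.0.113.5 port 51022 ssh2
Mar  3 02:14:09 vps sshd[2107]: Failed password for invalid user admin from 198.51.100.9 port 40311 ssh2
Mar  3 02:15:30 vps sshd[2110]: Failed password for root from 198.51.100.9 port 40320 ssh2
Mar  3 08:01:12 vps sshd[2201]: Accepted publickey for root from 192.0.2.44 port 60100 ssh2: ED25519 SHA256:CONSTRUCTEDFINGERPRINT
Mar  3 09:40:55 vps sshd[2290]: Accepted password for root from 203.0.113.5 port 51500 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def summarize(log_text, threshold=3):
    """Return (noisy, guessed).

    noisy:   {(ip, user): count} for sources with >= threshold failed passwords
    guessed: [(ip, user)] where a password login succeeded after failures
    """
    failed = Counter()
    accepted = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        if m["result"] == "Failed" and m["method"] == "password":
            failed[(m["ip"], m["user"])] += 1
        elif m["result"] == "Accepted":
            accepted.append((m["ip"], m["user"], m["method"]))
    noisy = {key: n for key, n in failed.items() if n >= threshold}
    guessed = [(ip, user) for ip, user, method in accepted
               if method == "password" and failed[(ip, user)] > 0]
    return noisy, guessed

if __name__ == "__main__":
    noisy, guessed = summarize(SAMPLE_LOG)
    print("repeated failures:", noisy)
    print("password accepted after failures:", guessed)
```

The key-based login from 192.0.2.44 appears in neither result, because no password was offered or guessed for it.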

SSH-Keys Authentication Concept

So, when SysAdmins started to use Secure Shell (SSH), which we can describe as a form of encrypted Telnet tunnel, they were no longer worried about someone in the middle of the line trying to sniff the user name and password. But over the years crackers came up with something called Bruteforce: since they can’t sniff your user name and password anymore, they keep trying all combinations (using Worms and Bots) to guess the root password.

Unfortunately, we can’t rename the Superuser (root), so by default crackers know which user name they are after. What is left is the password, to crack and penetrate the system with root privileges. As mentioned, the first layer of defense against bruteforce is setting up SSH-Keys, which consist of 2 parts: a Private Key (kept on your Admin Station) and a Public Key (used by the VPS).

The Private Key must be created and saved securely on your laptop and backed up, preferably on an encrypted USB stick. The Public Key will be uploaded to your VPS provider’s Control Panel so you can create VPS instances using the Public Key. If you have already created some VPS instances without SSH-Keys, the Public Key can be copied to those VPS servers.

SSH-Keys will allow you to have Multifactor Authentication since a Key and a Passphrase are required. Besides, the key can be saved on and used straight from a USB stick; however, that won’t be my approach in this article. I did, though, use an encrypted USB stick to back up my SSH-Keys pair, which has a passphrase as well.

Setting up the Private Key to be used straight off a USB stick is more secure, but more complicated. For the sake of simplicity, I will save my Private Keys on my Admin Station and use them straight from my station, but I highly recommend backing them up to an encrypted USB stick. SSH-Keys eliminate the One Factor way, “Password Authentication”.
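An OpenSSH server keeps accepting passwords alongside keys until its configuration turns them off, so the check below reads an sshd_config and reports whether a password can still be used. This is an added example, not from the original article: the keyword names and defaults are OpenSSH's, the two configurations are constructed samples, and Include files and Match blocks are assumed absent.

```python
# Upstream OpenSSH defaults from sshd_config(5), used when a keyword is absent.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "permitrootlogin": "prohibit-password"}
# Deprecated spelling that sshd still accepts for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: "PasswordAuthentication no" was appended later, but an
# earlier line already set the keyword and sshd keeps the first value.
WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
"""
# Constructed sample: key-only logins.
HARDENED = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
"""

def effective_settings(config_text):
    """Global-section values as sshd resolves them: first occurrence wins."""
    seen = {}
    for raw in config_text.splitlines():
        parts = raw.replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":  # per-user/host Match blocks are not evaluated here
            break
        if len(parts) > 1:
            seen.setdefault(key, parts[1].lower())
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def audit(config_text):
    """List the ways a password can still be used to log in."""
    s = effective_settings(config_text)
    findings = [f"{k}=yes: password prompts are still offered"
                for k in ("passwordauthentication", "kbdinteractiveauthentication")
                if s[k] == "yes"]
    if findings and s["permitrootlogin"] == "yes":
        findings.append("permitrootlogin=yes: root's password is exposed to guessing")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "key-only")
```

On a live server, `sshd -T` prints the configuration the daemon actually resolved, including Include files, and is the authoritative source for the same check.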

In the next articles and Labs, I will show you the steps you need to connect to your VPS using SSH-Keys authentication instead of password-based authentication, which will make your Linux system solidly secure against bruteforce and unauthorized access.

Putty, WinSCP, and Bitvise SSH Clients

Note: Most Linux/UNIX systems already have SSH Client installed as part of OpenSSH Package.

Install the following packages if you use Windows Station:

Putty: the most famous Secure Shell (SSH) client for Windows users. Download and install Putty from http://www.chiark.greenend.org.uk/~sgtatham/putty/ using the Windows Installer Package (putty-x.xx-installer.exe). As of this writing, the latest version is putty-0.64-installer.exe.

WinSCP: the most famous Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) file manager for Windows users. Download and install WinSCP from http://winscp.net/eng/download.php and pick the latest version.

Bitvise: an advanced version of Putty plus an SFTP client, all in one package. I really liked the Bitvise terminal, which is crystal clear. Besides, I liked the SFTP client since I can assign Notepad++ to create or edit configuration files straight on the server. Download and install Bitvise from http://www.bitvise.com/download-area

Subject Related

By Wikipedia SSH | About SSH | Debian HowTo SSH-Keys | CentOS HowTo SSH-Keys | IBM SSH Key management Part1 and Part2


Filed Under: Linux, Configuring SSH-Key Based Authentication Tagged With: SSH-Keys, OpenSSH, SSH, SSH Client

About Imad Daou

CCNA HUB Founder, Imad has been in IT field since 2007. Currently holding A+, Network+, Server+, Security+, and Storage+. HP, Dell, and IBM Hardware Certified. Pursuing Linux+, LPIC-2, RHCSA, RHCE, AWS, CCNA, and JNCIA.
