Configure Public Key Authentication for SSH on Linux

Very recently, I acquired myself a cheap Linux based VPS for personal use. Since passwords are barely considered a method of security these days, I decided one of the first things I needed to do was secure my SSH setup.

My chosen method to SSH (and for many others) is via PuTTY. One of the handy things about PuTTY is the PuTTYgen application that comes along with it. PuTTYgen is used to generate and convert keys for use with PuTTY for authentication.

Go ahead and open up PuTTYgen and we will use it to generate both a public key (for the server) and private key (used for the client, keep this one secure).

  1. Click Generate, you will be then instructed to move your mouse around like a madmen to assist in generating the random key code.
  2. Upon generation, you will be given the opportunity to provide a passphrase for the key pair.
  3. Save both the public key and private key as well as copy the code listed under Public key for pasting into OpenSSH authorised_keys file into a text document

At this point we should have a public key for our Linux server, private key for use with PuTTY and the contents of the public key in a text document for easy copy/paste we will do later.

Now SSH into the server. Once in, we will create a hidden folder in our user’s home directory to store the public key and appropriately secure it.

mkdir ~/.ssh
chmod 700 ~/.ssh

Next, change directory to our new hidden folder, create and open up a file to store the key.

cd ~/.ssh/
nano authorized_keys

Once Nano text editor opens up, paste in the contents of the text document we created earlier with the contents of the public key and save.

Let’s now secure the file

chmod 600 authorized_keys

Now you are ready to SSH into the server with Public Key Authentication via PuTTY. To test this, open up PuTTy and fill in all the regular details for the server (IP address etc..). Under Category expand the SSH section and click on Auth. Now click the Browse button and navigate to the Private key we saved earlier. Once selection, hit Open to start the connection.

If everything was done correctly you should now be connected into your server (or prompted for the passphrase of the private key if you set one).

Can we go further?

I’m glad you asked; while we have just setup Public Key Authentication, it is still possible to authenticate with your plain old password. But, we can disable password authentication.

First, we are going to backup the current (hopefully default) SSH config by doing the following:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup

Next, we will elevate and open up the running SSH config in the Nano text editor

sudo nano /etc/ssh/sshd_config

Once in, look for the following line

#PasswordAuthentication yes

and change to

PasswordAuthentication no

Last but not least, you can add a little security by obscurity by changing the default port to another of your choosing. Simply look for the following line

Port 23

And change 23 to a number of your choosing.

Don’t forget to restart the SSH service to allow the above changes to apply

sudo service ssh restart

Now your Linux server is just that little bit more secure.

Note: The above was tested on Ubuntu Server 14.04 LTS, your mileage may very on other versions and flavours

Advertisements
James Written by:

One Comment

  1. 31/07/2016
    Reply

    If anyone is trying this on CentOS 7, looks like ‘authorized_keys’ needs to be CHMOD’d to 644 and not 600.

    Found this out the hard way by running ‘cat /var/logs/secure’. Thankfully, the error messages are quite clear where the problem lies.

Helpful? Have a question on the above?