SSH Public/Private key security

By | aprile 13, 2015

monitorAdding key security to SSH isn’t that difficult.  This increases security on your SSH connection tremendously, however you will have to have the key available to log in from different machines.  At that point the  physical security of the key becomes the concern.  I will pass phrase my key.  That adds security if its lost, at the cost of having to type th pass phrase every time.  This can be automated or skipped altogether.  I will test this using a windows box with PuTTY, PuTTY Gen, and Putty Agent (pageant) if desired.

Starting on the server, make sure you have a .ssh directory or create one as needed in your home directory.

ls -lha
mkdir .ssh
chmod 700 .ssh

generate the keys on the server with something like

ssh-keygen -t rsa

accept the file names it wants to use and enter a strong passphrase

Your passphrase should be 10 more characters and follow strong password rules, more is better.  Its a balancing act between memorability and security.  Balance this depending on your exposure and the nature of the data to be protected.  Next, create a blank key file and add the pub key to the authorized_keys

cat id_rsa.pub >> /home/user/.ssh/authorized_keys

check permissions on the ~/.ssh/authorized_keys file, and change as necessary.

chmod 600 authorized_keys

•    copy the private key (id_rsa) to your local windows machine.
•    Now PuTTY uses a slightly different key format, so if we are using a windows machine to connect, we ill need to use PuTTY Gen to modify the keyfile a bit first.  Load PuTTY Gen
•    under actions select “load” and load the id_rsa file
•    enter the passphrase you set when you generated the key.PuTTY Gen will convert the key to something PuTTY can use.
•    save that file to something like myserverkey.ppk
•    Change your putty settings under “connection > SSH > auth” to use myserverkey.ppk
This key should work for SFTP as well, using a client such as FireFTP.  Just point your client at the .ppk key file.

If your remote machine is a GNU/linux box the process is even easier.  as long as OpenSSH is installed on your client, you can ignore the PuTTY file conversion and just use (after generating and setting up the keys):

ssh user@remote.host
<enter-private-key-passphrase-at-prompt>

If you want to have the passphrase auto filled for you, you need to use SSH Agent, or PuTTY agent depending on your setup.

Ubuntu – GNU/Linux
eval ssh-agent
ssh-add
<enter-private-key-passphrase-at-prompt>
PuTTY setup
run pageant
Select Add Key
Add your .ppk private key
Enter passphrase
If you want Pageant to use your key automatically, modify the Pageant shortcut command line like thus:

C:PuTTYpageant.exe d:keyfile.key

When you start the SSH Agent on the server it will give you a pid number for the process. You can use this pid to kill the agent or run a ps -A command to obtain the pid.