The Tech Bench: SSH Key Authentication
One of the critical parts of administering your server is being able to log into it via SSH (shell access) as root. By accessing your servers “on the command line,” you can roll up your proverbial sleeves and really dig in: installing software, changing system configurations, investigating problems, etc. But there is a server security concern in logging into a system with all that control when you’ve only got a single password protecting access. This is where key authentication comes in.
Instead of typing in a password, you generate a key pair (a public key and a private key) that is used to authenticate you when logging in. The server then checks that your computer holds the matching private key instead of asking for a password.
Key authentication is a great server security measure to implement, as it allows you to control which systems can access your server. You can also turn password authentication off, and your server will then be immune to SSH password-guessing attacks. This is a major step in security hardening and is highly advised.
This article is specifically for cPanel/WHM users, but can be adapted for users of other control panels.
Generating the Keys
To get started, we are going to need to generate a key pair on your computer (the public and private key). Open a terminal window. (On a Mac, open Applications >> Utilities >> Terminal. If you work on a PC, it is simpler to complete this from the server side, assuming you are running cPanel.) In the shell run:
ssh-keygen -t rsa
It will ask where to save the key file. You can leave it at the default location.
Enter file in which to save the key (/Users/user/.ssh/id_rsa): id_rsa
Next, it will ask for a passphrase.
Enter passphrase (empty for no passphrase):
You can leave this blank if you simply want to leave the private key unlocked. This will make logins quite easy, as you won’t have to type anything; you will “auto-login.” However, for an added layer of security, ServInt recommends that you set a passphrase to unlock the private key.
It will ask for the passphrase again. (Press Enter to leave it blank.)
Enter same passphrase again:
Finally, it will output confirmation of the keys’ location and the fingerprint:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
7b:2d:25:c2:2e:2a:1a:ea:76:3a:96:ed:1a:29:8b:9b
Copying the Public Key
Now you will need to get a copy of the public key you just made. Simply cat the file reported in the previous step (id_rsa.pub) by typing cat id_rsa.pub in the shell.
The output is a single line beginning with ssh-rsa, followed by the base64-encoded key and a comment (usually your username and computer name).
Copy this entire line to your Clipboard.
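Before pasting the line into WHM it is worth confirming that what is on your Clipboard really is the key you just generated: that it is a well-formed ssh-rsa key, that its modulus is at least 2048 bits, and that its MD5 fingerprint (the aa:bb:cc:... form ssh-keygen printed above) matches. The following is an added example, not code from the article or from cPanel; it parses the OpenSSH public-key line in pure Python, and the sample key it builds uses a constructed 2048-bit number as a stand-in for a real modulus.

```python
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:  # SSH wire string: 4-byte big-endian length + bytes
    return struct.pack(">I", len(data)) + data
def _ssh_mpint(n: int) -> bytes:  # SSH mpint: leading 0x00 when the top bit is set
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)
def make_rsa_pubkey_line(n: int, e: int = 65537, comment: str = "user@host") -> str:
    """Build an 'ssh-rsa AAAA... comment' line; used here only to construct sample input."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)
def _read_string(blob: bytes, pos: int):
    """Read one length-prefixed field; ValueError if the blob is truncated."""
    end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
    if len(blob) < pos + 4 or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end

def parse_pubkey_line(line: str) -> dict:
    """Parse one public-key line as pasted into WHM; ValueError unless it is a sane ssh-rsa key."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected 'ssh-rsa <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    wire_type, pos = _read_string(blob, 0)
    if wire_type != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match the 'ssh-rsa' prefix")
    _e, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after the RSA modulus")
    md5 = hashlib.md5(blob).hexdigest()  # same digest ssh-keygen prints as aa:bb:cc:...
    return {"bits": int.from_bytes(n_bytes, "big").bit_length(),
            "fingerprint": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}

def check_before_import(line: str, expected_fingerprint: str, min_bits: int = 2048) -> list:
    """Problems found with a key line; an empty list means it is safe to paste into WHM."""
    try:
        info = parse_pubkey_line(line)
    except ValueError as exc:
        return ["unparseable public key: %s" % exc]
    problems = []
    if info["bits"] < min_bits:
        problems.append("RSA modulus is only %d bits (want >= %d)" % (info["bits"], min_bits))
    if info["fingerprint"] != expected_fingerprint.lower():
        problems.append("fingerprint %s does not match what ssh-keygen printed" % info["fingerprint"])
    return problems
# Constructed sample: a 2048-bit odd number standing in for a real modulus (NOT a real key).
SAMPLE_LINE = make_rsa_pubkey_line((1 << 2047) | 0x12345)
```

For a real key, call check_before_import with the contents of id_rsa.pub and the fingerprint ssh-keygen printed; newer OpenSSH versions print SHA256 fingerprints by default, so use ssh-keygen -l -E md5 -f id_rsa.pub to get the colon-separated MD5 form this check compares against.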
Importing Key to the Server
Next, you have to add the key to the server and authorize it, which tells the server that this particular key is allowed to access the server. Log into WHM and navigate to: Main >> Security Center >> Manage root’s SSH Keys. Click on ‘Import Key’.
On the next screen, you will want to scroll down and look for the last box that says “Paste the Public Key in this box:”. Paste your public key into that box. Leave the other boxes blank. It will automatically fill in the name. Hit ‘Import’.
On the next screen it will tell you the import was successful. Click on “Return to SSH Manager”. This brings you back to the Key management screen. Click on “Manage Authorization.”
Finally, click the “Authorize” button.
You’re done. Try logging in over SSH; the server should now authenticate you with your key.
Server Hardening – Disable Password Authentication
Now, you can take your security one step further and completely disable password logins for SSH. You will have no more fears of hackers trying to guess your SSH passwords.
Two cautions first. If you enable key authentication without setting a passphrase for that key and you disable password authentication for your server, anyone who can use your computer will have passwordless access to your server. Also, if you enable key authentication and only put your private key on one computer, you will need your webhost’s help to regain access to your server should you lose access to that computer.
To set this up, while still in WHM, navigate to: Main >> Security Center >> SSH Password Authorization Tweak. Click on “Disable Password Auth”.
And that is that. You have now taken an important step in hardening your server against attack.
The key type used for this was RSA, as opposed to DSA. RSA is natively implemented in more places (it is the default key type on most generators, and commercial RSA certificates are much more widely deployed), and it defaults to a 2048 bit key length. At the time of this writing, for DSA to be compliant, it has to be exactly 1024 bit, which is less secure. The general consensus is that DSA and RSA are pretty equal in security quality and speed when used merely for authentication. Either choice will be fine as long as you follow safe security practices: use a larger key size, only use SSH v2, keep your software up to date, and protect your private key.
See: http://www.linuxforums.org/forum/security/48093-openssh-user-host-authentication-rsa-versus-dsa-provides-stronger-security.html#post498142
The Tech Bench is an ongoing blog series featuring the answers to common questions the ServInt MST fields every day. You can also find more great tech tips in the ServInt KnowledgeBase.