Server Security

SSH Key Authentication

One of the critical parts of administering your server is being able to log into it via SSH (shell access) as root. By accessing your server “on the command line,” you can roll up your proverbial sleeves and really dig in: installing software, changing system configurations, investigating problems, etc. But there is a server security concern in logging into a system with all that control when a single password is all that protects access. This is where key authentication comes in.

Instead of typing in a password, you generate a cryptographic key pair (a public key and a private key) that is used to authenticate you when logging in. The server holds a copy of the public key and checks that your computer holds the matching private key.

Key authentication is a great server security measure to implement, as it allows you to control which systems can access your server. You can also turn password authentication off, making your server immune to SSH password-guessing attacks. This is a major step in security hardening and is highly advised.

This article is specifically for cPanel/WHM users, but can be adapted for users of other control panels.

Generating the Keys

To get started, we are going to need to generate a key pair on your computer (the public and private key). Open a terminal window. (On a Mac, open Applications >> Utilities >> Terminal. If you work on a PC, it is simpler to complete this from the server side, assuming you are running cPanel.) In the shell, run:

ssh-keygen -t rsa

It will ask where to save the key file. You can leave it at the default location.

Enter file in which to save the key (/Users/user/.ssh/id_rsa): id_rsa

Next, it will ask for a passphrase.

Enter passphrase (empty for no passphrase):

You can leave this blank if you simply want to leave the private key unlocked. This will make logins quite easy as you won’t have to type anything; you will “auto-login.” However, for an added layer of security, ServInt recommends that you set a passphrase to unlock the private key.

It will ask for the passphrase again. (Press Enter to leave it blank.)

Enter same passphrase again:

Finally, it will output confirmation of the keys’ location and the fingerprint:

Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
7b:2d:25:c2:2e:2a:1a:ea:76:3a:96:ed:1a:29:8b:9b

Copying the Public Key

Now you will need to get a copy of the public key you just made. Simply cat the file by typing:

cat ~/.ssh/id_rsa.pub

The output will look something like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwsIU0uzZVu6uf2GgM9B4Z7sNn5jMEs1yDrjvdI
4ChXrkADegfltv0CESXknoU4NI57Dw0kyc3eJ7bADyI0uBH0PxDTZAOSKKyogsnRtgXbFLKHXpO
OyiG51M9tjobObNo6SDmzbeVD5GzlmnPpgMMUoqpjYe3P45g6ouw/3Gcwt+BwZG5loSknk9lknd
byTmhb5gc4jAMYIQ3QAWCtPES04jyUWMFZ/oUn5bMaTKG2aHCgn0wTYR8ih3Ewptp0XV2z77WUm
GnJV6t5wE1kZqltdh52aHTeRLoYAFoFWPt4i6sUjhFPufjeyxdXsSR5dsdqUFZRX1dsCJkGWZzf
Lb3w== user@computer.local

Copy this output to your Clipboard.
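As an added example (not ServInt's code), here is a small POSIX shell check for the copied line before it goes into WHM: it joins a key that the terminal wrapped over several lines, as in the output above, and validates the "type blob [comment]" layout, including that the base64 header agrees with the key type. It goes beyond the page's RSA and DSA keys by also recognising ssh-ed25519; SAMPLE is a constructed, truncated key, not a real one.

```shell
#!/bin/sh
# Added example, not ServInt's code: sanity-check a public key line before pasting it
# into WHM. The base64 blob starts with the key type in SSH wire format (length-prefixed
# string), so field 1 and the blob header must agree.

# unwrap_pubkey: join a key that the terminal wrapped over several lines (stdin -> stdout)
unwrap_pubkey() {
    tr -d '\r\n'
    echo
}

# check_pubkey_line LINE -> 0 if LINE is a plausible "type blob [comment]" entry, else 1
check_pubkey_line() {
    set -f                                   # no glob expansion while word-splitting
    set -- $1
    set +f
    if [ $# -lt 2 ] || [ $# -gt 3 ]; then
        echo "reject: expected 'type blob [comment]', got $# fields"; return 1
    fi
    type=$1; blob=$2
    case "$type:$blob" in
        ssh-rsa:AAAAB3NzaC1yc2E*) ;;         # base64 of \0\0\0\x07ssh-rsa
        ssh-dss:AAAAB3NzaC1kc3M*) ;;         # base64 of \0\0\0\x07ssh-dss
        ssh-ed25519:AAAAC3NzaC1lZDI1NTE5*) ;;
        *) echo "reject: type '$type' does not match the blob header"; return 1 ;;
    esac
    case "$blob" in
        *[!A-Za-z0-9+/=]*) echo "reject: non-base64 characters in blob"; return 1 ;;
    esac
    core=${blob%=}; core=${core%=}           # drop up to two trailing '=' pads
    case "$core" in
        *=*) echo "reject: '=' inside the blob (two keys pasted together?)"; return 1 ;;
    esac
    if [ $(( ${#blob} % 4 )) -ne 0 ]; then
        echo "reject: blob length ${#blob} is not a multiple of 4 (truncated paste?)"; return 1
    fi
    echo "ok: $type key, comment '${3:-none}'"
}

# Constructed, truncated sample, not a real key; only the header is realistic.
SAMPLE='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 user@computer.local'
check_pubkey_line "$SAMPLE"
```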

Importing Key to the Server

Next, you have to add the key to the server and authorize it, which tells the server that this particular key is allowed to access the server. Log into WHM and navigate to: Main >> Security Center >> Manage root’s SSH Keys. Click on ‘Import Key’.

[Screenshot: Import Key]

On the next screen, you will want to scroll down and look for the last box that says “Paste the Public Key in this box:”. Paste your public key into that box. Leave the other boxes blank. It will automatically fill in the name. Hit ‘Import’.

[Screenshot: Paste the Public Key]

On the next screen it will tell you the import was successful. Click on “Return to SSH Manager”. This brings you back to the Key management screen. Click on “Manage Authorization.”

[Screenshot: Manage Authorization]

Finally, click the “Authorize” button.

[Screenshot: Authorize key]

You’re done. Try logging into SSH and it should look for your key.

Server Hardening – Disable Password Authentication

Now, you can take your security one step further and completely disable password logins for SSH. You will no longer have to worry about attackers trying to guess your SSH passwords.

Important Warnings:

If you enable key authentication without setting a passphrase on that key and then disable password authentication for your server, anyone with access to your computer (or to the private key file) has access to your server. Also, if you enable key authentication and put your private key on only one computer, you will need your web host’s help to regain access to your server should you lose access to that computer.

To set this up, while still in WHM, navigate to: Main >> Security Center >> SSH Password Authorization Tweak. Click on “Disable Password Auth”.

[Screenshot: Disable Password Auth]

And that is that. You have now taken an important step in hardening your server against attack.
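Added example, not ServInt's or cPanel's own code: a shell audit of sshd_config that checks the tweak really closed every password path, including the keyboard-interactive (PAM) prompt that still accepts the account password when only PasswordAuthentication is turned off. It assumes the WHM tweak lands as "PasswordAuthentication no" in /etc/ssh/sshd_config; the three sample configs are constructed.

```shell
#!/bin/sh
# Added example, not ServInt's or cPanel's code. It assumes the WHM tweak ends up as
# "PasswordAuthentication no" in /etc/ssh/sshd_config and audits that file. sshd keeps
# the FIRST value it sees for a keyword, so the audit does too; Match blocks are skipped,
# so confirm the live result with `sshd -T` on the server.

# audit_sshd_config FILE -> prints findings; returns 0 only if no password path is left open
audit_sshd_config() {
    awk '
      /^[[:space:]]*(#|$)/   { next }                 # comments and blank lines
      tolower($1) == "match" { exit }                 # per-user overrides: out of scope
      { k = tolower($1); if (!(k in val)) val[k] = tolower($2) }
      END {
        fails = 0
        if (val["passwordauthentication"] != "no") {
          print "FAIL PasswordAuthentication is not no"; fails++
        }
        # With UsePAM, keyboard-interactive auth still prompts for the account password
        # unless this is off too (newer OpenSSH calls it KbdInteractiveAuthentication).
        kbd = val["challengeresponseauthentication"]
        if ("kbdinteractiveauthentication" in val) kbd = val["kbdinteractiveauthentication"]
        if (kbd != "no") {
          print "FAIL ChallengeResponse/KbdInteractiveAuthentication is not no"; fails++
        }
        if (("pubkeyauthentication" in val) && val["pubkeyauthentication"] == "no") {
          print "FAIL PubkeyAuthentication is no: keys would be refused"; fails++
        }
        if (fails == 0) print "PASS password logins closed, key logins allowed"
        exit fails
      }' "$1"
}

# Constructed sample configs (not from any real server)
tmp=$(mktemp -d)
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nChallengeResponseAuthentication yes\nUsePAM yes\n' > "$tmp/before.conf"
printf 'PasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\n' > "$tmp/halfway.conf"
printf 'PubkeyAuthentication yes\nPasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes\n' > "$tmp/after.conf"
for f in before halfway after; do echo "== $f.conf"; audit_sshd_config "$tmp/$f.conf" || :; done
```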

Notes

The key type used here was RSA, as opposed to DSA. RSA is natively implemented in more places (it is the default key type on most generators, and commercial RSA certificates are much more widely deployed) and it defaults to a 2048 bit key length. At the time of this writing, for DSA to be compliant it has to be exactly 1024 bit, which is less secure. The general consensus is that DSA and RSA are roughly equal in security quality and speed when used merely for authentication. Either choice will be fine as long as you follow safe security practices: use longer keys, only use SSH v2, keep your software up to date, and protect your private key.

References

http://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys/5100#5100

http://encryptme.wordpress.com/2011/05/25/ssh-keys-rsa-vs-dsa/

http://www.linuxforums.org/forum/security/48093-openssh-user-host-authentication-rsa-versus-dsa-provides-stronger-security.html#post498142

Photo by Joseph Novak

Comments
  1. Hello, Louis-Philippe, I am one of the techs with ServInt's Managed Services department. Since you set up your SSH key to use a passphrase you should definitely be getting a prompt for it. If you are a ServInt customer please open up a ticket regarding this issue and we would be happy to figure out what is going on.
  2. Hi, great tutorial. Thanks! I set up my public key with my passphrase (on my Mac), but I don't know why, Terminal never asks me for it when I'm connecting to the server... any idea why?
    Louis-Philippe /
  3. [...] wonderful hosting company that I use, ServInt, recently published an article titled “SSH Key Authentication“. The article explains how to set up SSH key authentication for your server. By doing so, you [...]
    SSH Key Authentication – Larry Ullman /
  4. @Ryan, that is correct. If you set a passphrase, the user would have to enter it in every time they want to unlock their private key in order to be authenticated. This would happen for Terminal and FileZilla.
    Jacob "Boom Shadow" Tirey /
  5. @scmeeven, actually that first option I gave would be a regular FTP connection, but using SSL. Whether or not SSH had password authentication on would not affect that first option because it uses the FTP server's settings. If you have a bunch of users, using FTP with SSL (FTPES) is probably the easier option.
    Jacob "Boom Shadow" Tirey /
  6. @Jacob So every time they want to connect, they'd have to enter in the passphrase? Would it prompt them in Terminal/FileZilla respectively, if that was enabled?
  7. @Jacob, thank you for the tips. I would have been hard pressed to find them myself. I suppose another option is to have my clients connect to FTP over SSL? But, that would need password authentication to remain enabled, correct?
  8. @scmeeven, as you stated, SFTP is merely a wrapper for an SSH connection. So, yes, if you disabled password authentication, it WILL affect SFTP connections as well. There are two options for you. 1. You can have users connect over FTPES (Require explicit FTP over TLS). This will still secure the connection, but use FTP protocols for authentication. 2. You can import your private key into FileZilla so that it uses the key for authentication. In your FileZilla settings/preferences go to "SFTP", click on "Add keyfile", and navigate to your PRIVATE key. It will likely need to save a converted version of the key. Save it and close out of the settings. Now, go to your Site Manager and change the 'Logon Type' for the saved site. Change it to "Interactive". It will now default to using your imported key and it will not ask for a password.
    Jacob "Boom Shadow" Tirey /
  9. @Ryan, are you talking about skipping the last step "Server Hardening"; instead of disabling password authentication, you would leave it enabled? Or are you asking about having a user need to use both a key AND a password? If you mean the first one, then yes, you can simply skip the step for disabling password authentication, leaving that option enabled, and users will be able to authenticate with either password or key. If you mean the second option, where a user would need both, that can be achieved by setting a passphrase when you generate the key. In order to unlock the private key, they will have to enter in the passphrase. If you want to ensure that your users adhere to this policy, you can always generate the keys with a passphrase for them. You can send the keys to them to add to their local computer.
    Jacob "Boom Shadow" Tirey /
  10. I am curious about the impact of disabling password authentication and enabling only key authentication for SSH. On a ServInt VPS, all my clients connect to FTP through SSH on a non-standard port. They simply use their cPanel account user name and password to connect and the majority use the SFTP over SSH2 protocol in FileZilla. How will they be able to login to FTP over SSH if password authentication is disabled?
  11. Can you use both a password and a key to authenticate? That way, only authorized computers and users could access the server.
  12. @Marc, I'll work on getting Plesk specific instructions up next. Security is something that should transcend hosting panels. I'll update when I have that for you.
    Jacob "Boom Shadow" Tirey /
  13. [...] written for the ServInt blog as part of the ‘Tech bench’ series. You can view it on the ServInt blog here. Used with permission. Related Posts: How to forward/archive all email for a user; Change a [...]
    SSH Key Authentication | BoomShadow.net /