SSH-key authorization

Brute-force attacks are among the most common threats on the Internet. Even advanced users often use passwords that are too simple, which makes them vulnerable to attack by intruders. Usually bots guess passwords automatically: they scan subnets, determine active IP addresses, and then try to log in to the addresses they find.

It is recommended to create a password of at least 9 random characters (such a password will not be found quickly). You can check the strength of your password on a special website, for example, here.

SSH key authorization is more secure than using a password. The SSH key is much easier to use when authorizing on multiple servers.

You can create a key using online services (for example, here) or on a personal computer using special utilities.

Generating an SSH key (Windows)

1. It is recommended to use the PuTTYgen application (installed with PuTTY). Once launched, specify the RSA key type (SSH2-RSA in older versions), and click Generate.

2. While creating keys, move the mouse cursor several times in the program window (to generate random values used in keys).

3. At the end of the generation process, save the private and public keys by clicking “Save public key” and “Save private key” (when saving the private key, agree to save without using a security phrase).

Generating an SSH key (Linux/MacOS)

1. Install the OpenSSH utility.

2. Open the Terminal utility and run the command:

ssh-keygen -t rsa -b 2048

3. Select the path to save the key pair.

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):

Pressing "Enter" will save the keys to the .ssh directory of your home directory.

4. If you do not want to enter a passphrase every time you use a private key, just press "Enter".

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

5. The key pair has been created. Additional information will be displayed on the screen.

id_rsa is the standard name of the private key file.

id_rsa.pub is the standard name of the public key file. This key must be copied to the servers to which you want to get access when using the private key.

Placing keys on the server (Windows)

Copy the public key (it has the .pub extension) to the server, into the authorized_keys file. It is recommended to use WinSCP or another utility for working with files on a remote Linux server.

1. Open two files at the same time with a text editor:

  • authorized_keys file via WinSCP on the server,
  • the file where the Public key was saved on the local computer.

2. Copy the contents of the key to authorized_keys.

3. Save and close authorized_keys file in WinSCP.

Placing keys on the server (Linux/MacOS)

1. After creating the keys, run the command in the Terminal utility:

ssh-copy-id -i ~/.ssh/id_rsa user@host

where ~/.ssh/id_rsa is the path to the private key (ssh-copy-id copies the matching public key, id_rsa.pub, to the server)

user - username

host - server IP address

2. Enable key authentication on the server instead of password.

• Connect to the server using a password.

• Open the file /etc/ssh/sshd_config.

• Check that the path to the public keys (the AuthorizedKeysFile parameter) is correct.

• Set the PasswordAuthentication parameter to no.

3. Restart the sshd service on the server:

service sshd restart

or

service ssh restart

depending on the OS version.
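
The sshd_config check from step 2, as an added example (not part of the original article): a small script that reports which PasswordAuthentication and AuthorizedKeysFile values take effect, since sshd uses the first value it reads for each keyword and a commented-out line leaves the default in place. The function names and the sample configuration are constructed for illustration; Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: what sshd will actually use after the sshd_config edit.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and a commented-out line leaves the built-in default.
# Limits of this sketch: Include files are not followed, and parsing stops
# at the first Match block (global section only).

# effective_value FILE KEYWORD DEFAULT -> prints the value sshd would use
effective_value() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = tolower(want) }
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line == "" || line ~ /^#/) next      # blank or comment
            match(line, /^[^ \t=]+/)
            key = tolower(substr(line, 1, RLENGTH))
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)          # "Key value" or "Key=value"
            if (key == "match") exit                 # global section ends
            if (key == want) { print val; found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE -> prints findings; returns 0 only if password
# logins are disabled in the global section.
audit_sshd_config() {
    pw=$(effective_value "$1" PasswordAuthentication yes)
    keys=$(effective_value "$1" AuthorizedKeysFile \
        ".ssh/authorized_keys .ssh/authorized_keys2")
    echo "PasswordAuthentication = $pw"
    echo "AuthorizedKeysFile     = $keys"
    [ "$pw" = "no" ]
}

# Constructed sample: the edit was appended below an existing "yes", so
# the earlier line wins and password logins stay enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PubkeyAuthentication yes
passwordauthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "WARNING: password logins still enabled"
```

On the server itself, sshd -t checks the edited file for syntax errors before the restart, and sshd -T (run as root) prints the full effective configuration.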

Sign in using a key (Windows)

1. In PuTTY, specify the path to the private key on your computer (Connections tab > Auth).

2. When connecting, you will receive a message that the key was not used earlier for authorization on this server.

Click Yes. 

ATTENTION! You should see this warning ONLY the first time you connect with the key!

If it appears for a server that you have already logged in to with the key, then the keys have been changed on the server or the server has been replaced.

3. If authentication using the key is successful, you will get access to the server command line and a message like:

Authenticating with public key "key-010103232"

key-010103232 is the name of your private key as specified in the authorized_keys file.

Sign in using a key (Linux/MacOS)

To sign in, run the command:

ssh -i ~/.ssh/id_rsa user@host

where ~/.ssh/id_rsa – path to private key

user - username

host - server IP

If you have any questions, please create a ticket to technical support.