
State-of-the-art Cloud solutions
by Softronics

Set up public and private key

In this article we explain how to set up SSH login on a Linux server using a public and private key pair.

By default, a Linux server is set up for SSH login with a username and password. For more security you can use key-pair authentication instead. Compared with username/password authentication this method has several advantages:

  • Fully automatic login (no need to type a password)
  • Because a key pair is used for the login, brute-force attacks on the login become impossible. This requires that the password login method is deactivated (see Step 6).
  • You can create a private key for every user and activate it on the server.

Step 1: Generating a key pair

The required key pair can be generated in the shell with a single command:

ssh-keygen

Without further options this generates a key pair using the RSA algorithm with a length of 2048 bits.

The following key types are available:

  • rsa: RSA is a widely used asymmetric algorithm and is considered secure at the key lengths used today. Keys have a length of 2048 or, better, 4096 bits.
  • dsa
  • ecdsa
  • ed25519

With the option -t you define which algorithm is used, and with -b the length of the key:

ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519


Step 2: Creating the Key and the Passphrase

After the command has been entered there are a few questions to answer.

Enter file in which to save the key (/root/.ssh/id_rsa):

Press Enter to keep the default file name.

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Decide whether you want to use a passphrase. A passphrase increases the protection the key provides: if the private key falls into the wrong hands, the passphrase is still required to use it. The drawback is that the passphrase must be entered every time the key is used.

Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
ea:a1:ff:3b:ce:6d:af:b2:5f:34:10:35:7a:ee:4e:ed user@test.mydomain.tld

The key has been generated and saved in the specified file.


Step 3: Removing the private key from the server

The private key has been saved in .ssh/id_rsa. The server only needs the public key, so we recommend removing the private key from the server and backing it up in a safe place.


Step 4: Depositing the public key for the login

To allow login with a private key, the public key must be placed in the file "authorized_keys" in the sub-directory ".ssh" of your home directory. Multiple public keys can be placed in this file to enable logins for multiple users.
The public key can be found in the directory /root/.ssh/ in the file id_rsa.pub.
The file must be renamed:

# mv id_rsa.pub authorized_keys

Now the permissions must be restricted:

# chmod -R 0700 ~/.ssh
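The following script is an added example and not code from the Softronics article. It performs Step 4 in a way that keeps any keys already in authorized_keys (it appends instead of renaming, and skips a key that is already listed) and sets exactly the permissions that sshd's StrictModes check requires (0700 on .ssh, 0600 on authorized_keys); on the server side this is what ssh-copy-id, used in the last section, does over the network. The target directory is a parameter so you can try it against a scratch directory first; the key file name is whatever ssh-keygen produced.

```shell
#!/bin/sh
# Added example, not from the original article: install an OpenSSH public key
# into authorized_keys.  Appends instead of renaming, so keys that are already
# authorized survive, and a key that is already listed is not added twice.
set -eu

# install_pubkey PUBKEY_FILE [SSH_DIR]
#   PUBKEY_FILE: a file produced by ssh-keygen, e.g. ~/.ssh/id_rsa.pub
#   SSH_DIR:     target directory, default $HOME/.ssh
# Prints the number of keys authorized afterwards; returns 1 if the file
# does not look like an OpenSSH public key.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_keys="$ssh_dir/authorized_keys"

    # The first field of a public key line is the key type.
    key_line=$(head -n 1 "$pubkey_file")
    case $key_line in
        "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-*|"ssh-dss "*) ;;
        *)
            echo "install_pubkey: $pubkey_file is not an OpenSSH public key" >&2
            return 1
            ;;
    esac

    # sshd (StrictModes yes, the default) refuses the directory and the file
    # if they are writable by group or others.
    mkdir -p "$ssh_dir"
    chmod 0700 "$ssh_dir"
    touch "$auth_keys"
    chmod 0600 "$auth_keys"

    # Compare on the key material (field 2), not on the whole line, so that a
    # different comment does not produce a duplicate entry.
    key_blob=$(printf '%s\n' "$key_line" | awk '{ print $2 }')
    if ! awk -v blob="$key_blob" '$2 == blob { found = 1 } END { exit !found }' "$auth_keys"; then
        printf '%s\n' "$key_line" >> "$auth_keys"
    fi

    # Report how many keys are now authorized (non-empty lines).
    awk 'NF { n++ } END { print n + 0 }' "$auth_keys"
}

# Usage on the server after Step 2, e.g.:  sh install_pubkey.sh ~/.ssh/id_rsa.pub
if [ "$#" -gt 0 ]; then
    install_pubkey "$@"
fi
```

Deduplicating on the key material rather than the whole line matters because the trailing comment (user@host) is free text and is often edited, which would otherwise leave the same key authorized twice.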


Step 5: Testing the login

Test the login with the private key. If it does not work, an error occurred during the setup. Do you need assistance? Then please contact our Support.


Step 6: Deactivating the password login

After a successful SSH login with the key you can increase security by disabling SSH login with username/password.

Open the SSH server configuration file:

# sudo nano /etc/ssh/sshd_config

Look for the line PasswordAuthentication yes and change it to PasswordAuthentication no to disable username/password logins.

To activate these changes, restart the SSH service:

# service ssh restart

On systemd-based distributions you can also use systemctl restart ssh (Debian/Ubuntu) or systemctl restart sshd (Red Hat-based).
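The following script is an added example, not the article's own code. It makes the Step 6 change idempotently on a copy of sshd_config (so the result can be inspected before it is put in place), also switches off the challenge-response path through which PAM can still prompt for a password, and validates the file with sshd -t before the service is restarted. It assumes an sshd_config without Match blocks (a keyword inside a Match block would be edited in place rather than at the global level); admin@server.example and the key path in the usage comment are placeholders. Keep your current session open while you confirm from a second terminal that key login still works.

```shell
#!/bin/sh
# Added example, not from the original article: disable password logins in
# sshd_config without leaving duplicate or commented-out settings behind,
# then check the result before restarting sshd.
set -eu

# set_sshd_option FILE KEY VALUE
# Replaces every "KEY ..." line in FILE, active or commented out, with
# "KEY VALUE" (first occurrence kept in place, later duplicates dropped);
# appends the line if FILE has no such keyword.  Keyword matching is
# case-insensitive, as in sshd.  Assumes FILE has no Match blocks.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip leading "#" and blanks
            split(line, f, "[ \t=]+")             # f[1] is the keyword
            if (tolower(f[1]) == lk) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# get_sshd_option FILE KEY: prints the value of the last active KEY line
# (sshd uses the first, but after set_sshd_option there is only one).
get_sshd_option() {
    awk -v key="$2" '
        BEGIN { lk = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == lk { v = $2 }
        END { print v }
    ' "$1"
}

# harden_sshd FILE: keep public-key login on, switch every password path off.
harden_sshd() {
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    # Without this, PAM keyboard-interactive login may still ask for the
    # password.  OpenSSH 8.7+ prefers the name KbdInteractiveAuthentication;
    # ChallengeResponseAuthentication remains accepted as an alias.
    set_sshd_option "$1" ChallengeResponseAuthentication no
}

# check_key_login USER@HOST KEYFILE: succeeds only if key authentication
# alone gets you in; BatchMode prevents any password or passphrase prompt.
# Run this from a second terminal before restarting sshd.
check_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -i "$2" "$1" true
}

# apply_sshd_config FILE: syntax-check FILE, show the effective setting, copy
# it into place and restart the service (unit "ssh" on Debian/Ubuntu, "sshd"
# on Red Hat-based systems).
apply_sshd_config() {
    sshd -t -f "$1"
    sshd -T -f "$1" | grep -i '^passwordauthentication'
    cp "$1" /etc/ssh/sshd_config
    systemctl restart ssh 2>/dev/null || systemctl restart sshd
}

# Typical use (as root; host and key path are placeholders):
#   cp /etc/ssh/sshd_config /root/sshd_config.new
#   harden_sshd /root/sshd_config.new
#   check_key_login admin@server.example ~/.ssh/id_ed25519
#   apply_sshd_config /root/sshd_config.new
```

Editing the commented default line in place, instead of appending a new line at the end, keeps the file readable; sshd takes the first occurrence of a keyword, so a stray duplicate earlier in the file would otherwise silently win over the setting you appended.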


Login with PuTTY

In the SSH client "PuTTY" a private key can be selected before connecting.
To do so, choose your private key under "Connection", "SSH", "Auth". After that you can connect as usual. If you have protected your key with a passphrase, you will have to enter it each time a connection is established.


Generating the key on the local computer for the server

The key pair can also be generated on a local Linux computer. The procedure is the same as described above, but in this case the public key must be copied to the server and activated there. Step 3 can be skipped. Instead, copy the public key to the server with:

ssh-copy-id user@host