Introduction
This post is about securing the SSH connection between systems: instead of password-based authentication, which should not be enabled even in a dev or test environment, use your public key pair to authenticate your systems over SSH. This post is dedicated to Windows, however if you are looking for Linux.
Setting the Stage
For the sake of this post, I am going to assume two servers: Server 1, which I will call the control node, and Server 2, which I will call the host node. This procedure can be scaled to more hosts.
As you are all aware, as long as you know the username and password, you can SSH from Server 1 to Server 2. However, passwords should be avoided at all costs: they are very commonly stolen, and a stolen password leads directly to unauthorized access. To prevent this, you can use SSH with a public key pair, meaning Server 1 authenticates and connects via SSH using its private and public keys. Security can be further enhanced by protecting the private key with a passphrase.
Important
The most important part of this post is this: the private key you generate must never be shared anywhere.
Foundation
What is an SSH Key Pair?
- An SSH key pair is a secure access credential used in the Secure Shell (SSH) protocol.
- It relies on public key infrastructure (PKI) technology, which is the gold standard for digital identity authentication and encryption.
- The key pair consists of two related but asymmetric keys: a public key and a private key.
Public Key and Private Key:
- Public Key:
  - The public key is freely shared with any SSH server you want to connect to.
  - It is used for encryption.
  - When you connect to a remote server, your public key is sent to the server.
  - The server uses it to encrypt messages that only you can decrypt.
  - For example, if Bob wants to send you a secret message, he encrypts it using your public key.
  - The public key ensures confidentiality.
- Private Key:
  - The private key is kept secret and known only to you.
  - It is used for decryption.
  - When you receive an encrypted message from the server, you use your private key to decrypt it.
  - The private key remains on your local system.
  - Only you can decrypt messages encrypted with your public key.
  - Private-key cryptography ensures that only authorized parties can read the original message.
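To make the two halves of the key pair concrete, here is a toy RSA example written for this post (it is not the post's own code and not what ssh-keygen produces). It uses two tiny, fixed primes so the arithmetic is readable; the key sizes are an assumption for the demo only. It shows the direction the post describes (anyone encrypts with the public key, only the private key decrypts) and also the reverse direction, which is the one SSH's publickey method actually relies on: the client signs a challenge with its private key, and the server verifies the signature using the public key it holds in authorized_keys.

```python
"""Toy RSA to show the two directions of a key pair. Primes are tiny constants
chosen for the demo, so this illustrates the mechanism only; real SSH keys are
thousands of bits and generated by ssh-keygen."""
from math import gcd

# Constructed toy primes (assumption for the demo; nowhere near a real key size)
P, Q = 61, 53


def generate_keypair(p: int = P, q: int = Q, e: int = 17):
    """Return ((e, n), (d, n)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message: int, public_key) -> int:
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key) -> int:
    """Done with the private key, which never leaves the owner's machine."""
    d, n = private_key
    return pow(ciphertext, d, n)


def sign(message: int, private_key) -> int:
    """Only the private-key holder can produce this value for a given message."""
    d, n = private_key
    return pow(message, d, n)


def verify(message: int, signature: int, public_key) -> bool:
    """The verifier needs only the public key, e.g. the copy in authorized_keys."""
    e, n = public_key
    return pow(signature, e, n) == message


def demo() -> dict:
    """Run both directions and report which checks passed."""
    public_key, private_key = generate_keypair()
    secret = 65
    ciphertext = encrypt(secret, public_key)
    challenge = 42
    signature = sign(challenge, private_key)
    return {
        "roundtrip_ok": decrypt(ciphertext, private_key) == secret,
        "signature_ok": verify(challenge, signature, public_key),
        # Changing the signed message must make verification fail
        "tampered_rejected": not verify(challenge + 1, signature, public_key),
    }


if __name__ == "__main__":
    print(demo())
```

The point for the rest of the post: whoever holds the public key can only encrypt or verify, so handing it to every server is harmless; whoever holds the private key can decrypt and sign as you, which is why it must never leave your machine.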
Deployment
- Once you have chosen a secure location for your private key, generate the key pair with the following command (adjust the key type and size to your requirements and encryption needs):
ssh-keygen -t rsa -b 4096 -C "[email protected]" (must run your terminal as administrator).
Your id_rsa and id_rsa.pub files will be placed under your profile's .ssh folder (C:\Users\your_username\.ssh\) by default; otherwise you can save them in a specific location by giving the full path together with the key name.
You may choose not to set a passphrase, if you wish.
Now we are ready to copy the public key over to the server that we would like to connect to in future using this SSH key pair. To do this from the terminal window itself, without any other tools, complete the following steps.
type $env:USERPROFILE\.ssh\id_rsa.pub | ssh username@linux_server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
- If you have saved your keys in a custom location:
type LOCATION\KEY.pub | ssh username@linux_server_ip "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
- This will prompt you to SSH into the server using the password.
- After this, using PuTTY or tools like Termius, you will be able to log in using the SSH key pair.
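The `cat >> ~/.ssh/authorized_keys` step above works, but it appends a second copy every time it is re-run and leaves the file and directory modes untouched, which matters because sshd (with its default StrictModes yes) ignores an authorized_keys file that is writable by other users. The following Python helper, added here as an example and not part of the post's procedure, does the same installation with the checks a practitioner would want: it refuses anything that looks like a private key (the post's most important rule), installs a key only once, and fixes the modes. The sample key and the temporary directory are constructed for the demo; on a real host node you would pass the user's own ~/.ssh path.

```python
"""Install a public key into authorized_keys with the checks that a plain
`cat >>` skips. Paths and key text below are constructed for the demo."""
import os
import re
import tempfile

# Matches the key types OpenSSH writes to *.pub: type, base64 blob, optional comment
PUBKEY_LINE = re.compile(
    r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=* ?.*$"
)


def validate_public_key(text: str) -> str:
    """Return the single trimmed public-key line, or raise if it is not one."""
    if "PRIVATE KEY" in text:
        # Refuse the classic mistake: piping id_rsa instead of id_rsa.pub
        raise ValueError("refusing to install what looks like a PRIVATE key")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1 or not PUBKEY_LINE.match(lines[0]):
        raise ValueError("expected exactly one OpenSSH public key line")
    return lines[0]


def install_authorized_key(pubkey_text: str, ssh_dir: str) -> bool:
    """Append the key to ssh_dir/authorized_keys once.
    Returns True if it was added, False if it was already present.
    Also sets the 0700/0600 modes sshd expects before it honours the file."""
    key = validate_public_key(pubkey_text)
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            existing = [ln.strip() for ln in fh if ln.strip()]
    # Compare on type + blob only, so a changed comment does not create a duplicate
    key_id = " ".join(key.split()[:2])
    if any(" ".join(ln.split()[:2]) == key_id for ln in existing):
        os.chmod(path, 0o600)
        return False
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(key + "\n")
    os.chmod(path, 0o600)
    return True


# Constructed sample key: the blob is not a real key, only the format is realistic
SAMPLE_PUB = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobNotARealKey000000000 "
    "user@control-node\n"
)
# Constructed fragment of what a private key file looks like, to test the guard
SAMPLE_PRIV = "-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n"


def demo() -> dict:
    """Install the sample key twice, then try the private-key fragment."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        first = install_authorized_key(SAMPLE_PUB, ssh_dir)
        second = install_authorized_key(SAMPLE_PUB, ssh_dir)  # same key again
        try:
            install_authorized_key(SAMPLE_PRIV, ssh_dir)
            refused = False
        except ValueError:
            refused = True
        with open(os.path.join(ssh_dir, "authorized_keys"), encoding="utf-8") as fh:
            line_count = len(fh.read().splitlines())
    return {
        "added": first,
        "deduplicated": not second,
        "private_key_refused": refused,
        "lines": line_count,
    }


if __name__ == "__main__":
    print(demo())
```

Run it on the host node as the user who will log in (so ~/.ssh belongs to them), then test the key login from a second terminal before closing the password session you used to copy the key.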
Enhance Security
Disable Password Authentication:
- Edit the SSH configuration file on your Linux server (/etc/ssh/sshd_config):
PasswordAuthentication no
- Restart the SSH service:
sudo systemctl restart sshd
Use Non-Default Port:
- Change the default SSH port (22) to a custom port in /etc/ssh/sshd_config:
Port 2222
- Remember to update your firewall rules accordingly.
Summary
- Never copy your private key into a code repository, even a private one!
- There are some good strategies for backing up and protecting your private key: password managers, vaults and key vaults are some of the choices.
- Set up your SSH access using a key pair; you don't need to set up passwords.