Guide: Secure your Linux server with SSH keys
Introduction
Logging in over SSH with a key pair instead of a password improves your server's security dramatically: leaving password authentication enabled exposes the server to brute-force guessing attacks against your password. With a key pair you place the public key on every server you want to harden, and as long as the private key stays private nobody can log in with your credentials.
In this guide I will describe how to create an SSH key pair with a passphrase on an Ubuntu 16.04 server, how to lock the server down so that only the key pair is accepted, and how to use the key with Bitvise SSH Client.
Prerequisites
An Ubuntu 16.04 server and an SSH client that supports public-key authentication. I recommend Bitvise SSH Client (Tunnelier) or PuTTY.
The key will be created on the Ubuntu 16.04 server, so you will also need a way to transfer the private key to your own machine.
I recommend Bitvise SSH Client as it comes with an SFTP client.
Step One – Creating our key pair
ssh-keygen -t rsa -b 2048
-t specifies the key type; on Ubuntu 16.04 (OpenSSH 7.2) you can pick between dsa, ecdsa, ed25519, rsa and rsa1.
I will be using rsa as it works with all current servers and clients. Do not use dsa: OpenSSH 7.0 and newer refuse ssh-dss keys by default because the algorithm is limited to 1024-bit keys signed with SHA-1, which is too weak for today's standards. rsa1 is the obsolete SSH protocol 1 format and should not be used either.
-b specifies the key length in bits, and therefore the strength of the key.
2048 bits is the smallest size you should use today and is supported by practically every system; 4096-bit keys are stronger and are accepted by any reasonably current OpenSSH, but some older appliances and embedded devices reject them. Longer keys cost more CPU for every login, although on modern hardware the difference is only a fraction of a second.
Step Two – Storing our Key pair and Passphrase
You will be prompted for where to store the key; you can leave this at the default path if you wish.
Enter file in which to save the key (/home/kenneth/.ssh/id_rsa):
My user is kenneth, so the default path will be:
/home/kenneth/.ssh/id_rsa
Next you will be prompted for a passphrase. You can leave it blank to use the key pair without one, but then anyone who gets hold of your key file can use it freely. The passphrase encrypts the private key on disk, so a stolen key file is useless to the thief until the passphrase is guessed.
Enter passphrase (empty for no passphrase):
Once you have entered the passphrase twice your key pair is generated, and ssh-keygen prints the key's fingerprint and randomart image. The two files it created are:
Your public key is now located in /home/kenneth/.ssh/id_rsa.pub
Your private key is located in /home/kenneth/.ssh/id_rsa
Now install the public key as your authorized_keys file. If that file already exists on the server, append the new key to it instead of overwriting it, otherwise any keys already installed will stop working:
mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
sshd ignores an authorized_keys file that is writable by anyone other than you, and the same goes for the ~/.ssh directory, so the file must be mode 600 and the directory mode 700 (ssh-keygen creates the directory with the right mode).
Now transfer the private key to your own machine and store it safely there. Bitvise's SFTP client is fine for this; never send the key over plain FTP or e-mail. Ideally a private key never leaves the machine that uses it (Bitvise and PuTTY can both generate key pairs locally), so if you follow this guide's approach of generating it on the server, treat the transfer with care. Once you have confirmed that the copy on your machine is intact and that you can log in with it, remove it from the server:
rm ~/.ssh/id_rsa
Note that if you lose the private key you will not be able to access the machine once the next step is done, so be sure to test that the key works in your client before locking down the server.
Step Three – Disable password logins
In this step we will disable all password logins on the server. Afterwards only users with an authorized key pair will be able to log in, which removes password brute-forcing as an attack vector.
Open the SSH daemon configuration in an editor:
sudo nano /etc/ssh/sshd_config
Find the line that sets PasswordAuthentication. On a fresh Ubuntu 16.04 install it is commented out as #PasswordAuthentication yes, which means the built-in default of yes applies.
Change it to PasswordAuthentication no, and remove the leading # as well, otherwise the line is ignored. Also check that ChallengeResponseAuthentication is set to no (the Ubuntu default): with UsePAM yes, a value of yes would still let clients send a password through keyboard-interactive authentication.
Save and exit, then restart SSH so it loads the new configuration:
sudo service ssh restart
Keep your current session open and start a second connection from your client. If you try to connect via Bitvise using password authentication the server will now refuse it, and the client should prompt you to use your key pair instead. Only log out of the original session once the key login works; if it does not, you still have a session in which to fix the configuration.
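The two server-side steps above (installing the public key and disabling password logins) can be scripted so that they are repeatable and so that the sshd_config edit is checked before the daemon is restarted. The following shell script is an added example and is not part of the original guide; the function names, the --apply handling and the embedded sshd_config fragment are my own assumptions, and the script only touches the real /etc/ssh/sshd_config when run as root with --apply.

```shell
#!/bin/sh
# Added example (not from the original guide). Two helpers that perform the
# server-side steps of the guide on paths passed as arguments, so they can be
# tried on a scratch directory before being applied for real:
#   install_authorized_key <pubkey-file> <ssh-dir>
#   disable_password_auth  <sshd_config-file>
set -eu

# Append a public key to <ssh-dir>/authorized_keys instead of replacing the
# file, so keys already installed on the server survive, and enforce the
# permissions sshd insists on (StrictModes): 700 on the dir, 600 on the file.
install_authorized_key() {
    pub="$1"
    dir="$2"
    mkdir -p "$dir"
    chmod 700 "$dir"
    key_line=$(head -n 1 "$pub")
    # Accept only lines that look like an OpenSSH public key.
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac
    touch "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    # Idempotent: do not append a key that is already present.
    if ! grep -qxF "$key_line" "$dir/authorized_keys"; then
        printf '%s\n' "$key_line" >> "$dir/authorized_keys"
    fi
}

# Set one sshd_config directive, whether it is currently absent, commented
# out ("#PasswordAuthentication yes") or set to another value. sshd uses the
# first occurrence of a directive, so it is rewritten in place rather than
# appended blindly. (Directives inside Match blocks are not handled here.)
set_sshd_option() {
    cfg="$1"; name="$2"; value="$3"
    if grep -Eq "^[#[:space:]]*$name[[:space:]]" "$cfg"; then
        sed -i.bak -E "s|^[#[:space:]]*$name[[:space:]].*|$name $value|" "$cfg"
        rm -f "$cfg.bak"
    else
        printf '%s %s\n' "$name" "$value" >> "$cfg"
    fi
}

disable_password_auth() {
    cfg="$1"
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    # With UsePAM yes, keyboard-interactive auth would otherwise still accept
    # a password even though PasswordAuthentication is off.
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
}

# Effective value of a directive: first non-comment match wins, as in sshd.
sshd_option() {
    awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# Real run (as root): ./harden-ssh.sh --apply <username>
if [ "${1:-}" = "--apply" ]; then
    user="${2:?usage: $0 --apply <username>}"
    home=$(getent passwd "$user" | cut -d: -f6)
    install_authorized_key "$home/.ssh/id_rsa.pub" "$home/.ssh"
    chown -R "$user:" "$home/.ssh"
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
    disable_password_auth /etc/ssh/sshd_config
    /usr/sbin/sshd -t            # refuse to restart sshd on a broken config
    service ssh restart
fi
```

Run it first against a copy of sshd_config and a scratch directory to see what it changes, and keep an existing session open while the real restart happens. Before deleting the private key from the server, compare the fingerprint shown by ssh-keygen -lf on both machines so you know the transferred copy is intact.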
Using your Key pair – Bitvise SSH Client
In the login window click “Client key manager”
Click “Import”
If you transferred the private key via SFTP or a similar program without converting it to a .bkp file, change the file-type filter to All Files (*.*) so the OpenSSH-format key shows up in the dialog.
Enter your Passphrase.
The key is now imported; you can add a comment to it if you like.
When you next log in to your server it should prompt you for public-key authentication.
Enter your passphrase, and you have logged in with your new key pair.