SSH login to Linux server

SSH login with provide more security to the server. It provides extra layer of security for the server. It uses public – private key authentication with server which prevents anyone login to the server with out private key. That means login with simple username and password can be depreciated and new two level of security can be added.

Generate public / private key:

We can generate keys by different ways. For better understanding please click here.

Create SSH login for User.

ssh-keygen rsa -f  newuser

a) Copy your public key to authorized_keys

i)  If you are trying to get SSH login for root then copy it to root .ssh folder.

cat mykey.pub >> /root/.ssh/authorized_keys

ii) If you are setting for particular user then copy it to that user folder

cat mykey.pub >> /<user folder>/.ssh/authorized_keys

b) Restart sshd server:

service sshd restart

Enable SSH only login:

vi  /etc/ssh/sshd_config

Set:

PasswordAuthentication no

If we need to set SSH login to particular users only then, set that user name in Allowusers parameter.

AllowUsers root, newUser

SSH private / public key pair & self sign certificate.

One of the most common forms of cryptography today is public-key cryptography helps to communicate two system by encrypting information using the public key and information can be decrypted using private key. These keys are using mainly on login to server securely and also transferring data securely.

We can generate these private public keys by various ways.

1) By using openssl.

openssl genrsa -out mykey.pem 1024

with password encryption

 openssl genrsa -des3 -out mykey.pem 1024

1024 is the key encryption bytes, more value means more secure it is.

Generate public key:

 openssl rsa -in mykey.pem -pubout > publickey.pub

now mykey.pem is prvate key , and publickey.pub is public key

2) By using ssh keygen

ssh-keygen -t rsa
 ssh-keygen -t rsa -b 2048
 -b gives bytes of encoding.
 Generating public/private rsa key pair.
 Enter file in which to save the key (/root/.ssh/id_rsa):( give new path or hit enter key)
 Enter passphrase (empty for no passphrase): [Press enter key]
 Enter same passphrase again: [Pess enter key]
 Your identification has been saved in /root/.ssh/id_rsa.
 Your public key has been saved in /root/.ssh/id_rss.pub.

3) using putty-gen for windows.

Download puttyGen from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html and run it.

You can select one of the key types, SSH-1, SSH-2, and SSH-2 DSA.
SSH-2 is probably better than others but you have to make sure if your system supports SSH-2, if your system ( server) doesnt support it then you better off with SSH-1.

Level of encryption can be set from “Number of bits in a generated key” . Security level can be enhance by using 2048 but again make sure where you are using it and thus follow the recommendation for this value. I prefer 2048 but even with 1024 is much more secure.

Click on generate to create keys. Move your mouse over the empty space to help puttygen to genereate random variables.

Once the key is generated you will see following window.

If you want to login without password ( in case of ssh login) you can put your passphase empty. click on Save Public key and Save private key to save your keys.

When you save private key it will be saved in ppk format which you can use putty to login to your system.

We can get private key for openSSH by clicking on Conversions->Export OpenSSH key

If you want to use ssh to login with these generated key / pair then
copy public key ( mykey.pub) to .ssh/authorized_key.

Generating Self sign certificate:

 openssl req -new -x509 -key mykey.pem -out certificate.cer -days 1825

 Enter PEM pass phrase: - type your passphrase here.
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.


 Country Name (2 letter code) []:< country short code>
 State or Province Name (full name) []:<state>
 Locality Name (eg, city) []:<city name>
 Organization Name (eg, company) []:<organization name>
 Organizational Unit Name (eg, section) []:
 Common Name (eg, your websites domain name) []:<host name >
 Email Address []:<youremail@email.com>