While internally we use SSH for remote connections with password authentication, on external servers it is more secure to use public key authentication.
Remember that security is a priority and we must not sacrifice it for any reason.
Today I will explain how to configure SSH to use public key authentication instead of password authentication.
If you have already installed an OpenSSH Server and an OpenSSH Client, you can continue reading this article. Otherwise, please read those articles first and then come back.
How to generate SSH public/private key pairs
The first step for SSH public key authentication is to generate the public/private key pair on the client PC. The private key must be stored on the Windows client PC in a secure place. The public key must be stored on the OpenSSH Server.
To generate the key pair we will use the ssh-keygen command on the Windows PC that has the OpenSSH Client installed.
Hold on a minute! What type of key should be used, RSA or Ed25519? Which is more secure?
I won't go into depth, but after some research I found that Ed25519 is more secure. According to Wikipedia, EdDSA was designed to be faster without sacrificing security. Additionally, this is Microsoft's recommendation.
So I will generate an Ed25519 key.
- Open PowerShell as Administrator and type the following command:
ssh-keygen -t ed25519
- You can press Enter to accept the default values or specify a path where you would like to save the key pair.
- For now leave it to the default path.
- You can also type a passphrase and use it like a second factor: every time you use the key for authentication you will need to type the passphrase.
- Whether to use a passphrase depends on your requirements.
- For now we will not use a passphrase.
- The keys are generated in the path "C:\users\<username>\.ssh", as you will see.
Let's continue with the next step: storing the private key securely on the user's PC.
How to securely store the private key on the client
Now that we have the private key, our first priority is to keep it in a safe place. Remember that the private key is like your password.
To do this we will use the ssh-agent service to store the private key securely.
- Because the ssh-agent service is disabled by default, we must set its startup type to Automatic and start the service.
- So type the following commands:
Set-Service ssh-agent -StartupType automatic
Start-Service ssh-agent
- Now type the following command to store the private key in the ssh-agent:
ssh-add $env:USERPROFILE\.ssh\id_ed25519
- After adding the key to ssh-agent, keep the private key somewhere safe and delete it from the client PC that will use it for the SSH connection.
- Remember that the private key can't be retrieved from ssh-agent. If for any reason you lose the private key and need to use it on another PC, you must generate a new key pair.
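As an added example (not from the article), a PowerShell script that loads the private key into ssh-agent and confirms, by fingerprint, that the agent really holds it before the key file is removed from disk as the article advises. The $KeyPath parameter name is an assumption; the key is assumed to be the default id_ed25519 with its .pub file beside it.

```powershell
# Added example (not from the article): load the private key into ssh-agent
# and verify by fingerprint that the agent holds it before deleting the file.
param([string]$KeyPath = "$env:USERPROFILE\.ssh\id_ed25519")   # assumed default path

if ((Get-Service ssh-agent).StartType -ne 'Automatic') {
    Set-Service ssh-agent -StartupType Automatic   # needs an elevated shell
}
Start-Service ssh-agent

# Fingerprint of the key on disk, taken from its .pub file. ssh-keygen -lf prints:
#   256 SHA256:<base64> <comment> (ED25519)
$diskFp = ((ssh-keygen -lf "$KeyPath.pub") -split ' ')[1]
if (-not $diskFp) { throw "Could not read a fingerprint from $KeyPath.pub" }

ssh-add $KeyPath
if ($LASTEXITCODE -ne 0) { throw "ssh-add failed; the key was not loaded" }

# ssh-add -l prints one line per loaded key in the same format, so the
# fingerprint must appear there before the file is considered safe to remove.
$loaded = ssh-add -l 2>$null
if (-not ($loaded | Where-Object { $_ -like "*$diskFp*" })) {
    throw "ssh-agent does not report fingerprint $diskFp; keeping the key file"
}
Write-Host "Key $diskFp is held by ssh-agent."

# Only now is it safe to take the private key off this PC. The agent cannot
# export it again, so keep the offline copy the article tells you to keep.
# Remove-Item $KeyPath   # uncomment once your offline copy is confirmed
```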
How to copy the public key to the OpenSSH Server
The public key must be saved on the OpenSSH Server in a specific location that depends on the user type.
If the user is a standard user, the public key must be saved in C:\users\<username>\.ssh in a text file named authorized_keys.
If the user is an Administrator, the public key must be saved in C:\ProgramData\ssh in a text file named administrators_authorized_keys.
Let's try to do a test with both user types.
First, I will try with the administrator account.
- Copy/paste the public key to the path C:\ProgramData\ssh and rename it to administrators_authorized_keys.
- Don't forget to delete the .pub extension.
- Right click and select Properties.
- Go to the Security tab and verify that only the Administrators group and the SYSTEM account have access to the public key file. Any other user must be removed.
- Or you can run the following command to grant the appropriate access:
icacls.exe "$env:ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
If you want to connect remotely with a standard user instead of an administrator, the only steps you need to do are the following:
- Copy/paste the public key to the path C:\users\<username>\.ssh
- Rename the public key to authorized_keys
- Delete the extension .pub.
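As an added example (not the article's own procedure), a PowerShell script that puts the public key into the right file for either user type and applies the same ACL as the icacls command above. It goes slightly beyond the article by appending the key line to the file instead of renaming the .pub file, so several keys can coexist, and by refusing anything that does not look like an OpenSSH public key. Parameter names are assumptions; it assumes the key was generated as id_ed25519.pub and that the shell is elevated when the target user is an Administrator.

```powershell
# Added example (not from the article): install a public key for a user and
# lock down the file's ACL. Parameter names are assumptions for this example.
param(
    [string]$PublicKeyPath = "$env:USERPROFILE\.ssh\id_ed25519.pub",
    [string]$TargetUser    = $env:USERNAME
)

$keyLine = (Get-Content -Path $PublicKeyPath -Raw).Trim()
if ($keyLine -notmatch '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+) \S+') {
    throw "File does not look like an OpenSSH public key: $PublicKeyPath"
}

# Members of the local Administrators group use administrators_authorized_keys.
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*\$TargetUser" })

if ($isAdmin) {
    $authFile = "$env:ProgramData\ssh\administrators_authorized_keys"
} else {
    $profileDir = if ($TargetUser -eq $env:USERNAME) { $env:USERPROFILE } else { "C:\Users\$TargetUser" }
    $authFile = "$profileDir\.ssh\authorized_keys"
    New-Item -ItemType Directory -Path (Split-Path $authFile) -Force | Out-Null
}

# Append only if this exact key line is not already present (idempotent).
$existing = if (Test-Path $authFile) { @(Get-Content $authFile) } else { @() }
if ($existing -contains $keyLine) {
    Write-Host "Key already present in $authFile"
} else {
    Add-Content -Path $authFile -Value $keyLine -Encoding ascii
    Write-Host "Appended key to $authFile"
}

# sshd rejects a key file that other users can write to, so drop inherited
# ACEs and grant only Administrators and SYSTEM (plus the owning user for the
# per-user file), exactly as the article's icacls command does.
if ($isAdmin) {
    icacls.exe $authFile /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' | Out-Null
} else {
    icacls.exe $authFile /inheritance:r /grant 'Administrators:F' /grant 'SYSTEM:F' /grant "${TargetUser}:F" | Out-Null
}
icacls.exe $authFile   # print the resulting ACL so it can be checked by eye
```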
How to enable Public Key Authentication on the OpenSSH Server
By default, public key authentication is not enabled on the OpenSSH Server.
To enable public key authentication you must edit the sshd_config file, which is located in C:\ProgramData\ssh, and change the PubkeyAuthentication line from no to yes.
Don't forget to also disable password authentication by changing the PasswordAuthentication line from yes to no.
After the changes, save the file and restart the OpenSSH Server service for the changes to take effect.
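An added example, not from the article, that makes the two sshd_config changes above in an idempotent way: it handles lines that are present, commented out with '#', or missing, edits only the global section above any Match block, keeps a backup, restarts sshd and then checks the effective configuration. It assumes an elevated PowerShell session, the default config path, and that sshd.exe is on the PATH.

```powershell
# Added example (not from the article): set PubkeyAuthentication yes and
# PasswordAuthentication no in sshd_config, whatever their current state.
$configPath = "$env:ProgramData\ssh\sshd_config"
$wanted = [ordered]@{ 'PubkeyAuthentication' = 'yes'; 'PasswordAuthentication' = 'no' }

# A wrong edit here can cut off remote access, so keep a dated backup and
# leave an existing session open until a key-based login has been confirmed.
Copy-Item $configPath "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

$lines = @(Get-Content $configPath)

# Directives after the first 'Match' line apply only to that block, so only
# the global section above it is edited (or extended).
$globalEnd = $lines.Count
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match '^\s*Match\b') { $globalEnd = $i; break }
}

foreach ($name in $wanted.Keys) {
    $value   = $wanted[$name]
    $pattern = "^\s*#?\s*$name\b"      # matches active or commented-out lines
    $found   = $false
    for ($i = 0; $i -lt $globalEnd; $i++) {
        if ($lines[$i] -match $pattern) { $lines[$i] = "$name $value"; $found = $true; break }
    }
    if (-not $found) {
        # Not present at all: insert it at the end of the global section.
        $head = if ($globalEnd -gt 0) { $lines[0..($globalEnd - 1)] } else { @() }
        $tail = if ($globalEnd -lt $lines.Count) { $lines[$globalEnd..($lines.Count - 1)] } else { @() }
        $lines = @($head) + "$name $value" + @($tail)
        $globalEnd++
    }
}

# Write without a BOM; sshd does not expect one at the top of the file.
[System.IO.File]::WriteAllLines($configPath, [string[]]$lines, [System.Text.UTF8Encoding]::new($false))

Restart-Service sshd

# Verify what sshd actually parsed ('sshd -T' dumps the effective config)
# rather than trusting the text file; expect 'pubkeyauthentication yes' and
# 'passwordauthentication no'.
sshd.exe -T 2>$null | Where-Object { $_ -match '^(pubkeyauthentication|passwordauthentication) ' }
```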
How to connect remotely with SSH
Now that we have configured everything, we can connect remotely from the client.
- Open PowerShell and type the following command:
ssh <username>@<ipaddress>
- Only the first time, you must type yes to add the server's host key fingerprint to the list of trusted hosts.
How to check Event Logs for SSH Connections
If you want to check the Event Logs to verify the connection or troubleshoot an issue, open Event Viewer and go to Application and Services Logs -- OpenSSH.
Click on Informational and you will find all the logs that you need.
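An added example (not part of the article) that reads the same OpenSSH log from PowerShell and summarises authentication outcomes, so you can confirm that key-based logins succeed and that no password login is still being accepted after the sshd_config change. It assumes the in-box Windows OpenSSH Server, whose sshd messages land in the OpenSSH/Operational channel; the $Hours parameter and the sample messages in the comments are constructed for this example.

```powershell
# Added example (not from the article): summarise sshd authentication events
# from the OpenSSH/Operational log for the last $Hours hours (constructed parameter).
param([int]$Hours = 24)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'OpenSSH/Operational'; StartTime = $since } `
    -ErrorAction SilentlyContinue

# sshd's message text is the same as on other platforms, e.g. (constructed samples):
#   sshd: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:...
#   sshd: Failed password for invalid user bob from 198.51.100.7 port 40000 ssh2
$pattern = '(?<result>Accepted|Failed) (?<method>\S+) for (?:invalid user )?(?<user>\S+) from (?<ip>\S+) port \d+'

$parsed = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Result = $Matches.result
            Method = $Matches.method
            User   = $Matches.user
            Source = $Matches.ip
        }
    }
}

"Authentication results in the last $Hours hours:"
$parsed | Group-Object Result, Method | Sort-Object Name |
    Select-Object @{ n = 'Result/Method'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Any 'Accepted password' row means PasswordAuthentication is still in effect.
$pw = $parsed | Where-Object { $_.Result -eq 'Accepted' -and $_.Method -eq 'password' }
if ($pw) { Write-Warning "Password logins were accepted for: $(($pw.User | Sort-Object -Unique) -join ', ')" }

# Repeated failures from one source address are worth a look; list any with 5 or more.
"Sources with 5 or more failed attempts:"
$parsed | Where-Object Result -eq 'Failed' | Group-Object Source |
    Where-Object Count -ge 5 | Select-Object Name, Count | Format-Table -AutoSize
```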
That's it!!!
I hope you learned something valuable or that this helped you resolve an issue.
As someone deeply entrenched in the realm of cybersecurity and system administration, I understand the critical importance of secure communication protocols, particularly when it comes to remote connections. The use of SSH (Secure Shell) is a cornerstone in this regard, and I can confidently guide you through the process of configuring SSH for public key authentication, a more secure alternative to password authentication.
Let's delve into the concepts highlighted in the provided article:
- SSH and Password vs. Public Key Authentication: The article emphasizes the importance of security, advocating for public key authentication over password authentication, especially for external servers. This is a well-established best practice in the field of cybersecurity. Passwords are susceptible to various attacks, while public key authentication provides a stronger layer of security.
- Generating SSH Public/Private Key Pairs: The article correctly outlines the first step in configuring public key authentication — generating key pairs using the ssh-keygen command. It wisely recommends using the Ed25519 algorithm due to its enhanced security features and Microsoft's endorsement.
- Storing Private Keys Securely: Security is further reinforced by instructing users to securely store private keys using the ssh-agent command. The article goes on to highlight the necessity of keeping the private key in a safe place, treating it as equivalent to a password.
- Copying Public Key to the OpenSSH Server: The article provides clear instructions on where and how to save the public key on the OpenSSH Server, distinguishing between Standard users and Administrators. Proper access control is emphasized, ensuring that only authorized entities have access to the public key.
- Enabling Public Key Authentication on the OpenSSH Server: The article correctly identifies that Public Key Authentication is not enabled by default on the OpenSSH Server. It guides users through editing the sshd_config file to enable this feature and emphasizes the need to disable password authentication.
- Connecting Remotely with SSH: Once the configurations are in place, the article succinctly explains how to connect remotely using the ssh command, emphasizing the importance of adding the SSH key fingerprint to the trusted list during the first connection.
- Checking Event Logs for SSH Connections: The article provides an additional layer of accountability by instructing users on how to check Event Logs for SSH connections. This is a crucial step in monitoring and troubleshooting any potential issues.
By following the outlined steps, users can establish a robust and secure SSH configuration, contributing to a more resilient and protected system. I hope this breakdown provides clarity and confidence as you embark on implementing public key authentication for your SSH connections. If you have any further questions or need additional guidance, feel free to ask.