{"id":16,"date":"2015-07-20T19:18:58","date_gmt":"2015-07-20T19:18:58","guid":{"rendered":"http:\/\/www.ilovesecure.com\/?p=16"},"modified":"2018-10-05T18:53:18","modified_gmt":"2018-10-05T18:53:18","slug":"secure-ssh-login","status":"publish","type":"post","link":"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/","title":{"rendered":"Secure Linux ssh login with public key"},"content":{"rendered":"<p>The main steps to secure console login to your server are:<\/p>\n<ul>\n<li>do not use any telnet server; use ssh instead<\/li>\n<li>do not use ssh with a password<\/li>\n<li>tune sshd to disallow root login and block login with a password<\/li>\n<\/ul>\n<h3>1 &#8211; Remove password based ssh login<\/h3>\n<p>Logging in to your server via ssh with a password is extremely insecure and not even very practical. We strongly suggest moving to ssh login with a public key. It is very easy to implement and it is supported by any device (tablets, smartphones, etc.).<\/p>\n<p><strong>How it works<\/strong><\/p>\n<p>You need 2 keys (2 small files): one called the &#8220;private&#8221; key, the other called the &#8220;public&#8221; key. What makes these 2 keys special is that a text message encrypted with the public key can only be decrypted with the private key. When you ask to log in via an ssh client to a server that has your public key, the server encrypts a random message with your public key and asks your client to decrypt it to prove it has the correct private key. In this way the ssh client demonstrates that it has the private key without revealing it, keeping it as secret as possible. The public key can only verify that the private key is the correct one; for this reason it can be freely distributed to any server you need to log in to, while you need to keep your private key safe because it is the proof of your identity. 
You can add an extra level of security to your private key by protecting it with a password, so that even if somebody steals your private key, they need to know your password to use it. Key password protection is not a very strong protection, because finding the password is just a matter of time and CPU power.<\/p>\n<p><strong>How to create public and private key<\/strong><\/p>\n<p>There are many tools, depending on the operating system you use. To create the private\/public key on Windows you can use PuTTYgen; please refer to <a href=\"https:\/\/winscp.net\/eng\/docs\/ui_puttygen\">this document<\/a>. To create keys on Linux or Mac, please refer to <a href=\"https:\/\/www.maketecheasier.com\/generate-public-private-ssh-key\/\">this document<\/a>.<\/p>\n<p><strong>How to set up your server<\/strong><\/p>\n<p>Here we show how to set up a single server to allow login using a public key. If you have many servers located in the same environment, we strongly suggest introducing a centralized LDAP to manage users and their keys in a single location (we will see it in a different post).<\/p>\n<p>Create the user<\/p>\n<div class=\"linux-command\">[root@myserver ~]# adduser myuser<\/div>\n<p>Create .ssh folder<\/p>\n<div class=\"linux-command\">[root@myserver ~]# su - myuser<br \/>\n[myuser@myserver ~]$ mkdir .ssh<\/div>\n<p>Create the authorized_keys file<\/p>\n<div class=\"linux-command\">[myuser@myserver ~]$ vi .ssh\/authorized_keys<\/div>\n<p>and paste the text of your public key.<br \/>\nFix the permissions and ownership<\/p>\n<div class=\"linux-command\">[myuser@myserver ~]$ chmod 700 .ssh<br \/>\n[myuser@myserver ~]$ chmod 640 .ssh\/authorized_keys<\/div>\n<p>Verify that it works: on your PC (Linux or Mac) run<\/p>\n<div class=\"linux-command\">[myuser@mypc ~]$ ssh -v myserver<\/div>\n<p>-v shows you all the steps, so you can see where the problem is if something goes wrong.<\/p>\n<p>On the server you can check \/var\/log\/secure to understand any problem.<\/p>\n<h3>2 
&#8211; Fix sshd configuration file<\/h3>\n<p>Once all the users on your server use public key ssh login, you can remove the possibility to log in with a password, to avoid any risk of security breaches.<br \/>\nEdit the sshd config file<\/p>\n<div class=\"linux-command\">[root@myserver ~]# vi \/etc\/ssh\/sshd_config<\/div>\n<p>and make sure these 2 parameters are set<\/p>\n<div class=\"linux-command\">PermitRootLogin no<br \/>\n&#8230;.<br \/>\nPasswordAuthentication no<\/div>\n<p>Save and restart the sshd service<\/p>\n<div class=\"linux-command\">[root@myserver ~]# service sshd restart<\/div>\n<p><strong>REMEMBER:<\/strong> when you make any change like this, use 2 consoles. With the first make your changes, and with the second check that you are still able to log in after the changes.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The main step to secure console login to your server are do not use any telnet server, use ssh do not use ssh with password tune the sshd to avoid root login and block login with password 1 &#8211; Remove password based ssh login Login to your server via ssh using password is extremely insecure [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3],"tags":[9,7,10,8,5,11],"class_list":["post-16","post","type-post","status-publish","format-standard","hentry","category-linux","tag-dsa","tag-private-key","tag-public-key","tag-rsa","tag-ssh","tag-sshd","no-thumb"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Secure Linux ssh login with public key - I Love Secure<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, 
max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Secure Linux ssh login with public key - I Love Secure\" \/>\n<meta property=\"og:description\" content=\"The main step to secure console login to your server are do not use any telnet server, use ssh do not use ssh with password tune the sshd to avoid root login and block login with password 1 &#8211; Remove password based ssh login Login to your server via ssh using password is extremely insecure [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/\" \/>\n<meta property=\"og:site_name\" content=\"I Love Secure\" \/>\n<meta property=\"article:published_time\" content=\"2015-07-20T19:18:58+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-10-05T18:53:18+00:00\" \/>\n<meta name=\"author\" content=\"secureadm\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"secureadm\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/\",\"url\":\"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/\",\"name\":\"Secure Linux ssh login with public key - I Love Secure\",\"isPartOf\":{\"@id\":\"https:\/\/www.ilovesecure.com\/#website\"},\"datePublished\":\"2015-07-20T19:18:58+00:00\",\"dateModified\":\"2018-10-05T18:53:18+00:00\",\"author\":{\"@id\":\"https:\/\/www.ilovesecure.com\/#\/schema\/person\/4f0f645b7843e70f478415155f2b0b07\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.ilovesecure.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Secure Linux ssh login with public key\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.ilovesecure.com\/#website\",\"url\":\"https:\/\/www.ilovesecure.com\/\",\"name\":\"I Love Secure\",\"description\":\"Security step by 
step\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.ilovesecure.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.ilovesecure.com\/#\/schema\/person\/4f0f645b7843e70f478415155f2b0b07\",\"name\":\"secureadm\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ilovesecure.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7ae680ceca3544c8a37149e6254db758ee7c1ecefd5c6ad34aa972b9c5bfd1d0?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/7ae680ceca3544c8a37149e6254db758ee7c1ecefd5c6ad34aa972b9c5bfd1d0?s=96&d=mm&r=g\",\"caption\":\"secureadm\"},\"url\":\"https:\/\/www.ilovesecure.com\/index.php\/author\/secureadm\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Secure Linux ssh login with public key - I Love Secure","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/","og_locale":"en_US","og_type":"article","og_title":"Secure Linux ssh login with public key - I Love Secure","og_description":"The main step to secure console login to your server are do not use any telnet server, use ssh do not use ssh with password tune the sshd to avoid root login and block login with password 1 &#8211; Remove password based ssh login Login to your server via ssh using password is extremely insecure [&hellip;]","og_url":"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/","og_site_name":"I Love 
Secure","article_published_time":"2015-07-20T19:18:58+00:00","article_modified_time":"2018-10-05T18:53:18+00:00","author":"secureadm","twitter_card":"summary_large_image","twitter_misc":{"Written by":"secureadm","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/","url":"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/","name":"Secure Linux ssh login with public key - I Love Secure","isPartOf":{"@id":"https:\/\/www.ilovesecure.com\/#website"},"datePublished":"2015-07-20T19:18:58+00:00","dateModified":"2018-10-05T18:53:18+00:00","author":{"@id":"https:\/\/www.ilovesecure.com\/#\/schema\/person\/4f0f645b7843e70f478415155f2b0b07"},"breadcrumb":{"@id":"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.ilovesecure.com\/index.php\/2015\/07\/20\/secure-ssh-login\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.ilovesecure.com\/"},{"@type":"ListItem","position":2,"name":"Secure Linux ssh login with public key"}]},{"@type":"WebSite","@id":"https:\/\/www.ilovesecure.com\/#website","url":"https:\/\/www.ilovesecure.com\/","name":"I Love Secure","description":"Security step by 
step","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.ilovesecure.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.ilovesecure.com\/#\/schema\/person\/4f0f645b7843e70f478415155f2b0b07","name":"secureadm","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ilovesecure.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/7ae680ceca3544c8a37149e6254db758ee7c1ecefd5c6ad34aa972b9c5bfd1d0?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7ae680ceca3544c8a37149e6254db758ee7c1ecefd5c6ad34aa972b9c5bfd1d0?s=96&d=mm&r=g","caption":"secureadm"},"url":"https:\/\/www.ilovesecure.com\/index.php\/author\/secureadm\/"}]}},"_links":{"self":[{"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/posts\/16","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/comments?post=16"}],"version-history":[{"count":16,"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/posts\/16\/revisions"}],"predecessor-version":[{"id":193,"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/posts\/16\/revisions\/193"}],"wp:attachment":[{"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/media?parent=16"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ilovesecure.com\/index.php\/wp-json\/wp\/v2\/categories?post=16"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ilovesecure.com\/i
ndex.php\/wp-json\/wp\/v2\/tags?post=16"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}