We need to secure our SSH local-to-remote server connection, in a bunch of ways, and we will.
First and now, we'll create the authentication key pairing. That allows for a password-free login, which is handy, but more importantly if means we can refuse passwords at the server, negating the common curse that is the brute force password attack, dictionary attacks and whatever other ruddy attacks.
Having setup a terminal using PuTTY, with your VPS username and your local to remote link, so can take the next step: create the pair of keys, one for the local PC, the other for the Linux server.
Aside from the security factor, this keyset thing is a mighty handy time-saver because, in setting up our remote server, let alone managing it, there sure is a lot of logging in and out.
Have a video:-
Video: Easy PuTTY Login with Keys
Now then. Do pay attention, there's a good fellow. Some of this is fiddly and unforgiving. If you're not precise, it won't work.
Generate Public and Private Keys with PuTTYgen
On your Windows PC, click Start > All Programs > PuTTY > PuTTYgen, and open it up.
Ensuring Parameters is set to SSH-2 RSA, click Generate. While generating, move the cursor about as directed, to create a random set of keys.
Copy the public key, as highlighted here, to a text file. DON'T COPY the end of the line (referred to as the Key comment) which begins rsa-key- followed by the date, ie rsa-key-20090330 in this image.
Enter and confirm a Key passphrase and click Save private key. Save the file in a local folder.
Don't Pass up on a Passphrase
Should you close Pageant (another PuTTY module that we come to below) or reboot Windows, which closes Pageant in turn, then the next time you open it you'll be prompted to give your passphrase. You can skip even this process, by not adding a passphrase in the above sequence. But. I recommend against this.
As it is, with the method outlined in this tutorial, the only security credential you will have to give manually is the passphrase, once per Pageant session (generally the same as a Windows session, from boot up to shut down). If you leave that out, and a hacker obtains your local, private key, then your server is legs akimbo. Then again, if you have a passphrase, and your key and IP details are stolen, the hacker must still guess your passphrase.
Of course, you can also sprinkle some $pEc1al characters into your passphrase as well.
Add the Public Key to Your Remote VPS
Login to your remote Linux box, using your new username, not root.
First, we create the directory to hold the public key file, so at the CLI, type:-
Now, we create the key file. Open a new file with the Nano text editor:-
What, no nano?
If that command threw an error then you don't have the nano text editor installed. You could use others but, seeing as nano is so very easy to use, let's have it:-
Just to be clear, let's break down that command:-
- sudo We switched user to the root superuser, just for this command, because only root has the privileges to install packages
- apt-get apt-get is our package manager of choice, the application we use to install, delete and manage most of our server applications
- install Having specified to use a package, such as apt-get here, we're using a switch to tell the app what to do such as, here, to install something
- nano Finally, the package manager will want to know what package to install
Having issued the install command you'll be prompted for your own user's password, so give it. Then you'll be prompted to confirm your choice, so do so, by hitting return. Then apt-get will install nano.
OK, let's try the failed command again. It looked like this:-
And carry on …
As an aside, that dot before ssh, so .ssh in the folder path means the folder is hidden. It's a Linux thing.
Second, paste the public key that you copied previously within the new text file.
Ensure there is only 1 space after ssh-rsa (not the original carriage return), followed directly by the key code, as seen here… *
* NB As I said above, ensure that, at the end of the key code, you did not include the text beginning rsa-key-. If you copied correctly as I nagged about above, you'll be fine.
Third, type CTRL-X to exit the Nano text file, then type y to confirm saving the file and hit return. .. And remember that method for saving text files in Nano. I won't repeat it. Well, I might.
OK. Now we'll give your username and your username's personal group the ownership of the .ssh directory and its contents:-
.. where guv:guv is to be replaced by your username:group (likely the same word for each, definitely so if you followed Create a Linux User & Set Permissions). Swap my user directory, guv, for yours too, course.
.. and tighten security with some permissions:-
.. again swapping my user directory for yours.
How to Test Authentication Keys
Open PuTTY. Provide the following data under the Categories sections:-
- Connection > Data: For Auto-login username enter your new username (not root)
- Connection > SSH > Auth: Where it says Private key file…, browse for the private key we created above
- Session: For Host name (or IP address) add either of those; for Connection type select SSH; for Port select 22 (we'll change that eventually in the next tutorial, if you'd been wondering)
- Session: For Saved sessions add a profile name of your choice, and click Save
Your profile name will have appeared in the larger box beneath Saved sessions, like this. Mine says ‘Guvnr Settings'..
Double click that new profile name, else select it and click Open.
The command line interface will open and, instead of asking for your user name and password, will ask for your passphrase. Give it, and you're in.
Even Faster Login Using Pageant
Let's streamline further, because otherwise the passphrase for every CLI instance is a pain.
On your Windows box, in a suitable directory, or perhaps on your desktop, do this:-
Right mouse click > New > Shortcut
In the dialogue box called Create Shortcut, it asks us to type the location of the item. We will include two items to open at the same time. One is that PuTTY module called Pageant, and the other is our private key.
…So, you need to locate those 2 files, pasting their locations to the Shortcut dialogue box. Your private key is wherever you browsed for it above, in PuTTY, so you know that. Pageant will be wherever you installed it, in the same folder as PuTTY, so you can find that. Typically, you will have something similar to this, and paste it accordingly:-
Type the location of the item: “C:\Program Files\PuTTY\pageant.exe” “C:\Documents and Settings\Administrator\Desktop\key\privatekey.ppk”
Click Next and give your shortcut a name, such as My Virtual Private Server.
Now, and subsequently, the first time you want a remote CLI instance after a reboot of your local machine, double-click your new shortcut, and you will be prompted for your passphrase, so give that then.
Following that, a new icon will appear to the bottom right of your screen, next to the clock. This icon is a picture of a computer monitor wearing a hat, kinda like a spaghetti-western character.
Whenever you want a new CLI instance, right-click the icon, and select New session. As you can see, PuTTY pops up.
Under Saved sessions, double click on your new profile, and the CLI will open. You need type nothing to instigate this new and subsequent sessions until you close Pageant or reboot Windows.
More importantly, this means your authentication keys are working, and your dataflow is encrypted as well already.
How ruddy cool is that?
Review: Setting up the SSH Local-Remote Link – Windows vs Linux
You know, I don't want to sound partisan, but if you'd followed the Linux guide rather than the Windows guide you'd have had that connection set up in about 10 minutes, rather than 1 hour and “er, is this gonna work?” Sorry, just the way it is.
After years of the MS marketers doing their job, these days I use and thoroughly recommend Ubuntu Desktop with XP (happily downgraded from
Sheister Vista) running within it virtually, and they both have good and bad points.
.. well, Windows' good point is actually Adobe, which bugs out on Linux, but there must be something else that's good…..I guess I'll have to get back to you on that. Haven't tried Windows 7. I hear that's good.
Tell you what though, here's a tip, particularly as I suspect you will become somewhat fond of your Ubuntu Server (and believe you me their Desktop is a sinch by comparison): take a peek at another bible of mine, this time Ubuntu Desktop for Noobs:-
.. Detailing every aspect over 25 parts, this reference guide helps you set up and use the ultimate installation of Ubuntu's superb new operating system.
Besides, there are a raft of cross-over tips there that you can bring to your use of the terminal.
Now before I get myself on a total rant, and LOL I guess I sound like an ex-smoker talking tabs! …
And Now for Something Completely .. Similari-ssh!
That, my dears, is your connection set up. Possibly the most time-consuming element of this tutorial series, which is saying something considering we're about to get high tech.
But having created our connectivity – beautifully, technically – it's now time to use that connection, and secure the server itself.
In Harden the Secure Shell (SSH) & Create a Firewall we'll concentrate and finalise your servers security settings, adding a firewall and tweaking the sshd_config file. It'll take about 15 minutes or 5 if you're quick. That's a Linux thing 😉
Then, PHP5, MySQL, the superruddysexy Nginx web server, special configuration for platforms like WordPress, adding multi-sites & blogs, subversion, secure FTP, bits, bobs, fun, frolics. Anybody would think it was a Sunday. Index ..