Encrypt Data with OpenSSH & Auto-Login with PuTTY
Having set up a terminal connection using PuTTY and OpenSSH from our Windows PC to the Linux VPS host, let’s secure that link using authentication keys and, at the same time, enable a simple password-free login.
Basically, you have the link, and you have your VPS username, so you are positioned to take the next step: to create a pair of keys, one for the local box, the other for the Linux server.
Setup Unmanaged VPS: The Ubuntu-Nginx Guide
Take your virtual private server from zero to hero
.. from blank box to cute-as server ..
with this easy-to-follow copy/paste guide.
22+ parts with video, here’s the index.
Allow me to spell out the beauty of this solution and, if I may, to pay tribute to the wise heads that produced the solution.
- These keys – this keyset – rely on each other to work, unlocking a unique connection.
- Because you no longer need it, we can disable your VPS’ password access. (A little tweak in Harden the Secure Shell (SSH) & Create a Firewall.)
- Other than those ports needed for websites and the like, only your key can achieve server access.
- What’s more, you can password-protect the local one, giving that password (actually, it’s a passphrase but same thing really) just once per local PC login (unless you choose to expire your local key.) You will see the value of this.
- And because we’re using super-duper SSH, care of the OpenSSH app, our easy-peasy link is scrambled, tunnelled.
When you think about the power of that, I have to say, it’s no wonder geeks get geeky! I mean, it’s pretty damn decent. Simple in theory, effective in practice.
So that’s nice.
Aside from the security factor, this keyset thing is a mighty handy time-saver because, in setting up our remote server, let alone managing it, there sure is a lot of logging in and out.
Have a video:-
Video: Easy PuTTY Login with Keys
Watch the, er, guvideo for a better idea of how to do this.
Now then. Do pay attention, there’s a good fellow. Some of this is fiddly and unforgiving. If you’re not precise, it won’t work.
Generate Public and Private Keys with PuTTYgen
On your Windows PC, click Start > All Programs > PuTTY > PuTTYgen, and open it up.
Ensuring Parameters is set to SSH-2 RSA, click Generate. While generating, move the cursor about as directed, to create a random set of keys.
Copy the public key, as highlighted here, to a text file. DON’T COPY the end of the line (referred to as the Key comment) which begins rsa-key- followed by the date, ie rsa-key-20090330 in this image.
Enter and confirm a Key passphrase and click Save private key. Save the file in a local folder.
Don’t Pass up on a Passphrase
Should you close Pageant (another PuTTY module that we come to below) or reboot Windows, which closes Pageant in turn, then the next time you open it you’ll be prompted to give your passphrase. You can skip even this process, by not adding a passphrase in the above sequence. But. I recommend against this.
As it is, with the method outlined in this tutorial, the only security credential you will have to give manually is the passphrase, once per Pageant session (generally the same as a Windows session, from boot up to shut down). If you leave that out, and a hacker obtains your local, private key, then your server is legs akimbo. Then again, if you have a passphrase, and your key and IP details are stolen, the hacker must still guess your passphrase.
Of course, you can also sprinkle some $pEc1al characters into your passphrase as well.
Add the Public Key to Your Remote VPS
Log in to your remote Linux box, using your new username, not root.
First, we create the directory to hold the public key file, so at the CLI, type:-
Now, we create the key file. Open a new file with the Nano text editor (far nicer than Vim, IMHO):-
As an aside, that dot before ssh, so .ssh in the folder path means the folder is hidden. It’s a Linux thing.
Second, paste the public key that you copied previously within the new text file.
Ensure there is only 1 space after ssh-rsa (not the original carriage return), followed directly by the key code, as seen here… *
* NB As I said above, ensure that, at the end of the key code, you did not include the text beginning rsa-key-. If you copied correctly as I nagged about above, you’ll be fine.
Third, type CTRL-X to exit the Nano text file, then type y to confirm saving the file and hit return. .. And remember that method for saving text files in Nano. I won’t repeat it. Well, I might.
OK. Now we’ll give your username and your username’s personal group the ownership of the .ssh directory and its contents:-
.. where guv:guv is to be replaced by your username:group (likely the same word for each, definitely so if you followed Create a Linux User & Set Permissions). Swap my user directory, guv, for yours too, course.
.. and tighten security with some permissions:-
.. again swapping my user directory for yours.
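The server-side steps above (create the .ssh folder, paste the key as one line, tighten permissions) can be scripted and then checked, which helps when PuTTY answers "Server refused our key": OpenSSH's default StrictModes setting ignores an authorized_keys file whose ownership or permissions are too loose. This is an added example, not the guide's own commands; the function names are made up for illustration, and it assumes you run it as your own login user so ownership is already correct.

```shell
#!/bin/sh
# Added example (not from the original guide). Run on the VPS as your own
# login user, so the files it creates are already owned by you.

NL='
'

# valid_key_line TEXT: succeeds only for the form the guide pastes:
# "ssh-rsa", exactly one space, the base64 key code, nothing else.
valid_key_line() {
    case "$1" in
        *"$NL"*) return 1 ;;   # pasted key was wrapped across lines
    esac
    printf '%s\n' "$1" | grep -Eq '^ssh-rsa [A-Za-z0-9+/]+={0,3}$'
}

# mode_of PATH: type and permission bits as ls shows them, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# install_pubkey HOME_DIR KEY: create .ssh and authorized_keys, add the key
# once, and set the permissions (700 on the directory, 600 on the file).
install_pubkey() {
    ssh_dir="$1/.ssh"
    if ! valid_key_line "$2"; then
        echo "refusing key: need one line, 'ssh-rsa <key code>'" >&2
        return 1
    fi
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir"
    touch "$ssh_dir/authorized_keys"
    grep -qxF -- "$2" "$ssh_dir/authorized_keys" ||
        printf '%s\n' "$2" >> "$ssh_dir/authorized_keys"
    chmod 600 "$ssh_dir/authorized_keys"
}

# audit_ssh_dir HOME_DIR: report deviations from the layout the guide sets
# up; returns 0 when nothing is wrong.
audit_ssh_dir() {
    ssh_dir="$1/.ssh"; rc=0
    if [ ! -f "$ssh_dir/authorized_keys" ]; then
        echo "missing: $ssh_dir/authorized_keys"; return 1
    fi
    [ "$(mode_of "$ssh_dir")" = "drwx------" ] ||
        { echo "fix: chmod 700 $ssh_dir"; rc=1; }
    [ "$(mode_of "$ssh_dir/authorized_keys")" = "-rw-------" ] ||
        { echo "fix: chmod 600 $ssh_dir/authorized_keys"; rc=1; }
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        [ -n "$line" ] || continue
        valid_key_line "$line" ||
            { echo "line $n: not in 'ssh-rsa <key code>' form"; rc=1; }
    done < "$ssh_dir/authorized_keys"
    return $rc
}

# Usage: sh this_script.sh "ssh-rsa AAAA..."   (the text copied from PuTTYgen)
if [ "$#" -eq 1 ]; then
    install_pubkey "$HOME" "$1" && audit_ssh_dir "$HOME"
fi
```

Run with no argument it does nothing; the audit only prints the lines that need attention.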
How to Test Authentication Keys
Open PuTTY. Provide the following data under the Categories sections:-
- Connection > Data: For Auto-login username enter your new username (not root)
- Connection > SSH > Auth: Where it says Private key file…, browse for the private key we created above
- Session: For Host name (or IP address) add either of those; for Connection type select SSH; for Port select 22 (we’ll change that eventually in the next tutorial, if you’d been wondering)
- Session: For Saved sessions add a profile name of your choice, and click Save
Your profile name will have appeared in the larger box beneath Saved sessions, like this. Mine says ‘Guvnr Settings’..
Double click that new profile name, else select it and click Open.
The command line interface will open and, instead of asking for your user name and password, will ask for your passphrase. Give it, and you’re in.
Even Faster Login Using Pageant
Let’s streamline further, because otherwise the passphrase for every CLI instance is a pain.
On your Windows box, in a suitable directory, or perhaps on your desktop, do this:-
Right mouse click > New > Shortcut
In the dialogue box called Create Shortcut, it asks us to type the location of the item. We will include two items to open at the same time. One is that PuTTY module called Pageant, and the other is our private key.
…So, you need to locate those 2 files, pasting their locations to the Shortcut dialogue box. Your private key is wherever you browsed for it above, in PuTTY, so you know that. Pageant will be wherever you installed it, in the same folder as PuTTY, so you can find that. Typically, you will have something similar to this, and paste it accordingly:-
Type the location of the item: "C:\Program Files\PuTTY\pageant.exe" "C:\Documents and Settings\Administrator\Desktop\key\privatekey.ppk"
Click Next and give your shortcut a name, such as My Virtual Private Server.
Click Finish.
Now, and subsequently, the first time you want a remote CLI instance after a reboot of your local machine, double-click your new shortcut, and you will be prompted for your passphrase, so give that then.
Following that, a new icon will appear to the bottom right of your screen, next to the clock. This icon is a picture of a computer monitor wearing a hat, kinda like a spaghetti-western character.
Whenever you want a new CLI instance, right-click the icon, and select New session. As you can see, PuTTY pops up.
Under Saved sessions, double click on your new profile, and the CLI will open. You need type nothing to instigate this new and subsequent sessions until you close Pageant or reboot Windows.
More importantly, this means your authentication keys are working, and your dataflow is encrypted as well already.
How ruddy cool is that?
Review: Setting up the SSH Local-Remote Link – Windows vs Linux
You know, I don’t want to sound partisan, but if you’d followed the Linux guide rather than the Windows guide you’d have had that connection set up in about 10 minutes, rather than 1 hour and “er, is this gonna work?” Sorry, just the way it is.
After years of the MS marketers doing their job, these days I use and thoroughly recommend Ubuntu Desktop with XP (happily downgraded from Sheister Vista) running within it virtually, and they both have good and bad points.
.. well, Windows’ good point is actually Adobe, which bugs out on Linux, but there must be something else that’s good…..I guess I’ll have to get back to you on that. Haven’t tried Windows 7. I hear that’s good.
Tell you what though, here’s a tip, particularly as I suspect you will become somewhat fond of your Ubuntu Server (and believe you me their Desktop is a cinch by comparison): take a peek at another bible of mine, this time Ubuntu Desktop for Noobs:-
HOW-TO Install & Perfect Ubuntu 9.10 [KARMIC KOALA BIBLE #1 of 25] – GUVNR
.. Detailing every aspect over 25 parts, this reference guide helps you set up and use the ultimate installation of Ubuntu’s superb new operating system.
Besides, there are a raft of cross-over tips there that you can bring to your use of the terminal.
Now before I get myself on a total rant, and LOL I guess I sound like an ex-smoker talking tabs! …
And Now for Something Completely .. Similari-ssh!
That, my dears, is your connection set up. Possibly the most time-consuming element of this tutorial series, which is saying something considering we’re about to get high tech.
But having created our connectivity – beautifully, technically – it’s now time to use that connection, and secure the server itself.
In Harden the Secure Shell (SSH) & Create a Firewall we’ll concentrate and finalise your server’s security settings, adding a firewall and tweaking the sshd_config file. It’ll take about 15 minutes or 5 if you’re quick. That’s a Linux thing.
Then, PHP5, MySQL, the superruddysexy Nginx web server, special configuration for platforms like WordPress, adding multi-sites & blogs, subversion, secure FTP, bits, bobs, fun, frolics. Anybody would think it was a Sunday.
Tarak August 2nd, 2009 at 5:36 am
Questions (oh wondrous guru – that’s the ego booster) – I have an unmanaged VPS (Debian 5) and been wonder in the abyss of linux for a few months doin things half hearted – time to get the house in order:
1. Do I have to do things in the order of your tutorial (eg – I’ve been using root now created a super user – do I need to reinstall MySQL etc?)
2. (tute 5 – encryption) will this limit me to accessing the VPS only from one machine – be great if I could keep everything on a USB stick.
– ego boosting aside – these are brilliant tutorials – thanks
the_guv August 2nd, 2009 at 12:40 pm
@Tarak .. big tx, most kind of you, Sir.
There are some things that should be done in order, others won’t matter. If you are in any doubt, I advise you go in order. Then again, in your case, it *sounds* like you needn’t reinstall MySQL. Then again, again!, for the sake of a couple of hours, from A-Z, you could learn a lot from going in order and having less headache along the way .. follow the guide word for word, and there will be no headache, it’s all thoroughly tested.
Re Part 5, openSSH can be set up in many ways but, jolly convenient, you can share your private key between local machines, or even on a storage card for convenience. Just read the security caveats I’ve mentioned, er, in Part 6 as well I think.
If you have specific problems let me know. Also, for Debian, the Ubuntu forums are your friend. Great community there.
Breaker August 26th, 2009 at 7:20 am
Guvnr, a million thanks for this guide… very useful.
I’m decently linux literate, but Putty/SSH/RSA and “live server” green. I believe I followed every step in this chapter to a T, but not without snags.
as root: When attempting chmod 600 ~/.ssh/authorized_keys
I get a:
chmod: cannot access ‘/root/.ssh/authorized_keys’: No such file or directory
Any thoughts? Should I replace ‘~/’ with ‘/home/’?
I attempted that… and continued – the new PuttyCLI resulted in a “The server refused our key” response.
Any input would be greatly appreciated.
Ashesh August 27th, 2009 at 8:43 am
Hi Guvnr,
What a wonderful person you are. Thanks a lot of such a useful guide.
Just got an error while setting up public key so thought to inform you.
It seems only copying the whole text of public key works rather “NB As I said above, ensure that, at the end of the key code, you did not include the text beginning rsa-key-.” instructed by you. I might be wrong because I have been trying for last two hours. Another thing I did was “chmod 700 .ssh”. I do not know if any one of them or both made the thing work.
Thanks again for this bible.
the_guv August 27th, 2009 at 12:36 pm
@Ashesh & @Breaker .. thx very much.
Damn, I cocked up here. Really sorry everyone. Dunno why but I left out some important steps. What a bozo
It should all be working fine now.
Thank you for bringing this to my attention.
Ben September 18th, 2009 at 3:05 pm
Wow, so glad I found this site! VERY well put together, followed this step by step and now have secure login via Pageant.
Was following another tutorial on ssh keys on another site, and nowhere near as easy as this.
Onto the next step….keep up the good work, it’s appreciated.
Alaettin December 28th, 2009 at 11:25 pm
Hey,
That is really good tutorial series. Actually, this is the best I’ve ever seen. I see now why linux is much better than windows. I was thinking of installing debian but this tutorial changed my mind. I will go with Ubuntu and make it sharp with this “bible”.
I think that you are the super-hero of all noob sysadmins!