How to protect your server using SSH keys

2022-01-19
admin

Secure Socket Shell (SSH), also called Secure Shell, is a special network protocol leveraging public-key cryptography to enable authorized users to remotely access a computer or other device via access credentials called SSH keys. Because they are used to access sensitive resources and perform critical, highly privileged activities, it’s vital to properly manage SSH keys as you would other sensitive credentials.

While SSH keys are standard, and more frequently used, in Unix and Linux environments, they are also used in Windows systems.

Generating SSH Keys

Open your console and write:

ssh-keygen -t rsa -b 4096 -a 100 -f /home/debian/.ssh/<folder>/id_rsa

But before that you need to create folder to organize your keys inside .ssh folder. Just go in cd .ssh and mkdir .test folder and change permission to chmod 700 .test.

  • .ssh folder permission is 700 (drwx------)
  • public key permission is 644 (-rw-r--r--)
  • private key permission is 600 (-rw-------)

We are using keygen which is used as OpenSSH authentication key utility. Now let's brake what we did:

-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
Specifies the type of key to create. The possible values are “dsa”, “ecdsa”, “ecdsa-sk”, “ed25519”, “ed25519-sk”, or “rsa”.

-b bits
Specifies the number of bits in the key to create. For RSA keys, the minimum size is 1024 bits and the default is 3072 bits. Generally, 3072 bits is considered sufficient. DSA keys must be exactly 1024 bits as specified by FIPS 186-2. For ECDSA keys, the -b flag determines the key length by selecting from one of three elliptic curve sizes: 256, 384 or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. ECDSA-SK, Ed25519 and Ed25519-SK keys have a fixed length and the -b flag will be ignored.

-a rounds
When saving a private key, this option specifies the number of KDF (key derivation function) rounds used.  Higher numbers result in slower passphrase verification and increased resistance to brute-force password cracking (should the keys be stolen).  The default is 16 rounds.

-f filename
 Specifies the filename of the key file.

Next step is to copy your public SSH key to the server:

sudo ssh-copy-id -i '/home/debian/.ssh/.<folder>/id_rsa.pub' user@127.0.0.1

After you successfully copied public key on your server, it's time to try login with it.

ssh -i '/home/debian/.ssh/.<folder>/id_rsa' user@127.0.0.1 -v

Verify if your key is in authorized keys:

cat ~/.ssh/authorized_keys

Disable Password Authentication Altogether

Open file sshd_config and scroll until you see the line that starts with “#PasswordAuthentication yes.” Remove the hash # from the start of the line, change the “yes” to “no”, and save the file. 

Don't forget to also uncomment #PubkeyAuthentication, and change to true.

Restart the SSH daemon:

sudo systemctl restart sshd

Backup your SSH keys

Don't forget to backup your SSH keys, as you might lose them. First you can backup them just by using tar:

tar -cf ssh-keys.tar ~/.ssh/.alvosec

After that you can also encrypt them by using symmetric encryption:

openssl aes-256-cbc -salt -pbkdf2 -in ssh-keys.tar -out ssh-keys.tar.enc

To decrypt them, run:

openssl aes-256-cbc -d -pbkdf2 -in ssh-keys.tar.enc -out ssh-keys.tar

Now you also need to backup your password for encrypted archive. : )


Join our team

If you're interested in joining our team to assist in researching modern threats across web3, please don't hesitate to reach out to us.

Contact Us

Ready for Action?

Don’t hesitate to contact us if you need more information.
Let's Go!
ALVOSEC
BTC: bc1qnn4zfqqtexl4fkjk2vz6tk74sn92x326wwn0ph

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram