Genzis - Blog


Setting up an SSH public key authentication to connect to a remote Ubuntu Server


Working with remote servers is very common among system administrators. Through SSH, we are always required to provide a password. But did you know there is a way to bypass the password by setting up SSH public key authentication? Using SSH public key authentication, we are able to log in to a remote server without being asked for the server password. This allows for stronger security, as only the user owning the private key corresponding to the public key on the server can access the latter.

 

As a result, brute-force attacks, or even an attacker knowing the server password, won’t be effective.

 

Today we will walk through the steps to achieve this and allow ourselves to remotely connect to an Ubuntu server.

 

Environment setup

 

Our client for this lab is a Windows 10 computer with OpenSSH installed. The server is a virtual Ubuntu server, and both the client and the server are on the same local network.

 

For this lab, we will generate our SSH key pair with Windows OpenSSH. However, any other SSH client, such as PuTTY, can be used for this task. We will not go over generating a PuTTY SSH key pair in this article.

 

Installing OpenSSH on Windows

 

If your Windows client is not recent enough (it needs the upgrades from 2018 or later), you may need to install OpenSSH before proceeding. Doing so is relatively easy from the Apps & features menu in Windows Settings.

 

From there, choose the Optional features submenu, click on Add a feature and then search for OpenSSH. After installation, reboot your system if need be.

 

Another method involves using PowerShell and typing the following command:

 

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

 

Note: To check whether you have OpenSSH installed, you can use the same method and search for OpenSSH among the installed optional features.

 

Step one: Generating the Key pair on Windows

 

The command to generate a public/private key pair on the Windows command line is:

 

ssh-keygen

 

With no parameters specified, this operation will by default generate a 3072-bit RSA key pair. We will stick to that as this is a lab environment. However, current standards recommend using the following:

 

ssh-keygen -t ed25519 

 

Here -t lets you specify the key type, that is, the signature algorithm to be used. Available algorithms are DSA, RSA, ECDSA, and Ed25519. Ed25519 is currently the strongest algorithm for this type of operation. As such, it must be used in production environments.

 

The output of the command above will be:

 

C:\Users\username\Documents>ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\username/.ssh/id_rsa):

 

Here username is your username on your local Windows machine.

 

The requested file corresponds to the folder and file name your keys will be saved under. It is okay and recommended for this lab to leave this empty, in which case the keys will be saved under the hidden .ssh folder at C:\Users\username, as shown in the ssh-keygen output above.

 

With no file names specified, the public key will be saved as id_rsa.pub and the private key will be id_rsa with no extensions. 

 

Note: the key pair can be renamed and copied. However, this may cause some applications to stop functioning if they already depend on the key pair's location and names.

 

After this, you will be prompted to add a passphrase that will be used for MFA purposes: it encrypts the private key file, so the key cannot be used without it. Again, the passphrase can be left empty for the purpose of this lab. However, it's important to set a passphrase and remember it in production or sensitive setups, as it allows for better security.

 

With that being done, we are ready to move to the next step, keeping in mind the location and names of the key pair we just created. 



Step two: Deploying your public key to the Ubuntu server

 

During this process, make sure it is the public key you generated that you publish. The private key is only meant for your Windows client, while the public key can be shared with any server or application you may want to communicate with or authenticate to.



Let’s open a terminal window and connect to the remote server via ssh. You will of course be prompted to enter the remote server password.

 

ssh username@ip_address

 

Once connected to the server, navigate to the hidden folder .ssh in your home directory. Open the authorized_keys file with an editor of your choice.

 

Note: if the .ssh folder or the authorized_keys file does not exist, create it with exactly the name given here. Check your ssh configuration file at /etc/ssh/sshd_config to confirm your authorized_keys file location.

 

nano authorized_keys

 

For fresh installs of Ubuntu, the file should be empty. But it may happen that your file already contains many other public keys.

 

Copy the content of your id_rsa.pub file (the public key, not the id_rsa private key) from Windows into the authorized_keys file on Ubuntu, on a single line of its own.

 

The content should look similar to this: 



ssh-rsa <base64-encoded public key> username@userComputerName



Save and exit the file. 
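One way to script this copy step on the Ubuntu server so that only a public key can end up in authorized_keys, with the 700/600 permissions from the notes at the end of the article. This is an added example, not part of the original article; the function name install_pubkey and the sample key line are constructed for illustration.

```sh
#!/bin/sh
# Added example: append one OpenSSH public key to authorized_keys.
# Usage: install_pubkey KEYFILE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
install_pubkey() {
    keyfile=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth=$ssh_dir/authorized_keys
    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 1; }

    # id_rsa (no extension) is the private key and must never leave the client.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$keyfile"; then
        echo "refusing: $keyfile is a private key, use the .pub file" >&2
        return 2
    fi

    # First non-blank line, with Windows carriage returns stripped.
    line=$(tr -d '\r' <"$keyfile" | grep -v '^[[:space:]]*$' | head -n 1)
    ktype=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "refusing: '$ktype' is not a public key type" >&2; return 3 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "refusing: key data is not base64" >&2; return 3 ;;
    esac

    # Permissions from the article's notes: 700 on .ssh, 600 on authorized_keys.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"

    # Idempotent: do nothing if this type and key data are already present.
    if grep -qF -e "$ktype $blob" "$auth"; then
        return 0
    fi
    printf '%s\n' "$line" >>"$auth"
}

# Demo on constructed data in a scratch directory (the blob is not a real key).
demo=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleBlobOnly user@pc\r\n' >"$demo/id.pub"
install_pubkey "$demo/id.pub" "$demo/.ssh" && echo "key installed in $demo/.ssh"
```

The script only checks the shape of the line; on a real key file, `ssh-keygen -l -f id_rsa.pub` prints the fingerprint and fails if the key does not parse.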

 

Step three: editing the sshd_config file

 

The next thing we want to do is edit the ssh configuration file at /etc/ssh/sshd_config. Once in the file, make sure public key authentication is uncommented and enabled, and disable password authentication by setting its value to no. Before making any edits, my recommendation would be to make a backup copy of the sshd_config file for easy restoration in case of a mistake.

 

~/.ssh$ cd /etc/ssh
/etc/ssh$ sudo nano sshd_config

 

Edits:

PubkeyAuthentication yes
# this allows public key authentication for clients with their public key in the authorized_keys file
PasswordAuthentication no
# this disables the password prompt when logging in via ssh
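A check for whether the two edits above actually take effect, given that sshd keeps the first value it obtains for each keyword (an added example, not part of the original article). It assumes the stock Ubuntu layout in which sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so drop-in files are read before the main file; the function names and the sample files are constructed, and Match blocks are simply skipped.

```sh
#!/bin/sh
# Added example: find the value sshd would use for a keyword when several
# config files are read in order.
# Usage: effective_value KEYWORD FILE...
effective_value() {
    kw=$1; shift
    awk -v kw="$kw" '
        FNR == 1 { in_match = 0 }              # simplification: Match scope ends with the file
        { sub(/\r$/, "") }
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }                      # conditional settings are ignored here
        tolower($1) == tolower(kw) { print tolower($2); exit }   # first value wins
    ' "$@"
}

# True only when key login is on and password login is off, as in step three.
key_only_login() {
    pk=$(effective_value PubkeyAuthentication "$@")
    pw=$(effective_value PasswordAuthentication "$@")
    [ "${pk:-yes}" = yes ] && [ "${pw:-yes}" = no ]   # sshd defaults both to yes
}

# Demo on constructed files: a drop-in read before the main file overrides it.
cfg=$(mktemp -d); mkdir "$cfg/sshd_config.d"
printf 'PasswordAuthentication yes\n' >"$cfg/sshd_config.d/50-example.conf"
printf 'PubkeyAuthentication yes\n#PasswordAuthentication yes\nPasswordAuthentication no\n' \
    >"$cfg/sshd_config"
if key_only_login "$cfg"/sshd_config.d/*.conf "$cfg/sshd_config"; then
    echo "key-only login is in effect"
else
    echo "password login is still enabled by an earlier file"
fi
```

On the server itself, `sudo sshd -t` checks the configuration for syntax errors and `sudo sshd -T` prints the settings sshd will actually apply.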

 

Step four: testing our configurations

 

Let’s test the deployment by opening up a new command prompt and attempting to connect to our account on the server via ssh. 

 

ssh username@ip_address 

 

This should log you in without prompting you for a password. A successful login means our configuration was properly made.

 

Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-56-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Dec 21 04:17:42 AM UTC 2022
  System load:             0.0
  Usage of /:              30.0% of 9.75GB
  Memory usage:            7%
  Swap usage:              0%
  Processes:               120
  Users logged in:         1
  IPv4 address for enp1s0: 192.168.1.30
  IPv6 address for enp1s0: 2604:f580:17f:d100::1024

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

3 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Last login: Wed Dec 21 03:41:10 2022 from 192.168.1.130

 

With our configurations working, we can restart our ssh service or even reboot our server. 

 

Note: when configuring remotely, it is essential never to restart the ssh service or reboot the host while in session. Instead, open a new session in a different terminal if need be and test all changes. If an error occurs, you will still be able to make changes via your first session.



Step five: configuring root authentication with no password

 

One additional thing we may want to do is allow for root login without password via the public key authentication. 

 

The procedure is the same. We will first access the root home directory as root, then add our public key to the authorized_keys file in the /root/.ssh folder.

 

Configurations in sshd_config should remain unchanged. 

 

Note: to access the root home directory, you need to change directory as root, with:

 

sudo su

 

Then

 

cd /root/.ssh

 

After adding the public key to /root/.ssh/authorized_keys, save and restart the ssh service. From now on, attempting to ssh your remote server as root should go through without issue. 




NOTES: authorized_keys file permission settings

 

Most commonly, there is no need to change your file permissions. However, if you run into an issue that seems to be related to file rights, check that the file permissions are set to 700 for the .ssh folder and to 600 for the authorized_keys file. These are actually the maximum-security permission settings for the folder and file. Changing them to grant higher privileges may cause security issues in production environments.

