-
01-19-2008, 10:37 AM #1WHT Addict
- Join Date
- Dec 2005
- Posts
- 144
Tutorial to use SSH keys instead of password
Hello all,
A short tutorial to use SSH keys instead of a plain password to log in.
1. Log on to WHM and go to Main >> Security >> Security Center
2. Under "SSH Password Auth Tweak", disable the Password Authentication.
3. Under "Manage SSH Keys" click on Generate new key.
4. Give a Key name and Generate a good password (remember it). Choose KeyType as DSA since it's more secure than RSA.
5. Once done, you will see a pair of public private keys. Authorize the public key to connect.
6. View/Download the private key to your system. If you're using PuTTY, it can also generate it in the relevant format.
7. Save the key in a secure place in your local system and chmod to 600 so that no one can read it.
8. Next, connect to your server:
Code:
[root@localhost ~]# ssh -i /path-to-file/file.key root@server.ip.address
Enter and Enjoy your box.
-
01-19-2008, 02:31 PM #2Web Hosting Master
- Join Date
- Nov 2001
- Location
- Ann Arbor, MI
- Posts
- 2,979
Does WHM let you select the number of bits for the key? That could be more important for security than choosing DSA over RSA. Thanks for sharing this WHM/Cpanel tutorial.
-Mark Adams
www.bitserve.com - Secure Michigan web hosting for your business.
Only host still offering a full money back uptime guarantee and prorated refunds.
Offering advanced server management and security incident response!
-
01-19-2008, 05:44 PM #3WHT Addict
- Join Date
- Dec 2005
- Posts
- 144
Yes, you can select the key size 1024, 2048 or even 4096.
-
01-19-2008, 05:56 PM #4WHT Addict
- Join Date
- Dec 2005
- Posts
- 144
FYI, DSA does not do encryption. It is only a signature algorithm. RSA can do both encryption and signing.
-
01-19-2008, 06:32 PM #5Web Hosting Master
- Join Date
- Nov 2001
- Location
- Ann Arbor, MI
- Posts
- 2,979
-
01-19-2008, 06:36 PM #6Web Hosting Master
- Join Date
- Feb 2006
- Location
- Kusadasi, Turkey
- Posts
- 3,379
So can someone tell me why we should use SSH keys? I know it is more secure, but I didn't really find much time to learn about the exact benefits. Does it require both a key file and a password to authenticate? Or just the key file? So does it add another layer of security?
█ Fraud Record - Stop Fraud Clients, Report Abusive Customers.
█ Combine your efforts to fight misbehaving clients.
█ HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
█ Large and awesome portfolio, just visit and see!
-
01-19-2008, 06:48 PM #7Disabled
- Join Date
- Jan 2005
- Location
- UK
- Posts
- 132
Hello
You have two files, one public and one private. The public one goes on the server and the private one stays on your PC.
When you log in using these keys you will be asked for a pass phrase, the one you created when you made the key. You can cache the pass phrase on your PC 'per session' so you don't have to keep typing it in.
We use PuTTY and Pageant for this. It makes logging in as simple as one click (once your pass phrase is cached).
-
01-19-2008, 07:00 PM #8Web Hosting Master
- Join Date
- Apr 2002
- Posts
- 1,789
Well, I think the principle is that it requires that you have a private key to authenticate against. It's another step in avoiding problems due to a weak password.
For example, if you have an account with SSH, and say for some reason you want to use a very weak password like joe. Well, if you just set the account's password to joe and if SSH is enabled on the account, then it's an easy password for someone to guess.
Now if you are using SSH with an SSH key, then you would generate a public/private key. You would upload the public key to the server and keep the private key to yourself. This is actually what you are authenticating. The public and private keys will match and allow access, but if you put a passphrase on the private key, then you have to validate yourself by telling the client that you know the password to the private key. In this solution you can set a passphrase to joe and it's not that bad.
Now the important step is that password authentication for SSH has to be turned off for this to be effective. If the account password is joe and the private key passphrase is joe and password authentication is still enabled on the SSH server, then a malicious user just has to bypass the public/private key login and use the password. If password authentication is disabled, then a malicious user has to have a matching private key that is also on the account.
Of course, this can be circumvented, if a malicious user knows the password to the account, then they could still gain access to the account via FTP. If they can gain FTP access, they can upload their own public key and still access SSH.
The key is to always use very secure and hard to guess passwords for your account. Then if you want to use something easier to remember for an SSH key, as long as you are the only person that (or you know and trust the individuals that do have) has access to the private key. You don't have to use a passphrase in an SSH key, but I don't really recommend it. I also don't really recommend setting an SSH key passphrase to something as simple as joe as I have mentioned, but the passphrase can be a lighter password because anyone using that passphrase also has to have the private key.
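As an added example (not part of any post in this thread), the shell helpers below check the two conditions post #8 describes: whether password authentication is actually off in the server's global configuration, and whether authorized_keys holds a key that is not on an allowlist. The file contents, key blobs, address and function names are constructed for illustration.

```shell
#!/bin/sh
# effective_setting KEYWORD FILE -> value sshd uses for KEYWORD in the global
# section of sshd_config-style text (case-insensitive keyword, first
# occurrence wins, parsing stops at the first Match block), or "unset".
effective_setting() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { sub(/=/, " ") }                       # accept "Keyword=value" too
        tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$2"
}

# password_auth_disabled FILE: true only for an explicit global "no";
# sshd defaults to yes when the keyword is absent.
password_auth_disabled() {
    [ "$(effective_setting PasswordAuthentication "$1")" = "no" ]
}

# unexpected_keys AUTHORIZED_KEYS ALLOWLIST -> comment (or "no-comment") of
# each key whose base64 blob is not in ALLOWLIST (one blob per line).
unexpected_keys() {
    awk 'FILENAME == ARGV[1] { ok[$1] = 1; next }
         /^[ \t]*#/ || NF == 0 { next }
         { for (i = 1; i <= NF; i++)   # options may precede the key type
             if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+)$/) {
                 if (!($(i+1) in ok)) print ($(i+2) == "" ? "no-comment" : $(i+2))
                 break
             }
         }' "$2" "$1"
}

# Constructed sample input: the first PasswordAuthentication line wins, so
# the later "no" has no effect; the second key is not on the allowlist.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sshd_config' 'PasswordAuthentication yes' \
    'PubkeyAuthentication yes' 'passwordauthentication no' > "$demo_dir/sshd_config"
printf '%s\n' 'AAAAexampleblobADMIN' > "$demo_dir/allow"
printf '%s\n' 'ssh-rsa AAAAexampleblobADMIN admin@laptop' \
    'from="203.0.113.7" ssh-dss AAAAexampleblobOTHER uploaded-via-ftp' \
    > "$demo_dir/authorized_keys"

if password_auth_disabled "$demo_dir/sshd_config"; then
    echo "password authentication: disabled"
else
    echo "password authentication: still enabled"
fi
echo "not on allowlist: $(unexpected_keys "$demo_dir/authorized_keys" "$demo_dir/allow")"
```

On a live server, saving the output of `sshd -T` to a file and passing that file to `password_auth_disabled` checks the configuration sshd has actually loaded, including any included files.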
-
01-19-2008, 07:04 PM #9Disabled
- Join Date
- Jan 2005
- Location
- UK
- Posts
- 132
-
01-19-2008, 08:44 PM #10Junior Guru
- Join Date
- Jul 2004
- Location
- Athens, Greece
- Posts
- 209
I would suggest renaming the thread's title to something like: "cPanel Tutorial to use SSH keys instead of password" so it won't confuse non-cPanel users.
SharkTECH Internet Services
http://www.sharktech.net
DDOS Firewalled Dedicated Servers
Managed Services / IRC Allowed
-
01-19-2008, 08:46 PM #11WHT Addict
- Join Date
- Dec 2005
- Posts
- 144
Yep, I forgot.