  1. #1

    * Tutorial to use SSH keys instead of password

    Hello all,


    A short tutorial to use SSH keys instead of a plain password to log in.


    1. Log on to WHM and go to Main >> Security >> Security Center.
    2. Under "SSH Password Auth Tweak", disable the Password Authentication.
    3. Under "Manage SSH Keys", click on Generate new key.
    4. Give a key name and generate a good password (remember it). Choose KeyType as DSA since it's more secure than RSA.
    5. Once done, you will see a pair of public and private keys. Authorize the public key to connect.
    6. View/Download the private key to your system. If you're using PuTTY, it can also generate it in the relevant format.
    7. Save the key in a secure place on your local system and chmod it to 600 so that no one else can read it.
    8. Next, connect to your server:


    Code:
    [root@localhost ~]# ssh -i /path-to-file/file.key root@server.ip.address
    It should ask for the password, if you set one in step 4.

    Enter and Enjoy your box.

  2. #2
    Does WHM let you select the number of bits for the key? That could be more important for security than choosing DSA over RSA. Thanks for sharing this WHM/Cpanel tutorial.
    -Mark Adams

  3. #3
    Yes, you can select the key size 1024, 2048 or even 4096.

  4. #4
    FYI, DSA does not do encryption. It is only a signature algorithm. RSA can do both encryption and signing.

  5. #5
    Quote Originally Posted by vinbase View Post
    FYI, DSA does not do encryption. It is only a signature algorithm. RSA can do both encryption and signing.
    Just as another FYI, SSH uses RSA/DSA keys for identification and not for encryption.
    -Mark Adams

  6. #6
    So can someone tell me why we should use SSH keys? I know it is more secure, but I didn't really find much time to learn about the exact benefits. Does it require both a key file and a password to authenticate? Or just the key file? So does it add another layer of security?

  7. #7
    Hello

    You have two files, one public and one private. The public one goes on the server and the private one stays on your PC.

    When you login using these keys you will be asked for a pass phrase, the one you created when you made the key. You can cache the pass phrase on your pc 'per session' so you don't have to keep typing it in.

    We use PuTTY and Pageant for this. It makes logging in as simple as one click (once your pass phrase is cached).

  8. #8
    Well, I think the principle is that it requires that you have a private key to authenticate against. It's another step in avoiding problems due to a weak password.

    For example, if you have an account with SSH, and say for some reason you want to use a very weak password like joe. Well, if you just set the account's password to joe and if SSH is enabled on the account, then it's an easy password for someone to guess.

    Now if you are using SSH with an SSH key, then you would generate a public/private key. You would upload the public key to the server and keep the private key to yourself. This is actually what you are authenticating. The public and private keys will match and allow access, but if you put a passphrase on the private key, then you have to validate yourself by telling the client that you know the password to the private key. In this solution you can set a passphrase to joe and it's not that bad.

    Now the important step is that password authentication for SSH has to be turned off for this to be effective. If the account password is joe and the private key passphrase is joe and password authentication is still enabled on the SSH server, then a malicious user just has to bypass the public/private key login and use the password. If password authentication is disabled, then a malicious user has to have a matching private key that is also on the account.

    Of course, this can be circumvented, if a malicious user knows the password to the account, then they could still gain access to the account via FTP. If they can gain FTP access, they can upload their own public key and still access SSH.

    The key is to always use very secure and hard-to-guess passwords for your account. Then if you want to use something easier to remember for an SSH key, as long as you are the only person that (or you know and trust the individuals that do have) has access to the private key. You don't have to use a passphrase in an SSH key, but I don't really recommend it. I also don't really recommend setting an SSH key passphrase to something as simple as joe as I have mentioned, but the passphrase can be a lighter password because anyone using that passphrase also has to have the private key.
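
A check for the two settings this thread depends on: password authentication switched off (step 2 of the tutorial, and the point of post #8) and the private key kept at mode 600 (step 7). This is an added example, not code from any poster; it assumes the WHM tweak corresponds to the `PasswordAuthentication` keyword in `sshd_config`, and the function names and sample files are made up for illustration.

```shell
#!/bin/sh
# Added example; every file below is a constructed sample, not a real config.

# Print the effective global value of an sshd_config keyword. sshd keeps the
# FIRST value it reads for a keyword, and keywords are case-insensitive.
# Assumes "Keyword value" separated by whitespace; parsing stops at the first
# Match block, whose conditional overrides need a separate review.
effective_value() {  # $1=config file  $2=keyword  $3=default when unset
    awk -v kw="$2" -v def="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(kw) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Succeeds only when password logins are off. OpenSSH treats a missing
# PasswordAuthentication keyword as "yes".
password_auth_disabled() {
    [ "$(effective_value "$1" PasswordAuthentication yes)" = "no" ]
}

# Succeeds when group and others have no permission bits on the key (600/400).
key_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

demo_dir=$(mktemp -d)
# The commented line is ignored and the later "no" loses to the earlier "yes".
printf '%s\n' '#PasswordAuthentication no' 'PubkeyAuthentication yes' \
    'PasswordAuthentication yes' 'PasswordAuthentication no' > "$demo_dir/weak.conf"
printf '%s\n' 'PubkeyAuthentication yes' 'passwordauthentication no' \
    > "$demo_dir/keys_only.conf"
: > "$demo_dir/file.key"
chmod 644 "$demo_dir/file.key"   # constructed: deliberately too permissive

for conf in weak.conf keys_only.conf; do
    if password_auth_disabled "$demo_dir/$conf"; then
        echo "$conf: key-only login"
    else
        echo "$conf: password login still accepted"
    fi
done
key_is_private "$demo_dir/file.key" || echo "file.key: run chmod 600 on it"
```

On a live server, `sshd -T` prints the effective configuration with included files resolved, which is the authoritative thing to check.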

  9. #9
    Quote Originally Posted by SPaReK View Post
    I also don't really recommend setting an SSH key passphrase to something as simple as joe
    The key is in the name I guess, passphrase not password...

  10. #10
    I would suggest to rename thread's title to something like: "cPanel Tutorial to use SSH keys instead of password" so it won't confuse non-cPanel users

  11. #11
    Yep, I forgot.
