SSH Keys From Windows10 to CentOS7

Linux - CentOS


tl;dr

  1. Generate the private key in PuTTYgen on your Windows PC
  2. Connect to your CentOS server and create the authorized_keys file (remember permissions!)
  3. Copy your SSH public key from your Windows PC to your CentOS server's authorized_keys file
  4. Test SSH using your private key from your Windows PC
  5. Disable password authentication on your CentOS server
  6. Restart the SSH daemon

What's this for?

SSH Keys From Windows10 to CentOS7 is for when you want your SSH connections to be that bit more secure! Instead of relying on passwords to authenticate your session you will use a public/private key pair. You can also protect your private key (this is the one you need to keep to yourself) with a passphrase that must be entered before the key can be used.

Warning: This is one of those procedures you need to fully understand before implementing it in a production environment. If you get this procedure wrong there is a very good chance you might end up locked out of your server.

Demo Environment

The outputs below come from the following setup...

  • Client OS: Windows 10
  • Server OS: CentOS 7
  • Date: 01-09-2019

SSH Keys From Windows10 to CentOS7

So what we're going to do in this ramble is run through the steps needed to generate a public/private key pair on your Windows 10 PC. We will then take the public key and install it on your CentOS server so that you can use it for SSH connections. Once we have tested this we will disable password authentication on the server.

I am going to do this using PuTTY, however other tools are available. If you don't have PuTTYgen you normally get it when you install PuTTY. If you don't have PuTTY installed just whack "putty" into a search engine of your preference and you should find it.

Start by opening PuTTYgen.exe and update the "Number of bits in a generated key: " to 4096.

Next hit generate. It will ask you to randomly move the mouse over the window. This will be followed by it generating the key.

After this you will be asked for some more information. For the comment I normally stick with the Linux "ssh-keygen" program's convention and make it username@device-fqdn. I then enter a passphrase; you don't have to do this but it's a very good idea. Once everything is filled in remember to save the public and private keys. Make sure the private key is somewhere only you can get to it, especially if you haven't put a passphrase on it!

You then need to SSH onto your CentOS server. Once on, you need to create (if it doesn't already exist) and then edit the authorized_keys file. Start by logging into your server.

login as: admtmorgan
Pre-authentication banner message from server:
| ********************************************************************
| *                                                                  *
| * This system is for the use of authorized users only.  Usage of   *
| * this system may be monitored and recorded by system personnel.   *
| *                                                                  *
| * Anyone using this system expressly consents to such monitoring   *
| * and is advised that if such monitoring reveals possible          *
| * evidence of criminal activity, system personnel may provide the  *
| * evidence from such monitoring to law enforcement officials.      *
| *                                                                  *
| ********************************************************************
|
|
End of banner message from server
admtmorgan@10.1.11.102's password:
Last login: Sun Sep  1 15:57:41 2019 from 10.1.20.102


[admtmorgan@nanai-ipm01 ~]$

Check to see if the authorized_keys file already exists.

[admtmorgan@nanai-ipm01 ~]$ ls ~/.ssh/authorized_keys
ls: cannot access /home/admtmorgan/.ssh/authorized_keys: No such file or directory

If you don't see this error message you can skip the next few steps down until "Finally lets go into the authorized_keys file and add our key."

Then make the .ssh directory.

[admtmorgan@nanai-ipm01 ~]$ mkdir ~/.ssh
[admtmorgan@nanai-ipm01 ~]$ 

We then need to set the permissions on this directory so we have full access to it and no one else can do anything with it.

[admtmorgan@nanai-ipm01 ~]$ chmod 700 ~/.ssh
[admtmorgan@nanai-ipm01 ~]$

We then want to make the file that will contain the authorized SSH keys.

[admtmorgan@nanai-ipm01 ~]$ touch ~/.ssh/authorized_keys
[admtmorgan@nanai-ipm01 ~]$

Next we want to set the permissions on this file so that we can read and write it, users in the owning group can read it, and everyone else can also read it.

[admtmorgan@nanai-ipm01 ~]$ chmod 0644 ~/.ssh/authorized_keys
[admtmorgan@nanai-ipm01 ~]$

Finally let's go into the authorized_keys file and add our key. You can find the key in the "Public key for pasting into" box of the PuTTYgen window. You just need to paste this onto the bottom of the file. Remember it's "a" to append to a file and then ":wq" to write and quit.

[admtmorgan@nanai-ipm01 ~]$ vi ~/.ssh/authorized_keys
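The directory, file, permission and paste steps above, rolled into one script as an added example (this is not from the original post; the function names and the sample key are mine). It takes the one-line public key from PuTTYgen's paste box, creates ~/.ssh and authorized_keys with the same permissions the post uses, and only appends the key if that key blob is not already present, so running it twice does not leave duplicate entries. A second function checks the permissions sshd's StrictModes will insist on.

```shell
#!/bin/sh
# install_authorized_key: create ~/.ssh (700) and authorized_keys (644) if
# missing, then append the given OpenSSH public key line if not already there.
# Usage: install_authorized_key "<ssh-rsa AAAA... comment>" [home_dir]
# (function names and argument layout are this example's own assumptions)
install_authorized_key() {
    key="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # Refuse anything that does not look like a single OpenSSH public key line;
    # PuTTYgen's paste box produces exactly this format.
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key line: $key" >&2; return 1 ;;
    esac

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"             # owner only, as in the post
    touch "$authfile"
    chmod 644 "$authfile"           # owner rw, everyone else read, as in the post

    # Compare on "type blob" only, so the same key with a different comment
    # is still recognised as a duplicate.
    keyid=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    if awk '{print $1" "$2}' "$authfile" | grep -qxF "$keyid"; then
        return 0                    # already installed, nothing to do
    fi
    printf '%s\n' "$key" >> "$authfile"
}

# check_ssh_perms: return 0 when ~/.ssh is 700 and authorized_keys is 600 or
# 644. sshd (with the default StrictModes yes) ignores the file when it or the
# directory is writable by anyone other than the owner.
check_ssh_perms() {
    home="${1:-$HOME}"
    dmode=$(stat -c %a "$home/.ssh") || return 1
    fmode=$(stat -c %a "$home/.ssh/authorized_keys") || return 1
    [ "$dmode" = "700" ] || { echo ".ssh is $dmode, expected 700" >&2; return 1; }
    case "$fmode" in
        600|644) ;;
        *) echo "authorized_keys is $fmode, expected 600 or 644" >&2; return 1 ;;
    esac
}

# Example call with a constructed (not real) key, run only when executed directly:
if [ "${0##*/}" = "install_key.sh" ]; then
    install_authorized_key "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedexamplekeymaterial user@pc.example.invalid"
    check_ssh_perms && echo "authorized_keys ready"
fi
```

If the key is in place but PuTTY still falls back to asking for the CentOS password, check_ssh_perms is the first thing to run; a group-writable home directory or authorized_keys is the usual cause of sshd silently ignoring the file.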

We should now be able to connect to our server. Open a new PuTTY window, navigate to Connection -> SSH -> Auth and browse to the location of your private key file.

This step is optional but I then save this configuration as "Default - WithSSHKeys" so I don't have to do this again.

Then enter the IP / Hostname of the server you want to connect to and press open.

At this point you should be able to enter your username and then be prompted for the passphrase for your SSH key rather than the password associated with your CentOS user.

login as: admtmorgan
Pre-authentication banner message from server:
| ********************************************************************
| *                                                                  *
| * This system is for the use of authorized users only.  Usage of   *
| * this system may be monitored and recorded by system personnel.   *
| *                                                                  *
| * Anyone using this system expressly consents to such monitoring   *
| * and is advised that if such monitoring reveals possible          *
| * evidence of criminal activity, system personnel may provide the  *
| * evidence from such monitoring to law enforcement officials.      *
| *                                                                  *
| ********************************************************************
|
|
End of banner message from server
Authenticating with public key "username@domain.tld"
Passphrase for key "username@domain.tld":
Last login: Sun Sep  1 16:10:35 2019 from 10.1.20.56
[admtmorgan@nanai-ipm01 ~]$

Once you have ensured all users have an SSH key set up you can disable password-based authentication for SSH. To start off we need to move into sudo mode, as we are now going to make changes that impact more than just our user!

[admtmorgan@nanai-ipm01 ~]$ sudo -i
[sudo] password for tmorgan: 
[root@nanai-ipm01 ~]# 

Next we need to edit the configuration file for the SSH daemon so it no longer accepts passwords. We start by taking a backup.

[root@nanai-imp01 ~]# cp /etc/ssh/sshd_config /etc/ssh/2019-09-02_sshd_config.cma
[root@nanai-ipm01 ~]# 

We can then edit the /etc/ssh/sshd_config file and change the password setting. Remember it's "a" to append to a file and then ":wq" to write and quit. If you think you have made a mistake you can use ":q!" to exit without saving.

[root@nanai-ipm01 ~]# vi /etc/ssh/sshd_config

From:

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

To:

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

Once this is updated you just need to restart the SSH service for the changes to take effect.

[root@nanai-ipm01 ~]# systemctl restart sshd
[root@nanai-ipm01 ~]#
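The backup-edit-check sequence above, as an added script (not from the original post; function names and the backup suffix are my own). It copies the file aside, flips only the active PasswordAuthentication line to "no" while leaving the commented "#PasswordAuthentication yes" hint line alone, appends an explicit directive if the file had none, and offers a helper that reports the value sshd will actually use: OpenSSH takes the first active occurrence of a directive and defaults to "yes" when none is present, which is why a file with only the commented line still allows passwords.

```shell
#!/bin/sh
# disable_password_auth: back up CONFIG, then make the active
# PasswordAuthentication directive "no". Commented lines are left untouched.
# Usage: disable_password_auth /etc/ssh/sshd_config
# (function names and the ".YYYY-MM-DD.bak" suffix are this example's assumptions)
disable_password_auth() {
    config="$1"
    backup="$config.$(date +%Y-%m-%d).bak"
    cp -p "$config" "$backup" || return 1

    # Rewrite only lines that start (after optional whitespace) with the
    # directive itself, i.e. not the "#PasswordAuthentication yes" comment.
    sed -i 's/^[[:space:]]*PasswordAuthentication[[:space:]][[:space:]]*.*/PasswordAuthentication no/' "$config"

    # sshd defaults to "yes" when the directive is absent, so a file with only
    # the commented hint line must get an explicit directive appended.
    if ! grep -q '^[[:space:]]*PasswordAuthentication[[:space:]]' "$config"; then
        printf '\nPasswordAuthentication no\n' >> "$config"
    fi
}

# effective_password_auth: print the value sshd would use for CONFIG.
# First active match wins (that is how sshd reads its config); default "yes".
effective_password_auth() {
    val=$(grep -i '^[[:space:]]*PasswordAuthentication[[:space:]]' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${val:-yes}"
}

# Example run, only when executed directly against the real file as root:
if [ "${0##*/}" = "disable_pw_auth.sh" ]; then
    disable_password_auth /etc/ssh/sshd_config
    echo "PasswordAuthentication is now: $(effective_password_auth /etc/ssh/sshd_config)"
fi
```

Before the systemctl restart, run `sshd -t` as root; it parses the config and exits non-zero on a syntax error, and a broken sshd_config is the quickest way to end up locked out. Keep the session you are working in open and confirm a second key-based login succeeds before closing it.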

That should be it, simple!