In a previous example, I listed two simple ways to enhance SSH server security in your Linux VPS.
The article did not go into enough detail on how to generate and use the SSH RSA key pair, but it mentioned that the user holds the private key and that the server holds the public key.
This is the sequence of commands:
user@vps:~$ cd .ssh
user@vps:~/.ssh$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
The key's randomart image is:
+--[ RSA 2048]----+
| .+*+oo |
| .+.== . |
| . +ooo |
| . o. |
| E S .. |
| + o . |
| + . |
| . .. |
| o. |
user@vps:~/.ssh$ ls -la
drwx------ 2 root root 4096 Nov 17 23:47 .
drwx------ 6 root root 4096 Nov 17 23:33 ..
-rw-r--r-- 1 root root 797 Nov 17 23:47 authorized_keys
-rw------- 1 root root 1766 Nov 17 23:47 id_rsa
-rw-r--r-- 1 root root 393 Nov 17 23:47 id_rsa.pub
-rw-r--r-- 1 root root 1108 Nov 17 23:41 known_hosts
user@vps:~/.ssh$ cat id_rsa.pub >>authorized_keys
user@vps:~/.ssh$ ssh 10.1.1.53 -p 10022 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Nov 17 23:04:47 2014 from 10.1.1.54
I started off by changing directory to ~/.ssh. Then I used “ssh-keygen” to generate the SSH public and private keys on my Linux VPS.
I also chose to protect my private key with a passphrase, so that if the key gets compromised, only I will know the passphrase (unless I was the victim of a keylogger or other malware). To have an unprotected private key, just press Enter at the passphrase prompt, as instructed in the output.
Next, the public key needs to be appended to the “~/.ssh/authorized_keys” file; after that, test your work by logging in.
The ssh command is based on the ssh config changes from the previous article, and it uses the “-i” switch to tell the ssh client which private key to use. After entering the passphrase, I am logged in.
Now it’s up to you whether you want to keep this private key on the server or take it with you and delete it from the server.
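If the private key does stay on the server, it is worth checking that it really is passphrase-protected and that nothing in the directory is open to other users. The following Python script is an added example, not part of the original session; the function names key_is_encrypted and audit_ssh_dir are hypothetical, and the sample key it writes is constructed.

```python
import base64, os, stat, struct, tempfile

MAGIC = b"openssh-key-v1\0"  # start of the decoded body of a new-format OpenSSH key

def key_is_encrypted(text):
    """True/False for private-key text, None if the text is not a private key."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and "PRIVATE KEY" in lines[0]):
        return None
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return True
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:  # body: MAGIC, then a length-prefixed cipher name ("none" = no passphrase)
            blob = base64.b64decode("".join(lines[1:-1]))
            (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        except (ValueError, struct.error):
            return None
        if not blob.startswith(MAGIC):
            return None
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    # Legacy PEM: encryption is declared in a "Proc-Type: 4,ENCRYPTED" header.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:])

def audit_ssh_dir(path):
    """Return (filename, problem) findings for one .ssh directory."""
    findings = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o022:
        findings.append((".", "directory is group/world-writable"))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        mode = stat.S_IMODE(os.stat(full).st_mode)
        with open(full, errors="replace") as fh:
            encrypted = key_is_encrypted(fh.read())
        if name == "authorized_keys" and mode & 0o022:
            findings.append((name, "group/world-writable"))
        if encrypted is not None and mode & 0o077:
            findings.append((name, "private key accessible to group/others"))
        if encrypted is False:
            findings.append((name, "private key has no passphrase"))
    return findings

if __name__ == "__main__":
    # Constructed sample: a header-only legacy PEM key with no Proc-Type line.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "id_rsa"), "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n")
        os.chmod(os.path.join(d, "id_rsa"), 0o644)
        print(audit_ssh_dir(d))
```

To check a real directory, call audit_ssh_dir(os.path.expanduser("~/.ssh")); an empty list means none of these problems were found.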
Note: The PuTTY SSH client needs this key converted to a format it understands, using puttygen.exe. This is the subject of another article in the future.
Comments are welcome.
You can actually try those SSH activation steps on our platform in a few minutes using our PCS (Private Cloud Solution), which allows you to have VPSie(s) on a private network with NAT, port forwarding, traffic control for inbound and outbound traffic, and multiple gateway IPs which you could use for load balancing and failover.