Security of your server – and hence your data – should be one of the most important things to manage, no matter what you use the server for. Having your server compromised can be an issue ranging from a minor annoyance and temporary drop of service – for example if your site gets defaced, as you’d have to clean it up, restore some files etc. – to a full blown root-level compromise leading to a complete loss of data, and loss of days worth of time, money and nerves

What are ssh keys

Today we’re going to be talking about SSH keys – what are they, why use them, and how to set them up.

So what exactly are SSH keys? SSH keys are essentially two files that each hold an encryption key in them – one public, one private. Only the private key can decrypt messages encrypted with the public key, and vice versa, ensuring only the holder of the key has access to the server. This type of encryption method is also called Public Key Cryptography or Assimetric Cryptography. With the added benefit of setting a passphrase for the private key (that encrypts it’s content on disk, so no one can see or use it even if they get a hold of it), SSH keys are much safer than password authentication in most use-cases.

Now that we know what they are, let’s move on to how to create them. We’ll cover 2 ways of doing that – using a key generator in WHM, and manually creating them in shell using ssh-keygen command.

Creating SSH keys in WHM

This process is fairly simple – you generate a key, authorize it for use, copy the private key to your local machine, and that’s pretty much it!

To create a keypair, navigate to WHM > Security Center > Manage Root’s SSH Keys > Generate a New Key

The key name defaults to id_rsa (if you leave the Key Name field blank), but feel free to name it whatever you want to make it easier to distinguish from other keys. Set a passphrase – feel free to use the included password generator – and copy it somewhere safe. Leave the Key Type and Key Size at default, and click on Generate Key.

Next, we have to authorize the new key, so go back a page, find your key (it will probably be the only one you have) and click on Manage Authorization > Authorize

The final step is copying your private key to your local machine. Again, go back a page, find your key amongst Private Keys, and click on View/Download Key. You’ll be presented with the following screen:

SSH keys are usually kept in ~/.ssh directory (on Linux, Mac, and Windows if you’re using Cygwin) – so navigate to that directory, open up your favourite text editor, and paste the whole key in that file. If this is the only key you have, name it id_rsa.key, and it should be used automatically when you connect to SSH.

If you have more than one key, it would be prudent to name it something easily distinguishable from other keys, like server_hostname.key. Since I have more than one, I’ve named this key randomtestserver.tld.key

-rw------- 1 user None 1766 Jun 17 13:57 randomtestserver.tld.key

Make sure you set the permissions of that file to 600, so it’s readable only by you!

To connect to the server, use ssh  command as you usually would, with the addition of -i  flag to specify the key to use:

Enter your passphrase, and you’re in!

Disabling password authentication

Keep in mind that password authentication is still enabled – meaning you (or anyone else) can still connect to the server using the root password instead of the key we just created. As that basically defeats the purpose of the key, let’s turn off password authentication for root.

Simply navigate to WHM > Security Center > SSH Password Authorization Tweak and click on Disable Password Auth button.

And there you have it. Now only the holder of the private key and it’s passhprase can connect to SSH on your server, considerably raising the level of security.

Creating keys for specific cPanel users (as opposed to root user) works the exact same way, except you’ll want to go to cPanel > Home > Security > SSH Access and create the keys there.

Generating SSH keys with ssh-keygen

This approach is a bit more complicated, but is quite useful, especially when running a non-cPanel server. It works by creating both the private and public key on your machine, then uploading the public key to the server – in reverse of the previous approach.

Fire up your shell, and type in ssh-keygen :

 

Here I left the key name at default (id_rsa and id_rsa.pub) and have set no passphrase.

On to uploading the public key to the server. You have several options here – using WHM, ssh-copy-id , manual copy method, etc. – but we’ll cover only the first of those in this article.
Navigate to WHM > Home > Security Center > Manage root’s SSH Keys, and click on Import Key. Remember, this time we need to import the public key, so cat out the public key, and copy it over to the server.

Remember to authorize this key, and disable root’s password authentication, as described previously!

benefits of ssh keys

Using SSH keys is only one option for making sure only authorized persons have access to the server, and has many added benefits besides that. Having password authentication disabled on the server renders botnet brute-force attacks virtually useless, as they’ll never have the chance to try to log in as they don’t have the private key. Likewise, the private key and it’s passphrase never get sent over the network, as opposed to a password which the server has to authenticate, so there’s practically no possibility of a man-in-the-middle attack. That’s not to say they’re completely secure – if your local machine and passphrase get compromised, one could gain unauthorized access.

They can also be used in automation scripts to automatically connect to servers, and management of multiple keys is made easy by various keyring applications. Though not suitable for every use-case, SSH keys are a great choice for having that extra layer of security without much hassle.

Facebooktwittergoogle_plusredditpinterestlinkedinmail