How-to: Secure ssh connections for a linux host or VM

Follow the steps below in order create a secure setup for connecting from Windows to any host or VM running Linux. You will see that the setup is quite easy and straightforward. You are just steps away from tight security of your hosts.

The only requirement is that the VM should support ssh connections (thus, running sshd).

The method used here is to generate a public/private key pair with a passphrase. The public key is installed on the Linux server/VM and the private key is installed in out putty session.

Generate key using PuTTYgen

First of all get PuTTYgen! There is no install procedure involved...it's just a tiny little program, similar to putty.

Run the program, and press the Generate button:

Now, just move the mouse as instructed, in order to generate randomness:

After some seconds you'll get the following screen:

This is the most important step in order to secure the connections to your VM.
Enter a passphrase, which will be used later to authenticate users who will be using the generated private key.
Finally press the "Save private key" button to save you new private key. This private key file can be distributed to any clients that will connect to your VM.

Import private key into putty

Ok, now we are ready to import our generated key into the required putty session. So we need to go to the SSH properties of the required session. The image below shows exactly the location of private key file setting.
Note that this setting is per session, thus you could have as many key as you want. So every connection could have a different key file, or - for simplicity - if you want you can use the same ppk file for all of your linux hosts.
Finally don't forget to save the session, otherwise the changes will be lost.

Install public key in host/VM

Create the users who should be able to connect to this vm.
Then decide which users will be able to run sudo commands or "su -" and add them to the corresponding group. For example in Debian/Linux this command below adds the user user1 and directly assigns him in the "sudoers" group:
useradd -G sudo -s /bin/bash -m -d /home/user1 user1
and create an .ssh directory in the home directory of each one of them and in this directory create a file named authorized_keys and copy there the generated public key. The value to copy in that file is the one shown in example below, under the title Public key for pasting
    Be careful: You need to scroll down the text box and copy the whole thing!
    Now if you cat the authorized_keys file, it should be in the form:
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAt3Tnp4oCf/yHQWDx2/CUu1WcwLt6ZfLETL/fFK+F91mx
    11111111111111111111111111111111UYexCSRHkYG7Ey3uffUOWuSn+BnHy+GVmYOM87SCR5Sl14dz
    XxvNffAw5IjDAUcAi8Um3jPPobSW/2345234552345234523kkkkkkkkkkkkkkkkkkkkkkkkkkkkk1op
    N3aFYpQU20rmWja6J6fPGXwTuTvd/rjJPlKGaz9w0r+hj7CbJU00FN/nAAy0/0000000000000000/xT
    CXRItzBH4SyWfZpfPMf/55555555555555+a505HFU2qPPRjSo15WnvIXw== imported-openssh-ke
    y
    Now save the file and connect from a separate window in order to test the connection.

    Host sshd configuration

    Disable SSH Password Authentication

    In /etc/ssh/sshd_config update or add the following entries:
    ChallengeResponseAuthentication no
    PasswordAuthentication no
    UsePAM no

    Disable ssh root access

    The last step to tight security is to disable ssh root access to this VM.
    This is done by modifying the file /etc/ssh/sshd_config and set the PermitRootLogin property to No:
    PermitRootLogin no

    Check your configuration

    The changes will be applied by restarting you sshd. But before doing so, do a final test of your configuration in order to check that indeed everything is working fine:
    • Connect securely using you ppk
    • You can execute sudo commands
    • You can "su -"
    Then restart your sshd by using the command
    /etc/init.d/ssh restart
    Check again. Now users won't be able to connect to this host using the usual username/password authentication.

    Voila! Now you are ready to use your super safe setup and sleep happily and calmly evereafter!

    1 comment: