Using SSH Keys with PuTTY


Article Description

This article describes

______________________________________________________________________________________________________________________________________________________

The IT Security Office recommends SSH servers be configured to accept SSH keys only (not passwords).

 

Client setup (Use a unique key for each client)

SSH Key creation / generation algorithm choices:

 

Use PuTTYgen to generate the public/private key pair.

 

  1.  Choose the SSH Key creation / generation algorithm
         a.  Confirm "SSH-2 RSA key" is selected from the Key dropdown menu.  Use key size of at least 4096 bits
         b.  EdDSA (Ed25519)
  2.  Generate the keys
  3. Create a passphrase for the key that meets or exceeds the VT password complexity rules.
  4. Save the Private Key to a secure location on the client such as C:\Users\hokie\.ssh\gobbler-private.ppk
  5. Save the Public Key to a secure location on the client such as C:\Users\hokie\.ssh\gobbler-public.  In this format the key will need to be converted to be used on a Linux/UNIX host.
  6. Copy and save the text in the "Public key for pasting into OpenSSH authorized_keys file:" box as a plain text file on the client (C:\Users\hokie\.ssh\gobbler-public.txt).  The plain text version of the public key will not need to be converted to use on a Linux/UNIX host.    

 

Install the public key on the server and test

Open a connection to the Remote host with PuTTY.

Add the public key to /home/hokie/.ssh/authorized_keys on the remote server.  If .ssh/authorized_keys does not exist, the directory and file will need to be created.

Paste in the text from the "Public key for pasting into OpenSSH authorized_keys file:" section of the PuTTY Key Generator.

hokie@Remote:~$ mkdir .ssh
hokie@Remote:~$ vi .ssh/authorized_keys
hokie@Remote:~$ chmod 700 .ssh
hokie@Remote:~$ chmod 600 .ssh/authorized_keys

*** Permissions on the directory .ssh need to be 700 (chmod 700 .ssh) and on the file authorized_keys 600 (chmod 600 authorized_keys). ***

Close the connection to the remote host.

Configure PuTTY to use the private SSH Key

 

Reconnect to the remote host to test.  If the Remote host is configured to use PubkeyAuthentication you will be prompted to accept the server's host key.

 

Configure the remote server to allow logins via SSH Keys

Open two connections to the remote server.  Use one to make the configuration changes and keep the other open as a way to recover from a misconfiguration.

Add SSH banner text 
sudo vi /etc/ssh/sshd_banner
---
Notice!!!

Access to computer systems and networks owned or operated by Virginia Tech is governed by VT Policy 7000 'Acceptable Use of and Administration of Computer and Communication Systems' as well as other University policies. Usage may be monitored, recorded and subject to audit. Unauthorized use is prohibited and may be subject to criminal and/or civil penalties. Use of this system indicates consent to monitoring and recording.
---

Edit sshd_config to enable PubkeyAuthentication by setting the following options. 

sudo vi /etc/ssh/sshd_config

StrictModes yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin no
Banner /etc/ssh/sshd_banner

Restart SSH service

Ubuntu:  sudo systemctl restart ssh
CentOS/RedHat/Fedora:  sudo systemctl restart sshd

Test for connectivity and proper function.


---
Notice!!!

Access to computer systems and networks owned or operated by Virginia Tech is governed by VT Policy 7000 'Acceptable Use of and Administration of Computer and Communication Systems' as well as other University policies. Usage may be monitored, recorded and subject to audit. Unauthorized use is prohibited and may be subject to criminal and/or civil penalties. Use of this system indicates consent to monitoring and recording.
---
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.8.0-50-generic x86_64)

 

Disable PasswordAuthentication

Edit sshd_config to disable PasswordAuthentication by setting the following option. 

sudo vi /etc/ssh/sshd_config

PasswordAuthentication no

Restart SSH service

Ubuntu:  sudo systemctl restart ssh
CentOS/RedHat/Fedora:  sudo systemctl restart sshd

Test for connectivity and proper function.
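
The sshd_config settings from the two edits above can be checked with a script like the following, an added example that is not part of the original article. The function names first_value and audit_sshd_config and the sample configuration are constructed for illustration; only the first occurrence of each keyword before any Match block is compared, because sshd uses the first value it obtains.

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the settings in this article.
# sshd keeps the first value it obtains for each keyword (first match wins).
# first_value FILE KEYWORD -> prints the first global value of KEYWORD
first_value() {
    awk -F'[ \t=]+' -v want="$2" '
        /^[ \t]*#/ { next }                  # skip comment lines
        { sub(/^[ \t]+/, "") }               # drop indentation; fields re-split
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == tolower(want) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> one line per setting; returns the number of failures
audit_sshd_config() {
    fails=0
    while read -r key want; do
        got=$(first_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key: expected '$want', found '${got:-not set}'"
            fails=$((fails + 1))
        fi
    done <<EOF
StrictModes yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin no
Banner /etc/ssh/sshd_banner
PasswordAuthentication no
EOF
    return "$fails"
}

# Constructed sample (not from a real host): the later "no" never takes effect.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<EOF
StrictModes yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin no
Banner /etc/ssh/sshd_banner
#PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "$? setting(s) differ from the article"
```

The script reads a single file and does not follow Include directives. On a live host, sudo sshd -t checks the configuration syntax before a restart and sudo sshd -T prints the effective settings.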