How to set up Ubuntu Linux Server OpenSSH (private/public key pair only authentication) and access it through SSH from Windows
This is a quick tutorial especially for Windows users who would like to configure Ubuntu Linux to only allow SSH private/public key access and it is also a HowTo for Windows users to access Ubuntu Linux with only SSH private/public key.
- The version of Ubuntu Linux used as a server in this tutorial is 13.04 “Raring” (new, raw and bare installation). However, the same approach may apply to other versions of Ubuntu Linux and to other Linux distributions as well.
- User is assumed to have basic Unix/Linux administrative skills.
- The user who performs the SSH connection is assumed to be running on a Windows machine.
This article won’t touch on the background and mechanisms of Public key cryptography. If you desire more information about this, you may read it on Wikipedia: http://en.wikipedia.org/wiki/Public-key_cryptography.
Windows Machine: Tools Required
Before attempting this tutorial, equip yourself with the few tools listed below for SSH work on your Windows machine (you may download them at http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html):
- PuTTY (The SSH Client – http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe)
- PuTTYgen (The tool to generate SSH private/public key – http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe)
- Pageant (This is the agent which runs in background that performs the authentication – http://the.earth.li/~sgtatham/putty/latest/x86/pageant.exe)
Ubuntu Linux: Tools Required
Ubuntu itself doesn’t come with pre-installed openssh-server. To install the OpenSSH server, just perform this (Since you can’t SSH into the server without OpenSSH Server, please do this on the server itself):
$ sudo apt-get install openssh-server
Windows Machine: Generating the Public and Private SSH Keys through PuTTYgen
To generate the public and private SSH keys for SSH key authentication, the PuTTYgen is the tool to be used. Perform the following:
- Execute PuTTYgen. The PuTTYgen Key Generator window will seem strange at first sight (with a large key panel area).
- Under the Parameter panel section, you can choose between a few algorithms. Just click on SSH-2 RSA, which is by far the most secure.
- In the Number of bits in generated key input box, you may stick with the default of 1024. But if you require a more secure key, you may increase this value to e.g. 2048 or 4096. But do remember, the greater the value you’ve given, the more time the generator requires to generate the SSH key pair.
- In the Action panel, click on the Generate button, then the program will tell you to move your mouse randomly around the large key area, so just move your mouse around there.
- Once done, it will show you the public key for the server (which is a bunch of text).
- For better security, you may enter a passphrase in the Key passphrase input box. Let’s just enter “passwd123456”, which is the same password as that of ubuntu_user for now. The passphrase need not be the same as the Linux user’s password. Make sure you confirm the passphrase in the Confirm passphrase input box.
- Here’s how to save the keys. Please note that there is no restriction on which directory the keys are saved in, and no restriction on the keys’ filenames either. For simplicity, let’s save them in “C:\My-SSH-Keys\” for now:
- Public Key: In the Key panel, there will be a bunch of text generated, for example:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBaf9tHTCcqDPgQG4/h0UjwUPJ5iglWIX/xB68k9thUkThHJ9/r3Bf3WGtNoAPj4wWDgX5qtYFAXm8baBfPNQ2wPoQE58EqAZOoEsbYgyee+psKgZGaZ951XlkrF9ZtnerGgLw5vLbSx+TyIvemu2TlGiDwhGxJZGHtQqeovjphuw== rsa-key-20131102
This should be the public key (in OpenSSH format) to be placed on the Linux server. Copy the bunch of text and save it in a text file called “authorized_keys” in the directory “C:\My-SSH-Keys\”.
- Private Key (for PuTTY tools): Save it by clicking on the Save private key button in the Action panel. Save the file as “ubuntu_user-ssh2-rsa.ppk” (take note of the file extension .ppk) in the directory “C:\My-SSH-Keys\”.
- Private Key (for OpenSSH): Click on the menu Conversions -> Export OpenSSH Key. Save the file as “ubuntu_user-ssh2-rsa.ossh” in the directory “C:\My-SSH-Keys”.
Now, you have 3 sets of keys. Just a quick idea of what the keys are for:
- Public Key (authorized_keys) – this is to be uploaded to, and reside on, the Ubuntu Linux Server, specifically in your ubuntu_user user account.
- Private Key (ubuntu_user-ssh2-rsa.ppk) – this is to be loaded by Pageant for authentication whenever you make an SSH connection through PuTTY to the Ubuntu Linux Server (we’ll discuss this later). It is supposed to be kept to yourself and only for your own use.
- Private Key (ubuntu_user-ssh2-rsa.ossh) – this is for use with any OpenSSH client to connect to the Ubuntu Linux Server. You don’t need this now, but keep it in case the need arises. It is still a private key, so keep it to yourself and only for your own use.
Accessing the Ubuntu Linux Server through PuTTY (without SSH key authentication)
For this tutorial, I have set up my Ubuntu Linux to run on IP 192.168.2.41; the sudo user is “ubuntu_user” and the password is “passwd123456”. We will begin by accessing the Ubuntu Linux server through PuTTY (one of the things that I like about PuTTY is the ability to copy and paste text from Windows to the target server with just shortcut keys and mouse clicks, which comes in handy in many ways). To gain the initial access (without SSH key authentication for now), do this:
- Execute PuTTY.exe
- First, the PuTTY Configuration window will appear, just key in the following details:
- Host name (or IP address): The IP address of the server (in my case, it is 192.168.2.41)
- Port: 22 (which is the default port)
- Connection type: Click on SSH
- Click on the Open button to initiate the connection.
- Just key in the username (“ubuntu_user“) and password of the sudo user (“passwd123456“) to login to the server.
The below steps are all performed through PuTTY as ubuntu_user.
Upload the Public Key (through PuTTY and/or FTP)
To load the public key into the specific user account of Ubuntu Linux, perform the below:
- Change the working directory to the user’s home directory, make a new directory called “.ssh” and cd into it:
$ cd ~
$ mkdir .ssh
$ chmod 700 .ssh
$ cd .ssh
- Create a file called “authorized_keys”, then copy and paste the contents of the public key file (C:\My-SSH-Keys\authorized_keys) on your local machine into it on the remote server. You may do this with the vi editor, or you can FTP the “authorized_keys” file directly to the /home/ubuntu_user/.ssh folder.
- You have to change the authorized_keys file permission to 644:
$ chmod 644 authorized_keys
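A check for the file created in the steps above, as an added example that is not part of the original tutorial: it verifies that every line of authorized_keys is a single, intact OpenSSH public key line and that the file is not writable by group or others. The function names are made up for this example; it assumes GNU `base64` and key lines without leading options.

```sh
#!/bin/sh
# Succeeds if "$1" is one OpenSSH public key line: "<type> <base64> [comment]".
# Assumption: no leading options such as command="..." are in use.
check_key_line() {
    ktype=${1%% *}; rest=${1#* }; blob=${rest%% *}
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
        *) return 1 ;;  # wrapped fragment, or the "---- BEGIN SSH2 ..." file format
    esac
    # The blob must be valid base64 ...
    printf '%s' "$blob" | base64 -d >/dev/null 2>&1 || return 1
    # ... and must begin with a 4-byte length followed by the same type name.
    inner=$(printf '%s' "$blob" | base64 -d 2>/dev/null |
            dd bs=1 skip=4 count="${#ktype}" 2>/dev/null)
    [ "$inner" = "$ktype" ]
}

# Succeeds if file "$1" is not group/world-writable and every non-blank,
# non-comment line passes check_key_line; prints each problem it finds.
check_authorized_keys() {
    file=$1; bad=0; n=0
    # With StrictModes (the sshd default) a file others can write to is ignored.
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$file: group- or world-writable"; bad=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        check_key_line "$line" || { echo "$file:$n: not a valid key line"; bad=1; }
    done < "$file"
    return "$bad"
}

# Demo on a temporary file holding the sample public key shown on this page.
demo=$(mktemp)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBaf9tHTCcqDPgQG4/h0UjwUPJ5iglWIX/xB68k9thUkThHJ9/r3Bf3WGtNoAPj4wWDgX5qtYFAXm8baBfPNQ2wPoQE58EqAZOoEsbYgyee+psKgZGaZ951XlkrF9ZtnerGgLw5vLbSx+TyIvemu2TlGiDwhGxJZGHtQqeovjphuw== rsa-key-20131102' > "$demo"
chmod 644 "$demo"
check_authorized_keys "$demo" && echo "authorized_keys looks usable"
rm -f "$demo"
```

On the server, run it as `check_authorized_keys ~/.ssh/authorized_keys` after pasting or uploading the key.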
Configure OpenSSH to only allow private/public key authentication
The next thing to do is to configure OpenSSH to only allow private/public key authentication. Do remember that after performing this step, the normal SSH password authentication and FTP authentication will not work, as only the SSH key is accepted for authentication (SSH and SFTP still work). Do the following:
- Change the working directory to “/etc/ssh“:
$ cd /etc/ssh
- Edit the sshd_config file (you need superuser permission to perform this):
$ sudo vi sshd_config
- Uncomment (delete the ‘#’ character) the line with “AuthorizedKeysFile %h/.ssh/authorized_keys“
- Locate the line “UsePAM yes“, change it to “UsePAM no“.
- Uncomment the line with “PasswordAuthentication yes“, change that to “PasswordAuthentication no“
- Save the changes to the file and restart the OpenSSH server:
sudo service ssh restart
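One way to confirm that the edits took effect, as an added example rather than part of the original tutorial: the script reads a config file the way sshd does for global settings (the first occurrence of a keyword wins, keywords are case-insensitive, commented lines count for nothing) and reports whether password login is really off. The function names and sample files are constructed here; `Include` files and `Match` blocks are not evaluated, and keywords are assumed to be separated from values by whitespace.

```sh
#!/bin/sh
# Print the effective global yes/no value of keyword "$2" in config file "$1",
# or the default "$3" if the keyword is never set before any Match block.
sshd_setting() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        NF == 0 || $1 ~ /^#/ { next }          # blank or commented-out line
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == want { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# Succeeds only if the file enforces key-only login as configured on this page.
# The third argument of each call is the stock OpenSSH default for that keyword.
key_only_login() {
    cfg=$1; bad=0
    [ "$(sshd_setting "$cfg" PasswordAuthentication yes)" = no ] ||
        { echo "PasswordAuthentication is not 'no'"; bad=1; }
    [ "$(sshd_setting "$cfg" UsePAM no)" = no ] ||
        { echo "UsePAM is not 'no'"; bad=1; }
    [ "$(sshd_setting "$cfg" PubkeyAuthentication yes)" = yes ] ||
        { echo "PubkeyAuthentication is disabled"; bad=1; }
    return "$bad"
}

# Constructed samples. In the first, the value was changed but the '#' was
# left in place, so sshd still applies the default (password login allowed).
weak=$(mktemp); fixed=$(mktemp)
printf '%s\n' 'Port 22' '#PasswordAuthentication no' 'UsePAM yes' > "$weak"
printf '%s\n' 'Port 22' 'PasswordAuthentication no' 'UsePAM no' > "$fixed"
key_only_login "$weak"  || echo "weak sample rejected"
key_only_login "$fixed" && echo "fixed sample accepted"
rm -f "$weak" "$fixed"
```

On the server, `sudo sshd -t` checks /etc/ssh/sshd_config for syntax errors and `sudo sshd -T` prints the effective settings. Keep the current PuTTY session open until a second session has logged in with the key.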
Accessing Ubuntu Linux through private/public key SSH authentication (via PuTTY and Pageant)
You may need to close all opened SSH terminals and start a new one again, but from now onwards, it is with the help of Pageant. To access the server with only private/public key authentication, just follow the below:
Add Private Key (.ppk key file) to Pageant:
- Execute Pageant.exe. Pageant (PuTTY Authentication Agent) is a background agent into which you first load your private keys so that PuTTY can read them whenever it needs to perform key pair authentication. You should be able to see a small icon in the Windows Notification area. Double-click on it and the Pageant Key List window will appear.
- To load the private key, just click on the Add Key button and select the “ubuntu_user-ssh2-rsa.ppk” file, which you have generated previously. It will ask for the passphrase which you have entered while generating the key (if any).
SSH To The Ubuntu Linux Server via PuTTY:
- Execute the PuTTY.exe file again to bring up the SSH Terminal Client (with Pageant running in the background).
- The terminal will prompt you to enter the username.
Once you’ve keyed in the username, it will automatically log you in without prompting for password. You’ll get something like the below:
login as: ubuntu_user
Authenticating with public key "rsa-key-20131102" from agent
Last login: Sat Nov 2 13:37:49 2013 from 192.168.2.66
$
You may perform SFTP access to the server on the same port as SSH (port 22) with Pageant running in the background. PuTTY, PuTTYgen and Pageant are popular tools that provide easy and quick SSH access to other systems. The same approach can be used for other Linux distributions or PaaS variants on the market which require SSH private/public key pair access.
Hope that you’ve found this tutorial useful.