arrow_upward

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 5
  • 4
  • 3
  • 2
  • 1
How to create PuttyGen keys for accessing a VPS and disable password authentication
#2
Quote:Navigate to the link below and download PuttyGen for either 32 or 64 bit VPS

Whether you need the 32 Bit or 64 Bit version of PuTTYGen actually depends on the Windows version that the machine where you will run PuTTYGen to generate the keys is running on. For a 32 Bit Windows version you will of course need the 32 Bit version of PuTTYGen while a 64 Bit Windows version will happily take 32/64 Bit PuTTYGen. The architecture of the VPS doesn't really matter at all in this case.

A small thing I thought that should be edited or corrected because it sounds rather weird in this context.


I see that in the first pictures SSH2-RSA with a key length of 1024 bits is used. Which seems to be a default of PuTTYGen. So nothing to blame on you here.

SSH2-RSA is also fine while SSH1-RSA should be avoided at all cost due to massive security flaws in the outdated SSH1 protocol (I wonder why it is even STILL included in SSH clients and tools after so many years). Nowadays I would strictly recommend to use atleast 2048 bits key length or go even higher to values such as 4096 bits, 8192 bits and etc. Oh, SSH2-DSA is also fine.

It might take a bit more time to generate the keys but the security level of 2048, 4096 bits and etc is much higher vs 1024 bits. Don't go too high though or it will take a hit on performance.


After the keys have been generated I would also recommend to apply an extra layer of security to them by adding a passphrase to them. You can easily do this when saving the private.ppk file. PuTTYGen will ask if you wish to apply a passphrase to secure the key pair.


A small note regarding adding SSH keys to the necessary files on Linux. Always use this SSH format like in PuTTYGen and be careful with formatting. If whatsoever the format is wrong or the formatting of the key is broken with something simple as a breakline... well, you will lock yourself out of your own server because SSH cannot recognize the public key and match it to the provided private key. BE CAREFUL!

That's just some important trivia everyone should keep in mind. In the past it happened so often to me that I pasted the key from PuTTYGen into a notepad that didn't honor the formatting... Then I copied it from that notepad tool into authorized_keys and it simply never worked. Locked myself out a few times this way. Since that I usually directly copy the key from PuTTYGen and paste it directly into authorized_keys in nano or vi.


One last thing. At the end you set "passwordauthentication yes" to "passwordauthentication no" which is absolutely correct. However there are a few other things that should be atleast reviewed when editing sshd_config for SSH key authorized login.
  • Uncomment (if commented) "PermitRootLogin yes" and set it to "PermitRootLogin without-password" to allow root to login with SSH key authorization. In this case be sure you added your public key to the authorized_keys on the root user profile, too!
  • Uncomment (if commented) "RSAAuthentication yes" to allow RSA keys. If it is set to no set it to yes.
  • Uncomment (if commented) "PubkeyAuthentication yes" to actually enabled the public key authentication feature. Set it to yes if it is set to no.
  • Uncomment (if commented) "AuthorizedKeysFile .ssh/authorized_keys" to set the default path for the authorized_keys file to the .ssh folder inside the user home folder.


I think that's it. Pretty sure someone else with more knowledge on security could add more points to improve SSH security but you're very good to go once you disabled password login and successfully setup SSH public key authentication with a strong and passphrase protected key pair.
[Image: zHHqO5Q.png]



Possibly Related Threads…
Thread
Author
Replies
Views
Last Post
2,539
07-27-2019, 04:42 PM
Last Post: Manal

person_pin_circle Users browsing this thread: 1 Guest(s)
Sponsors: VirMach - Host4Fun - CubeData - Evolution-Host - HostDare - Hyper Expert - Shadow Hosting - Bladenode - Hostlease - RackNerd - ReadyDedis - Limitless Hosting