In today's article I'm going to explain how to set up cryptographic authentication keys for Linux.
Our environment is VirtualBox and we have a Linux Ubuntu server with Apache2 installed and a Windows 10 machine; we also have a Windows Server 2022 machine. These are running on my Intel Apple iMac within VirtualBox. I have set up a NAT network and all VMs have been attached to it so that they can communicate with each other and the internet.
Description
SSH is a secure communication protocol that allows two machines to communicate over a network. In this lab example we have Linux web server running Ubuntu and Apache 2. We are using a Windows 10 machine to SSH into the Linux machine and perform actions on the Linux server.
By default, SSH uses the Linux user’s password to authenticate and either grant or deny access. The problem with this is that in theory any password, no matter how secure it is, could be brute forced, particularly with the advent of powerful GPUs available in the cloud and with quantum computing in the not too distant future. By removing password authentication and enabling cryptographic private/public key authentication we only allow the authorised computer (the one holding the matching private key) access to the Linux server. This key pair can be backed up to a secure USB stick or a non-networked machine or drive if desired.
Prerequisites: Windows 10 standalone machine fully updated.
Linux Ubuntu with Apache 2 installed.
Both VMs inside VirtualBox on a NAT network (this is how your lab should be set up anyway).
Start both machines and perform a ping from Windows to Linux (don’t bother other way around as the Windows firewall blocks ICMP packets by default). Assuming you get a response, continue. If you do not get a response, you will need to fix your NAT Network settings first.
In my commands below I create a non-root user, “davidgilmore” – replace my chosen username with yours.
Preparing the Linux Machine (many commands may require sudo)
Switch to the root user in the Terminal like this:
$ su
Insert your password and then you can use sudo in any of the subsequent commands.
Open the terminal
$ ip a
Make note of your IP address
Add a standard account (I am using my full name in this example)
$ adduser davidgilmore
$ usermod -aG sudo davidgilmore
Install SSH Server
$ sudo apt-get update
$ sudo apt-get install openssh-server
Check SSH installed
$ ssh -V
$ sudo systemctl start ssh
Check UFW Firewall not blocking ssh port 22
$ sudo ufw allow ssh
Check you can ssh from Windows (the > symbol just denotes the PowerShell command prompt)
Open Powershell
> ssh davidgilmore@192.0.2.5
Type “yes” to accept adding the connection
Enter the password for that username
You should now see the Linux command prompt - $
Close Powershell
Create a .ssh folder on Ubuntu
Back to the Linux terminal
$ su - davidgilmore
</gml_replace>
<gr_replace lines="43" cat="clarify" orig="Remove the hash">
Find the line #PasswordAuthentication yes, remove the hash (to uncomment the entry) and change the value at the end to ‘no’, so the line reads: PasswordAuthentication no
$ mkdir /home/davidgilmore/.ssh
Change .ssh folder permissions
$ chmod 700 /home/davidgilmore/.ssh
Edit ssh permissions
$ sudo nano /etc/ssh/sshd_config
Remove the hash (to uncomment the entry) and add ‘no’ at the end: PasswordAuthentication no
Next find #PermitRootLogin
Again uncomment the line and set the value at the end to no:
PermitRootLogin no
Now press CTRL + X on your keyboard
Select Y to overwrite and close Nano
Restart the ssh server
$ sudo systemctl restart sshd
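Before restarting sshd it is worth confirming that the two settings you just edited are the ones that will actually take effect. sshd honours the first occurrence of a keyword and ignores any later ones, and on recent Ubuntu releases /etc/ssh/sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file there (cloud-init ships one, for example) can silently win over your edit. The script below is an added example, not part of the original article: it applies the first-match rule to a single file and reports whether PasswordAuthentication and PermitRootLogin are both set to no. The function names and the sample config written to a temp file are my own; on the real server, `sudo sshd -T` prints the fully resolved configuration and is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config file
# for the two hardening settings the article changes.
# Usage: check_sshd_hardening /etc/ssh/sshd_config

# Print the value sshd would use for a keyword in ONE file: comments and
# blank lines are skipped, keywords are case-insensitive, first match wins.
sshd_setting() {
    file="$1"
    key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    awk -v k="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == k { print $2; exit }
    ' "$file"
}

# Return 0 when PasswordAuthentication and PermitRootLogin are both "no"
# in the given file, 1 otherwise; one OK/FAIL line per setting on stdout.
check_sshd_hardening() {
    file="$1"
    rc=0
    for pair in "PasswordAuthentication:no" "PermitRootLogin:no"; do
        key=${pair%%:*}
        want=${pair##*:}
        got=$(sshd_setting "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset, sshd default applies}', want $want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: looks hardened at a glance, but the first uncommented
# PasswordAuthentication line still says yes, so sshd keeps passwords on.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# Constructed sshd_config fragment for demonstration only
PasswordAuthentication yes
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
EOF

if check_sshd_hardening "$SAMPLE_CONFIG"; then
    echo "config is hardened"
else
    echo "config is NOT hardened (fix the first match, not the last)"
fi
```

Run it against /etc/ssh/sshd_config and, where it exists, against each file in /etc/ssh/sshd_config.d/ as well; a FAIL in any included file that precedes your edit means the restart will not disable password logins. Match blocks are not modelled here, which is one more reason to confirm with `sudo sshd -T` on the server itself.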
Create the authentication keys
Open PowerShell (leave off the > symbol below, this just denotes the PowerShell command line)
> ssh-keygen -b 4096
PowerShell will return the message “Enter file in which to save the key”. Just press Enter.
Press Enter to leave the passphrase blank (DO NOT ENTER A PASSWORD).
Enter again
> cd .ssh
> dir
You will now see your two keys (id_rsa and id_rsa.pub) and a known_hosts file.
Publish the key to the Linux server
Enter this command as one line with a space after rsa.pub
> scp $env:USERPROFILE\.ssh\id_rsa.pub davidgilmore@10.0.2.15:/home/davidgilmore/.ssh/authorized_keys
This will securely publish the key to the Linux machine.
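Two things to know about the scp step: it still needs a password login to be accepted at the moment it runs (the key is not on the server yet), and copying straight onto authorized_keys replaces the file, so any key that was already authorised for that account is gone. The script below is an added example, not part of the original article, showing the server-side way to add a key without those side effects: it validates that the file really is a single OpenSSH public key, creates ~/.ssh with the permissions the article sets, and appends the key only if it is not already present. The function names and the sample key are constructed for the example; the key string is not a real key.

```shell
#!/bin/sh
# Added example (not from the original article): append a public key to a
# user's authorized_keys idempotently, with the permissions sshd requires.
# Usage: install_pubkey /home/davidgilmore /path/to/id_rsa.pub

# Return 0 if the line has the shape of one OpenSSH public key:
# "<type> <base64> [comment]", 1 otherwise.
looks_like_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'
}

# Install the first line of $2 into $1/.ssh/authorized_keys.
# Refuses files that are not public keys (a common mistake is copying the
# private key), and never adds the same key twice.
install_pubkey() {
    home="$1"
    keyfile="$2"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"
    key=$(head -n 1 "$keyfile")
    if ! looks_like_pubkey "$key"; then
        echo "refusing: $keyfile does not contain an OpenSSH public key" >&2
        return 1
    fi
    mkdir -p "$sshdir" && chmod 700 "$sshdir"     # sshd ignores a world-readable .ssh
    touch "$auth" && chmod 600 "$auth"            # and a group/world-writable authorized_keys
    if grep -qxF "$key" "$auth"; then
        echo "already authorised, nothing to do"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "added key to $auth"
    fi
}

# Number of keys currently authorised for the account whose home is $1.
authorized_key_count() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Demo on a throwaway "home" directory with a constructed (non-functional) key.
DEMO_HOME=$(mktemp -d)
DEMO_KEY=$(mktemp)
trap 'rm -rf "$DEMO_HOME" "$DEMO_KEY"' EXIT
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQConstructedSampleKeyNotReal== davidgilmore@win10\n' > "$DEMO_KEY"
install_pubkey "$DEMO_HOME" "$DEMO_KEY"
install_pubkey "$DEMO_HOME" "$DEMO_KEY"     # second run is a no-op
echo "keys authorised: $(authorized_key_count "$DEMO_HOME")"
```

In the lab, scp the public key to a scratch location such as /tmp/id_rsa.pub instead of directly onto authorized_keys, then run install_pubkey as the target user on the Linux side. Because a key that is already present is skipped, the script is safe to run repeatedly from a provisioning step.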
Now close PowerShell and re-open it (to be sure no login information is cached)
> ssh davidgilmore@10.0.2.15
If the key is installed properly, you will have access straight away to the Linux server and will see the command prompt $. If you have not set this up properly you will either not have access or you may be asked for a password.
Let’s test our authentication keys by trying to login with an unauthorised device
Shut down the Windows 10 standalone machine
Boot any other machine you have on the same network (remember it must be on the same NAT Network)
Open PowerShell
> ssh davidgilmore@10.0.2.15
Your connection should be refused.
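The refusal can also be confirmed from the server side, which is where you would notice unauthorised attempts in practice. On Ubuntu sshd logs to /var/log/auth.log (also visible with `journalctl -u ssh`): an accepted key login produces an "Accepted publickey for ..." line, while a machine without an authorised key produces "Failed publickey for ..." or a "Connection closed by authenticating user ... [preauth]" line when the client gives up, since password authentication is no longer offered. The script below is an added example, not part of the original article, that counts these outcomes and summarises them per source address. The log lines it reads are constructed samples in sshd's format, not output from a real host, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): summarise sshd
# authentication outcomes, e.g. from /var/log/auth.log on the Ubuntu server.
# Usage: count_accepted FILE; count_refused FILE; summarise_by_ip FILE

# Constructed sample log, in the format real sshd lines use. 10.0.2.4 is the
# authorised Windows 10 machine, 10.0.2.6 the "other machine" from the test.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:15:02 ubuntu sshd[1234]: Accepted publickey for davidgilmore from 10.0.2.4 port 50512 ssh2: RSA SHA256:CONSTRUCTEDsampleFingerprint00000000000000000000
Mar  3 10:16:40 ubuntu sshd[1240]: Failed publickey for davidgilmore from 10.0.2.6 port 50533 ssh2: RSA SHA256:CONSTRUCTEDotherKeyFingerprint000000000000000000
Mar  3 10:16:41 ubuntu sshd[1240]: Connection closed by authenticating user davidgilmore 10.0.2.6 port 50533 [preauth]
Mar  3 10:17:10 ubuntu sshd[1251]: Invalid user admin from 10.0.2.6 port 50560
Mar  3 10:18:03 ubuntu sshd[1260]: Accepted publickey for davidgilmore from 10.0.2.4 port 50601 ssh2: RSA SHA256:CONSTRUCTEDsampleFingerprint00000000000000000000
EOF

# Successful key-based logins.
count_accepted() {
    grep -c 'sshd\[[0-9]*\]: Accepted publickey for' "$1"
}

# Connections that never authenticated: a key sshd did not accept, an
# unknown user, or a client that closed the connection before authenticating.
count_refused() {
    grep -Ec 'sshd\[[0-9]*\]: (Failed publickey for|Invalid user|Connection closed by authenticating user .* \[preauth\])' "$1"
}

# One line per source address with accepted and refused counts. In every
# line type above the address is the token just before the word "port".
summarise_by_ip() {
    awk '
        function src(   i) { for (i = 2; i <= NF; i++) if ($i == "port") return $(i - 1); return "?" }
        /sshd\[[0-9]+\]: Accepted publickey for/ { ip = src(); acc[ip]++; seen[ip] = 1 }
        /sshd\[[0-9]+\]: (Failed publickey for|Invalid user|Connection closed by authenticating user)/ { ip = src(); ref[ip]++; seen[ip] = 1 }
        END { for (ip in seen) printf "%-15s accepted=%d refused=%d\n", ip, acc[ip], ref[ip] }
    ' "$1"
}

echo "accepted logins: $(count_accepted "$SAMPLE_LOG")"
echo "refused attempts: $(count_refused "$SAMPLE_LOG")"
summarise_by_ip "$SAMPLE_LOG"
```

Point the functions at /var/log/auth.log (with sudo) after running the article's test and the second machine should appear with accepted=0. A steady stream of refused lines from one address is the signal to act on, for instance with a firewall rule or fail2ban, and the absence of any "Failed password" lines is itself confirmation that password authentication is really off.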