Secure shell access to the VPS

After setting up the bare VPS, it is time to gain secure access to our Ubuntu Server running on the VPS through a secure shell connection (SSH).

From RFC 4252, one of the RFCs that together define the SSH protocol:

The Secure Shell Protocol (SSH) is a protocol for secure remote login and other
secure network services over an insecure network.

Of course, the insecure network here is the internet.

We will set up SSH access in two phases:

  1. Set up basic SSH with the normal login credentials
  2. Secure access further with a key


But first, we have to switch on the VPS again:

Start the VPS

And then click on the ubuntu TestVPS button to start the TransIP console. Now Ubuntu boots and we are greeted with the login screen again. I usually check for updates after logging in by performing the commands:

$ sudo apt-get update
$ sudo apt-get upgrade

SSH is already running since I selected it to be installed in the previous article. Before we go any further I would enable the firewall and close every port for now, by entering:

$ sudo ufw enable
$ sudo ufw status

Status: active is what we are aiming at. ufw's default policy denies all incoming connections and allows outgoing ones, so this also closes port 22. That is harmless right now, because we are working on the provider's console rather than over SSH, but when we are done configuring SSH we mustn't forget to open the SSH port, otherwise no connection will be possible. We should be secure enough for now.

Setting up basic SSH

We want to get SSH access as quickly as possible. Our first step is to go over the SSH server settings:

$ sudo nano /etc/ssh/sshd_config

and we change the following:

PermitRootLogin yes => PermitRootLogin no

Newer Ubuntu releases ship this line as #PermitRootLogin prohibit-password, which still lets root in with a key; set it to no regardless, root has no business logging in over SSH directly.

Then restart the ssh service:

$ sudo service ssh restart

Then, remember that we need to open the ssh port (22) on the firewall. We do this by issuing:

$ sudo ufw allow OpenSSH
$ sudo ufw status

Connecting from Windows with PuTTY

When you normally work from a Windows PC, you will need PuTTY. PuTTY is always the second tool I install on any Windows machine (right after Notepad++, a free but extremely capable text editor). PuTTY may look a bit odd if you are not used to it, but once you get the hang of connecting to your VPS, you will never look back.

Retrieve your IP address by looking at the information page of the VPS provider, or by simply typing:

$ ifconfig

And searching for the line that starts with "inet addr:" in the eth0 section. Newer Ubuntu releases no longer install ifconfig by default; there, ip -4 addr shows the same address on an inet line, and the interface may be called something like ens3 instead of eth0. The address you want is the public one from the provider's page; that is the one PuTTY has to reach.

Then start PuTTY, fill in your IP address, enter a session name, save the session and then click Open:

The very first time you connect to an SSH server, you will get the following warning:

This is PuTTY telling you it has never seen this server's host key before and asking whether to trust it from now on. We trust our own server, but this is the one moment to check that we are really talking to it and not to something in between: compare the fingerprint in the dialog with the one the server prints on the TransIP console when you run ssh-keygen -lf on the matching /etc/ssh/ssh_host_*_key.pub file. If they match, press Yes and you are greeted with:

Login with your credentials and you are in. From this moment on we will only need the TransIP console in case we seriously screw up.

Connecting from another Linux machine

This is even easier. Open a console and type:

Setting up public key authentication

With public key authentication we log in with a key instead of a password. A client that does not have an acceptable key does not get in at all: there is no password prompt to guess at. No retries, nothing.

I am going to describe two ways to get where we want to be:

  1. Create the key pair on Windows and use PuTTY to connect to the VPS from Windows
  2. Create the key pair on Linux and use the Linux console to connect to the VPS

Setting up public key authentication from Windows

We need PuTTYgen, which comes with a PuTTY installation. Start PuTTYgen and select SSH-2 RSA with a bit length of at least 2048 (older PuTTYgen versions default to 1024, which is too short today; recent versions default to 2048 and also offer Ed25519, a fine choice when the server's OpenSSH supports it).

Click generate and move your mouse as instructed:

Enter a comment and a passphrase. The private key must be accessible to you only: anyone who gets hold of the file can log in to the server as you, without any further restriction. By adding a passphrase you set up one more speed bump: now the private key is only useful to someone who also knows the passphrase. Bottom line: do not leave it empty.

Now save the private key to a file; we need it in a bit to set up profiles in PuTTY and WinSCP. The public key we transfer to the server now, with the PuTTYgen window still open.

On the console make sure to be in your home directory:

$ pwd

This shows /home/bart in my case. If not, type

$ cd

and check again. Now:

$ mkdir .ssh
$ nano .ssh/authorized_keys

Right-click in the upper key field of PuTTYgen (labelled "Public key for pasting into OpenSSH authorized_keys file") and select all. Right-click again and select Copy. Now paste this key into the authorized_keys file by right-clicking in Nano; it must end up as one single line. Then press Ctrl-X to close Nano and type "y" to save the file. Keep .ssh and authorized_keys readable and writable by your own account only: sshd (StrictModes, on by default) ignores the file when it or the .ssh directory is writable by other users.

Test access from Windows

We have to add our previously saved private key to the PuTTY configuration.

First select the PuTTY configuration and click Load.

Fill in the path to the private key.

Fill in the auto-login username:

Then save the configuration again.

Now, when you connect to the VPS you only need to fill in the passphrase for your private key.

So far, so good, but we’re not quite finished. See Finish the configuration

Setting up public key authentication from Linux

From Linux the process is very similar. We configure the public and private keys on the local machine and then transfer the public key to the VPS.

First the key generation. The command below stores the private key in the file id_rsa.testvps and the public key in the file id_rsa.testvps.pub. I did not choose the default file id_rsa because that one was already in use. The text after -C is the key comment, which ends up in the public key and helps you tell keys apart in authorized_keys. Like in the section before, I also use a passphrase to protect the private key.

Now we need to transfer the public key to the VPS machine. We use scp for this.

On the VPS we now find the public key in the home directory. I am going to add the contents to the .ssh/authorized_keys file.

Now we can try to connect from Linux again. Note that I use an extra command parameter, because my desktop contains multiple private keys. An article in the links discusses a way to make multiple private keys easier to use.

In my case on Linux Mint, a window popped up to ask me for my passphrase.

This approach also works, but do not forget to finish the configuration.

Finish the configuration

We can now connect to the VPS securely with public key authentication, so we no longer want password authentication: as long as it stays enabled, every password-guessing bot on the internet still gets a shot at our accounts. Disabling password authentication happens in the SSH server configuration.

sudo nano /etc/ssh/sshd_config

In this file change the line from

#PasswordAuthentication yes

to:

PasswordAuthentication no

Restart the SSH server to read the configuration. Do this from your existing PuTTY or ssh session, but keep that session open and test the new configuration from a second window before closing the first: if the key login fails for some reason, the open session is what saves you from a trip to the TransIP console. On newer Ubuntu releases also look in /etc/ssh/sshd_config.d/: the main file starts with an Include of that directory, sshd uses the first value it finds for an option, and the 50-cloud-init.conf that cloud images ship there sets PasswordAuthentication yes, which silently wins over the edit above. Running sudo sshd -T and looking for passwordauthentication in its output shows the value that is actually in effect.

If you now try to connect with a user that does not exist or without providing a private key you will get stopped at the door:

The log file /var/log/auth.log will no longer fill up with failed password attempts, because none can be made; a client that offers no acceptable key is disconnected before authentication, which shows up as a closed connection marked [preauth].
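Why an edit to sshd_config can fail to take effect is easiest to see by reproducing the rule sshd applies, so here is an added example (not the author's code) that does exactly that on a constructed copy of the Ubuntu file layout: sshd takes the first uncommented value of a keyword, reads Include files at the point where the directive appears, and treats everything below a Match line as conditional. The directory, file names and option values in the sample are constructed for the example; on a real server the authoritative check remains sudo sshd -T.

```shell
#!/bin/sh
# Added example (not from the article): reproduce sshd's option resolution rule
# so you can see why an edit in /etc/ssh/sshd_config may not be the value sshd
# uses. Per sshd_config(5): the FIRST uncommented value of a keyword wins,
# "Include" files are read at the point where the directive appears, and
# anything below a "Match" line is conditional. Newer Ubuntu images start the
# main file with "Include /etc/ssh/sshd_config.d/*.conf", and a drop-in there
# (cloud-init writes 50-cloud-init.conf with "PasswordAuthentication yes")
# is therefore read before, and overrides, a line further down the main file.
# On a real server the authoritative check is: sudo sshd -T | grep -i passwordauthentication

# _resolve FILE KEYWORD_LOWERCASE: print the first value found (following
# Include) and return 0; return 1 if not found before a Match line or EOF.
_resolve() {
    local file kw line key pat inc
    file="$1"; kw="$2"
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                           # drop comments
        line="$(printf '%s' "$line" | tr '=' ' ')"   # allow "Keyword=value"
        set -f; set -- $line; set +f                 # split on whitespace, no globbing
        [ $# -eq 0 ] && continue
        key="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
        case "$key" in
            match)   return 1 ;;                     # rest of this file is conditional
            include)
                shift
                for pat in "$@"; do
                    for inc in $pat; do              # globbing intended here
                        _resolve "$inc" "$kw" && return 0
                    done
                done ;;
            "$kw")   printf '%s\n' "${2-}"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# effective_sshd_option FILE KEYWORD: print the value sshd would use, or "unset".
effective_sshd_option() {
    local kw value
    kw="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
    if value="$(_resolve "$1" "$kw")"; then
        printf '%s\n' "$value"
    else
        printf 'unset\n'; return 1
    fi
}

# write_demo_config DIR: constructed sample files mimicking the Ubuntu layout
# (sample input for this example, not copied from any server).
write_demo_config() {
    local dir
    dir="$1"
    mkdir -p "$dir/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"
    cat > "$dir/sshd_config" <<EOF
Include $dir/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PermitRootLogin no
#PasswordAuthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
EOF
}

# Stand-alone demo: PasswordAuthentication resolves to "yes" despite the "no"
# in the main file, because the included drop-in is read first.
demo_sshd_resolution() {
    local tmp opt
    tmp="$(mktemp -d)"
    write_demo_config "$tmp"
    for opt in PermitRootLogin PasswordAuthentication X11Forwarding; do
        printf '%-22s %s\n' "$opt" "$(effective_sshd_option "$tmp/sshd_config" "$opt")"
    done
    rm -rf "$tmp"
}
demo_sshd_resolution
```

The fix on such a system is to put PasswordAuthentication no in its own drop-in that sorts before 50-cloud-init.conf (or to edit that file), and then confirm with sshd -T rather than by reading the files.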

Now the VPS is secure to connect to via SSH, but the VPS itself doesn’t do anything interesting yet. I will describe some uses in next articles.

Loose ends

Changing a passphrase

Every once in a while you should change the passphrase on your private keys. The passphrase only protects the private key file on your own machine; the public key on the server stays the same, so after changing it nothing needs to be copied.

On Linux

ssh-keygen -p -f ~/.ssh/id_rsa

On Windows

Start PuTTYgen. Click Load and open the private key. Change both passphrase fields and click Save.

Links
