While internally we use SSH for remote connections with password authentication, on external servers it is more secure to use public key authentication.
Remember that security is a priority and we must not sacrifice it for any reason.
Today I will explain how to configure SSH to use public key authentication instead of password authentication.
How to generate SSH public/private key pairs
The first step for SSH public key authentication is to generate the public/private key pair on the client PC. The private key must be stored on the Windows client PC in a secure place. The public key must be stored on the OpenSSH server.
To generate the key pair we will use the ssh-keygen command on a Windows PC with the OpenSSH client installed.
Hold on a minute! What type of key should be used, RSA or Ed25519? Which is more secure?
I won't go into depth, but after some research I found that Ed25519 is more secure. According to Wikipedia, EdDSA was designed to be faster without sacrificing security. Additionally, this is what Microsoft recommends.
So I will generate an Ed25519 key.
- Open PowerShell as Administrator and type the following command:
ssh-keygen -t ed25519
- You can press Enter to accept the default values or specify a path where you would like to save the key pair.
- For now leave it at the default path.
- You can also type a passphrase and use it like a second factor: every time you use the key for authentication you will need to type the passphrase.
- Whether to use a passphrase depends on your requirements.
- For now we will not use a passphrase.
- As you will see, the keys are generated in the path "C:\users\<username>\.ssh".
Let's continue with the next step: storing the private key securely on the user's PC.
How to securely store the private key on the client
Now that we have the private key, our first priority is to keep it in a safe place. You must remember that the private key is like your password.
To do this we will use the ssh-agent service to store the private key securely.
- Because the ssh-agent service is disabled by default, we must set its startup type to Automatic and start the service.
- So type the following commands:
Set-Service ssh-agent -StartupType Automatic
Start-Service ssh-agent
- Now type the following command to store the private key in the ssh-agent (the key was generated at the default path):
ssh-add "$env:USERPROFILE\.ssh\id_ed25519"
- After adding the key to ssh-agent, keep a copy of the private key somewhere safe and delete it from the client PC that will use it for the SSH connection.
- Remember that the private key can't be retrieved from ssh-agent. If for any reason you lose the private key and need to use it on another PC, you must generate a new key pair.
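The client-side steps above as one script, added here as an example (not the original post's code). It generates the Ed25519 key at the default path, enables and starts ssh-agent, loads the key, and only declares it safe to remove the private key file after confirming the agent reports the same fingerprint as the key file.

```powershell
# Added example: generate an Ed25519 key pair, load it into the Windows
# ssh-agent, and verify it is loaded before the private key file is removed.
# Run in an elevated PowerShell (Set-Service needs administrator rights).
$KeyPath = Join-Path $env:USERPROFILE '.ssh\id_ed25519'   # ssh-keygen default location

# 1. Generate the key pair. -N '' means no passphrase, as in the post;
#    omit -N to be prompted for one.
if (-not (Test-Path $KeyPath)) {
    ssh-keygen -t ed25519 -f $KeyPath -N '' -C "$env:USERNAME@$env:COMPUTERNAME"
}

# 2. Enable and start the agent service (disabled by default on Windows).
Set-Service   -Name ssh-agent -StartupType Automatic
Start-Service -Name ssh-agent

# 3. Load the private key into the agent.
ssh-add $KeyPath

# 4. Verify: the fingerprint the agent reports must match the key file.
#    Both commands print "<bits> SHA256:<fp> <comment> (ED25519)".
$fileFp  = ((ssh-keygen -lf "${KeyPath}.pub") -split ' ')[1]
$agentFp = (ssh-add -l) | ForEach-Object { ($_ -split ' ')[1] }

if ($agentFp -contains $fileFp) {
    Write-Host "Key $fileFp is loaded in ssh-agent."
    # Only now is it safe to remove the private key file from this PC, after
    # you have backed it up securely (the agent cannot give it back to you).
    # Remove-Item $KeyPath
} else {
    throw "Key was not loaded into ssh-agent; do not delete $KeyPath."
}
```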
How to copy the public key to the OpenSSH Server
The public key must be saved on the OpenSSH server in a specific location that depends on the user type.
If the user is a standard user, the public key must be saved in C:\users\<username>\.ssh in a text file named authorized_keys.
If the user is an Administrator, the public key must be saved in C:\ProgramData\ssh in a text file named administrators_authorized_keys.
Let's try to do a test with both user types.
First, I will try with the administrator account.
- Copy/paste the public key to the path C:\ProgramData\ssh and rename it to administrators_authorized_keys.
- Don't forget to remove the .pub extension.
- Right-click the file and select Properties.
- Go to the Security tab and verify that only the Administrators group and the SYSTEM account have access to the public key file. Any other user must be removed.
- Or you can run the following command to set the appropriate access:
icacls.exe "$env:ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F"
If you want to connect remotely with a standard user instead of an administrator, the only steps you need to do are the following:
- Copy/paste the public key to the path C:\users\<username>\.ssh
- Rename the public key to authorized_keys
- Remove the .pub extension.
How to enable Public Key Authentication on the OpenSSH Server
By default, public key authentication is not enabled on the OpenSSH server.
To enable it you must edit the sshd_config file, which is located in C:\ProgramData\ssh, and change the PubkeyAuthentication line from no to yes.
Don't forget to disable password authentication as well, by changing the PasswordAuthentication value from yes to no.
After the changes, save the file and restart the OpenSSH server so the changes take effect.
How to connect remotely with SSH
Now that we have configured everything, we can proceed to connect remotely from the client.
- Open PowerShell and type the following command (replace the placeholders with your user and server):
ssh <username>@<server-name-or-ip>
- Only the first time, you must type yes to add the server's host key fingerprint to the trusted list (known_hosts).
How to check Event Logs for SSH Connections
If you want to check the event logs to verify the connection or troubleshoot an issue, open Event Viewer and go to Application and Services Logs -- OpenSSH.
Click on Informational and you will find all the logs you need.
I hope you learned something valuable or that this helped you resolve an issue.
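The sshd_config change and the log check from the two sections above, as a script added here as an example (not the original post's code). It backs up sshd_config, sets PubkeyAuthentication yes and PasswordAuthentication no whether the lines are present, commented out or missing, restarts sshd, and then reads the OpenSSH operational log to show how recent logins actually authenticated; any "password" entry after the change means password authentication is still being offered somewhere. The message format matched ("Accepted publickey for <user> from <ip> ...") is the one sshd writes; the log name OpenSSH/Operational is the operational channel under the OpenSSH folder.

```powershell
# Added example: harden sshd_config as the post describes, restart sshd, and
# review recent authentication results from the OpenSSH operational log.
$cfg = Join-Path $env:ProgramData 'ssh\sshd_config'
Copy-Item $cfg "${cfg}.bak" -Force          # keep a backup before editing

$text = Get-Content $cfg -Raw
# Rewrite each directive whether it is active, commented out or set to another
# value. The "Match Group administrators" block at the end is left untouched.
$text = $text -replace '(?m)^#?\s*PubkeyAuthentication\s+\S+',   'PubkeyAuthentication yes'
$text = $text -replace '(?m)^#?\s*PasswordAuthentication\s+\S+', 'PasswordAuthentication no'
# If a directive is absent, insert it before the Match block (or append it).
foreach ($d in 'PubkeyAuthentication yes', 'PasswordAuthentication no') {
    if ($text -notmatch ('(?m)^' + $d + '\s*$')) {
        $text = if ($text -match '(?m)^Match ') { $text -replace '(?m)^Match ', "$d`r`nMatch " }
                else { "$text`r`n$d" }
    }
}
Set-Content -Path $cfg -Value $text -Encoding ascii
Restart-Service sshd

# Sanity check: show the effective lines.
Select-String -Path $cfg -Pattern '^(Pubkey|Password)Authentication'

# Detection side: authentication outcomes from the last 24 hours.
Get-WinEvent -FilterHashtable @{ LogName = 'OpenSSH/Operational'; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match '(?<result>Accepted|Failed) (?<method>publickey|password) for (?<who>\S+) from (?<ip>\S+)') {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Result = $Matches.result
                Method = $Matches.method   # "password" here means the change did not take effect
                User   = $Matches.who
                From   = $Matches.ip
            }
        }
    } | Format-Table -AutoSize
```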