
How to Set Up SSH on a CentOS 7 VPS from a Windows Client

Download PuTTYgen onto the Windows machine, as shown in figure 1.

Figure 1: Download PuTTYGen



Then start the program and click the “Generate” button, as shown in figure 2.

Figure 2: Run PuTTYGen



It is recommended to move the mouse randomly over the blank area as the key pair is being generated, as shown in figure 3.

Figure 3: Move mouse randomly over the blank area during key pair generation



Next, there is an option to secure the key with a passphrase. If you leave the passphrase blank, you’ll be able to use the private key for authentication without entering a passphrase. If you enter a passphrase, you will need both the private key and the passphrase to log in. In this tutorial, we’ll leave it blank, as shown in figure 4.

Figure 4: PuTTYGen Interface



Save the private key by clicking the “Save private key” button.

Then copy the highlighted text under “Public key for pasting into OpenSSH authorized_keys file”, starting with “ssh-rsa”, to the clipboard, as shown in figure 4. This text will be used later on to create the public key on the remote CentOS 7 server.

Now, SSH into the remote CentOS 7 server using PuTTY.

Log into remote server


Download PuTTY from its official website (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) and install it on the Windows machine, as shown in figure 5.

Figure 5: Download PuTTY



Run the PuTTY application, enter the IP address of the remote CentOS 7 server, and enter the password at PuTTY’s prompt, as shown in figure 6.

Figure 6: Putty SSH interface

Install SSH package


As shown in figure 7, install the ssh package by running the command:

$ sudo yum install -y openssh-server


Then start the sshd service and enable it at boot-time as shown in figure 8.

$ sudo systemctl start sshd

$ sudo systemctl enable sshd


The next step is to copy the public key onto the server.

Figure 7: Install ssh package



Figure 8: Start and Enable sshd service

Copy the SSH Public Key in the Remote Server


First, create the directory named “.ssh” in the home folder of user account “linuxuser”.

$ mkdir -p ~/.ssh


OR

$ mkdir -p /home/linuxuser/.ssh


Then, we’ll create a file named “authorized_keys” by running the command:

$ nano ~/.ssh/authorized_keys


In case you get an error that “nano command not found”, just install it, as shown in figure 9, by running the command:

$ sudo yum install -y nano


Figure 9: Install nano command



Then paste the public key from the clipboard into nano editor and save by pressing “Ctrl-O”, as shown in figure 10.

Figure 10: Paste and save public key

Special Note: The key has to be all in one line. If it’s wrapped into more than one line, then there will be an error during connection.


Let’s now set the correct permissions of the directory and file.

$ chmod 700 ~/.ssh

$ chmod 600 ~/.ssh/authorized_keys


Then, restart the sshd service.

$ sudo systemctl restart sshd
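
The two mistakes this section warns about, a key wrapped over several lines and wrong permissions, can be checked with a short script. This is an added example, not part of the original tutorial: check_authorized_keys and make_samples are hypothetical helper names, the keys are constructed samples rather than real keys, and the check is structural only (it does not verify that the key blob is valid).

```bash
#!/usr/bin/env bash
# Added example: structural audit of a .ssh directory for the two mistakes noted above.
# check_authorized_keys is a hypothetical helper, not an OpenSSH tool.

check_authorized_keys() {
    local dir="$1" file="$1/authorized_keys" n=0 bad=0 line
    local entry='(^|[[:space:]])(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)'
    # With StrictModes (the default), sshd refuses authorized_keys when the file or
    # its directory is writable by group or others; the tutorial's 700/600 is checked.
    [ "$(stat -c %a "$dir")" = 700 ]  || { echo "$dir: mode is not 700"; bad=1; }
    [ "$(stat -c %a "$file")" = 600 ] || { echo "$file: mode is not 600"; bad=1; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        # One entry = [options] key-type base64-blob [comment], all on ONE line.
        if ! printf '%s\n' "$line" | grep -Eq "$entry"; then
            echo "line $n: no key type + blob here (wrapped or truncated key?)"
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Constructed sample data (not real keys): one good directory, one broken one.
make_samples() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/good" "$root/bad"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleBlob rsa-key-sample' \
        > "$root/good/authorized_keys"
    # Same key, but wrapped by the editor onto two lines
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB' 'AQCconstructedSampleBlob rsa-key-sample' \
        > "$root/bad/authorized_keys"
    chmod 700 "$root/good"; chmod 600 "$root/good/authorized_keys"
    chmod 775 "$root/bad";  chmod 664 "$root/bad/authorized_keys"
    echo "$root"
}

samples=$(make_samples)
check_authorized_keys "$samples/good" && echo "good: OK"
check_authorized_keys "$samples/bad"  || echo "bad: fix the problems listed above"
```

On the server, the same function can be pointed at the real directory with check_authorized_keys ~/.ssh.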


Now, test if the ssh key pair is really working.

Test ssh key pair functionality


Close the current session and run the PuTTY program.

Go to SSH > Auth as shown in figure 11. Then browse for the location of the private key and load it. Finally, save the session with a name that you’ll use to identify it, then start the session.

Figure 11: Loading private key



It is indeed successful, as shown in figure 12, indicated by the text “Authenticating with public key”.

Figure 12: Successful key pair authentication



Now that the SSH key pair is verified to work as required, it’s a BEST practice to disable password authentication by editing the SSH configuration file “sshd_config”. This removes any risk of a brute-force attack via password cracking.

Edit the sshd_config file


Let’s edit the configuration file by running command:

$ sudo vi /etc/ssh/sshd_config


See figure 13. Set value of PasswordAuthentication to “no”

PasswordAuthentication no


Figure 13: Modify settings in sshd_config



Uncomment and set other important settings in the config file as follows and save the file. (See figure 13)

PubkeyAuthentication yes
AuthorizedKeysFile    .ssh/authorized_keys
ChallengeResponseAuthentication no


Restart the sshd service to enable the changes in the config file by running command.

$ sudo systemctl restart sshd
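
Before relying on the new settings, it helps to confirm which values sshd will actually use, because sshd takes the first value it reads for each keyword. The script below is an added example, not part of the original tutorial: effective_value and audit_sshd_config are hypothetical helper names, the config file is a constructed sample, and only the global section (before any Match block) is examined.

```bash
#!/usr/bin/env bash
# Added example: check what sshd will actually use from a config file.
# effective_value and audit_sshd_config are hypothetical helpers.

# sshd uses the FIRST value it reads for a keyword; keywords are case-insensitive.
# Only the global section (before any Match block) is examined here.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print $2; exit }
    ' "$1"
}

audit_sshd_config() {
    local file="$1" failed=0 pair key got
    for pair in PasswordAuthentication=no PubkeyAuthentication=yes \
                ChallengeResponseAuthentication=no; do
        key=${pair%%=*}
        got=$(effective_value "$file" "$key")
        if [ "$got" != "${pair#*=}" ]; then
            echo "FAIL $key: found '${got:-not set}', want '${pair#*=}'"
            failed=1
        fi
    done
    [ -n "$(effective_value "$file" AuthorizedKeysFile)" ] ||
        { echo "FAIL AuthorizedKeysFile: not set explicitly (check the spelling)"; failed=1; }
    return "$failed"
}

# Constructed sample: "no" was appended at the end, but an earlier
# uncommented "yes" line still wins, so passwords remain enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF

audit_sshd_config "$sample" || echo "config does not match the intended settings"
```

On the server itself, sudo sshd -t checks the file for syntax errors before the restart, and keeping the current session open until a new key-based login succeeds avoids being locked out.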


From now on, it’s possible to log into the server using SSH keys ONLY and NOT with a PASSWORD. Zero risk of password brute forcing!

We’re not done yet. firewall-cmd still has to be set up to allow SSH through the firewall.

Configure firewall-cmd for ssh


In CentOS 7, the default tool used to configure firewall policies is called firewall-cmd. It has replaced iptables, which was used in CentOS 6.6 and earlier versions. Firewall-cmd uses the firewalld service to apply configuration changes without stopping current connections.

Configure firewall-cmd to allow ssh connections.

To check the status of the firewall and start the firewalld service, run the commands:

$ sudo firewall-cmd --state

$ sudo systemctl start firewalld


To enable it to run at boot-time, run command:

$ sudo systemctl enable firewalld


Firewalld uses the concept of ‘zones’ to label the trustworthiness of other hosts on the network. The labeling then makes it possible to assign different rules to specific networks. In this demonstration, we’ll adjust the SSH policies for the default zone. To check the default zone, run the command:

$ sudo firewall-cmd --get-default-zone


To check all the services and ports that are allowed via firewalld filter, run command:

$ sudo firewall-cmd --list-all


Figure 14: Firewall-cmd commands



In our case, the default zone is trusted. We’ll now add ssh-service as an approved service in firewalld, by running the command.

$ sudo firewall-cmd --permanent --add-service=ssh


Then to enable and apply the changes to the default interface run:

$ sudo firewall-cmd --reload


If you desire to change the default port of ssh server from 22 to let’s say 4445, you can add port 4445 explicitly by running the commands below.

$ sudo firewall-cmd --permanent --remove-service=ssh
$ sudo firewall-cmd --permanent --add-port=4445/tcp


Also, change the port from 22 to 4445 by editing the line in /etc/ssh/sshd_config file:

Port 4445

Save the file and restart the sshd service.

 
