How to Set Up SSH on a CentOS 7 VPS from a Windows Client

Download PuTTYgen onto the Windows machine, as shown in figure 1.

Figure 1: Download PuTTYGen

Then start the program and click the “Generate” button, as shown in figure 2.

Figure 2: Run PuTTYGen

It is recommended to move the mouse randomly over the blank area as the key pair is being generated, as shown in figure 3.

Figure 3: Move mouse randomly over the blank area during key pair generation

Next, you can choose whether or not to secure the key with a passphrase. If you leave the passphrase blank, you’ll be able to use the private key for authentication without entering a passphrase. If you enter a passphrase, you will need both the private key and the passphrase to log in. In this tutorial, we’ll leave it blank, as shown in figure 4.

Figure 4: PuTTYGen Interface

Save the private key by clicking the “Save private key” button.

Then copy the highlighted text under “Public key for pasting into OpenSSH authorized_keys file”, starting with “ssh-rsa”, to the clipboard, as shown in figure 4. This text will be used later on to create the public key on the remote CentOS 7 server.

Now, SSH into the remote CentOS 7 server using PuTTY.

Log into remote server

Download PuTTY from its official website (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) and install it on the Windows machine, as shown in figure 5.

Figure 5: Download PuTTY

Run the PuTTY application, enter the IP address of the remote CentOS 7 server, and enter the password at PuTTY’s prompt, as shown in figure 6.

Figure 6: PuTTY SSH interface

Install SSH package

As shown in figure 7, install the SSH server package by running the command:

$ sudo yum install -y openssh-server

Then start the sshd service and enable it at boot-time as shown in figure 8.

$ sudo systemctl start sshd
$ sudo systemctl enable sshd

The next step is to copy the public key onto the server.

Figure 7: Install ssh package

Figure 8: Start and Enable sshd service

Copy the SSH Public Key in the Remote Server

First, create the directory named “.ssh” in the home folder of user account “linuxuser”.

$ mkdir -p ~/.ssh

OR

$ mkdir -p /home/linuxuser/.ssh

Then, we’ll create a file named “authorized_keys” by running the command:

$ nano ~/.ssh/authorized_keys

In case you get an error that “nano command not found”, just install it, as shown in figure 9, by running the command:

$ sudo yum install -y nano

Figure 9: Install nano command

Then paste the public key from the clipboard into nano editor and save by pressing “Ctrl-O”, as shown in figure 10.

Figure 10: Paste and save public key

Special Note: The key has to be all in one line. If it’s wrapped into more than one line, then there will be an error during connection.

Let’s now set the correct permissions of the directory and file.

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys

Then, restart the sshd service.

$ sudo systemctl restart sshd
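
The single-line requirement and the permissions set above can be checked mechanically on the server. The script below is an added example, not part of the original tutorial; the function name check_authorized_keys is hypothetical, and it assumes entries use the usual “[options] key-type base64 [comment]” layout.

```sh
#!/bin/sh
# Added example (not from the original tutorial): lint an authorized_keys file.
# check_authorized_keys is a hypothetical helper name.
# Usage: check_authorized_keys ~/.ssh/authorized_keys

check_authorized_keys() {
    file=$1
    dir=$(dirname "$file")
    rc=0

    # Modes must match "chmod 700" on the directory and "chmod 600" on the file.
    # cut -c1-10 drops the trailing "." or "+" that ls adds for SELinux/ACLs.
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ] ||
        { echo "$dir: mode is not 700" >&2; rc=1; }
    [ "$(ls -l "$file" | cut -c1-10)" = "-rw-------" ] ||
        { echo "$file: mode is not 600" >&2; rc=1; }

    # Each non-blank, non-comment line must hold a whole entry:
    #   [options] key-type base64-blob [comment]
    # A key wrapped by the editor leaves at least one line without that shape.
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if ($i ~ "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$" &&
                    $(i + 1) ~ "^AAAA[A-Za-z0-9+/]+=*$" &&
                    length($(i + 1)) % 4 == 0)
                    ok = 1
            if (!ok) { printf "line %d: not a complete public key\n", NR; bad = 1 }
        }
        END { exit bad }
    ' "$file" >&2 || rc=1

    return $rc
}
```

A non-zero return means either the modes differ from 700/600 or at least one line does not contain a complete key, which is what a wrapped paste produces.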

Now, test if the ssh key pair is really working.

Test ssh key pair functionality

Close the current session and run the PuTTY program.

Go to SSH > Auth as shown in figure 11. Then browse for the location of the private key and load it. Finally, save the session with a name that you’ll use to identify it, then start the session.

Figure 11: Loading private key

It is indeed successful, as shown in figure 12, indicated by the text “Authenticating with public key”.

Figure 12: Successful key pair authentication

Since it’s verified that the SSH key pair is working as required, it’s a best practice to disable password authentication by editing the SSH configuration file “sshd_config”. This is to remove any risk of brute-force attack via password cracking.

Edit the sshd_config file

Let’s edit the configuration file by running command:

$ sudo vi /etc/ssh/sshd_config

See figure 13. Set the value of PasswordAuthentication to “no”:

PasswordAuthentication no

Figure 13: Modify settings in sshd_config

Uncomment and set the other important settings in the config file as follows, then save the file (see figure 13):

PubkeyAuthentication yes
AuthorizedKeysFile    .ssh/authorized_keys
ChallengeResponseAuthentication no

Restart the sshd service to enable the changes in the config file by running command.

$ sudo systemctl restart sshd
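
Because sshd uses the first value it finds for each keyword and ignores commented lines, an edit can look right in the editor and still leave passwords enabled. The script below is an added example, not part of the original tutorial, that reports the effective global values of the three settings above; the function names are hypothetical, the fallback defaults are the upstream OpenSSH defaults (an assumption about your build), and it assumes plain “Keyword value” lines.

```sh
#!/bin/sh
# Added example (not from the original tutorial): check that an sshd_config
# file enforces key-only logins. Function names are hypothetical.

effective_value() {   # usage: effective_value <file> <keyword>
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                 # comments and blanks are inert
        tolower($1) == "match" { exit }         # global section ends at first Match
        tolower($1) == tolower(want) {          # keywords are case-insensitive
            print tolower($2); exit             # first occurrence wins
        }
    ' "$1"
}

audit_key_only() {    # usage: audit_key_only <file>; returns 0 if key-only
    cfg=$1
    rc=0
    # Columns: keyword, value wanted by the tutorial, assumed upstream default.
    while read -r key expected default; do
        got=$(effective_value "$cfg" "$key")
        [ -n "$got" ] || got=$default           # unset keyword falls back to default
        if [ "$got" != "$expected" ]; then
            echo "FAIL $key: effective '$got', expected '$expected'"
            rc=1
        fi
    done <<EOF
PasswordAuthentication no yes
PubkeyAuthentication yes yes
ChallengeResponseAuthentication no yes
EOF
    return $rc
}
```

On the server, run audit_key_only /etc/ssh/sshd_config before restarting, and also run “sudo sshd -t”, which makes sshd parse the file and report errors such as a misspelled keyword without touching the running service.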

From now on, it’s possible to log into the server using SSH keys only, not a password. Zero risk of password brute-forcing!

We’re not done yet. The firewall has to be set up with firewall-cmd to allow SSH through.

Configure firewall-cmd for ssh

In CentOS 7, the default tool used to configure firewall policies is called firewall-cmd. It has replaced iptables, which was used in CentOS 6.6 and earlier versions. firewall-cmd uses the firewalld service to apply configuration changes without stopping current connections.

Configure firewall-cmd to allow ssh connections.

To check status of firewall-cmd and start firewalld service, run commands.

$ sudo firewall-cmd --state
$ sudo systemctl start firewalld

To enable it to run at boot-time, run command:

$ sudo systemctl enable firewalld

Firewalld uses the concept of ‘zones’ to label the trustworthiness of other hosts on the network. The labeling then allows different rules to be assigned to specific networks. In this demonstration, we’ll adjust the SSH policies for the default zone. To check the default zone, run the command:

$ sudo firewall-cmd --get-default-zone

To check all the services and ports that are allowed through the firewalld filter, run the command:

$ sudo firewall-cmd --list-all

Figure 14: Firewall-cmd commands

In our case, the default zone is trusted. We’ll now add ssh-service as an approved service in firewalld, by running the command.

$ sudo firewall-cmd --permanent --add-service=ssh

Then to enable and apply the changes to the default interface run:

$ sudo firewall-cmd --reload

If you desire to change the default port of ssh server from 22 to let’s say 4445, you can add port 4445 explicitly by running the commands below.

$ sudo firewall-cmd --permanent --remove-service=ssh
$ sudo firewall-cmd --permanent --add-port=4445/tcp

Also, change the port from 22 to 4445 by editing the line in /etc/ssh/sshd_config file:

Port 4445

Save the file and restart the sshd service.

 
