Download PuTTYgen onto the Windows machine as shown in figure 1.
Then start the program and click the "Generate" button as shown in figure 2.
Move the mouse randomly over the blank area while the key pair is being generated, as shown in figure 3; PuTTYgen collects the mouse movements as randomness for the key and will not finish until it has gathered enough.
Next, there is the option to protect the private key with a passphrase. If you leave the passphrase blank, you'll be able to use the private key for authentication without entering a passphrase, which also means that anyone who obtains the .ppk file can log in with it. If you enter a passphrase, you will need both the private key and the passphrase to log in. In this tutorial, we'll leave it blank, as shown in figure 4; on a real workstation, set a passphrase and let Pageant (PuTTY's key agent) hold the unlocked key so you don't have to retype it.
Save the private key by clicking the "Save private key" button.
Then copy the highlighted text under "Public key for pasting into OpenSSH authorized_keys file", starting with "ssh-rsa", to the clipboard, as shown in figure 4. This text will be pasted later into the authorized_keys file on the remote CentOS 7 server. Do not use the "Save public key" button for this: it writes the SSH-2 (RFC 4716) public key format, which sshd does not accept in authorized_keys.
Now, ssh into the remote Centos 7 Server using putty.
Log into remote server
Download PuTTY from its official website (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) and install it on the Windows machine as shown in figure 5.
Run the PuTTY application, enter the IP address of the remote CentOS 7 server, and log in with the user name (linuxuser in this tutorial) and password at the prompt in PuTTY's terminal window, as shown in figure 6.
Install SSH package
As shown in figure 7, install the ssh server package by running the command (it is normally already present, since you have just logged in over ssh, in which case yum reports that there is nothing to do):
$ sudo yum install -y openssh-server
Then start the sshd service and enable it at boot-time as shown in figure 8.
$ sudo systemctl start sshd
$ sudo systemctl enable sshd
The next step is to copy the public key to the server.
Copy the SSH Public Key in the Remote Server
First, create the directory named ".ssh" in the home folder of the user account "linuxuser" (the account that will log in with the key).
$ mkdir -p ~/.ssh
OR
$ mkdir -p /home/linuxuser/.ssh
Then create the file named "authorized_keys" by running the command:
$ nano ~/.ssh/authorized_keys
(If you get the error "nano: command not found", install it, as shown in figure 9, by running the command:)
$ sudo yum install -y nano
Then paste the public key from the clipboard into the nano editor (a right-click pastes in PuTTY), save with Ctrl-O followed by Enter, and exit with Ctrl-X, as shown in figure 10.
Special Note: The key has to be all on one line: "ssh-rsa", the base64 blob and the optional comment, separated by single spaces. If it's wrapped onto more than one line, sshd will not recognize it, and the connection will fall back to password authentication or fail.
Now set the correct permissions on the directory and file. With its default setting StrictModes yes, sshd ignores authorized_keys if the file, the .ssh directory, or the home directory itself is writable by group or others.
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
Restarting sshd is not required for authorized_keys changes (sshd reads the file at each login), but it does no harm:
$ sudo systemctl restart sshd
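As an added example (not part of the original tutorial), the following shell script performs the authorized_keys steps above in one function and enforces the checks a practitioner would want: it refuses a key that has been wrapped across lines, creates the directory and file with the 700/600 modes, removes group and world write permission from the home directory (sshd's default StrictModes ignores authorized_keys otherwise), and does not add the same key twice. The key string and home directory in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# install_pubkey KEY HOME_DIR: append an OpenSSH-format public key (the single
# "ssh-rsa AAAA..." line copied from PuTTYgen) to HOME_DIR/.ssh/authorized_keys
# with the permissions sshd requires. Run as the target user or as root.

# Return 0 if KEY is exactly one line in OpenSSH authorized_keys format.
valid_pubkey() {
    # A key wrapped over several lines contains a newline: that is the
    # "error during connection" case the tutorial warns about.
    [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || return 1
    # key type, base64 blob, optional comment
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

install_pubkey() {
    ipk_key="$1"
    ipk_home="$2"
    ipk_dir="$ipk_home/.ssh"
    ipk_auth="$ipk_dir/authorized_keys"

    if ! valid_pubkey "$ipk_key"; then
        echo "refusing key: must be one line in OpenSSH format" >&2
        return 1
    fi

    # Same layout and modes as the tutorial's mkdir/chmod steps.
    mkdir -p "$ipk_dir"
    chmod 700 "$ipk_dir"
    touch "$ipk_auth"
    chmod 600 "$ipk_auth"

    # With StrictModes (the default) sshd ignores authorized_keys when the
    # home directory is writable by group or others.
    chmod go-w "$ipk_home"

    # Idempotent: match on the "type blob" fields, ignoring the comment.
    ipk_blob=$(printf '%s\n' "$ipk_key" | awk '{print $1 " " $2}')
    if ! grep -qF -- "$ipk_blob" "$ipk_auth"; then
        printf '%s\n' "$ipk_key" >> "$ipk_auth"
    fi
}

# key_count HOME_DIR: number of keys sshd will consider in authorized_keys.
key_count() {
    grep -cE '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys"
}

# Command-line use (constructed values, for illustration):
#   sh install_pubkey.sh 'ssh-rsa AAAAB3Nza...== linuxuser@winbox' /home/linuxuser
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```

Running it twice with the same key leaves a single entry, and a key that arrived wrapped (for example, pasted through an editor that broke the line) is rejected before it ever reaches the file, so the failure shows up here rather than as a silent fallback to password authentication at login time.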
Now, test if the ssh key pair is really working.
Test ssh key pair functionality
Close the current session and run the PuTTY program again.
Go to Connection > SSH > Auth, as shown in figure 11, browse to the saved private key (.ppk file) and load it. Go back to Session, enter the server's IP address, save the session under a name you'll recognize, then open it and log in as linuxuser.
It is indeed successful, as shown in figure 12: the line "Authenticating with public key" in the PuTTY window confirms that the key, not a password, was used.
Now that the ssh key pair is verified to work, it's a BEST practice to disable password authentication by editing the ssh daemon's configuration file "sshd_config". This removes the risk of an attacker brute-forcing or guessing the account password over ssh.
Edit the sshd_config file
Let’s edit the configuration file by running command:
$ sudo vi /etc/ssh/sshd_config
See figure 13. Set the value of PasswordAuthentication to "no":
PasswordAuthentication no
Uncomment and set the other important settings in the config file as follows and save the file (see figure 13). Note that the directive is spelled AuthorizedKeysFile; sshd also uses the first active occurrence of each keyword, so make sure no earlier line in the file already sets one of them to a different value:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
Before restarting, check the file for syntax errors with sshd's test mode (the -t option), and keep the current PuTTY session open until a fresh key-based login in a second window succeeds, so a mistake cannot lock you out. Then restart the sshd service to apply the changes by running the command:
$ sudo systemctl restart sshd
From now on, the server accepts ssh logins with keys ONLY and NOT with a password, so online password guessing against sshd is no longer possible. What must now be protected is the private key file (and its passphrase, if you set one).
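Two things are easy to get wrong when editing sshd_config by hand: sshd uses the first active occurrence of a keyword and ignores later ones, so a directive appended at the end of the file does nothing if an earlier line already sets it, and global directives must precede any Match block. The shell script below is an added example, not from the original tutorial: set_option replaces the first occurrence of a keyword (commented or not), comments out later active duplicates, and inserts before the first Match block if the keyword is absent; effective_option prints the value sshd will actually use; harden_sshd_config applies the four settings above. The same set_option handles the Port change described later on this page. It assumes the stock CentOS 7 layout (no Include directives); run it against a copy of the file first.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Edit sshd_config the way sshd reads it: the first active "Keyword value"
# line wins, keyword matching is case-insensitive, and global directives
# must come before any Match block. Assumes the stock CentOS 7 file layout.

# effective_option FILE KEYWORD: print the value sshd will use, or nothing.
effective_option() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }                    # globals end here
        $1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# set_option FILE KEYWORD VALUE: make "KEYWORD VALUE" the effective setting.
set_option() {
    so_file="$1"
    so_tmp="$1.tmp.$$"
    awk -v k="$2" -v v="$3" '
        BEGIN { done = 0; inmatch = 0 }
        # Place the directive before the first Match block if not placed yet.
        tolower($1) == "match" {
            if (!done) { print k " " v; done = 1 }
            inmatch = 1
        }
        !inmatch && (tolower($1) == tolower(k) || tolower($1) == ("#" tolower(k))) {
            if (!done) { print k " " v; done = 1; next }   # replace first occurrence
            if ($1 !~ /^#/) { print "#" $0; next }         # neutralize active duplicates
        }
        { print }
        END { if (!done) print k " " v }
    ' "$so_file" > "$so_tmp" && mv "$so_tmp" "$so_file"
}

# The four settings from the tutorial, in one call.
harden_sshd_config() {
    set_option "$1" PasswordAuthentication no
    set_option "$1" PubkeyAuthentication yes
    set_option "$1" AuthorizedKeysFile .ssh/authorized_keys
    set_option "$1" ChallengeResponseAuthentication no
}

# Usage: harden a copy, check it with sshd's test mode, then install it.
#   cp /etc/ssh/sshd_config /tmp/sshd_config.new
#   harden_sshd_config /tmp/sshd_config.new
#   effective_option /tmp/sshd_config.new PasswordAuthentication   # prints "no"
#   sudo sshd -t -f /tmp/sshd_config.new && sudo cp /tmp/sshd_config.new /etc/ssh/sshd_config
#   sudo systemctl restart sshd
```

The first-match rule is why effective_option exists: on a file that already contains an active "PasswordAuthentication yes" followed by a hand-appended "PasswordAuthentication no", sshd still allows passwords, and this function reports "yes" until set_option has rewritten the earlier line. Always run the -t check and open a second PuTTY session before closing the one you edited from.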
This is not yet over. The firewall has to be configured, with firewall-cmd, to let ssh traffic through.
Configure firewall-cmd for ssh
In CentOS 7, the default firewall is firewalld, managed with the firewall-cmd command. It replaces the iptables service that was the management front end in CentOS 6 and earlier (the kernel still enforces the rules through iptables/netfilter underneath). Because firewalld is a running daemon, it can apply configuration changes without flushing the rule set and dropping current connections.
Configure firewall-cmd to allow ssh connections.
To check whether firewalld is running, and to start it if it is not, run the commands:
$ sudo firewall-cmd --state
$ sudo systemctl start firewalld
To enable it to run at boot-time, run command:
$ sudo systemctl enable firewalld
Firewalld uses the concept of 'zones' to express how much the hosts on a given network are trusted: each interface or source address is assigned to a zone, and each zone carries its own set of rules. In this demonstration, we'll adjust the ssh policy of the default zone. To check which zone is the default, run the command:
$ sudo firewall-cmd --get-default-zone
To list the services and ports the default zone allows, run the command:
$ sudo firewall-cmd --list-all
In our case, the default zone is trusted. Note that the trusted zone accepts every incoming connection, so adding a service to it changes nothing in practice; on a stock CentOS 7 install the default zone is public, which already allows the ssh service. For any zone where ssh is not listed, add the ssh service as an approved service in firewalld by running the command:
$ sudo firewall-cmd --permanent --add-service=ssh
Then reload firewalld so that the permanent rules become the active ones:
$ sudo firewall-cmd --reload
If you want to change the default ssh port from 22 to, let's say, 4445, open the new port in the firewall first, while your current session stays connected, and then remove the ssh service entry, which only covers port 22. Reload firewalld afterwards as above.
$ sudo firewall-cmd --permanent --add-port=4445/tcp
$ sudo firewall-cmd --permanent --remove-service=ssh
Also change the port from 22 to 4445 by editing the Port line in the /etc/ssh/sshd_config file (uncomment it if it reads "#Port 22"):
Port 4445
On CentOS 7, SELinux only lets sshd bind to ports labelled ssh_port_t, so with SELinux enforcing you must also label port 4445 with the semanage port command (from the policycoreutils-python package) before restarting sshd; otherwise the service fails to start. Save the file, restart the sshd service, and confirm that a second PuTTY session on port 4445 succeeds before closing the first one.