How to set up SSH keys on CentOS 7


SSH is an encrypted protocol used to administer and communicate with servers. When working with a CentOS server, you will most likely spend most of your time in a terminal session connected to the server over SSH.

Here we focus on setting up SSH keys for a vanilla CentOS 7 server installation. SSH keys provide a straightforward and secure way of logging into the server and are recommended for all users.


Creating an RSA key pair

The first step is to create a key pair on the client machine (usually your own computer):

$ ssh-keygen

By default, ssh-keygen creates a 2048-bit RSA key pair, which is secure enough for most use cases; you may optionally pass the -b 4096 flag to create a larger 4096-bit key.

After entering the command, you will see the following prompt:

Output

Generating public/private rsa key pair.

Enter file in which to save the key (/your_home/.ssh/id_rsa):


Press Enter to save the key pair in the .ssh/ subdirectory of your home directory, or specify an alternate path.
If you have previously generated an SSH key pair, you may see the following prompt:

Output
/home/your_home/.ssh/id_rsa already exists.
Overwrite (y/n)?

If you choose to overwrite the key on disk, you will no longer be able to authenticate using the previous key. Be careful when selecting yes, as this is a destructive process that cannot be reversed.
You should then see the following prompt:

Output
Enter passphrase (empty for no passphrase):


Here you may optionally enter a secure passphrase, which is highly recommended. A passphrase adds an additional layer of security: someone who obtains the private key file still cannot log in without it. You will then see the following output:

Output

Your identification has been saved in /your_home/.ssh/id_rsa.
Your public key has been saved in /your_home/.ssh/id_rsa.pub.
The key fingerprint is:
a9:49:2e:2a:5e:33:3e:a9:de:4e:88:11:38:b6:70:36 username@remote_host
The key's randomart image is:

+--[ RSA 2048]----+
| ..o |
| E o= . |
| o. o |
| .. |
| ..S |
| o o. |
| =o.+. |
|. =++.. |
|o=++. |
+-----------------+


You now have a public and a private key that you can use to authenticate. The next step is to place the public key on the server so that you can use SSH-key-based authentication to log in.


Copying the Public Key to the CentOS Server

The quickest way to copy your public key to the CentOS host is to use the ssh-copy-id utility. Because of its simplicity, this method is highly recommended if it is available. If ssh-copy-id is not available on your client machine, you can use one of the two alternative methods described below: copying via password-based SSH, or manually copying the key.


Copying the public key using ssh-copy-id

The ssh-copy-id tool is included by default in many operating systems, so it may already be available on your local system. For this method to work, you must have password-based SSH access to the server.

To use the utility, you only need to specify the remote host to connect to and the user account to which you have password-based SSH access. This is the account to which your public SSH key will be copied.

The syntax is:

$ ssh-copy-id username@remote_host

You may see the following message:


Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:66:fe:72:84:e1:44:00:ad:d6:6d:21:fe.
Are you sure you want to continue connecting (yes/no)? Yes

This means your local computer does not recognize the remote host, which happens the first time you connect to a new host. Type "yes" and press ENTER to continue. If you have another way to see the server's host key fingerprint (for example on its console), compare it with the one shown before accepting.

The utility will scan your local account for the id_rsa.pub key created earlier. When it finds the key, it will prompt you for the password of the remote user's account:


Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@203.0.113.1's password:


Type in the password (your typing will not be displayed, for security purposes) and press ENTER. The utility will connect to the account on the remote host using the password you provided and copy the contents of your ~/.ssh/id_rsa.pub key into a file called authorized_keys in the remote account's ~/.ssh directory.


You should see the following output:

Output
Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'username@203.0.113.1'"
and check to make sure that only the key(s) you wanted were added.

At this point, your id_rsa.pub key has been uploaded to the remote account. You can continue to the next step.


Copying the public key using SSH

If you do not have ssh-copy-id available, but you do have password-based SSH access to an account on the server, you can upload your key using a conventional SSH connection.

You can do this by using the cat command to read the contents of the public SSH key on the local computer and piping that through an SSH connection to the remote server.

On the other side, you can make sure that the ~/.ssh directory exists and has the correct permissions under the account you are using.

You can then output the content piped over into a file called authorized_keys within this directory. Use the >> redirect symbol to append the content instead of overwriting it, which lets you add keys without destroying previously added keys.

The full command looks like this:

cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"

You may see the following message:

Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes


This means your local computer does not recognize the remote host, which happens the first time you connect to a new host. Type "yes" and press ENTER to continue.

You will then be prompted to enter the remote user account's password:

Output
username@203.0.113.1's password:

After entering your password, the content of your id_rsa.pub key will be copied to the end of the authorized_keys file of the remote user's account. Continue to the next step if this was successful.

If you do not have password-based SSH access to the server, you will have to complete the process manually.


Copying the public key manually

We will manually append the content of your id_rsa.pub file to the ~/.ssh/authorized_keys file on the remote machine. To display the content of your id_rsa.pub key, type the following on your local computer:


$ cat ~/.ssh/id_rsa.pub

You will see the key's content, which looks something like this:

Output
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== demo@test


Access your remote host using whichever method you have available.

Once you have access to your account on the remote server, make sure the ~/.ssh directory exists. This command will create the directory if necessary, or do nothing if it already exists:

$ mkdir -p ~/.ssh

Now you can create or modify the authorized_keys file within this directory. Add the contents of your id_rsa.pub file to the end of the authorized_keys file, creating it if necessary, with the following command:

$ echo public_key_string >> ~/.ssh/authorized_keys

In the command above, substitute public_key_string with the output of the cat ~/.ssh/id_rsa.pub command you executed on your local system. It should start with ssh-rsa AAAA...

Finally, ensure that the ~/.ssh directory and the authorized_keys file have the appropriate permissions set:


$ chmod -R go= ~/.ssh

This removes all group and other permissions for the ~/.ssh directory. If you are using the root account to set up the keys for a user account, it is also important that the ~/.ssh directory belongs to that user and not to root:

$ chown -R yummy:yummy ~/.ssh

Here the user is named yummy; substitute the appropriate username in the command above. Note that when you run this as root, ~ expands to root's home directory, so give the user's path explicitly (for example /home/yummy/.ssh).
You can now attempt passwordless authentication to the server.
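As an added example (not from the original tutorial), the shell function below performs the manual steps above (create ~/.ssh, append the key, fix permissions) idempotently: it checks that the input is a public key line, skips the key if it is already present, and sets the owner-only permissions sshd expects. The file paths are caller-supplied; the key material used for testing is constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: install a public key into an
# authorized_keys file the way the manual steps do, but idempotently and with
# the owner-only permissions sshd's StrictModes checks for.
# Usage: install_pubkey <public key file> <authorized_keys file>
# Paths are caller-supplied; the test uses constructed files under mktemp.

install_pubkey() {
    pubkey_file=$1
    auth_file=$2
    ssh_dir=$(dirname "$auth_file")

    # A public key line is "<type> <base64 blob> [comment]". Refuse anything
    # else so a stray prompt or a partial paste never lands in authorized_keys.
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "install_pubkey: not a public key line: $pubkey_file" >&2; return 1 ;;
    esac

    # Compare type and key material only, so the same key with a different
    # comment is not appended a second time.
    key_body=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')

    mkdir -p "$ssh_dir"
    touch "$auth_file"
    if ! awk '{print $1, $2}' "$auth_file" | grep -qxF -- "$key_body"; then
        printf '%s\n' "$key_line" >> "$auth_file"   # the ">>" append from the tutorial
    fi

    # Same effect as "chmod -R go= ~/.ssh": no group or other access at all.
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"
}
```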


Authenticating to the CentOS Server Using SSH Keys

If you have successfully completed one of the procedures above, you should be able to log into the remote host without the remote account's password.
The basic process is the same:

$ ssh username@remote_host

If this is the first time you are connecting to this host, you may see something like this:

Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:66:fe:74:84:e1:44:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes


This means your local computer does not recognize the remote host. Type "yes" and press ENTER to continue.

If you supplied a passphrase for the private key when you created it, you will be prompted to enter it now. After authenticating, a new shell session opens for the configured account on the CentOS server.

If key-based authentication succeeded, continue on to learn how to further secure your system by disabling password authentication.


Disabling the Password Authentication on the Server

If you were able to log into your account using SSH without a password, you have successfully configured SSH-key-based authentication for that account. However, password-based authentication is still active, which means the server is still exposed to brute-force attacks.

Before completing these steps, make sure that you either have SSH-key-based authentication configured for the root account on the server, or for a non-root account on the server with sudo privileges. This step locks down password-based logins, so it is essential to confirm that you will still be able to get administrative access.

Once you have confirmed that your remote account has administrative privileges, log into the remote server with your SSH keys, either as root or as an account with sudo privileges. Then open the SSH daemon's configuration file:

$ sudo vi /etc/ssh/sshd_config


Inside the file, search for a directive called PasswordAuthentication. It may be commented out. Press i to insert text, then uncomment the line and set the value to "no". This disables the ability to log in via SSH using account passwords:

/etc/ssh/sshd_config
...
PasswordAuthentication no
...


When you have finished making your changes, press ESC and then :wq to write the changes to the file and quit. To actually implement these changes, restart the sshd service:

$ sudo systemctl restart sshd.service

As a precaution, open a new terminal window and test that the SSH service is functioning correctly before closing your current session:

$ ssh username@remote_host

Once you have verified your SSH service, you can safely close all current server sessions.
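As an added example, not part of the original tutorial, this shell function makes the sshd_config edit above without opening vi: it finds the named directive whether it is active or commented out, sets it, comments out any later active duplicate (sshd honours the first occurrence), and appends the directive if it is missing entirely. It assumes the directive is in the global section of the file and not inside a Match block; the configuration fragment used for testing is constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: set one directive in an
# sshd_config file in place. Handles the directive being commented out
# ("#PasswordAuthentication yes"), already active, or absent. Assumes the
# directive lives in the global section (Match blocks are not handled).
# Usage: set_sshd_directive <config file> <Directive> <value>

set_sshd_directive() {
    cfg=$1
    name=$2
    value=$3
    tmp=$(mktemp) || return 1

    awk -v name="$name" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)     # drop indentation and one leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(name)) { # directive names are case-insensitive
                if (!done) {
                    print name, value             # first occurrence becomes the setting
                    done = 1
                } else if ($0 ~ /^[ \t]*#/) {
                    print                         # later commented copies stay as they are
                } else {
                    print "#" $0                  # later active copies are disabled, since
                }                                 # sshd honours the first occurrence only
                next
            }
            print
        }
        END { if (!done) print name, value }      # directive absent: append it
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Copy back over the original so its owner and mode (root, 0600) survive.
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}
```

Run sudo sshd -t after the edit and before systemctl restart sshd.service; it only parses the configuration and reports errors, without restarting anything.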