Overview
Controlling who can log in to your server is critical, and one of the most effective ways to lock down SSH access is to require public key authentication. Public key authentication uses a pair of keys: a public key, which is placed on the server, and a corresponding private key, which stays on the user's machine. The private key is a secret file that proves to the server that its owner holds the counterpart to the installed public key; only someone who holds the private key can connect.
Keys are generated with a chosen algorithm and size. RSA keys of 2048 to 4096 bits are the usual choice (Ed25519 keys are also a good option where your SSH client and server support them). DSA keys are limited to 1024 bits and are deprecated, and 1024-bit RSA is no longer considered strong enough, so do not generate new keys of either kind. A 2048-bit or larger RSA key cannot be recovered by brute force with any known practical attack; the realistic risk is not that the key will be broken but that the private key file will be copied, which is why protecting that file matters so much.
Some things to note when enabling public key authentication:
More difficult for users: You will need to instruct them on creating a key pair, installing the public key, and protecting their private key. Once they have their private key created and configured in their SSH program, there is no extra work involved. This added level of difficulty for users is definitely worth the extra security that public key authentication provides.
Private keys are precious: You and your users must treat private keys as highly secret items. They should never be shared or copied around, because anyone who obtains a private key can log in to your server as that user. This is why we recommend protecting private keys with a passphrase, so that only someone who both has the key file and knows the passphrase can connect. Treat a lost or stolen private key like a leaked password: remove its public key from the server immediately and generate a new pair.
Getting Started
OK, so now that we’ve convinced you that public key authentication is important to server security and that it is worth the extra bit of work, it’s time to get started. The first step to enabling public key authentication is notifying your users. You’ll need to make them aware of the change, and aware of the steps they need to take to work with this new system. Don’t worry, this is a simple step, and we’ve prepared some information for you:
Public Key Authentication Guide for Users
Click here for the guide.
Setting up Your Keys
You’ll need to create keys for your WHM user as well. To do this, go to Manage SSH Keys in WebHost Manager. You can then generate a key under Generate a New Key and use it according to the instructions in the guide for users.
Enabling Public Key Authentication and Disabling Password Authentication
Once you’ve created your public and private key pair, have downloaded the private key to your local machine, and are able to connect with your key through SSH, it’s time to turn off password authentication. To do this, go to Tweak Security in the Security section of WebHost Manager and configure the SSH Password Auth Tweak. Make sure this is set to disabled by clicking on Disable Password Auth. Keep your existing SSH session open while you make this change, so that you can undo it if the key login turns out not to work.
Then, from a second terminal, try connecting via SSH both with and without your private key. A connection that offers only a password should be refused with "Permission denied (publickey)"; a connection that presents your key should succeed. Only close your original session once you have confirmed both results.
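The check above relies on the server's sshd configuration actually enforcing key-only logins. Two things commonly undermine that: keyboard-interactive authentication left enabled (with UsePAM yes, PAM can still prompt for the account password even when PasswordAuthentication is off), and a Match block that re-enables password logins for particular users. The script below is an added example, not cPanel/WHM code; it audits an sshd_config text for those conditions, using two constructed sample configs rather than a real server's file. It assumes plain "Keyword value" lines (the "Keyword=value" form sshd also accepts is not parsed) and that, as sshd documents, the first occurrence of a directive in the global section is the one that takes effect.

```shell
#!/bin/sh
# Added example (not cPanel/WHM code): audit an sshd_config for key-only
# logins. The config texts below are constructed samples for illustration.

# Print the effective value of an sshd directive read on stdin, or "default"
# if it is never set. $1 is a case-insensitive ERE of directive names, so
# aliases can be checked together. sshd uses the first value it obtains for a
# keyword, and the global section ends at the first Match block.
sshd_setting() {
  awk -v pat="$1" '
    tolower($1) == "match" { exit }
    val == "" && tolower($1) ~ ("^(" tolower(pat) ")$") { val = tolower($2) }
    END { print (val == "" ? "default" : val) }
  '
}

# Exit 0 if any Match block (read on stdin) turns a password-style method
# back on for the users it matches, 1 otherwise.
match_reenables() {
  awk '
    tolower($1) == "match" { inmatch = 1; next }
    inmatch && tolower($1) ~ /^(passwordauthentication|challengeresponseauthentication|kbdinteractiveauthentication)$/ && tolower($2) == "yes" { found = 1 }
    END { exit (found ? 0 : 1) }
  '
}

# Report each finding and return 0 only if the config enforces key-only auth.
audit_sshd_config() {
  cfg=$1
  ok=0
  pw=$(printf '%s\n' "$cfg" | sshd_setting passwordauthentication)
  kbd=$(printf '%s\n' "$cfg" | sshd_setting 'challengeresponseauthentication|kbdinteractiveauthentication')
  pk=$(printf '%s\n' "$cfg" | sshd_setting pubkeyauthentication)

  if [ "$pw" = no ]; then echo "ok:   PasswordAuthentication no"
  else echo "FAIL: PasswordAuthentication is '$pw' (sshd default is yes)"; ok=1; fi

  # Keyboard-interactive is a separate method from PasswordAuthentication;
  # with UsePAM yes it can still prompt for the account password.
  if [ "$kbd" = no ]; then echo "ok:   keyboard-interactive authentication off"
  else echo "FAIL: KbdInteractive/ChallengeResponseAuthentication is '$kbd' (default yes); PAM can still ask for a password"; ok=1; fi

  if [ "$pk" = yes ] || [ "$pk" = default ]; then echo "ok:   PubkeyAuthentication on"
  else echo "FAIL: PubkeyAuthentication is '$pk'; with passwords off nobody could log in"; ok=1; fi

  if printf '%s\n' "$cfg" | match_reenables; then
    echo "FAIL: a Match block re-enables password-style authentication for the users it matches"; ok=1
  fi
  return $ok
}

# Constructed sample: what the global section should contain after the tweak.
LOCKED_DOWN_CONFIG='# constructed sample
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes'

# Constructed sample: looks locked down at a glance but still allows passwords
# (the PasswordAuthentication line is commented out, keyboard-interactive is
# on, and a Match block turns passwords back on for one account).
PASSWORD_STILL_ON_CONFIG='# constructed sample
Port 22
PubkeyAuthentication yes
#PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication yes'

for sample in "$LOCKED_DOWN_CONFIG" "$PASSWORD_STILL_ON_CONFIG"; do
  if audit_sshd_config "$sample"; then echo "=> key-only authentication enforced"
  else echo "=> password logins still possible"; fi
  echo
done
```

To run the same audit against a live server, pipe in the file the WHM tweak edits (normally /etc/ssh/sshd_config), or better, use sshd's own view of the effective settings with `sshd -T`, adding `-C user=NAME` to see what a given Match block produces. From the client side, `ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password,keyboard-interactive user@host` should be refused with "Permission denied (publickey)" once the server is correctly locked down.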
Password guessing and brute-force attacks against SSH will no longer get anyone in: sshd refuses any login that does not present a valid key. Access to your server now depends entirely on how well the private keys are protected, so keep them passphrase-protected and remove the public key of any user whose private key is lost or who no longer needs access.