Take one look at /var/log/secure on an Internet-connected server and you'll immediately understand the need for securing your root account. The bad guys are constantly attempting root and other usernames to attempt to login to your server using SSH or some other protocol. If you use a simple password, it's only a matter of time before your server is compromised by a password-guessing attack. Best practice is to disallow SSH logins by root, thus eliminating a big part of the risk. The problem is that doing so also eliminates a lot of convenience for sys admins and complicates the use of tools such as WinSCP for file copy from your Windows desktop or laptop to your Linux or UNIX server.



A fairly simple solution is to use public/private keypairs for authentication. The public key is stored on the Linux/UNIX server and the private key is stored on your local Windows computer. When you attempt to connect to the Linux/UNIX server from your Windows computer, authentication is done with the keypair instead of a password. Password authentication is actually disabled for root, so no amount of password guessing will work for authentication.

Here's how to do it:

Start by downloading the PuTTY Windows installer from http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.60-installer.exe. Run the installer on your local Windows computer.

Now, you must generate the keypairs. The PuTTY Windows installer you just ran installs an application called PuTTYgen that you can use to generate the keypairs. The installer probably placed PuTTYgen (and the other PuTTY applications) in Start>>All Programs>>PuTTY.

When you run PuTTYgen for the first time, you must generate a new keypair. At the bottom of the PuTTYgen window are three parameters choices including SSH-1 (RSA), SSH-2 RSA, and SSH-2 DSA. SSH-2 RSA is the default choice with a default key length of 1024 bits. Longer key lengths are more secure, but require more processing power. 1024 bits is an acceptable compromise at this time (late 2008), but may not be acceptable in the future as computer processing power continues to increase.

Click the button labeled Generate to produce your public and private keys. (You must move your mouse pointer over the blank area at the top of the screen to generate some randomness for use in producing the keypair. Just move your mouse pointer in a cirular motion over the blank area until the progress bar reaches the far right side and PuTTYgen generates the keys.)

You can now save the private key on your local laptop or desktop computer and copy the public key to the remote Linux/UNIX server.

Enter and confirm a passphrase to protect the private key in the two fields in PuTTYgen.

Click the button labeled Save private key and select a location on your local hard drive to save the private key. (Remember to protect your private key by storing it securely!)

Copy the jibberish text that is the public key (at the top of the PuTTYgen window) and paste it into /root/.ssh/authorized_keys on your server (you'll might have to create the .ssh directory and you'll probably have to create the authorized_keys file).

On your Linux/UNIX server, inspect /etc/ssh/sshd_config to ensure that RSA authentication and public key authentication are both allowed. If not, change "no" to "yes" or uncomment the lines to allow said authentication. Also, ensure that the path to the authorized_keys file is set to "%h/.ssh/authorized_keys" and uncomment the line. (I found the three lines at line 43 on a RedHat system and line 29 on a Debian system.) When you're done, the lines should look like this:

RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile %h/.ssh/authorized_keys

Test the configuration by attempting to log on as root using PuTTY with private key authentication: From your Windows workstation, start PuTTY and enter the hostname or IP address of your server in the Host Name (or IP address) field.

In the left pane of the PuTTY window, under Category, expand SSH and click on Auth.

Click on the buttown labeled Browse... and find the private key file you saved earlier.

Click the button labeled Open to start the session When prompted for a username, enter "root"

If your configuration is correct, you'll be prompted for the private key passphrase. If you enter it correctly, you should be authenticated as root and see a privileged prompt (On systems using the BASH shell, you should see a pound sign (#).)

You must also disable root password authentication in order to limit the root account to private key authentication.

Open /etc/ssh/sshd_config for editing and modify the line that reads "PermitRootLogin yes" to read "PermitRootLogin without-password".

Restart the ssh daemon: #/etc/init.d/sshd restart on Red Hat systems or /etc/init.d/ssh restart on Debian systems

Attempt to do a password-based login on the Linux/UNIX server. It should be denied. Attempt to perform a private key-based login on the Linux/UNIX server as before. It should be successful.

You can use the private key with PuTTY and WinSCP. I ran into errors when I tried to use it with Tera Term, but Tera Term now includes a keygen utility which seems to work fine with Tera Term, if that's your preference.

Copyright (c) 2008 Don R. Crawley