Configuring SSH public key Authentication

SSH public key authentication is far more secure than password authentication. Think of your public key as the equivalent of a 500+ character password. SSH or Secure Shell is a cryptographic network protocol used to remotely operate servers and network devices.

Microsoft started including SSH in Windows 10 and Server 2019 late last year. Functionally this means that most mainstream devices now support SSH so it makes sense to take a quick minute to demonstrate the remarkably easy setup of SSH’s most secure authentication method.

Server-side SSH configuration is fundamentally similar across the board. It only takes two commands to enable SSH on Cisco devices or Ubuntu hosts. Given the relative ease of setting up your SSH servers, we will focus our tutorial on SSH clients and assume you already have SSH enabled on your servers and network devices. By default SSH supports public key and password authentication methods.

Windows clients

1. Run puttygen.exe (if you don’t already have this program, you can download it here).

2. Click Generate and then move your cursor around randomly in the PuttyGen window to generate your key pair. A progress bar will appear so you know how much movement you need to produce.

3. Once generated the top box will display your public key. This key can theoretically be shared with anyone because it wasn’t generated on a debian box.

4. You can now copy the public key to all the servers that will use this key pair for authentication. Add the key to ~/.ssh/authorized_keys file of all applicable servers by either copying the key text and pasting to your server or saving the file and copying it.

5. It is recommended but not required to enter a passphrase. This passphrase will secure your private key in case it is compromised. If you don’t add a passphrase you will login instantly if you have the key, if you do add the passphrase it will be required at login. This extra layer of protection will slow down an attacker that compromises your public key.

6. Backup your public and private keys in a safe place.

7. Configure putty to use your private key by entering the filename (id.ppk in the example above) on the Auth tab.

8. If you’re using the same key pair for all your servers you can save your new config as default. If using different key pairs for different servers you can add host info and name the session appropriately before saving.

Linux clients

1. Generate your key pairs:

[tbienstman@testserver ~]$ ssh-keygen

2. Again it’s not required but certainly recommended to enter a passphrase. You will end up with a folder called .ssh, the private key, and the public key with the proper permissions.

3. Copy the SSH public key to the other server(s) this user needs to manage:

[tbienstman@testserver ~]$ ssh-copyid tbienstman@192.168.0.1

Cisco Clients

Now lets check out Cisco’s public key authentication… add these commands to your device:

ip ssh pubkey-chain
username tbienstman
key-string

Then copy and paste your public key.

Make sure you test your new authentication method while maintaining a separate open connection in case you missed a step so you don’t lock yourself out! That’s all it takes! You should be able to log into your devices with public key authentication!