Setting up SSH with password and key authentication

Secure Shell (SSH) and using it effectively is paramount in secure remote device access and management. In this guide we'll first run through setting up password SSH access before disabling this and moving to the preferred method; key authentication.

Lab Setup

  1. GNS3 as the network emulation software.
    Network topology diagram showing Kali Linux and Windows 10 machines connected via a Cisco switch and home router
  2. I have my 2 PC's (Kali and Windows10).
  3. A CISCO layer 2 switch (Switch1).
  4. A home router.

IP Schema

The IP schema for this lab will be 192.168.122.0/24. This will give us 254 useable addresses (256 - broadcast address - network address). The subnet mask will be 255.255.255.0. My machines will be allocated IP addresses through the DHCP service running on my router.

SSH with password authentication

First, let's see what IP addresses my 2 PC's have been allocated; my Kali machine is: Kali Linux terminal showing ifconfig output with assigned IP address My Windows10 machine is: Windows 10 command prompt showing ipconfig output with assigned IP address We are going to enable SSH access on our Kali machine. To do this, we need to edit our SSH configuration to allow password authentication. We access this file with the following command:

sudo nano /etc/ssh/sshd_config

We are going to uncomment the following 2 settings, 'Port 22' and 'PasswordAuthentication yes'. sshd_config file with 'Port 22' line uncommented sshd_config file with 'PasswordAuthentication yes' line uncommented We now need to start the SSH server on the Kali machine: Kali terminal running 'sudo service ssh start' to start the SSH daemon At this point we ready to connect via SSH from our Windows10 machine. In this guide I am using an application called PuTTY - it has a ton of functionality, but I will just be using it for its SSH capability. PuTTY main window with the Kali machine IP entered in the Host Name field and port 22 selected All I have done is started up the application and entered the IP address of the Kali machine into the 'Host Name or IP address' field and the port of 22. Remember this is the port we uncommented out on our SSH config on the Kali machine. If we were to change this default SSH port, we would need to enter that port here also. All we need to do now is click 'Open' and PuTTY will attempt to establish a SSH session for us: PuTTY host key acceptance dialog on first connection PuTTY terminal prompting for kali username and password PuTTY opened a session for us and promoted us for a username and password, which is my case was 'kali' and 'kali' (press yes on the host key acceptance). Remember, the username and password are credentials that exist on the Kali machine not the Windows10 machine. At this point you now have a successful and authenticated SSH session from the Windows10 to Kali machines.

SSH with key authentication

While password authentication is a quick win, it's not the most secure. It is susceptible to password attacks such as bruteforce and offline hash cracking if password dumps have been acquired etc. The following process we are now going to follow is:

  1. Create a private/public key pair (4096-bits).
  2. Using the public key, setup an authorised key file on the Kali machine.
  3. Transfer the private key to the Windows10 machine.
  4. On the Windows10 machine, convert the private key to a PuTTY Private Key (.ppk) file for use with PuTTY.
  5. On the Kali machine re-configure the SSH configuration file to only accept key authentication.
  6. SSH into the Kali machine from Windows10 using PuTTY in conjunction with the private key file for authentication.
First we need to create a private/public key pair, to do this we use the following command: Kali terminal running ssh-keygen with RSA 4096-bit parameters Notice I have set the parameters to RSA at a strength of 4096-bits. You will also notice the keys have been saved in the directory /home/kali/.ssh/ not the directory I am currently in /etc/ssh. I am now going to create a file authorized_keys which will be a carbon copy of my public key file id_rsa.pub: Creating an authorized_keys file by copying id_rsa.pub on the Kali machine At this stage, make sure the permissions have been set correctly for this file, as well as the .ssh folder: Setting correct permissions on ~/.ssh directory (700) and authorized_keys file (600) The next step is to transfer our private key (id_rsa) to our Windows10 machine. Luckily for us PuTTY comes packaged with CLI tool that will allow us to easily do this. On my Windows10 host I open a CMD window and run the following: Windows CMD running pscp to copy the private key from the Kali machine Confirmation that id_rsa private key was copied to the Windows user directory All this is doing, is using the PuTTY Secure Copy (pscp) application to log into our Kali machine and download the directed file id_rsa. It is then placing it in my Windows10 accounts user directory. At this point we need to convert the private key to a PuTTY readable private key file. To do this we will use another application packaged with PuTTY called PuTTYgen. To find it simply open Start and start typing 'puttygen', it should quickly show up: Windows Start menu search showing the PuTTYgen application Load this application, select conversions and then import key: PuTTYgen Conversions menu with Import key option highlighted It will ask you to select the private key file you want to import - this will be the file we downloaded from the Kali machine: PuTTYgen file picker selecting the id_rsa private key for import Once loaded in, select save private key and choose a location to save to: PuTTYgen Save private key dialog after importing the OpenSSH key I chose not to protect it with a passphrase but in reality, you really should for the added protections. I saved my key to the desktop: Saved .ppk private key file on the Windows desktop Let's switch back to our Kali machine and get it ready for SSH key authentication. We are going to be editing the same SSH configuration file again:

sudo nano /etc/ssh/sshd_config

This time we will re-comment PasswordAuthentication: sshd_config file with PasswordAuthentication line re-commented to disable password auth We need to enable key authentication and tell our SSH service where to look for keys, I have highlighted them here: sshd_config file with PubkeyAuthentication enabled and AuthorizedKeysFile path set Notice the authorized_keys file is the one we created earlier containing our public key. Save the file and exit. At this point we best restart our SSH service:

sudo service ssh restart

Jumping back our Windows10 machine we are now ready to attempt a SSH session with key authentication. Load the PuTTY client and select auth > credentials. Click browse and select the private key file we created: PuTTY Auth > Credentials pane with the .ppk private key file selected for SSH authentication Once entered, move back up to session and in the hostname/IP we enter our username (username on the kali machine) followed by the IP address of the Kali machine. We also ensure port 22 is selected:

[email protected]

PuTTY Session pane with kali@192.168.122.29 as the host and port 22 selected I now click open and key authentication occurs: Successful SSH session into Kali via PuTTY using key-based authentication, no password prompt At this point we were straight into the Kali machine without the requirement of entering a username or password. The key pair itself authenticates us. At this stage we are pretty much ready to go - it goes without saying though, the private key file is now the key to the kingdom.