Public key authentication

[Update: November 1, 2018]

The following is information on Public key authentication.

Overview

Public key authentication is an authentication method in which only the holder of the private key generated as a pair with a registered public key is permitted to log in to the device holding that public key. Unlike password authentication, which is vulnerable to attacks and unauthorized logins, the risk of a breached login is significantly reduced as long as the private key is not stolen.

In SAKURA Cloud, public keys can be registered to the server through one of the following methods.

  1. Registering a public key to the control panel
  2. Direct entry of a public key at the time of server creation or disk modification

This page describes the key generation required to introduce public key authentication, public key authentication settings for the SSH daemon, and public key registration using the above two methods.

Key creation procedure

With public key authentication, a private key and a public key generated as a pair are used: the private key is kept by the client connecting via SSH, and the public key is registered on the target server.

The following outlines the procedure for generating a private key saved to the client and corresponding public key saved to the server.

Enter the following command to generate both keys.

# ssh-keygen -t rsa

You will be prompted for the location in which to save the key file. Enter the path of the save location, or, if the default location is acceptable, press Enter to continue. In this article, the key file location is described as “/root/.ssh/”.

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):

You will be asked to enter a passphrase. Enter your passphrase twice, pressing Enter each time to continue.

Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

*If a passphrase is not set, there is a high risk of unauthorized use in the event that the private key is stolen. If a passphrase has been set, it will be required every time the private key is used, improving security.

The following output indicates a key file has been generated successfully.

Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
<remainder omitted>

The content of /root/.ssh/id_rsa.pub is the public key. Make a copy of this content. *Please be careful not to leave a copy of it on the computer as a text file or in any other form.

# cat .ssh/id_rsa.pub
ssh-rsa
<remainder omitted>

Key registration

The following outlines the procedure for setting a generated public key for a server to which you want to log in by Public Key Authentication.

SAKURA Cloud provides a function for registering the public key used when logging in as the administrative user, either when creating a new server or when changing the OS configuration information on the disk using Disk Modification. Multiple public keys can be registered and managed on the control panel settings screen. Selecting a registered key at the time of server creation or disk modification makes it eligible for registration as the administrator user's public key.

* Depending on the OS on the disk and its configuration state, disk modification may not be possible.

1-1. Public key registration on the control panel

  1. Click Option.
  2. Click Public Key.
  3. Click Add.

Paste the content of id_rsa.pub mentioned above in the red framed text box then click Add.

The registered key will be listed as a public key.

1-2. Generating a public key on the control panel

  1. Click Option.
  2. Click Public Key.
  3. Click Add.

Click the Generate radio button, enter a passphrase and a name, and then click Generate at the bottom right.

Download a private key on the Private Key Download screen. Please note that for security reasons, a private key can be downloaded only once.

At the Public Keys list, you can confirm that the generated public key has been successfully added.

2-1. Specifying a registered public key when creating the server

On the Add Server screen, clicking the Select radio button in the public key section displays the registered keys. Tick the checkbox to the left of the key to use.

Additionally, you can limit SSH login to Public Key Authentication by enabling the Prohibit SSH Login Via Password/Challenge Response checkbox.

*Please note that users will then be unable to connect to the server via SSH by password authentication.
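The checkbox above changes the server's sshd_config. As an added example that is not part of the SAKURA Cloud documentation, the following POSIX shell script applies the same directives directly to a config file, for a server created without the checkbox or a daemon you administer yourself, and reads the effective values back. It assumes the directive names of a current OpenSSH sshd and takes the config file path as a parameter; the function names harden_sshd_config, set_sshd_directive and get_sshd_directive are this example's own.

```shell
#!/bin/sh
# Added example (not SAKURA Cloud's code): applies, in sshd_config, what the
# "Prohibit SSH Login Via Password/Challenge Response" checkbox does, and
# reads the resulting values back. The config path is a parameter so the
# script can be tried on a copy first.

# Directives to enforce. Each value is the corrected setting; the weak setting
# is whatever the file currently says (typically "PasswordAuthentication yes").
# ChallengeResponseAuthentication is the older name of
# KbdInteractiveAuthentication (renamed in OpenSSH 8.7); setting both covers
# old and new daemons.
HARDEN_DIRECTIVES='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no'

# set_sshd_directive FILE KEY VALUE
# Removes every active or commented-out global occurrence of KEY (sshd honours
# the FIRST occurrence, so a stray earlier "PasswordAuthentication yes" would
# silently win) and writes "KEY VALUE" once, just before the first Match block.
# Match blocks are left untouched and must be reviewed by hand. The relative
# order of managed directives is not preserved between runs.
set_sshd_directive() {
    cfg=$1; key=$2; val=$3
    tmp="$cfg.tmp.$$"
    awk -v key="$key" -v val="$val" '
        # true when the line is "KEY ..." or "#KEY ...", case-insensitively
        function is_key(line,   t) {
            t = line
            sub(/^[ \t]*#?[ \t]*/, "", t)
            if (tolower(substr(t, 1, length(key))) != tolower(key)) return 0
            return length(t) == length(key) || substr(t, length(key) + 1, 1) ~ /[ \t=]/
        }
        !in_match && tolower($1) == "match" { print key " " val; in_match = 1 }
        in_match   { print; next }
        is_key($0) { next }
                   { print }
        END { if (!in_match) print key " " val }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# get_sshd_directive FILE KEY
# Prints the value sshd would use for KEY in the global section (the first
# active occurrence), or nothing if it is not set explicitly.
get_sshd_directive() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd_config [FILE]   (default: /etc/ssh/sshd_config)
harden_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    while read -r key val; do
        [ -n "$key" ] || continue
        set_sshd_directive "$cfg" "$key" "$val"
    done <<EOF
$HARDEN_DIRECTIVES
EOF
}
```

Run it against a copy first (`cp /etc/ssh/sshd_config /tmp/sshd_config.test && harden_sshd_config /tmp/sshd_config.test`), validate with `sshd -t -f /tmp/sshd_config.test`, and keep an existing SSH session open while reloading the daemon, because once these directives are active a password login can no longer rescue a mistake in the key setup.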

2-2. Public key entry at the time of server creation

On the Add Server screen, click the Enter radio button to display the public key text box in which you can paste the content of id_rsa.pub mentioned above. In this case, public key registration through Settings → Public Key as described in step one is not required.

3. Public key registration through disk modification

In SAKURA Cloud, public key registration is possible at the time of server creation as well as afterward through Disk Modification. Click Modify Disk on the disk Details screen.

As on the Add Server screen, two methods of public key registration are available: selecting a registered key and direct entry.

The following is an example of public key registration by selecting a registered key.

The following is an example of public key registration by direct entry.

SSH login by public key authentication

Log in via SSH to the server in possession of the public key paired with the client’s private key.

$ ssh root@10.0.0.12

On the first SSH login, the fingerprint of the destination server's host key is displayed. If there is no problem, enter “yes”.

The authenticity of host '10.0.0.12 (10.0.0.12)' can't be established.
RSA key fingerprint is [fingerprint]
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.12' (RSA) to the list of known hosts.

The following output confirms that SSH login by Public Key Authentication was successful.

Now try logging into the machine, with "ssh 'root@10.0.0.12'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@localhost ~]#
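The registration steps above all come down to pasting the one line from id_rsa.pub into a text box, and the login only works if that line reached the server's .ssh/authorized_keys intact. As an added example that is not part of the SAKURA Cloud documentation, the following POSIX shell script checks a copied public key line for the usual paste mistakes and then installs it into authorized_keys by hand, the manual equivalent of what the control panel does for the administrator user. The function names validate_pubkey, pubkey_blob_prefix and install_authorized_key, the home directory parameter and the sample key lines are this example's own constructions.

```shell
#!/bin/sh
# Added example (not SAKURA Cloud's code): checks a copied id_rsa.pub line
# before it is registered, then installs it into HOME/.ssh/authorized_keys
# with the permissions sshd expects. Paths and key lines are parameters, so
# the functions can be tried against a temporary directory.

# Every OpenSSH public key blob starts with its length-prefixed key type
# string, so the first base64 characters are fixed for each type. This lets
# the declared type and the blob be cross-checked without decoding anything.
pubkey_blob_prefix() {
    case $1 in
        ssh-rsa)             echo AAAAB3NzaC1yc2E ;;
        ssh-ed25519)         echo AAAAC3NzaC1lZDI1NTE5 ;;
        ecdsa-sha2-nistp256) echo AAAAE2VjZHNhLXNoYTItbmlzdHAyNT ;;
        *)                   return 1 ;;
    esac
}

# validate_pubkey "LINE": returns 0 for a plausible single-line public key.
# Rejects the common mistakes: pasting the private key file, an unsupported
# type, a blob belonging to a different type, and a blob that was wrapped or
# otherwise damaged while copying.
validate_pubkey() {
    case $1 in
        *"PRIVATE KEY"*)
            echo "refusing: this is a PRIVATE key; register id_rsa.pub instead" >&2
            return 1 ;;
    esac
    set -- $1   # intentional word splitting: type, blob, optional comment
    ktype=${1:-}; blob=${2:-}
    prefix=$(pubkey_blob_prefix "$ktype") || {
        echo "unsupported or missing key type: '$ktype'" >&2; return 1; }
    case $blob in
        "$prefix"*) ;;
        *) echo "blob does not match declared type $ktype" >&2; return 1 ;;
    esac
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' || {
        echo "blob is not clean base64 (wrapped or truncated paste?)" >&2; return 1; }
    return 0
}

# install_authorized_key HOME_DIR "LINE"
# Idempotent on type+blob (the trailing comment field is ignored) and sets
# the modes sshd's StrictModes checks (700 on .ssh, 600 on authorized_keys).
# HOME_DIR itself must not be group- or world-writable for StrictModes either.
install_authorized_key() {
    home=$1; line=$2
    validate_pubkey "$line" || return 1
    sshdir="$home/.ssh"; ak="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$ak" && chmod 600 "$ak"
    set -- $line
    if awk -v t="$1" -v b="$2" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$ak"; then
        echo "already present: $1 key, nothing added" >&2
    else
        printf '%s\n' "$line" >> "$ak"
    fi
}
```

On the server, the same check can be applied to a line that was pasted into the control panel by comparing `ssh-keygen -lf ~/.ssh/authorized_keys` with `ssh-keygen -lf ~/.ssh/id_rsa.pub` on the client: the fingerprints must match, and a mismatch or a "not a public key file" error means the paste was damaged.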