{"id":61237,"date":"2021-06-09T15:45:00","date_gmt":"2021-06-09T20:45:00","guid":{"rendered":"https:\/\/blog.cpanel.com\/?p=61237"},"modified":"2021-06-09T15:45:00","modified_gmt":"2021-06-09T20:45:00","slug":"secure-your-cpanel-server-with-ssh-keys-and-public-key-cryptography","status":"publish","type":"post","link":"https:\/\/devel.www.cpanel.net\/blog\/tips-and-tricks\/secure-your-cpanel-server-with-ssh-keys-and-public-key-cryptography\/","title":{"rendered":"Secure Your cPanel Server With SSH Keys And Public Key Cryptography"},"content":{"rendered":"\n
cPanel & WHM is a complete server management solution, but you may occasionally need to log in to your server’s shell to run scripts or edit configuration options on the command line. The most secure way to remotely log in is with SSH. An SSH client on your local computer connects to a daemon on the server. SSH encrypts the commands you send to the server and the information it sends back.<\/p>\n\n\n\n
When you log in with SSH, you must supply authentication credentials. These are usually your cPanel account\u2019s username and password. However, password-based logins are not as secure as we might like. Users often choose easy-to-guess passwords. Even if they don\u2019t, malicious bots will bombard SSH with brute force and dictionary attacks, consuming the server\u2019s resources.<\/p>\n\n\n\n
SSH keys are an alternative way to authenticate using public-key cryptography and a pair of cryptographic keys\u2014one public and one private. SSH keys are more secure because they are not vulnerable to guessing attacks. We discussed SSH keys briefly in How To Use PuTTY SSH With cPanel<\/a>. In this article, we\u2019ll dig a little deeper into how public key cryptography works, show you how to generate public-private key pairs with cPanel, and how to use them to authenticate with SSH.<\/p>\n\n\n\n Cryptography is the science of secrecy. Cryptographers design secure communication systems, and encryption is their most important tool. Simply put, encryption scrambles messages so they can\u2019t be read. You start with a message called the plaintext and convert it to nonsense, which is called the ciphertext. Decrypting reverses the process, converting ciphertext back into readable plaintext.<\/p>\n\n\n\n Symmetric encryption is the most familiar type. You need two things to encrypt a message: a key and an encryption algorithm. The key is a string of letters and numbers. The algorithm is a set of instructions for combining the key with the plaintext to create the ciphertext. To decrypt the message, you give the same key and the ciphertext to a related algorithm, and it spits out the plaintext. Only someone with the key can decrypt the message.<\/p>\n\n\n\n For symmetric encryption to work, the sender and recipient have to share a secret, the key. But what if you want to encrypt a message where there is no shared secret? This is a common need on the internet. For example, I want to send a secret message to a friend. I can encrypt it, but how do I get the key to them? I can\u2019t just send it over the internet because someone spying on my connection could intercept it and decrypt the message too.<\/p>\n\n\n\n The solution is public-key cryptography, which is also called asymmetric encryption. With public-key cryptography, we use two keys, a public key and a private key. 
Only the private key can decrypt messages encrypted with the public key. Only the public key can decrypt messages encrypted with the private key.<\/p>\n\n\n\n When I want to send a secret message to my friend, I ask them to send me their public key. I use it to encrypt the message and send them the ciphertext. They use their private key to decrypt it. Provided they keep the private key secret, anyone with the public key can send a message only they can read.<\/p>\n\n\n\n Public-key cryptography has two significant consequences. The first is that there are no shared secrets. The second is that the person with the private key can prove who they are by decrypting a message. If I encrypt a message that says \u201chello\u201d with a person\u2019s public key, and they tell me, \u201cYou said hello,\u201d I can be certain they have the private key. It might not be obvious why that matters yet, but it\u2019s the foundation of online security, including HTTPS encryption and SSH keys.<\/p>\n\n\n\n SSH key authentication uses the mechanism we just described to verify your identity when you want to log in to your server.<\/p>\n\n\n\n It works like this:<\/p>\n\n\n\n Provided you keep the private key secret, this method of authentication is reliable and secure. It isn\u2019t vulnerable to brute-force and dictionary attacks. It also helps avoid the problems that arise when users think \u201cpa55word\u201d is an ingenious solution to their password management problems. Of course, all bets are off if the private key is stolen, but that\u2019s a limitation of all authentication mechanisms.<\/p>\n\n\n\n To use SSH keys, you need a key pair. 
There are several ways to create key pairs, but one of the easiest is cPanel\u2019s SSH Access<\/em> tool, which you\u2019ll find in the Security<\/em> section of cPanel\u2019s main menu.<\/p>\n\n\n\n The next step is authorizing the public key so you can use it for SSH authentication.<\/p>\n\n\n\n Finally, we have to download the private key to our local machine (see below for Microsoft Windows\u00ae<\/sup> and PuTTY instructions).<\/p>\n\n\n\n The private key is downloaded to your browser\u2019s default download folder. You should move it from there to a safe location. If you would like to make it the default key for your local computer\u2019s user, move the file to the following directory on Mac and Linux, replacing \u201cusername\u201d with your local computer\u2019s username.<\/p>\n\n\n\n If you use PuTTY on Windows, you must first convert the private key to PuTTY\u2019s native PPK format.<\/p>\n\n\n\n If you have followed the walkthrough, you now have an authorized public key in place on your server. The private key is stored on your local machine. To use the keys, you simply tell SSH where to find the private key when you open a connection.<\/p>\n\n\n\n On Linux and Mac, the terminal command to initiate an SSH connection is:<\/p>\n\n\n\n Replace \u201cpath_to_private_key\u201d with the location of your new private key. You could omit this option if you stored the key file in the .ssh folder as your default.<\/p>\n\n\n\n SSH keys make your server more secure. They prevent poor password choices from exposing your server and its users to unnecessary risk. To further enhance security, server administrators may want to prevent users from logging in with passwords altogether with the SSH Password Authorization Tweak<\/em><\/a> in WHM\u2019s Security Center<\/em>.<\/p>\n\n\n\n As always, if you have any feedback or comments, please let us know. We are here to help in the best ways we can. You\u2019ll find us on Discord<\/a>, the cPanel forums<\/a>, and Reddit<\/a>. 
Be sure to also follow us on\u00a0Facebook<\/a>,\u00a0Instagram<\/a>, and\u00a0Twitter<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" cPanel & WHM is a complete server management solution, but you may occasionally need to log in to your server’s shell to run scripts or edit configuration options on the command line. The most secure way to remotely log in is with SSH. An SSH client on your local computer connects to a daemon on […]<\/p>\n","protected":false},"author":77,"featured_media":65785,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[289,61],"tags":[],"class_list":["post-61237","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general-knowledge","category-tips-and-tricks"],"acf":[],"yoast_head":"\nWhat is Public Key Cryptography?<\/strong><\/h2>\n\n\n\n
SSH Keys: SSH Authentication with Public Key Cryptography<\/strong><\/h2>\n\n\n\n
How to Generate Public and Private Keys with cPanel<\/strong><\/h2>\n\n\n\n
<\/figure>\n\n\n\n
<\/figure>\n\n\n\n
<\/figure>\n\n\n\n
\/home\/username\/.ssh<\/code><\/pre>\n\n\n\n
Log in To cPanel Servers with SSH Keys<\/strong><\/h2>\n\n\n\n
ssh -i path_to_private_key username@example.com<\/code><\/pre>\n\n\n\n