This article describes ways to generate and use secure shell (SSH) keys on a Windows computer to create and connect to a Linux virtual machine (VM) in Azure. To use SSH keys from a Linux or macOS client, see the quick or detailed guidance.
Overview of SSH and keys
SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure. Although SSH itself provides an encrypted connection, using passwords with SSH connections still leaves the VM vulnerable to brute-force attacks or guessing of passwords. A more secure and preferred method of connecting to a VM using SSH is by using a public-private key pair, also known as SSH keys.
When you use an SSH client to connect to your Linux VM (which has the public key), the remote VM tests the client to make sure it possesses the private key. If the client has the private key, it's granted access to the VM.
Depending on your organization's security policies, you can reuse a single public-private key pair to access multiple Azure VMs and services. You do not need a separate pair of keys for each VM or service you wish to access.
Your public key can be shared with anyone, but only you (or your local security infrastructure) should possess your private key.
Supported SSH key formats
Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.
Windows packages and SSH clients
You connect to and manage Linux VMs in Azure using an SSH client. Computers running Linux or macOS usually have a suite of SSH commands to generate and manage SSH keys and to make SSH connections.
Windows computers do not always have comparable SSH commands installed. Recent versions of Windows 10 provide OpenSSH client commands to create and manage SSH keys and make SSH connections from a command prompt. Recent Windows 10 versions also include the Windows Subsystem for Linux to run and access utilities such as an SSH client natively within a Bash shell.
Other common Windows SSH clients you can install locally are included in the following packages:
You can also use the SSH utilities available in Bash in the Azure Cloud Shell.
Create an SSH key pair
The following sections describe two options to create an SSH key pair on Windows. You can use a shell command (
ssh-keygen ) or a GUI tool (PuTTYgen).
Create SSH keys with ssh-keygen
If you run a command shell on Windows that supports SSH client tools (or you use Azure Cloud Shell), create an SSH key pair using the
ssh-keygen command. Type the following command, and answer the prompts. If an SSH key pair exists in the chosen location, those files are overwritten.
For more background and information, see the quick or detailed steps to create SSH keys using
ssh-keygen .
Windows Generate Ssh Key For GitlabCreate SSH keys with PuTTYgen
If you prefer to use a GUI-based tool to create SSH keys, you can use the PuTTYgen key generator, included with the PuTTY download package.
To create an SSH RSA key pair with PuTTYgen:
Provide an SSH public key when deploying a VM
To create a Linux VM that uses SSH keys for authentication, provide your SSH public key when creating the VM using the Azure portal or other methods.
The following example shows how you would copy and paste this public key into the Azure portal when you create a Linux VM. The public key is typically then stored in the ~/.ssh/authorized_key directory on your new VM.
Connect to your VM
One way to make an SSH connection to your Linux VM from Windows is to use an SSH client. This is the preferred method if you have an SSH client installed on your Windows system, or if you use the SSH tools in Bash in Azure Cloud Shell. If you prefer a GUI-based tool, you can connect with PuTTY.
Use an SSH client
With the public key deployed on your Azure VM, and the private key on your local system, SSH to your VM using the IP address or DNS name of your VM. Replace azureuser and myvm.westus.cloudapp.azure.com in the following command with the administrator user name and the fully qualified domain name (or IP address):
If you configured a passphrase when you created your key pair, enter the passphrase when prompted during the sign-in process.
If the VM is using the just-in-time access policy, you need to request access before you can connect to the VM. For more information about the just-in-time policy, see Manage virtual machine access using the just in time policy.
Connect with PuTTY
If you installed the PuTTY download package and previously generated a PuTTY private key (.ppk) file, you can connect to a Linux VM with PuTTY.
Next steps
Before You BeginPurpose
This tutorial covers how to create a secure shell (SSH) key pair in two ways:
Time to Complete
Approximately 30 minutes.
Background
Oracle Cloud services such as Oracle Java Cloud Service and Oracle Database Cloud - Database as a Service are built on top of infrastructure and functionality that are provided by Oracle Compute Cloud Service. When you create a service instance of one of these Oracle Cloud services, all the Oracle Compute virtual machines (VMs) required to support the service instance are provisioned and configured for you.
You can access the service instances and resources provided by the VMs by logging into the machine through a secure shell (SSH). To do so, you need an SSH public/private key pair for the VM. You will need the public key when creating a service instance, and you will need the paired private key when you access it using an SSH utility. This tutorial shows how to create the key pair.
Note: You can associate a single SSH public key with multiple service instances. However, you cannot associate an SSH public key with a service instance after you have created the instance.
Windows 10 Generate Ssh KeyScenario
You are ready to create an Oracle Cloud service instance, and you need to create an SSH public key to use when creating it. Later, you will need the paired private key to access the VM remotely.
What Do You Need
Before starting this tutorial, you should have:
Generating an SSH Key Pair Using PuTTY Key Generator
To generate an SSH key pair using the PuTTY Key Generator,
Creating an SSH Key Pair on the Command Line
To create an SSH key pair on the command line using
ssh-keygen :
Want to Learn More?
The use of OpenSSH is ubiquitous with secured access to client devices over a network. The purpose of SSH is straight-forward: To securely encapsulate the management traffic between two end-points, in this case using the server-client model for authentication.
More about cybersecurity
While SSH may be enabled to work over clients, which are joined to the same domain, say using Active Directory credentials, this is not possible when attempting to communicate to devices such as network switches or routers, which are not natively part of any domain infrastructure. Instead, these devices and Linux-based clients use a public/private key pair to verify the user attempting to connect to the client and perform authentication before providing remote access.
© Provided by CBS Interactive Inc. istock-859761306.jpg
SEE: Information security policy (Tech Pro Research)
In this article, we will use this use case as it is often considered to be a more secure method of obtaining access, which lends itself seamlessly to Windows and non-Windows devices alike. By generating and managing SSH key pairs, IT will be able to remotely connect to clients in a secure manner while ensuring confidentiality and non-repudiation for each user, using a unique key pair tied to the individual's Windows login account for secure storage.
© Provided by CBS Interactive Inc. 201916-figure-a.jpg
Install the OpenSSH module for PowerShell
1. Log in to the Windows computer with an admin-level account and launch PowerShell with admin privileges.
2. Enter the following cmdlet to install the OpenSSH module. If this is the first time the module has been installed on the device, you may be prompted to download and install some additional tools. Type 'Y' to allow the tools to be installed.
Install-Module -Force OpenSSHUtils
3. Next, enter the cmdlet to start the ssh-agent service for securely storing privately generated SSH keys.
Start-Service ssh-agent
4. Last, enter the cmdlet to start the sshd service, which will generate the first pair of host keys automatically.
Start-Service sshd
Note: By default, the OpenSSH Server app in not installed, so it must first be installed. Also, the ssh-agent service is set to Disabled and must be changed before the cmdlets above will work. Host keys are stored at the %HOMEDRIVE%ProgramDatassh directory.
SEE: PowerShell scripting: Seven tips to reduce errors (free PDF) (TechRepublic)
Generate user key pair
1. In PowerShell, change directories to the path above where the SSH keys are stored, then enter the cmdlet below to being generating the key pair.
ssh-keygen
2. In order to generate a unique set of key pairs and store them, you will be prompted to provide a directory where the key pair will be stored, or you may press enter to choose the default location provided.
3. Next, you'll be prompted to choose a passphrase to encrypt the key pair with. While providing a passphrase is optional, it is highly advised to enter one as it serves the secondary purpose of acting as a form of two-factor authentication when utilizing the key pair to establish remote connections.
4. Once the process is completed, two files will be generated alongside the SHA256 fingerprint, and the key's random art image will be displayed on-screen and should look like this (Figure A):
Copying the public key securely
The OpenSSH tools include the SCP and SFTP utilities to make transferring keys completely secure. In order to properly configure a Windows client for authenticating via SSH keys, the public key (.PUB) file must be transferred to the client device's .ssh directory and stored in the authorized_keys text file.
1. Begin the process by executing the following command in PowerShell to create the .ssh directory within the user's profile folder.
ssh [email protected] mkdir C:Usersusername.ssh
2. Using the SCP utility, enter the following command to securely copy the public key from the server to the client device.
scp C:Usersusername.sshid_rsa.pub [email protected]:C:Usersusername.sshauthorized_keys
Windows Generate Ssh Key
3. Lastly, modify the ACL on the authorized_keys file on the server by entering the following command.
ssh --% [email protected] powershell -c $ConfirmPreference = 'None'; Repair-AuthorizedKeyPermission C:Usersusername.sshauthorized_keys
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |