The use of encrypted private keys is one of the strongest defenses you can use to protect your server from brute-force password attacks. By enabling the use of encrypted keys and disabling the use of passwords to connect to the SSH service, you eliminate the possibility of a weak password being guessed and the server being compromised.
Creating Encrypted Key Pairs
To implement this security feature you must first create the public/private key pair. To generate the key pair from a Windows workstation you can use an application such as PuTTY Key Generator. The PuTTY suite of software is free to download from the developer; just search for "putty download" in your favorite search engine. Once you have installed the suite you can generate a key pair using the PuTTY Key Generator. Launch the application from the start menu and click the "Generate" button. While the key generates, move your mouse rapidly over the application window to provide randomness and speed up the generation process.
Once the generation process completes, click the "Save private key" button. You can specify a passphrase when prompted; if you do, you will be prompted for the passphrase each time you use the key. If you save the key with no passphrase, using the key will not prompt you for one. For most servers the security provided by the key is enough and the passphrase can be left blank. Use the next window to save the key somewhere safe that you will remember. Repeat the saving process for the public key, but do not save the two keys in the same location.
Saving the Encrypted Keys
Once you have the public key you must copy it to the server you want to connect to. Create the directory that will hold the key with "mkdir ~/.ssh" and create the public key file with "touch ~/.ssh/authorized_keys". Now copy the public key into this file. There are several ways to do this, but the simplest methods require that you copy the key to your local Windows clipboard. Do this by highlighting the public key in the PuTTY Key Generator, right-clicking the highlighted text and choosing "Copy". Go back to the SSH session connected to the server, type "echo ", paste the key from your clipboard into the SSH window, then complete the command with " >> ~/.ssh/authorized_keys". A complete command would look something like this:
echo ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAmvZTON87B1Vc333wPwFsvqZW2hFuNhUsRV4ejtegLdB1LFispQLkLZ47aP3NYS60R5mS3vnw+6dAJ5lj4PvTjWNgx4TCwE3V/86yUOFYdQPTqctD9paCqN+Ch8hGa9BlZGTjxsgMoKJkWIB62Re4/eHplz5beALaa9dnQo6oKw0= rsa-key-20110413 >> ~/.ssh/authorized_keys
You can verify the file was updated by typing "cat ~/.ssh/authorized_keys" and reviewing the output.
To secure the keys use these commands to change the permissions to the required settings:
To update the SELinux context so the encrypted key can be used, type "restorecon -Rv ~/.ssh".
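The server-side steps above (create ~/.ssh, append the pasted public key, tighten permissions, restore the SELinux context) as one checkable script. This is an added example, not part of the original tutorial. It assumes the conventional permission values 700 for ~/.ssh and 600 for authorized_keys (the settings sshd's StrictModes accepts), uses a constructed sample key rather than the key shown on the page, and takes the home directory as an argument so the demo runs against a throwaway directory instead of a real account.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands): install a public key into
# authorized_keys with the permissions sshd expects, then verify the result.
# Assumptions: 700/600 are the conventional modes sshd's StrictModes accepts;
# the home directory is passed in so this can run against a temp directory.
set -eu

# Constructed sample key line; not a real key and not the key shown on the page.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexampleKeyMaterial+OnlyForDemo/0123456789== rsa-key-example'

# Accept exactly one OpenSSH public key line: key type, one base64 blob, optional comment.
# A key that picked up a line-wrap space when pasted has two blobs and is rejected,
# which is the most common way a pasted key ends up unusable.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( [^[:space:]]+)?$'
}

# Print the octal mode of a path (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Install one public key for the account whose home directory is $1.
install_pubkey() {
    home=$1
    key=$2
    valid_pubkey_line "$key" || { echo "refusing malformed key line" >&2; return 1; }
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"                          # assumed conventional directory mode
    touch "$home/.ssh/authorized_keys"
    # Append only if this exact line is not already present (repeated pastes are common).
    grep -qxF "$key" "$home/.ssh/authorized_keys" || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"          # assumed conventional file mode
    # Relabel for SELinux where the tool exists; a no-op elsewhere.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$home/.ssh" >/dev/null 2>&1 || true
    fi
}

# Check what sshd will check: directory and file modes, and that the key landed exactly once.
check_install() {
    home=$1
    key=$2
    [ "$(mode_of "$home/.ssh")" = 700 ] || return 1
    [ "$(mode_of "$home/.ssh/authorized_keys")" = 600 ] || return 1
    [ "$(grep -cxF "$key" "$home/.ssh/authorized_keys")" = 1 ] || return 1
}

# Stand-alone demo against a temporary home directory.
demo_home=$(mktemp -d)
install_pubkey "$demo_home" "$SAMPLE_KEY"
install_pubkey "$demo_home" "$SAMPLE_KEY"      # a second paste must not duplicate the line
check_install "$demo_home" "$SAMPLE_KEY" && echo "authorized_keys installed with correct permissions"
cat "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

Two checks here are worth keeping in any real deployment. With StrictModes on (the default), sshd refuses to use authorized_keys when the file or the ~/.ssh directory is writable by other users, so a loose mode shows up only as a failed key login. Likewise, sshd ignores a line it cannot parse, so a key that was split by a line wrap during the paste fails silently; validating the line before appending it catches that before password authentication is disabled and the account becomes unreachable.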
Connecting via an Encrypted Key
Using your encrypted key pair to connect to the server via SSH is a simple matter of configuring the connection details in an SSH client like PuTTY. Since you already have it installed from the previous steps, we'll use PuTTY to connect to the server with your new key pair. In the programs list on your Windows PC open "PuTTY". Once it is open, fill in the Host Name (IP address) field and provide a name in the Saved Session field. Ensure the SSH port is the port your server is configured to answer SSH on. Click "Save" to keep these details in your profile so you can reuse them later without entering all of the details again.
In the Category list on the left side of the window, expand "Connection" if it is not already expanded and select "Data". On the right side of the application window, in the "Auto-login username" field, enter the user name you log into the server as. This username should be the same one you used when you configured the public key in the authorized_keys file.
Continuing in the Category list on the left side of the window, in the expanded "Connection" area expand the "SSH" section and click on the "Auth" category (do not expand Auth). Next to the field titled "Private key file for authentication:" click "Browse..." and navigate to the private key file you saved from PuTTY Key Generator. Before you click "Open", return to the top of the left pane, click "Session" and then "Save". The configuration will now be available each time you open PuTTY.