Some recent security concerns regarding SSH access have motivated a move towards a more secure method of handling SSH access to our servers.
Our intention is to move away from password-based authentication to key-based authentication instead.
Key-based authentication uses two separate keys that work together to authorize a login. This is known as a public/private key combination.
To use this method of authentication, you must generate a public key and a private key. This page describes this process, and how to use those keys with the popular Windows-based SSH program 'Putty'.
When you generate a pair of keys, the public key will remain stored on the server. The private key must be stored on any machine that you wish to log in from. It is important that you store this private key in a secure location.
You must not give your private key to anyone, or leave it in a location where someone might find it.
Think of this public/private key combination as a door lock and a key. The lock on the door has a key hole (the 'public key'). It is public and anyone can see the key hole. Only you have the matching key (the 'private key') that fits into the key hole to turn the lock and open the door.
This is why it is so important for you to keep the private key secure - it is the key to your account, and everything in it (files, e-mails, databases, etc).
You may need to contact support first to have SSH access enabled on your account. We will need to know what IP address you will be connecting from. Ideally, this should be a static IP address allocated to you by your ISP.
These instructions refer to the Windows 'Putty' SSH client because of its popularity. There are other SSH clients available. If you are using a different client, you may need to consult that client's online help or support for additional instructions. However, you should be able to read through this guide and get a general understanding of how SSH keys work.
To begin you will need to download the 'Putty' SSH client and the 'Pageant' SSH authentication agent. You can download these applications from the Putty website.
Direct links to the Windows versions of these files are provided below. If these links do not work you will need to use the link above to download these applications.
Download Putty
Once you log in you need to click the SSH/Shell Access icon. This icon will not appear on your control panel unless we have enabled SSH access for you. It will look like:
This will bring you to a page where you are given the option to Manage SSH Keys:
Click on this button.
This will bring you to another page where the SSH keys for your account are listed.
At this point you probably do not have any keys set up. This guide is written on the assumption that you are generating your first SSH key.
Near the top of the page find the link for Generate a new Key and click this link:
This will take you to a new page where a form will be displayed. The form will have several questions:
Filling out the form, it should look something like:
Once you generate a new key, use the Go Back link to go back to your SSH key list.
By default, cPanel does not automatically enable a public key and allow authorization through that key. To enable that public key you need to click the link Manage Authorization next to that public key. This will take you to a page that looks like:
Click on the Authorize button to authorize the key. Then click on the Go Back link.
Now you need to download the private key. Because you are using the Putty SSH client, you also need to convert the private key into a Putty Private Key. Click on the View/Download link under the Private Key section of the SSH Key lists:
Near the bottom of that page is a section where you can convert the private key into a Putty Private Key. It will ask for the passphrase for the private key. Enter the passphrase that you entered when you first generated the SSH key.
Now click on the Convert button to have the private key converted into a Putty Private Key so that it will be readable by Putty. The resulting page will show the key in PPK format.
There will be a button for Download Key. Click this button to download the key. Save the key somewhere on your computer and remember where you saved this file, because it will be needed later. This saved file is your private key. You will need this file any time you need to SSH into your account.
Now that you have the SSH key generated and saved on your computer, the final thing you need to do in your control panel is remove the private key. You don't want to store the private key with the public key, especially on the public server. This defeats the purpose of the public/private key combination pair. Somebody could still hack into your control panel or your FTP account and download the private SSH key. So the smart thing to do is to remove the private key from the server.
Click on Delete next to the private key in the Manage SSH Keys page.
This will take you to a new page where you are asked to confirm that you really want to delete the private key. Click on Yes.
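To confirm that no private key is left behind after the deletion, you can scan a directory of your account for private key files. The following is an added example, not part of the original guide or of cPanel; which directory you scan (for example your account's .ssh directory) is an assumption, and the sample key texts are constructed headers with no real key material.

```python
import base64
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

# Constructed samples (headers only, no real key material).
SAMPLE_PPK = "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\nComment: constructed\n"
SAMPLE_OPENSSH = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  + base64.b64encode(OPENSSH_MAGIC + struct.pack(">I", 4) + b"none").decode()
                  + "\n-----END OPENSSH PRIVATE KEY-----\n")

def classify_key_text(text):
    """Return (format, protected) for private-key text, else None; protected may be None."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    first = lines[0] if lines else ""
    if first.startswith("PuTTY-User-Key-File-"):
        # PPK files state their passphrase protection in an 'Encryption:' header line.
        enc = [ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("Encryption:")]
        return ("putty-ppk", enc[0] != "none" if enc else None)
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            body = base64.b64decode("".join(ln for ln in lines if not ln.startswith("-----")))
            off = len(OPENSSH_MAGIC)
            (n,) = struct.unpack(">I", body[off:off + 4])  # length of the cipher name
            if body.startswith(OPENSSH_MAGIC) and len(body) >= off + 4 + n:
                return ("openssh", body[off + 4:off + 4 + n] != b"none")
        except (ValueError, struct.error):
            pass
        return ("openssh", None)
    if first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----"):
        encrypted = "ENCRYPTED" in first or any(
            ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        return ("pem", encrypted)
    return None

def find_private_keys(root):
    """Walk root and list (path, format, protected) for every private key file found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    result = classify_key_text(fh.read(65536))
            except OSError:
                continue
            if result:
                findings.append((path,) + result)
    return sorted(findings, key=lambda f: f[0])
```

An empty result from find_private_keys means no private key file was found under that directory; any entry whose last field is False is a private key stored without a passphrase.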
Now that you have the SSH private key generated and stored on your local computer and have deleted the private key from the server, you are ready to connect via SSH using this key.
You first need to start up Pageant. Pageant is a private key organizer used by Putty to manage private keys. Find where you saved the Pageant program that you downloaded from the Putty website and run it. This will load an icon into the system tray on your taskbar. The icon will look like:
Double click on this icon to bring up a window that shows all of the private keys you have loaded. If you have just started the program, then no private key will be loaded and the list will be empty. Click on Add Key to load the PPK file that you have previously created. Navigate your way to the folder where you saved the Putty converted private key and open it.
Pageant will now ask for the passphrase for your private key. Type in the passphrase in the supplied text box.
Click OK to authenticate the private key and load it into Pageant. Now the Pageant Key list will show your loaded private key.
You can now click on Close to close out the Pageant window. Notice that Pageant is still running in the system tray on your taskbar.
You are now ready to configure Putty to connect to your account via SSH. When you start up Putty you will be given a Putty configuration screen.
The main things to consider when configuring Putty:
You may choose to save this configuration profile so that you do not have to type it back in each time.
Now click on Open to connect.
You may be asked to accept the SSH server fingerprint. If this is the first time you have connected to your account with Putty via SSH then you will be asked to accept this. Just click 'Accept' and 'Save' to continue.
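The fingerprint shown in that prompt is a hash of the server's public host key. The following added example (not part of the original guide or of Putty) computes the fingerprint of a host public key line in both the SHA256 and the MD5 display forms and compares it with a fingerprint you were given. It assumes you have the server's public host key line and an expected fingerprint obtained through a separate channel; the sample key is constructed from dummy bytes.

```python
import base64
import hashlib
import struct

# Constructed sample: an ssh-ed25519 key blob built from 32 dummy bytes, not a real server key.
SAMPLE_KEY_TYPE = b"ssh-ed25519"
SAMPLE_HOST_KEY = "ssh-ed25519 " + base64.b64encode(
    struct.pack(">I", len(SAMPLE_KEY_TYPE)) + SAMPLE_KEY_TYPE
    + struct.pack(">I", 32) + bytes(range(32))).decode() + " constructed-sample"

def parse_public_key(line):
    """Split an OpenSSH 'type base64 [comment]' line and return (key_type, blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob is truncated")
    (n,) = struct.unpack(">I", blob[:4])
    # The blob starts with its own length-prefixed type string; it must agree with the label.
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type label does not match the key blob")
    return fields[0], blob

def fingerprints(blob):
    """Return the fingerprint of a key blob in the two forms SSH clients display."""
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"sha256": "SHA256:" + sha256,
            "md5": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))}

def host_key_matches(line, expected):
    """True only if the expected fingerprint (obtained out of band) matches the key."""
    _, blob = parse_public_key(line)
    fps = fingerprints(blob)
    expected = expected.strip()
    if expected.upper().startswith("MD5:"):
        expected = expected[4:]
    return expected == fps["sha256"] or expected.lower() == fps["md5"]
```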
You will then be asked to enter the login name. This is your account's username, the username that you use to access your control panel. After you enter your username, Putty will check with Pageant to see if a valid SSH key match can be found. It will find one and will then authenticate your SSH session. You don't need to enter a password because you have already authenticated yourself through Pageant.
All things being equal, you should never access your account via SSH on a public access computer. This is just too insecure an environment.
SSH access would allow a hacker to take complete control of your account. If you must use SSH on your account, you really need to wait until you are home or at your own personal computer before proceeding.
Once you have finished your SSH session, you need to exit out of Pageant. Right-click on the Pageant icon in the system tray and click on Exit to close out Pageant.
Now whenever you need to access SSH on your account you just need to start Pageant and load your private key. Once you have generated a private key, you do not need to regenerate a different private key each time you connect to your account via SSH.
If you should run into difficulties with any aspect of this process, don't hesitate to ask for help by completing a support request.