As a cPanel user, you will often need to manage your website or application files either through SSH or SFTP.
Here is a way to do this securely through the SSH key feature that comes with cPanel natively.
The first question probably is, why enforce key authentication instead of the normal password authentication for these tasks?
Passwords remain the most used form of online authentication.
This is mostly because they are simple and inexpensive to implement on most infrastructures.
However, it is generally agreed that passwords are the weakest link and poorest form of protection when it comes to online security.
And as technology evolves, so do the tools available to malicious hackers and intruders for cracking your online credentials, gaining speed and sophistication along the way.
Compounding the problem is also the fact that users are often given the ability to create their own passwords when creating new online identities.
Humans are not known as the most patient of nature’s creatures, and so they often go for passwords that are easily guessed and cracked.
This is why, whenever there is a password dump, you will often find that the most commonly used passwords are “password,” “1234,” birth dates, or “pass”.
Most folks will also re-use the same password for multiple sites.
So when one site is compromised, so is every other website that the user has an account on.
As a cPanel user, what then should you use for SFTP/SSH authentication – SSH keys or passwords?
Of course, the answer will be a key-based SSH.
SSH keys are an excellent way to stay secure provided that you use best practices to generate, store, manage, and remove them.
While you certainly can use password authentication for SSH, it doesn’t protect against weak passwords even when they run encrypted over the network.
If a malicious user is able to guess or obtain the password of a legitimate user, the malicious user can then authenticate and pose as that user.
On our web hosting platform, we don’t allow SSH password authentication.
There are several advantages to this, among which are:
- malicious hackers cannot brute-force key-based login
- in the event that a server is compromised, a malicious attacker will not be able to access your server even if he or she has gained control of the password.
- and because a password isn’t required at login, you are able to log in to servers from within scripts or automation tools that you need to run unattended.
Instead, we expect customers that want to use SFTP/SSH to use public-key authentication.
With SSH, a cryptographic key that consists of two parts is generated:
- a private key usually named id_rsa that is stored on your local computer.
- a public key usually named id_rsa.pub that will be placed on the server that you will be logging in to.
This tutorial is meant to show you how easy it is to get this done.
How To Generate Your Key And Add It To CPanel
Pull up your Terminal.
Paste something like the text below:
$ ssh-keygen -t rsa -b 4096 -C "$identifier"
where $identifier is either your email address or some other label that identifies the key.
When you’re prompted to “Enter a file in which to save the key,” press Enter.
This accepts the default file location.
At the prompt, type a secure passphrase.
Now create a ~/.ssh/config file to automatically load keys into the ssh-agent and store passphrases in your keychain.
Start the ssh-agent in the background.
$ eval "$(ssh-agent -s)"
Modify the file you created earlier:
$ vi ~/.ssh/config
Add this to the file:
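As an added example (not the original post's own file), this is the kind of ~/.ssh/config entry that does what the step above describes: load the key into the agent on first use and, on macOS, keep the passphrase in the keychain. AddKeysToAgent and IdentityFile are standard OpenSSH options; UseKeychain exists only in Apple's ssh, so on Linux either drop that line or keep the IgnoreUnknown line so ssh does not reject the file on an unknown option. The key path assumes the default file name from the ssh-keygen step.

```text
# ~/.ssh/config (added example; adjust IdentityFile if you chose another name)
Host *
  IgnoreUnknown UseKeychain
  AddKeysToAgent yes
  UseKeychain yes
  IdentityFile ~/.ssh/id_rsa
```

Because the block applies to Host *, every connection will offer this key; if you keep one key per server (as the key-protection list further down recommends), use one Host block per server instead of the wildcard.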
Add your SSH private key to the ssh-agent and store your passphrase in the keychain (the -K flag belongs to Apple’s ssh-add on macOS; on Linux, run the command without it):
$ ssh-add -K ~/.ssh/id_rsa
Confirm the key existence:
$ ls -al ~/.ssh
Now copy the generated public key you will add to the cPanel server:
$ cat ~/.ssh/id_rsa.pub
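Before the public key goes into cPanel it is worth checking, locally, that the line you are about to paste is really a public key and that the private half sits with the permissions OpenSSH demands. The script below is an added example (not from the original post or from cPanel) that does both: it parses an authorized_keys-style line, decodes the base64 blob and confirms the key type embedded in the blob matches the type named at the start of the line, which catches the rich-text corruption and truncated pastes that the Windows section warns about; and it checks that the key directory is mode 700 and the private key mode 600, the failures that `ls -al ~/.ssh` is meant to reveal. The sample lines are constructed for the demonstration (the "good" key has all-zero key bytes and is not a usable credential); the tools assumed are POSIX sh, awk, od, dd and a `base64 -d` that accepts `-d`.

```shell
#!/bin/sh
# Added example, not part of the original post: two local sanity checks for a
# freshly generated key pair before the public half goes into cPanel's
# "Import Key" box, whichever platform produced it.
#   check_pubkey_line "<one authorized_keys-style line>"  -> 0 if well-formed
#   check_ssh_dir_perms <dir> [private-key-file-name]     -> 0 if 700 / 600
# Assumed tools: POSIX sh, awk, base64 -d, dd, od, ls, cut. No network access.

check_pubkey_line() {
    line=$1
    ktype=$(printf '%s\n' "$line" | awk '{ print $1 }')
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) printf 'rejected: unknown key type %s\n' "$ktype" >&2; return 1 ;;
    esac
    # The blob must be non-empty, base64 characters only, and a multiple of 4 long.
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*) printf 'rejected: blob is not base64\n' >&2; return 1 ;;
    esac
    if [ $(( ${#blob} % 4 )) -ne 0 ]; then
        printf 'rejected: blob length %s is not a multiple of 4 (truncated paste?)\n' "${#blob}" >&2
        return 1
    fi
    # SSH wire format: the decoded blob starts with a 4-byte big-endian length
    # followed by the key type string. Decode to byte values and read the length.
    set -- $(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -v -tu1)
    if [ $# -lt 4 ]; then printf 'rejected: blob does not decode\n' >&2; return 1; fi
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    if [ "$n" -ne "${#ktype}" ]; then
        printf 'rejected: embedded type length %s does not fit %s\n' "$n" "$ktype" >&2
        return 1
    fi
    embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | dd bs=1 skip=4 count="$n" 2>/dev/null)
    if [ "$embedded" != "$ktype" ]; then
        printf 'rejected: blob encodes %s but the line claims %s\n' "$embedded" "$ktype" >&2
        return 1
    fi
    return 0
}

check_ssh_dir_perms() {
    dir=$1
    key=${2:-id_rsa}
    # ls mode strings are the same on GNU and BSD; cut drops a trailing ACL/SELinux marker.
    dmode=$(ls -ld "$dir" 2>/dev/null | cut -c1-10)
    if [ "$dmode" != "drwx------" ]; then
        printf 'rejected: %s should be mode 700 (drwx------), is %s\n' "$dir" "$dmode" >&2
        return 1
    fi
    kmode=$(ls -l "$dir/$key" 2>/dev/null | cut -c1-10)
    if [ "$kmode" != "-rw-------" ]; then
        printf 'rejected: %s should be mode 600 (-rw-------), is %s\n' "$dir/$key" "$kmode" >&2
        return 1
    fi
    return 0
}

# Constructed sample (not a real key): length-prefixed "ssh-ed25519", then a
# length-prefixed 32-byte key that is all zeros. Encoded, it starts with the
# prefix every Ed25519 public key shares.
GOOD_BLOB=$( { printf '\000\000\000\013ssh-ed25519\000\000\000\040'
               dd if=/dev/zero bs=1 count=32 2>/dev/null; } | base64 | tr -d '\n' )
GOOD_LINE="ssh-ed25519 $GOOD_BLOB user@example.com"
BAD_TYPE_LINE="ssh-rsa $GOOD_BLOB user@example.com"            # line type disagrees with blob
RTF_LINE='{\rtf1\ansi ssh-ed25519 '"$GOOD_BLOB"'}'             # saved through a rich-text editor
TRUNCATED_LINE="ssh-ed25519 ${GOOD_BLOB%?????}"                # paste lost its last characters

for l in "$GOOD_LINE" "$BAD_TYPE_LINE" "$RTF_LINE" "$TRUNCATED_LINE"; do
    if check_pubkey_line "$l"; then printf 'accepted: %s\n' "$l"; fi
done
# On a real key pair (not run here):
#   check_pubkey_line "$(cat ~/.ssh/id_rsa.pub)" && check_ssh_dir_perms ~/.ssh
```

Only the good line is accepted; the other three are rejected with the reason on stderr. The type check decodes the blob rather than trusting the first word because cPanel and sshd both parse the blob, so a line whose label and blob disagree will be refused at login even though it pastes cleanly.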
Windows has a different workflow but these will help:
Generate a Key Pair with PuTTY
Download PuTTYgen (puttygen.exe) and PuTTY (putty.exe) from the official site at http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.
The RSA key type at the bottom of the window is selected by default for an RSA key pair, but ED25519 (EdDSA using Curve25519) is a comparable option if your remote machine’s SSH server supports Ed25519 signatures.
Increase the RSA key size from 2048 bits to 4096 and click Generate.
PuTTY uses the random input from your mouse to generate a unique key.
Once key generation begins, keep moving your mouse until the progress bar is filled.
When finished, PuTTY will display the new public key.
Save the public key as a .txt file.
This is important because a rich text format such as .rtf or .doc adds extra formatting characters, and then your key won’t work.
Enter a passphrase for the private key in the Key passphrase and Confirm passphrase text fields.
Click Save private key.
Choose a file name and location in Explorer while keeping the .ppk file extension.
Remember the location of the private key file for future use.
If you plan to create multiple key pairs for different servers, be sure to give them different names so that you don’t overwrite old keys with new ones.
Convert The Public Key Into The OpenSSH Format
Now open your private key in PuTTYGen.
Select your private key that ends in .ppk and then click “Open”.
Look at the top menu and select “Conversions” -> “Export OpenSSH key”.
Save the new OpenSSH key when prompted.
The public key for cPanel is the text shown in PuTTYgen’s “Public key for pasting into OpenSSH authorized_keys file” box.
Newer versions of Windows have a better approach to this, and you may want to take a look at the following links:
Once you have generated your keys, log in to cPanel.
Scroll down to Security >> SSH Access.
To import an existing SSH key, perform the following steps:
Click Manage SSH Keys.
Click Import Key and copy the id_rsa.pub you generated.
To use a custom key name, enter the key name in the Choose a name for this key (defaults to id_dsa) text box.
Paste the public and private keys into the appropriate text boxes.
You must authorize new keys before you attempt to use them.
So go back and click Manage to manage authorization for the key. A new interface will appear.
Click Authorize to authorize the key or Deauthorize when you need to revoke authorization for the key.
Protecting Your SSH Keys:
- if you are an organization or share SSH logins with other people, have a centralized way of managing all your SSH keys.
- passphrase your keys and do not use the same passphrase with multiple keys (with each key granting access to a different server).
- actively rotate SSH keys by forcing users to generate keys on a regular basis.
- never share a private key between physical devices.
- if possible tie each SSH key to an individual, rather than just to an account that can be accessed by multiple users.
- use a bastion host. Bastion hosts allow you to create a firewall rule that allows SSH traffic only to a single instance.
- set up alerts to notify you when someone successfully logs in over SSH.
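The last item in that list is the one most often left unimplemented, so here is an added example (not from the original post) of the filter behind such an alert: a small shell/awk pipeline that reads sshd log lines, reports every accepted login as user, method and source address, and counts the logins that used a password, which on a key-only server like the one described above should always be zero. The log lines are constructed samples in the syslog format sshd writes and are not from any real server; the only tools assumed are POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not part of the original post: alerting on successful SSH
# logins by filtering sshd log lines. Constructed sample log, not a real server.

SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2211]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2: ED25519 SHA256:constructedfingerprint1
Mar  3 10:02:40 web1 sshd[2240]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar  3 10:03:01 web1 sshd[2251]: Accepted password for bob from 198.51.100.9 port 40100 ssh2
Mar  3 10:04:15 web1 sshd[2260]: Disconnected from user alice 203.0.113.5 port 51022
Mar  3 10:05:30 web1 sshd[2270]: Accepted publickey for alice from 203.0.113.6 port 51100 ssh2: RSA SHA256:constructedfingerprint2'

# Reads sshd log lines on stdin; prints "user method source-ip" per accepted login.
# Matching the words "Accepted <method> for <user> from <ip>" instead of fixed
# field numbers keeps it independent of the timestamp format in front of them.
accepted_logins() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i == "Accepted" && $(i+2) == "for" && $(i+4) == "from") {
                print $(i+3), $(i+1), $(i+5)
                break
            }
    }'
}

# Reads sshd log lines on stdin; prints how many accepted logins used a password.
# Non-zero here means password authentication is still enabled somewhere.
password_login_count() {
    accepted_logins | awk '$2 == "password" { c++ } END { print c + 0 }'
}

# Turns each accepted login into an alert line; in practice this is where a
# mail command or chat webhook call would go.
alert_on_logins() {
    accepted_logins | while read -r user method ip; do
        printf 'ALERT: %s logged in via %s from %s\n' "$user" "$method" "$ip"
    done
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | alert_on_logins
printf 'password logins: %s\n' "$(printf '%s\n' "$SAMPLE_AUTH_LOG" | password_login_count)"
# Live use on a Debian-style host (not run here):  tail -F /var/log/auth.log | alert_on_logins
```

Failed attempts are deliberately not alerted on; on any internet-facing host they arrive constantly and would bury the one line that matters, the accepted login you did not expect. Feed the same filter from journalctl or the provider's log export if the host does not write auth.log.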
Struggling with key management?
These tools below make SSH key management a breeze.
They surely will give you a way to consolidate and securely access your systems, apps, networks, and file servers – regardless of platform, protocol, provider, or location.
- Userify: https://userify.com
- Jumpcloud: https://jumpcloud.com/
- CyberArk: https://www.cyberark.com/
- BeyondTrust: https://www.beyondtrust.com/
- SSH Universal Key Manager: http://www.ssh.com/
- Keybox: http://sshkeybox.com
When it comes to your digital assets (website, databases, crypto-currencies, etc), using a password should be regarded as a doorway to a communal bar.
However, the items below can be considered password best practices and may help mitigate the risk involved with passwords:
Password Best Practices
- don’t use any personal identifying information as part of your password: yours, spouse’s, significant other’s, children’s, friend’s, or pet’s name, date of birth, license plate number, telephone number, social security number, make of your automobile, house address, etc.
- don’t use a word contained in English or foreign language dictionaries, spelling lists, acronym or abbreviation lists, or other lists of words.
- don’t share your password with another person for any reason.
- don’t write your passwords on paper.
- don’t re-use the same (or similar) password on two websites.
- ensure that the password you are using or generating has mixed-case characters and non-alphabetic characters/symbols, and is at least 20 characters in length.
- make it a habit to use two-factor authentication along with any password you have.
- and periodically or every 90-120 days, change every password that you own.