Here is why you should never expose Private SSH Key [Video]

Why you should not expose Private #SSH Key and why is a passphrase important - #security

Video Captions

00:00 Introduction

Hi there and welcome to this video. In this video, let’s see why you should not expose the content of your private SSH key. We’re going to go step by step. The first thing I’m going to do is generate an SSH key. Then we’re going to use that key to deploy two servers. These servers are just for demonstration purposes: we’re going to SSH from one server to the other. You can follow along with any VPS or on your own computer. You can deploy Vagrant virtual machines, or use any VM on your computer. Let’s get started.

00:52 Generate SSH Key pair

The first thing: let’s generate an SSH key. Then we’re going to come back to DigitalOcean and deploy two droplets. If you want to use DigitalOcean as well, you can get $200 credit using the link that I will provide in the description. So let’s generate our SSH key. I know as soon as I’m done with this tutorial, I’m going to delete it and I don’t want to have anything hanging around on my computer. So I’m going to do this inside of the temp directory. You can do it in any directory, but I’m going to use the temp directory. If you’re on Windows, you can follow along with me using Git Bash. Just download Git, install Git, and then open Git Bash and you can follow along with me.

So, the first thing: let’s generate an SSH key. Create a folder where I will house my SSH keys. I’m going to do mkdir, and I want to call this directory ssh. Now we can generate our SSH key inside of this directory. I’m going to do ssh-keygen, and I want to choose the type of key with -t. This simply signifies the type of the key, and I’m going to generate an Ed25519 key. I want to generate the key inside of the directory that I created; -f simply tells it the file name. Select the directory I’ve just created as the place where I will store my SSH key, and I will call the SSH key just samples. My SSH keys will be generated inside of this folder and they will be called samples. So I’ll press enter and it will ask me for a passphrase. For this demonstration, I’m going to create a passphrase, and the reason I’m creating a passphrase will come out later on: you’ll see why it’s important to have one. Just choose a passphrase that only you can remember, but not something so difficult that you might forget it, because if you forget it, you will not be able to use the key again. So I will retype the passphrase.

My SSH key has been generated. List the files in the ssh directory; let me list them one per line. I will just clear the screen at this point. There is our private key and there is our public key. I want to use this key to deploy two droplets in DigitalOcean, and then we’re going to see why you should not share the content of your private key.

Let me cat the content of this; I’ll just press tab to autocomplete, then dot and tab again to autocomplete. You can see it’s a very short key compared to RSA. So I’m going to copy it. You know what? I can just open it in Visual Studio Code instead. So I’m going to press ctrl + a, which takes me to the beginning of the line, then ctrl + delete will delete that, and I can open it using Visual Studio Code.

04:00 Deploy droplets/servers – Ubuntu

There we go. Copy the content of that, then let’s come back to DigitalOcean and deploy a droplet. If you want to use DigitalOcean, I have $200 free credit. Link in the description. I will deploy two droplets. I will create a droplet that is… I will choose Frankfurt and I’ll just use Ubuntu. I’ll go with Ubuntu 22.04. I’ll choose shared. I’ll go with regular and I’ll just go with the 1GB one, or I can go with the 2GB. It doesn’t matter; I’m going to delete this within the next 30 minutes. All these other options I’ll just forget about. And then SSH key: of course, I want to use an SSH key. So I’m just going to click on new SSH key and I will paste the content of my public key, the content that I got from my public key file. I will give it a name, and I can just call it temporary. Then I will add the SSH key, and that’s the one I’m going to use to deploy this server. So I’ll forget about both of these. Finalize: I want two droplets, and I will call one… I’ll just call one server one and the other one server two. I will put them inside of the demos project. And why is it $24? Oh yeah, there are two. I will create the droplets.

05:47 log in via SSH keys

Alright, alright. Our two virtual servers have been deployed. We can try and log in. So I’m going to copy the IP. I want to log into my server, so I’ll just do ssh. The user is root. ctrl + shift + v to paste. If you’re following on Git Bash, you can paste using shift + insert. ssh root, and we want to use our SSH private key, so I’ll do -i, which simply means the identity of the key. Then I’m going to type ssh and press tab to autocomplete the path. So wherever you saved your key, put that there; you can save your key anywhere. Let’s log into the first server.

And then I will accept it, yes, and press enter. You can see it’s asking us for a passphrase, so enter the passphrase that you chose. There we go, we’re logged into the first server. For the second server, I can also just open it in a new tab here. I will do ssh root, and what is the IP of the second server? Just click to copy. ctrl + shift + v, and then the identity of the key with -i. We used the same key, so I’m just going to do ssh/samples. Enter. Yes, accept this; you have to explicitly type yes and then press enter. Enter your passphrase. There we go, we logged into the second server. I’ll do ctrl + L to clear the screen.

07:42 Don’t expose private SSH Key

This side as well, ctrl + L to clear the screen. So let’s see why you should not share the content of your SSH key, your private SSH key. By the end of this video, you’re going to see two things: number one, why you should not share the content of your SSH key, and number two, why having a passphrase for your SSH key is important. So we’re going to… So the reason I deployed two servers was that I’m going to use server one to try and log into server two using the content of your private SSH key.

So let me open up another tab, and I want to open the content of the private SSH key. So I’m just going to do code, and that will open it inside of Visual Studio Code. There we go. So this is the content of a private key, and whenever you see that first line saying private key, you just know this is a private SSH key. I’m going to copy this. So if somebody gets access to this, they can log into your server, especially if you don’t have a passphrase. They can just take a screenshot and then use OCR, and it’s just going to convert it to text. So I’m just going to copy that.

First of all, let’s assume that you don’t know what you’re doing, right? You’re just trying out things. You want to see if you can log in using that key. Now you already have the key details, like I’ve just copied them. Maybe you don’t know what to do. Okay, the first thing you’re going to try is to just create a normal file with the content of the SSH key, to see if you can use that to log in. Let’s create a file. I’m just going to call it try. Something happened here, let’s log back in. ctrl + L. So let’s just say that we are going to try and create a new file. I’ll just call it key and press enter. Then I will copy the content of the private key inside there. I can do ctrl + shift + V, then press enter to accept that.

So we’re just assuming that you don’t know what you’re doing. You’re just trying things out, okay, to see if you can log in with the key without doing anything else to it. Press escape, and then I can do Shift + ZZ, and that’s going to save the file. That’s going to save the key in Vim. But you also know that your private SSH key needs to have certain permissions. So let’s change the permissions of the key with chmod 600. If you’re not the root user, make sure you’re using sudo. We’re going to change the permissions of the key. There we go. So let’s try and log in with the key, without doing anything else, just as it is.

So I’m just going to do ssh. Right now you can see we are at server one. So let’s get the IP of server two. We try to log in with the key. The user is root. So you can also see something here: if the second server allows root to log in, someone can just assume that they can log in as root. So it’s important also to disable the root user from logging in on the second server, and I have tutorials for this, on how to initially set up your server. Enter the IP address, ctrl + shift + V to paste. Then the identity of the key, -i for identity, and our key is just called key. So let’s try to log in. Right now, you’ve not done anything; you just created a file with the key in it. And of course, it’s going to ask you for the passphrase. But let’s see if the key is going to work. At this point, you can see that if you didn’t have a passphrase, someone would just be able to log into your server. Without the passphrase, they won’t be able to log in. You need to have the passphrase. And just like that, someone has logged into your server by just creating a simple file, changing the permission of the file, and copying your private SSH key inside there. That is not secure at all. So that is reason enough for you not to share the content of your private SSH key.

11:48 Key takeaways

In this video, you’ve seen at least four different things that can help you improve the security of your server. Number one, which is the most important and was the initial objective of the video: do not share the content of your private key. If somebody sees the key, they can just take a snapshot of it and run it through OCR software. There are lots of open-source OCR tools that they can use to convert it into text without really having to type. Then all they’ll have to do is confirm that everything is accurate, and they’ll use the key. That’s number one: do not share the content of your private SSH key. The public SSH key you can share; that doesn’t really matter. People can see that, but it’s not going to be the end of the world for your server.

Number two, when you’re generating your SSH key, you’ll be asked for a passphrase. You’ve seen why it’s important to add a passphrase. Even if somebody gets access to your SSH key, which is possible, very possible, they will not be able to log into your server without the passphrase. You also have to choose a passphrase that cannot be easily guessed. That’s number two.

And number three, you’ve seen that I tried to log in using the root user on the second server. If I were to go in and disable the root user from logging in (firstly create a new sudo user, then disable the root user from logging into my server), then on this other side you can see this individual would not be able to log in with the root user. They would simply get access denied.

And on the other end, you can also see why it’s sometimes important to change the SSH port of your server. If you change the SSH port, this individual will not be able to log in just by guessing that they can log in on port 22. It’s important to change the SSH port of your server as well, and I have videos for that. Once you change the SSH port on your server, you can use fail2ban to block someone out after they try to log in, say, three times. This is something you can do with fail2ban for SSH, and you can also use CrowdSec for this: if you use CrowdSec and add a CrowdSec bouncer, that’s something you can do with it.

I hope there are some gems you’ve gotten from this video that show you why it’s important to do an initial server setup for your server. I do have an Ubuntu setup video and a Debian free setup video. Make sure you follow those videos because they’re important. I’m also going to add the link to the blog post for those initial server setups. So that’s pretty much it for this video. If you have any questions, feel free to let me know. I will see you next time in another video.
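Two of the takeaways above (a leaked key is only as safe as its passphrase; root login and the default port make a leaked key immediately usable) can be checked before a server goes live. The script below is an added example, not code from the video or from Bizanosa: it reads the cipher name from an OpenSSH private key file to tell whether it is passphrase-protected, and audits an sshd_config for PermitRootLogin, Port and PasswordAuthentication. The key material it builds is a constructed header-only sample, not a usable key, and the function names are my own.

```python
"""Defender-side checks: is a private key passphrase-protected, and does
sshd still allow what the demo relied on (root login on port 22)?"""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # fixed header of the OpenSSH private key format
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def _read_string(buf: bytes, offset: int):
    """Read one uint32-length-prefixed string (SSH wire encoding)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length

def openssh_key_is_encrypted(pem_text: str) -> bool:
    """True when the key body names a cipher other than 'none', i.e. a
    passphrase is required before the key material can be used."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    cipher, _ = _read_string(blob, len(MAGIC))  # followed by kdfname, then options
    return cipher != b"none"

def audit_sshd_config(config_text: str) -> list:
    """Return the findings a hardening review would raise against sshd_config."""
    settings = {}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())  # sshd keeps the first match
    findings = []
    if settings.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin should be 'no'")
    if settings.get("port", "22") == "22":
        findings.append("Port is the default 22")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no'")
    return findings

def _fake_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: only the header fields, NOT a usable key."""
    body = MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", len(kdf)) + kdf
    return BEGIN + "\n" + base64.b64encode(body).decode() + "\n" + END + "\n"

UNPROTECTED_KEY = _fake_key(b"none", b"none")         # what ssh-keygen writes with an empty passphrase
PROTECTED_KEY = _fake_key(b"aes256-ctr", b"bcrypt")   # what it writes when a passphrase is set
SAMPLE_SSHD_CONFIG = "# constructed sample\nPort 22\nPermitRootLogin yes\n"
```

Run `openssh_key_is_encrypted(open(path).read())` on a real key file to confirm it was generated with a passphrase; an unprotected key that has been on screen or in a screenshot should be treated as compromised and replaced.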

