LinuxQuestions.org
Old 10-12-2014, 07:39 PM   #1
thealmightyos
Member
 
Registered: Mar 2009
Distribution: CentOS 6.5 / 7
Posts: 119

Rep: Reputation: 1
securing CentOS7 Server ssh/vsftp w/key | multiple client pc's


I am starting over on my server and this time I am being more serious about security. I think Shellshock has made everyone a little wary.

The first time I configured my server I disabled selinux because I found it annoying, allowed remote log in by root and stored files in my web root so I could get to them easily. Not this time.

My goal for this thread is to change the port for ssh, disable root login, disable password login and create and install keys and certs.

I can do most of that myself. Figuring out how to configure selinux to know I changed the port and to change it in the firewall is just a google search away. However, creating the key pairs... well google gives me TOO MUCH info...

Most sites describe very different steps. Some have you create the keys on the server, others on the client. Most assume only one server and one client, and almost all of them assume the server is Linux and the client is Windows. I have tried a couple of these methods and found them incompatible with each other.

I am hoping with the help from the security gurus here I can figure out the correct way to secure my system.

Server: CentOS 7

Clients:
CentOS 6.5
Mint 17
Android Phone (KitKat)
Windows 7 x3

For the Windows machines I am thinking about just putting putty on a thumb drive and having the key on there. If I lose the thumb drive I will have to change the keys.

I am eager to hear suggestions and possibly point me to a usable site about this.
 
Old 10-13-2014, 12:55 AM   #2
ilesterg
Member
 
Registered: Jul 2012
Location: München
Distribution: Debian, CentOS/RHEL
Posts: 587

Rep: Reputation: 72
In general, all you have to be concerned with is how to format the generated public key from your client machines to fit in the authorized_keys file on your CentOS server. For example, the following is the public key generated by puttygen on a Windows machine:

Code:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20141013"
AAAAB3NzaC1yc2EAAAABJQAAAIEA2YAf4Y10NYtO13QVBFKLcT1DDKErK5oU4/0o
up4i2CnPRJVoBx2f2sIQMmw2Jq73WkyqwlAFr3iqtN5FLKVBcXLQilvpSXidboaG
19RyGOVt5eZubOS3lnaZ7eNHGwa/cbF/N0ma1zJVn6h2VYNQUEHwQiiI4yny2KaI
ioqvbgM=
---- END SSH2 PUBLIC KEY ----
You should turn this into something like

Code:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEA2YAf4Y10NYtO13QVBFKLcT1DDKErK5oU4/0oup4i2CnPRJVoBx2f2sIQMmw2Jq73WkyqwlAFr3iqtN5FLKVBcXLQilvpSXidboaG19RyGOVt5eZubOS3lnaZ7eNHGwa/cbF/N0ma1zJVn6h2VYNQUEHwQiiI4yny2KaIioqvbgM= rsa-key-20141013
and add it to your CentOS machine's authorized_keys.

I just don't know what the public key looks like on the other machines.

Also, I am just being general with my response since..
Quote:
Originally Posted by thealmightyos View Post
I am hoping with the help from the security gurus here I can figure out the correct way to secure my system.
is quite a broad topic.
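
The conversion described in the post above, as an added example (not part of the original thread): it parses the PuTTYgen export, which is the RFC 4716 public key format, into the single-line form that authorized_keys expects, and reads the key type and RSA modulus size out of the decoded blob. The function names are illustrative; the key is the one posted above.

```python
import base64

# Public key as posted in the thread (PuTTYgen export, RFC 4716 format).
PUTTY_EXPORT = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20141013"
AAAAB3NzaC1yc2EAAAABJQAAAIEA2YAf4Y10NYtO13QVBFKLcT1DDKErK5oU4/0o
up4i2CnPRJVoBx2f2sIQMmw2Jq73WkyqwlAFr3iqtN5FLKVBcXLQilvpSXidboaG
19RyGOVt5eZubOS3lnaZ7eNHGwa/cbF/N0ma1zJVn6h2VYNQUEHwQiiI4yny2KaI
ioqvbgM=
---- END SSH2 PUBLIC KEY ----
"""

def read_string(blob, pos):
    """Read one SSH wire string (4-byte big-endian length, then data)."""
    end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
    if pos + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end

def rfc4716_to_openssh(text):
    """Return (authorized_keys line, key type, RSA modulus bits or None)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" \
            or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("not an RFC 4716 public key")
    comment, b64, body = "", [], iter(lines[1:-1])
    for line in body:
        if ":" not in line:            # base64 never contains ':'
            b64.append(line)
            continue
        while line.endswith("\\"):     # header continued on the next line
            line = line[:-1] + next(body, "")
        tag, _, value = line.partition(":")
        if tag.strip().lower() == "comment":
            comment = value.strip().strip('"')
    encoded = "".join(b64)             # authorized_keys needs one unbroken line
    blob = base64.b64decode(encoded, validate=True)
    key_type, pos = read_string(blob, 0)   # blob starts with its own type name
    key_type = key_type.decode("ascii")
    bits = None
    if key_type == "ssh-rsa":              # layout: type, exponent e, modulus n
        _, pos = read_string(blob, pos)
        n, pos = read_string(blob, pos)
        bits = int.from_bytes(n, "big").bit_length()
    return " ".join(p for p in (key_type, encoded, comment) if p), key_type, bits

if __name__ == "__main__":
    print(*rfc4716_to_openssh(PUTTY_EXPORT), sep="\n")
```

On a machine with OpenSSH installed, `ssh-keygen -i -f <file>` performs the same conversion. The modulus size is worth checking before a key is authorized: the key posted above decodes to a 1024-bit modulus, below the 2048-bit minimum in current RSA guidance.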
 
Old 10-13-2014, 10:48 AM   #3
thealmightyos
Member
 
Registered: Mar 2009
Distribution: CentOS 6.5 / 7
Posts: 119

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by ilesterg View Post

Also, I am just being general with my response since..

is quite a broad topic.
I know. Security is a very big issue with many complex choices. I will attempt to be more specific and say I am seeking assistance with using keys for remote authentication when using ssh and vsftpd.

Thank you for your demonstration of how certs created by puttygen differ from those made on a linux box. I think I can use that to make a usable pair. Will test and return with my results.

Question? Would it be best to have a different key pair for each device?
 
Old 10-13-2014, 12:23 PM   #4
thealmightyos
Member
 
Registered: Mar 2009
Distribution: CentOS 6.5 / 7
Posts: 119

Original Poster
Rep: Reputation: 1
Ok, so I did a lot more reading and it seems I got the whole process backwards and that was causing confusion and misunderstanding of how the keys worked. This page set me straight.

I thought that the server held the private key and the many devices that connected to it had public keys. But that isn't how it works. Both the public and private keys are on the client. The server only stores a file with the allowed public keys. You can add as many as you want. This also broke the misconception I had that key=file. The key itself is the string within the file and can be placed in other files (such as ~/.ssh/authorized_keys) or even program dialogs/settings.

I feel really stupid now posting a topic for this.


I guess I only have one more question: How did you guys learn to secure your servers? Class/Training? Trial and error? Books? Google-Fu? I want to become much better at this and my current "hey, let's try this!" approach isn't producing the desired results.
 
  



All times are GMT -5.
