0
0
this article assumes ideal situation and predicts no problems. i also assume that you know what it is all about, but if not – don’t try it. for troubleshooting use your google-fu (in most cases „man ssh” is good startpoint)
step-by-step todo:
- add new remote user
- configure user
- generate certificate
- install certificate
- remove ability to remote ssh root login
adding new server user with sudo perms:
1. login as root
~ $ ssh root@server.ovh2. be sure that sudo is installed
root ~ # apt-get update && apt-get install sudo3. add new shell user with adduser – do not foregot about STRONG password
root ~ # adduser USERNAMEroot ~ # adduser USERNAME
Adding user `USERNAME' ...
Adding new group `USERNAME' (1000) ...
Adding new user `USERNAME' (1000) with group `USERNAME' ...
Creating home directory `/home/USERNAME' ...
Copying files from `/etcgenerate key for our user/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for USERNAME
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
4. add user to sudoers by usermod command
root ~ # usermod -aG sudo USERNAME5. test it
root ~ # su - USERNAME
USERNAME@vps:~$ sudo whoami
[sudo] password for USERNAME:
root
USERNAME@vps:~$ exitat this point we got new shell user with sudo access, now we should enable login via ssh and block root ssh login
by default ssh service disallow plain password login, so
ssh USERNAME@servar.ovhwill asks for password, but will deny access for user.
7. we have two posibilities: enable plain password autorisation and generate key for our user. i will discribe both 🙂
7a. enable plain password autorization
all we have to do is to edit as root /etc/ssh/sshd_config
root ~ # nano /etc/ssh/sshd_configfind, uncoment and set to yes (or just add it) „PasswordAuthentication”
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yessave file and restart ssh
root ~ # service ssh restart && exitat this point you should be able to connect to your server by ssh, let’s try it out
ssh USERNAME@server.ovh
USERNAME@server.ovh's password:
/some server info here/
USERNAME@server.ovh ~$try if sudo works
USERNAME@server.ovh ~$ sudo -i
[sudo] password for USERNAME:
root ~ #great we are done here
7b. generate key for our user
at this moment we are working on client’s side on our account (one we will use for ssh login in future)
i. create ~/.ssh folder with propper rights (700)
USERNAME@localhost ~$ mkdir ~/.ssh
USERNAME@localhost ~$ chmod 700 ~/.sshii. generate rsa keys. remember few rules : if someone will stole your cert he will be able to autorise himself as you, so if that happend you have to chane keys EVERYWERE. to „buy some time” it’s wise to add passphrase and choose strong one. if cert will be stolen unautorised person will have to crack this password before. it’s also worth of mention that by default key is 2048 bit, but you can increase this to 4096 bits with -b flag.
USERNAME@localhost ~$ ssh-keygen -t rsa -b 4096or just
USERNAME@localhost ~$ ssh-keygen -t rsaGenerating public/private rsa key pair.
Enter file in which to save the key (/home/USERNAME/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/USERNAME/.ssh/id_rsa.
Your public key has been saved in /home/USERNAME/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:R2d2//zDuPypxDudSF1rPIsiaInd/qpa1aQbJSQB3k USERNAME@localhost
The key's randomart image is:
+----------[RSA 2048]-----------+
| . . |
| |\_|\ |
| | a_a\ |
| | | "] |
| ____| '-\___ |
| /.----.___.-'\ |
| // _ \ |
| // .-. (~v~) /| |
| |'| /\: .-- / \ |
| // |-/ \_/____/\/~| |
| |/ \ | []_|_|_] \ | |
| | \ | \ |___ _\ ]_} |
| | | '-' / '.' | |
| | | / /|: | |
| | | | / |: /\ |
| | | / / | / \ |
| | | | / / | \ |
| \ | |/\/ |/|/\ \ |
| \|\ |\| | | / /\/\__\ |
| \ \| | / | |__ |
| / | |____) |
| |_/ |
+-----------[SHA256]------------+
congrats, you have your own cert, now it’s time to transfer it to the host. (batman is extremely rare phenomenon)
iii. basicly all you have to do is to add your public key into ~/.ssh/authorized_keys file. we will do that using ssh-copy-id command from client machine
USERNAME@localhost ~$ ssh-copy-id USERNAME@server.ovh
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@server.ovh's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'USERNAME@server.ovh'"
and check to make sure that only the key(s) you wanted were added.we are done here, but …
if server’s ssh works on nos standard port (22) ssh-copy-id will fail, so there is alternative method.
first of all you have to copy public cert to server’s machine
scp /home/USERNAME/.ssh/id_rsa.pub USERNAME@server.ovh:/home/USERNAME/
USERNAME@server.ovh's password:
id_rsa.pub 100% 405 0.4KB/s 00:00now login to server
ssh USERNAME@server.ovh(backup your current authorized_hosts) and put key at the end of the file
cd ~
cp .ssh/authorized_keys authorized_keys_Backup
cat id_rsa.pub >> .ssh/authorized_keysand that’s it.
disable root ssh access:
1. login to the server (as your user)
ssh USERNAME@server.ovh2. edit (as root) /etc/ssh/sshd_config
USERNAME@server.ovh ~$ sudo nano /etc/ssh/sshd_config3. find and set to no (or put the lines into file)
# Authentication:
PermitRootLogin no
DenyUsers root3a. you can create blacklist to deny access for any other user typing it’s name on the DenyUsers list like
DenyUsers root joker bane face2 poisonivy3b. additional option is to create whitelist for allowed users
AllowUsers USERNAME wanebruce pennyalf gcpd_jim barbarag kanekate caincassandra4. save file and restart ssh
sudo service ssh restartfrom this moment you can’t login with root user and you can login with USERNAME (using keys/password) and sudo anything 🙂
Average Rating