ben/diyhosting
ben/diyhosting
1
0
Fork 1
Code Issues 1 Pull Requests Projects Releases Wiki Activity
0bc025bff8
diyhosting/sshkeys.html
Mark McNally 0bc025bff8 Added styling for a "callout" style aside and added a callout about ssh 
key file permissions
2021-06-30 16:23:02 +01:00

174 lines
8.0 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html lang=en>
<head>
<title>Log on with SSH Keys &ndash; LandChad.net</title>
<meta charset="utf-8"/>
<link rel="shortcut icon" href="favicon.ico" type="image/x-icon" />
<link rel='stylesheet' type='text/css' href='style.css'>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel='alternate' type='application/rss+xml' title='Land Chad RSS' href='/rss.xml'>
</head>
<body>
<header><h1>Log on with SSH Keys</h1></header>
<nav></nav>
<main>
<p>
Let's generate and use SSH keys on our computer.
This allows us to ensure our identity better than a password ever could.
This allows us to do two main things:
</p>
<ol>
<li><strong>Password-less login</strong>: With SSH keys, we can permanently designate our profile on our local computer as safe for hour server, allowing us to bypass password verification when logging into our server.</li>
<li><strong>Prevent hacking</strong>: Since we no longer need a password to log in, we can simply deactivate password logins on our server altogether, which prevents hacking from people who may be so lucky as to guess our password!</li>
</ol>
<p>
In order words, using an SSH key to login is <strong>both safer, faster and easier</strong>.
</p>
<p>
This is especially better once you start making scripts on your computer that interact with your server.
You can upload files in the background, edit your spam filters or anything else from your local computer without having to input
your password each time you touch the server.
</p>
<h2>Generate an SSH key pair</h2>
<p>
Generating an SSH key is simple. Just run:
</p>
<pre><code>ssh-keygen</code></pre>
<p>
It will prompt you for several options and you can generally chose the default options in each case.
It will ask you to optionally include a password on your SSH key.
I generally recommend against this unless you happen to be using a computer where you don't have root access but someone else does (it does minimize the ease of using an SSH key in our case).
</p>
<h3>What does this SSH key do?</h3>
<p>
Now whenever you use <code>ssh</code> to log into a server, you have the public key of this SSH key pair as your identifier.
You can tell your server to trust this key and it will automatically allow password-less logins from this computer.
</p>
<h3>Backing up your key</h3>
<p>
We will do that momentarily, but first, I recommend you backup your newly generated key if you plan to use it.
If we disable logins to this one key and then lose the key, we might be locked out of our server.
</p>
<p>
I suggest copying your entire <code>~/.ssh/</code> directory (user-specific) to a USB drive and storing it securely.
You may also copy it to the same place on another computer to use the key there.
</p>
<h2>Making your server trust your key.</h2>
<p>
Now that you have an SSH key generate, just run the following:
</p>
<pre><code>ssh-copy-id root@yourdomain.com</code></pre>
<p>
That will ask for your server's root password and will log you in briefly.
What this does is that it puts your public SSH key fingerprint on your server in a file <code>/root/.ssh/authorized_keys</code>.
What this does is that it allows approved SSH keys to login without passwords.
</p>
<aside>
<p>
Note that you can also replace <strong>root</strong> with a username of an account on the server if you had made a non-root user that you'd like to easily log into as well.
For the username <strong>user</strong>, it will also store the key in <code>/home/user/.ssh/authorized_keys</code>.
</p>
</aside>
<p>
To test if this has worked, now try logging in normally to your server with ssh:
</p>
<pre><code>ssh root@yourdomain.com</code></pre>
<p>
It should now let your log in without a password prompt!
</p>
<aside class=callout>
<p>
If you find that this does not work try running the following, make sure you are in the directory where the keys where created.
</p>
<p>
<code> chmod 700 .ssh/ </code>
</p>
<code> chmod 644 .ssh/id_rsa.pub </code>
<p>
<code> chmod 600 .ssh/id_rsa </code>
</p>
<code> chmod 644 .ssh/authorized_keys </code>
<p>
For whatever reason these files due not have the correct permissions set, as ssh is very picky about correct file permissions this can cause errors. The above will fix these.
</p>
</aside>
<h2>Disabling Password Logins for Security</h2>
<p>
Once we have authorized ssh keys for all the devices we need, we can actually just disable password logins.
If you've ever looked at your system logs (<code>journalctl -xe</code>) you will find that there are always hundreds of random Chinese computers trying to brute force every server connected to the internet with random passwords.
They usually always are unsuccessful, but let's make it <strong>impossible</strong> for them.
</p>
<p>
Log into your server and open the <code>/etc/ssh/sshd_config</code> file.
Here we can set settings for our SSH daemon that receives SSH requests.
</p>
<p>
Now find, uncomment or create the following three lines and set them all to <strong>no</strong>:
</p>
<pre><code>PasswordAuthentication <strong>no</strong>
ChallengeResponseAuthentication <strong>no</strong>
UsePAM <strong>no</strong></code></pre>
<p>
Once we've done that, we will reload hour SSH daemon:
</p>
<pre><code>systemctl reload sshd</code></pre>
<h3>We're done!</h3>
<p>
Now you can log in quickly and password-less-ly to your server, despite the fact that it is now more secure than ever!
</p>
<p>
With these settings, even if a hacker steals or perfectly guesses an account password, they still cannot log in without an approved SSH key!
</p>
<h2>What if I lose my SSH key?!</h2>
<p>
Firstly, don't do this. Make every precaution that you have a backup.
</p>
<p>
If this does happens, Vultr and most other VPS providers will have one little out.
Log onto their website and select the server you want to log into.
</p>
<img src="pix/ssh-01.png" alt="vultr login">
<p>
In the image above, to the right of your VPS name are a series of icons.
Click on the computer screen-like icon which is the leftmost one.
</p>
<p>
This will open up a browser window emulating a terminal and you can always login with your password here,
since logins here count as being local and they do not use SSH and therefore can indeed validate with your password even if you have disabled it over SSH.
</p>
<p>
From here, simply reverse the settings we set above and you can login via SSH with a password and you can reapprove a newly created SSH key or whatever you want to do.
</p>
</main>
<footer><a href="https://landchad.net">LandChad.net</a></br>Because Everyone should be an Internet LandChad.</br><li><a href="index.html"><img src="pix/chad.gif" alt="chad"></a></li><li><a href="rss.xml"><img src="pix/rss.svg" alt="RSS"></a></li><li><a href="pix/btc.png"><img src="pix/btc.svg" alt="BTC"></a></li><li><a href="pix/xmr.png"><img src="pix/xmr.svg" alt="XMR"></a></li><li><a href="https://github.com/lukesmithxyz/landchad"><img src="pix/git.svg" alt="Github"></a></footer>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink