169 lines
7.2 KiB
HTML
169 lines
7.2 KiB
HTML
<!DOCTYPE html>
|
|
<html lang=en>
|
|
<head>
|
|
<title>Log on with SSH Keys – diyhosting.bhh.sh</title>
|
|
<!--# include file=".nav.html" -->
|
|
</head>
|
|
<body>
|
|
<header><h1>Log on with SSH Keys</h1></header>
|
|
<nav></nav>
|
|
<main>
|
|
<p>
|
|
Let's generate and use SSH keys on our computer.
|
|
This allows us to ensure our identity better than a password ever could.
|
|
This allows us to do two main things:
|
|
</p>
|
|
<ol>
|
|
<li><strong>Password-less login</strong>: With SSH keys, we can permanently designate our profile on our local computer as safe for our server, allowing us to bypass password verification when logging into our server.</li>
|
|
<li><strong>Prevent hacking</strong>: Since we no longer need a password to log in, we can simply deactivate password logins on our server altogether, which prevents hacking from people who may be so lucky as to guess our password!</li>
|
|
</ol>
|
|
<p>
|
|
In other words, using an SSH key to login is <strong>both safer, faster and easier</strong>.
|
|
</p>
|
|
|
|
<p>
|
|
This is especially useful once you start making scripts on your computer that interact with your server.
|
|
You can upload files in the background, edit your spam filters or anything else from your local computer without having to input
|
|
your password each time you touch the server.
|
|
</p>
|
|
<h2>Generate an SSH key pair</h2>
|
|
<p>
|
|
Generating an SSH key is simple. Just run:
|
|
</p>
|
|
<pre><code>ssh-keygen</code></pre>
|
|
<p>
|
|
It will prompt you for several options and you can generally chose the default options in each case.
|
|
It will ask you to optionally include a password on your SSH key.
|
|
I generally recommend against this unless you happen to be using a computer where you don't have root access but someone else does (it does minimize the ease of using an SSH key in our case).
|
|
</p>
|
|
<h3>What does this SSH key do?</h3>
|
|
<p>
|
|
Now whenever you use <code>ssh</code> to log into a server, you have the public key of this SSH key pair as your identifier.
|
|
You can tell your server to trust this key and it will automatically allow password-less logins from this computer.
|
|
</p>
|
|
<h3>Backing up your key</h3>
|
|
<p>
|
|
We will do that momentarily, but first, I recommend you backup your newly generated key if you plan to use it.
|
|
If we disable logins to this one key and then lose the key, we might be locked out of our server.
|
|
</p>
|
|
<p>
|
|
I suggest copying your entire <code>~/.ssh/</code> directory (user-specific) to a USB drive and storing it securely.
|
|
You may also copy it to the same place on another computer to use the key there.
|
|
</p>
|
|
|
|
<h2>Making your server trust your key.</h2>
|
|
|
|
<p>
|
|
Now that you have generated an SSH key, just run the following:
|
|
</p>
|
|
|
|
<pre><code>ssh-copy-id root@yourdomain.com</code></pre>
|
|
|
|
<p>
|
|
The command will ask for your server's root password and log you in briefly.
|
|
What this does is that it puts your public SSH key fingerprint on your server in a file <code>/root/.ssh/authorized_keys</code>.
|
|
This file in turn allows approved SSH keys to log in without passwords.
|
|
</p>
|
|
|
|
<aside>
|
|
<p>
|
|
Note that you can also replace <strong>root</strong> with a username of an account on the server if you had made a non-root user that you'd like to easily log into as well.
|
|
For the username <strong>user</strong>, it will also store the key in <code>/home/user/.ssh/authorized_keys</code>.
|
|
</p>
|
|
</aside>
|
|
|
|
<p>
|
|
To test if this has worked, now try logging in normally to your server with ssh:
|
|
</p>
|
|
|
|
<pre><code>ssh root@yourdomain.com</code></pre>
|
|
|
|
<p>
|
|
It should now let you log in without a password prompt!
|
|
</p>
|
|
<aside class=callout>
|
|
<p>
|
|
If you find that this does not work try running the following, make sure you are in the directory where the keys where created.
|
|
</p>
|
|
<p>
|
|
<code> chmod 700 .ssh/ </code>
|
|
</p>
|
|
<code> chmod 644 .ssh/id_rsa.pub </code>
|
|
<p>
|
|
<code> chmod 600 .ssh/id_rsa </code>
|
|
</p>
|
|
<code> chmod 644 .ssh/authorized_keys </code>
|
|
<p>
|
|
For whatever reason these files due not have the correct permissions set, as ssh is very picky about correct file permissions this can cause errors. The above will fix these.
|
|
</p>
|
|
</aside>
|
|
|
|
<h2>Disabling Password Logins for Security</h2>
|
|
|
|
<p>
|
|
Once we have authorized ssh keys for all the devices we need, we can actually just disable password logins.
|
|
If you've ever looked at your system logs (<code>journalctl -xe</code>) you will find that there are always hundreds of random Chinese computers trying to brute force every server connected to the internet with random passwords.
|
|
They are usually unsuccessful, but let's make it <strong>impossible</strong> for them.
|
|
</p>
|
|
|
|
<p>
|
|
Log into your server and open the <code>/etc/ssh/sshd_config</code> file.
|
|
Here we can set settings for our SSH daemon that receives SSH requests.
|
|
</p>
|
|
|
|
<p>
|
|
Now find, uncomment or create the following three lines and set them all to <strong>no</strong>:
|
|
</p>
|
|
|
|
<pre><code>PasswordAuthentication <strong>no</strong>
|
|
ChallengeResponseAuthentication <strong>no</strong>
|
|
UsePAM <strong>no</strong></code></pre>
|
|
|
|
<p>
|
|
Once we've done that, we will reload our SSH daemon:
|
|
</p>
|
|
|
|
<pre><code>systemctl reload sshd</code></pre>
|
|
|
|
<h3>We're done!</h3>
|
|
|
|
<p>
|
|
Now you can log in quickly and password-less-ly to your server, despite the fact that it is now more secure than ever!
|
|
</p>
|
|
<p>
|
|
With these settings, even if a hacker steals or perfectly guesses an account password, they still cannot log in without an approved SSH key!
|
|
</p>
|
|
|
|
|
|
<h2>What if I lose my SSH key?!</h2>
|
|
|
|
<p>
|
|
Firstly, don't do this. Take every precaution that you have a backup.
|
|
</p>
|
|
|
|
<p>
|
|
If this does happen, Vultr and most other VPS providers will have a way out.
|
|
Log onto their website and select the server you want to log into.
|
|
</p>
|
|
|
|
<img src="pix/ssh-01.png" alt="vultr login">
|
|
|
|
<p>
|
|
In the image above, to the right of your VPS name are a series of icons.
|
|
Click on the computer screen-like icon which is the leftmost one.
|
|
</p>
|
|
|
|
<p>
|
|
This will open up a browser window emulating a terminal and you can always login with your password here,
|
|
since logins here count as being local and they do not use SSH and therefore can indeed validate with your password even if you have disabled it over SSH.
|
|
</p>
|
|
|
|
<p>
|
|
From here, simply reverse the settings we set above and you can log in via SSH with a password and reapprove a newly created SSH key or whatever you want to do.
|
|
</p>
|
|
|
|
</main>
|
|
<!--# include file=".footer.html" -->
|
|
</body>
|
|
</html>
|