Difference between revisions of "Access server"

From Anarchaserver

Revision as of 19:35, 7 April 2021

SSH

SSH keys provide **a more secure way** of logging into a virtual private server with SSH than using a password alone. Generating a key pair gives you two long strings of characters: a public key and a private key. You place the public key on the server and then connect with a client that holds the matching private key. When the two match, the server lets you in without asking for a password. You can increase security further by protecting the private key with a passphrase.

We also need to disable password authentication, so that only public key authentication is used. Confirm that key-based login works before reloading with this change, otherwise you can lock yourself out:

$ nano /etc/ssh/sshd_config

    # Change to no to disable tunnelled clear text passwords
    # PasswordAuthentication yes
    PasswordAuthentication no


Reload ssh server configuration:

$ /etc/init.d/ssh reload

or on newer systems:

$ sudo service ssh restart


[ ok ] Reloading OpenBSD Secure Shell server's configuration: sshd

Create RSA Key Pair

Create your RSA key pair on the computer from which you want to log in to the server.

Pay attention to which user you are on your local machine when you create the RSA key pair. The key pair is saved in a hidden directory in that user's home directory (~/.ssh), so trying to log in from a different local user will not work.

So create the RSA key pair as the local user that you wish to use to access the server. When generating the key, you will need to enter a **passphrase**.


$ ssh-keygen -t rsa -b 4096

By default it will generate two keys in ~/.ssh, a public key and a private key. The public key is the one we will send to an admin of Anarcha server; the private key stays on your machine.

Send public key to the server

After generating an SSH key pair, you will want to copy your public key to your new server.

Assuming you generated an SSH key pair using the previous step, use the following command at the terminal of your local machine to print your public key (id_rsa.pub):

$ cat ~/.ssh/id_rsa.pub

This should print your public SSH key, which should look something like the following:

ssh-rsa AAAB3NzaC1yc2EAAAADAQABAAABAQDBGTO0tsVejssuaYR5R3Y/i73SppJAhme1dH7W2c47d4gOqB4izP0+fRLfvbz/tnXFz4iOP/H6eCV05hqUhF+KYRxt9Y8tVMrpDZR2l75o6+xSbUOMu6xN+uVF0T9XzKcxmzTmnV7Na5up3QM3DoSRYX/EP3utr2+zAqpJIfKPLdA74w7g56oYWI9blpnpzxkEd3edVJOivUkpZ4JoenWManvIaSdMTJXMy3MtlQhva+j9CgguyVbUkdzK9KKEuah+pFZvaugtebsU+bllPTB0nlXGIJk98Ie9ZtxuY3nCKneB+KjKiXrAvXUPCI9mWkYS/1rggpFmu3HbXBnWSUdf localuser@machine.local

Select the public key, and copy it to your clipboard or send it by email.

Creating new sysadmin accounts

Changing to root user

$ sudo su

Check the sudo users

$ grep '^sudo:.*$' /etc/group | cut -d: -f4

If you are not yet in that list, create a superuser:

$ adduser superusername

Add the superuser to the sudo group:

$ sudo addgroup (username) sudo

Creating the .ssh directory and authorized_keys file in the superuser home directory

In the home directory of the superuser to whom we want to give SSH access to the server, create a new directory called .ssh and restrict its permissions with the following commands:

$ mkdir .ssh
$ chmod 700 .ssh


Now open a file in .ssh called authorized_keys with a text editor. We will use nano to edit the file:

$ nano .ssh/authorized_keys

Now paste the public key into the editor.

Save and close.


Now restrict the permissions of the authorized_keys file with this command:

$ chmod 600 .ssh/authorized_keys


Because we are creating the new user and its authentication files as root, we have to change the owner of the .ssh directory to the new user (recursively, with -R):

$ chown (user):(user) .ssh -R


Now the new sysadmin can log in over SSH as the new user, using the private key for authentication.
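
The checks below are an added example, not part of the original wiki page: a small shell audit of the two things this procedure sets up, password logins disabled in sshd_config and the permissions and ownership of .ssh and authorized_keys. The function names and the audit.sh file name are made up for illustration, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the wiki): audit what this page configures.
# Assumes GNU stat (stat -c), as on Debian-style systems.

# Print the effective global value of an sshd_config keyword.
# sshd keeps the FIRST value it reads for a keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes".
# Limitations: stops at the first Match block, does not follow Include,
# and does not parse the "Keyword=value" form.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }  # global section ends here
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# Succeed only if password logins are explicitly disabled
# (an absent keyword means the default, which is "yes").
password_auth_disabled() {  # usage: password_auth_disabled FILE
    [ "$(sshd_effective "$1" PasswordAuthentication)" = "no" ]
}

# Check HOMEDIR/.ssh (700) and authorized_keys (600), and that both are
# owned by the owner of HOMEDIR. Prints each problem; returns 1 if any.
check_key_perms() {  # usage: check_key_perms HOMEDIR
    home_dir=$1; bad=0
    owner=$(stat -c %U "$home_dir") || return 2
    for item in ".ssh:700" ".ssh/authorized_keys:600"; do
        path="$home_dir/${item%%:*}"; want=${item##*:}
        if [ ! -e "$path" ]; then
            echo "missing: $path"; bad=1; continue
        fi
        mode=$(stat -c %a "$path")
        [ "$mode" = "$want" ] || { echo "mode $mode, want $want: $path"; bad=1; }
        [ "$(stat -c %U "$path")" = "$owner" ] ||
            { echo "not owned by $owner: $path"; bad=1; }
    done
    return "$bad"
}

# Usage on a server, as root: sh audit.sh /etc/ssh/sshd_config /home/superusername
if [ "$#" -eq 2 ]; then
    password_auth_disabled "$1" || echo "password logins still allowed: $1"
    check_key_perms "$2"
fi
```

On a live server, `sshd -T` (run as root) prints the configuration sshd actually uses, and `sshd -t` checks the file for errors before a reload.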

After reboot

Access the physical mainframe to reboot the encrypted virtual machine. Ask the systeradmins for permission by posting on the mailing list anarchaserver@lists.systerserver.net