this is mainly to explain how to orchestrate remote administration of linux servers. specifically debian based servers, sorry for the other distros. anyways, i have been delving into securing my remote access to servers and am now configuring ssh key based authentication, removing root access, and changing how sudo works. this all started from spinning up my oracle cloud instance, where i got a taste of ssh key based authentication.
i always knew that this existed, but never really implemented it into my infrastructure. now that i have a bit of experience with it, i decided to try it out on a test server. when deploying debian, you will want to install ssh or openssh; this will give you the tools to allow remote administration. now from my main desktop, i can generate ssh key pairs with ‘ssh-keygen’. i did some looking and ed25519 is the standard and works well for what i need it to do. you can run this command to generate a key pair (a private and a public key):
ssh-keygen -t ed25519 -C "[email protected]"
type in a directory path or press enter for the default.
now that we have our key pair generated, how can we apply this to a remote server? we can use ‘ssh-copy-id’ to send it to the server:
ssh-copy-id -i /path/to/id_ed25519.pub [email protected]
enter the password.
now that the public key has been sent to the remote server, we can remote onto the server. but there will still be a password prompt because we have not yet changed the ssh configuration file. follow these steps:
ssh [email protected]
sudo nano /etc/ssh/sshd_config
PermitRootLogin prohibit-password
MaxAuthTries 3
MaxSessions 2
PubkeyAuthentication yes
PasswordAuthentication no
ctrl+x and press y
this will give you a generic ssh configuration that is “secure”. you can go further and entirely disable the root account with:
sudo passwd -l root
now that key based authentication is enabled, restart the ssh service with:
sudo systemctl restart ssh
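a way to verify those sshd_config edits before restarting the service, as an added example that is not part of the original post; it is a plain sh checker that assumes awk and mktemp are installed:

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# settings this walkthrough sets, before restarting ssh. It mirrors sshd's
# parsing rules: keywords are case-insensitive, "keyword value" and
# "keyword=value" are both accepted, and the FIRST value for a keyword wins.
# Only the global section is read; lines from the first "Match" onward are
# skipped (assumption: the global defaults are what you want to verify).

# effective_value FILE KEYWORD -> first value set for KEYWORD, or empty
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[[:space:]]+/, "") }
        /^#/ || /^$/ { next }                        # comments and blank lines
        { split($0, f, /[[:space:]=]+/); k = tolower(f[1]) }
        k == "match" { exit }                        # end of the global section
        k == key { print f[2]; exit }                # first occurrence wins
    ' "$1"
}

# check_sshd_config FILE -> prints each deviation; returns 0 only if clean
check_sshd_config() {
    rc=0
    v=$(effective_value "$1" PermitRootLogin)
    case "$v" in no|prohibit-password) ;;
        *) echo "PermitRootLogin='$v' (want prohibit-password or no)"; rc=1 ;; esac
    v=$(effective_value "$1" PasswordAuthentication)
    [ "$v" = no ] || { echo "PasswordAuthentication='$v' (want no)"; rc=1; }
    v=$(effective_value "$1" PubkeyAuthentication)
    [ "$v" = yes ] || { echo "PubkeyAuthentication='$v' (want yes)"; rc=1; }
    v=$(effective_value "$1" MaxAuthTries)
    case "$v" in [1-3]) ;; *) echo "MaxAuthTries='$v' (want 1-3)"; rc=1 ;; esac
    return $rc
}

# Constructed sample: the hardened settings from the walkthrough plus a Match
# block whose override must not leak into the global check.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin prohibit-password
MaxAuthTries 3
MaxSessions 2
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
if check_sshd_config "$sample"; then echo "ok: $sample matches the walkthrough"; fi
```

the checker only reads the one file you pass it, so drop-ins pulled in by an `Include` line are not followed; `sudo sshd -t` syntax-checks the config and `sudo sshd -T` prints the values the daemon will actually use once restarted.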
close the remote connection to the server and log back in using the private key that was generated. we can ssh using this new flag:
ssh -i /path/to/id_ed25519 [email protected]
if done correctly, there will be no more password prompt when using ssh, though using sudo will still require a password. we can also remove this password requirement for sudo; bear in mind that whoever holds the private key then gets root with no further prompt. edit the sudoers file with:
sudo visudo
*scroll to bottom*
username ALL=(ALL) NOPASSWD:ALL
ctrl+x and press y
now if we want to simplify how we ssh into servers, we can add hosts to the config file that lives within ‘~/.ssh/’. this is where we can add hosts so that we can just type ‘ssh server1’ and it will remote us into the server without typing an ip address or user. the commands to do so:
nano ~/.ssh/config
Host server1
HostName 10.x.x.x
User username
IdentityFile /path/to/id_ed25519
StrictHostKeyChecking yes
ctrl+x and press y
this simplifies how we ssh into servers from a host machine. ensure that private keys are labeled properly so that there is no confusion. restricting the permissions on those private keys so that only the owner has read and write access is a great security measure (ssh will refuse to use a private key that other users can read), in addition to restricting the ~/.ssh folder itself:
chmod 600 /path/to/id_ed25519
chmod 700 ~/.ssh