---
title: Login with SSH keys
parent: + System
grand_parent: Bonus Section
nav_exclude: true
has_toc: false
---
One of the best options to secure the sensitive SSH login is to disable password authentication altogether and require an SSH key pair. Only someone in possession of the private key (and of its passphrase, if you set one) can log in.

{% hint style="warning" %} Difficulty: Medium {% endhint %}
## Preparations on your regular computer

### Windows: PuTTYgen or MobaXterm

- On your regular computer, download PuTTYgen (64-bit x86 or 32-bit x86, depending on your OS architecture) and start it. Alternatively, download and start MobaXterm and use the "MobaKeyGen (SSH key generator)" integrated tool in the "Tools" submenu
- Click on the "Generate" button and move the mouse over the window until the progress bar is complete
- Assign a key passphrase (recommended) to encrypt the private key locally, using password [A] for example
- Click on "Save public key" and give it a name, e.g. `minibolt_SSH_pubkey.txt`. Note that this file is written in the RFC 4716 format, which sshd does not accept in `authorized_keys`; the line you will paste into the MiniBolt later is the single line shown in the "Public key for pasting into OpenSSH authorized_keys file" box, so copy that line into the text file as well (or keep PuTTYgen open)
- Click on "Save private key" and give it a name, e.g. `minibolt_SSH_privkey` (keep this safe!)
### Linux or macOS: ssh-keygen

- In the terminal on your regular computer, first check whether a key pair already exists

```sh
ls -la ~/.ssh/*.pub
```

- If files are listed, your public key is named something like `id_rsa.pub`. If one of these files already exists, skip the next step
- If no such file exists, or you get a "No such file or directory" error, create a new public/private key pair

```sh
ssh-keygen -t rsa -b 2048
```

When you're prompted to "Enter a file in which to save the key", press Enter to use the default file location. Optionally, for maximum security, enter a key passphrase to protect your key, using password [A] for example. (`ssh-keygen -t ed25519` is a modern alternative; if you use it, the files are named `id_ed25519` and `id_ed25519.pub` instead of `id_rsa` and `id_rsa.pub` in the rest of this guide)

- The public key now needs to be copied to the MiniBolt. Use the command `ssh-copy-id`, which stores your public key on the remote machine (and creates the files and directories if needed). You will be prompted for your SSH login password once. If the hostname does not resolve, try `admin@minibolt.local` or the MiniBolt's IP address (`admin@192.168.x.xx`) instead

```sh
ssh-copy-id admin@minibolt
```

{% hint style="info" %}
If you are on macOS and encounter an error, you might need to install `ssh-copy-id` first by running the following command on your Mac's command line
{% endhint %}

```sh
brew install ssh-copy-id
```
## Authorize the public key on the MiniBolt

### Key generated with PuTTYgen or MobaXterm

- Log in to the MiniBolt with the `admin` user and create a new folder in its home directory called `.ssh` (`-p` is harmless if it already exists)

```sh
mkdir -p .ssh
```

- Limit permissions for reading, writing, and executing to the user `admin` only (with the default `StrictModes yes`, sshd ignores a `.ssh` folder that other users can write to)

```sh
chmod 700 .ssh
```

- Create a file called `authorized_keys` and paste the one-line public key from PuTTYgen's "Public key for pasting into OpenSSH authorized_keys file" box (the `minibolt_SSH_pubkey.txt` file saved in the Windows step is in RFC 4716 format, which sshd does not read here)

```sh
nano .ssh/authorized_keys
```

e.g.:

```
ssh-rsa AAAAB3N........
```

- Limit permissions for reading and writing to the user `admin` only

```sh
chmod 600 .ssh/authorized_keys
```
### Key generated with ssh-keygen

If `ssh-copy-id` succeeded in the preparations section, this is already done and you can skip to the login section. Otherwise, do it manually:

- Log in to the MiniBolt with the `admin` user and create a new folder in its home directory called `.ssh` (`-p` is harmless if it already exists)

```sh
mkdir -p .ssh
```

- Limit permissions for reading, writing, and executing to the user `admin` only

```sh
chmod 700 .ssh
```

- Create a file called `authorized_keys` in it and paste the content of the `id_rsa.pub` file generated in the Linux or macOS step before

```sh
nano .ssh/authorized_keys
```

e.g.:

```
ssh-rsa AAAAB3N........
```

- Limit permissions for reading and writing to the user `admin` only

```sh
chmod 600 .ssh/authorized_keys
```
### Import keys from GitHub

- On your regular computer, go to the "SSH and GPG keys" section of your GitHub account settings; if you don't have an account, create one
- Click on the "New SSH key" button, type a title, e.g. SSH_keys_MiniBolt, select the key type "Authentication key", and paste into the "Key" field the SSH public key generated in the preparations section for your regular computer's OS
- Log in to the MiniBolt with the `admin` user and create a new folder in its home directory called `.ssh` (`-p` is harmless if it already exists)

```sh
mkdir -p .ssh
```

- Limit permissions for reading, writing, and executing to the user `admin` only

```sh
chmod 700 .ssh
```

- Import your GitHub SSH keys, replacing `<username>` with your GitHub username (the one that appears in your profile section). The `-f` flag makes curl fail on an HTTP error (e.g. a mistyped username) instead of appending GitHub's error page to the file

```sh
curl -f https://github.com/<username>.keys >> .ssh/authorized_keys
```

Expected output:

```
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   725  100   725    0     0   1984      0 --:--:-- --:--:-- --:--:--  1986
```

- Ensure that your SSH keys have been imported correctly into the `authorized_keys` file, then press Ctrl-X to exit

```sh
nano .ssh/authorized_keys
```

{% hint style="warning" %} GitHub's `.keys` endpoint returns every authentication key on the account, so anyone who was able to add a key to your GitHub account before you ran this command can also log in to the MiniBolt. Make sure only the keys you expect appear in the file {% endhint %}

- Limit permissions for reading and writing to the user `admin` only

```sh
chmod 600 .ssh/authorized_keys
```
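The three procedures above (PuTTYgen/MobaXterm key, ssh-keygen key, GitHub import) all end in the same state on the MiniBolt: `~/.ssh` at mode 700 and one public key per line in `~/.ssh/authorized_keys` at mode 600. The following script is an added example, not part of the MiniBolt guide, that produces that state idempotently and refuses input that is not a one-line OpenSSH public key (such as a private key or PuTTYgen's RFC 4716 file). The home-directory argument, the function names and the all-zero ed25519 sample key are assumptions made for the example; it runs on a scratch directory so it never touches the real `~/.ssh`:

```sh
#!/bin/sh
# Added example (not the MiniBolt guide's own code): install a public key into
# HOME_DIR/.ssh/authorized_keys the way the manual steps above do, but
# idempotently, with the modes sshd requires, and refusing anything that is
# not a one-line OpenSSH public key.

# Constructed sample key: an all-zero ed25519 key, NOT a real key.
# The trailing comment ("laptop") is free text and is ignored for dedup.
EXAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA laptop'

# install_authorized_key HOME_DIR "<type> <base64-blob> [comment]"
# Exit status: 0 = installed or already present, 2 = refused (malformed).
install_authorized_key() {
  _home=$1
  _key=$2
  # Accept only the key types sshd publishes. A line with an options prefix
  # (from=..., command=...) is deliberately out of scope here.
  case $_key in
    'ssh-ed25519 '*|'ssh-rsa '*|'ecdsa-sha2-nistp256 '*|'ecdsa-sha2-nistp384 '*|'ecdsa-sha2-nistp521 '*|'sk-ssh-ed25519@openssh.com '*|'sk-ecdsa-sha2-nistp256@openssh.com '*) ;;
    *) echo "refused: not a one-line OpenSSH public key" >&2; return 2 ;;
  esac
  _type=$(printf '%s\n' "$_key" | awk '{print $1}')
  _blob=$(printf '%s\n' "$_key" | awk '{print $2}')
  if ! printf '%s\n' "$_blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'; then
    echo "refused: key blob is not base64" >&2; return 2
  fi
  _dir=$_home/.ssh
  _file=$_dir/authorized_keys
  # With the default StrictModes yes, sshd ignores ~/.ssh and authorized_keys
  # if anyone but the owner can write them, so set the modes every time.
  mkdir -p "$_dir" && chmod 700 "$_dir" || return 1
  touch "$_file" && chmod 600 "$_file" || return 1
  # Dedupe on type+blob only: the same key exported again with another
  # comment must not be appended twice.
  if awk -v t="$_type" -v b="$_blob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$_file"; then
    echo "already present: $_type key in $_file"
    return 0
  fi
  printf '%s\n' "$_key" >> "$_file"
  echo "installed: $_type key in $_file"
}

# count_authorized_keys HOME_DIR -> number of lines in authorized_keys (0 if absent)
count_authorized_keys() {
  [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return; }
  awk 'END { print NR }' "$1/.ssh/authorized_keys"
}

# check_authorized_keys_perms HOME_DIR -> 0 if the modes are 700 / 600 as sshd wants
check_authorized_keys_perms() {
  [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = 'drwx------' ] &&
  [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = '-rw-------' ]
}

# Demo on a scratch directory, so nothing touches the real ~/.ssh.
demo_dir=$(mktemp -d)
install_authorized_key "$demo_dir" "$EXAMPLE_KEY"
install_authorized_key "$demo_dir" "${EXAMPLE_KEY%laptop}desktop"   # same key, other comment
install_authorized_key "$demo_dir" '-----BEGIN OPENSSH PRIVATE KEY-----' || echo "-> refused (exit $?)"
echo "keys in file: $(count_authorized_keys "$demo_dir")"          # 1
check_authorized_keys_perms "$demo_dir" && echo "modes OK"
rm -rf "$demo_dir"
```

On the MiniBolt you would call it as `install_authorized_key "$HOME" "$(cat id_rsa.pub)"` (assumed usage). Afterwards `ssh-keygen -lf ~/.ssh/authorized_keys` prints the fingerprint of every installed key, which is the quickest way to confirm that only your own keys are present, for instance after the GitHub import.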
## Log in with your SSH key

### Linux or macOS

- From the terminal, use the native `ssh` command (`-i` is only needed if the private key is not in the default location `~/.ssh/id_rsa`, which `ssh` tries automatically)

```sh
ssh -i ~/.ssh/id_rsa admin@minibolt.local
```

{% hint style="warning" %} Attention: This command only works if you generated the SSH keys on Linux or macOS with the OpenSSH terminal method, not with the PuTTYgen or MobaXterm generation methods, whose private key file (`.ppk`) is not in OpenSSH format {% endhint %}
### Windows: PuTTY

- On your regular computer, download PuTTY (64-bit x86 or 32-bit x86, depending on your OS architecture) and start it
- To connect and log in to your server automatically you need to add the private key to the PuTTY client. In the left Category menu, select SSH -> Auth -> Credentials, and under "Private key file for authentication" hit the "Browse" button, search for and add your private key file
- In the left tree, select "Session"; in the "Host Name (or IP address)" box, type `admin@minibolt.local` or `admin@192.168.x.xx`, leave port `22` in the box to the right, and click on "Open" (give the session a name under "Saved Sessions" and click "Save" first so you do not have to repeat this). If you assigned a key passphrase in the preparations section, enter it. That's it! From now on you can securely connect to your remote SSH server with the PuTTY client by hitting the "Open" button without the need to enter passwords
### Windows: MobaXterm

- On your regular computer, download the MobaXterm Portable edition or Installer edition, depending on whether you want to install it permanently or not
- Start MobaXterm; on the top menu, click on Session -> New session -> SSH
- In "Remote host", enter `minibolt.local` or your MiniBolt IP address (192.168.x.xx), check "Specify username" and enter `admin` to the right, and keep port `22` selected on the right
- To connect and log in to your server automatically you need to add the private key to the MobaXterm client: select the "Advanced SSH settings" tab, check "Use private key", click on the document-shaped icon to the right of the field and select your private key file
- Click on the "OK" button and that's it! From now on you can securely connect to your remote SSH server with the MobaXterm client by opening the saved session, without the need to enter passwords
{% hint style="success" %} You can follow the guide where you left it by clicking HERE {% endhint %}
## Disable password login

- Log in to the MiniBolt as `admin` using SSH with your SSH key (you shouldn't be prompted for admin's password anymore). Keep this session open until the end of this section: if something goes wrong, you can still repair the configuration from here
- Add a custom config file to the drop-in config directory

```sh
sudo nano /etc/ssh/sshd_config.d/custom.conf
```

- Add the next content

```
PermitRootLogin no
UsePAM no
PasswordAuthentication no
```

{% hint style="info" %}
The drop-in only takes effect if `/etc/ssh/sshd_config` contains the line `Include /etc/ssh/sshd_config.d/*.conf` (the Ubuntu default). For each keyword sshd uses the first value it reads, which is why that `Include` sits at the top of the main file. `UsePAM no` also switches off PAM account and session modules for SSH logins (e.g. `pam_motd`, `pam_limits`); if you depend on them, keep `UsePAM yes` and add `KbdInteractiveAuthentication no` instead, so that PAM cannot prompt for a password through the keyboard-interactive method
{% endhint %}

- Test this barebone SSH configuration

```sh
sudo sshd -t
```

{% hint style="info" %}
If you see no output from the previous command, that is OK. If you see something like `/etc/ssh/sshd_config line XX: unsupported option "XXX"`, something is incorrect
{% endhint %}

- Restart the SSH daemon to apply the changes

```sh
sudo systemctl restart sshd
```

- From a second terminal on your regular computer, log in again with the user `admin` while the first session is still open. Only once that works, type `exit` or `logout` in the first session to finish it

{% hint style="info" %} You can no longer log in with a password. Since `admin` is the only user with an authorized SSH key, there is no longer any way to log in remotely as another user {% endhint %}
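`sudo sshd -t` only proves that the files parse; whether `custom.conf` actually took effect depends on the `Include` line and on sshd's first-value-wins rule, so the values to trust are the ones `sudo sshd -T` prints (the effective configuration after all includes are resolved). The following script is an added example, not part of the MiniBolt guide: a small audit that reads that output and fails on anything that still allows a password login. The two samples are constructed stand-ins for `sudo sshd -T` output and the function name is an assumption:

```sh
#!/bin/sh
# Added example (not the MiniBolt guide's own code): audit the effective sshd
# configuration as printed by `sshd -T`, so a drop-in file that did not take
# effect cannot go unnoticed. Feed it real output with:
#   sudo sshd -T | audit_sshd_config

# Constructed: what a stock Ubuntu host typically reports before this section.
SAMPLE_BEFORE='port 22
permitrootlogin prohibit-password
passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
usepam yes'

# Constructed: after the drop-in, in the variant that keeps UsePAM yes and
# closes the keyboard-interactive path instead.
SAMPLE_AFTER='port 22
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
usepam yes'

# audit_sshd_config: reads `sshd -T` output on stdin; prints one FAIL line per
# finding and returns 1, or prints OK and returns 0. A missing keyword counts
# as a finding, so an unexpected sshd version cannot produce a false pass.
audit_sshd_config() {
  awk '
    { cfg[$1] = $2 }
    function want(key, value) {
      if (cfg[key] != value) { printf "FAIL %s=%s (want %s)\n", key, cfg[key], value; n++ }
    }
    END {
      want("passwordauthentication", "no")
      want("permitrootlogin", "no")
      want("pubkeyauthentication", "yes")
      # PAM can still ask for a password through keyboard-interactive auth,
      # unless PAM itself is off (UsePAM no, as the guide sets) or that method
      # is disabled. OpenSSH < 8.7 calls the keyword challengeresponseauthentication.
      kbi = ("kbdinteractiveauthentication" in cfg) ? cfg["kbdinteractiveauthentication"] : cfg["challengeresponseauthentication"]
      if (cfg["usepam"] != "no" && kbi != "no") {
        printf "FAIL keyboard-interactive=%s with usepam=%s (want no, or usepam no)\n", kbi, cfg["usepam"]; n++
      }
      if (n == 0) print "OK: password logins are closed"
      exit (n > 0)
    }'
}

# Stand-alone demo over the two constructed samples.
for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
  if printf '%s\n' "$sample" | audit_sshd_config; then echo "-> pass"; else echo "-> fail"; fi
done
```

Run it on the MiniBolt after `sudo sshd -t` and before restarting the daemon. With the guide's `UsePAM no`, a `kbdinteractiveauthentication yes` line is not reported, because without PAM there is nothing behind that method on Linux that could ask for a password; if you keep `UsePAM yes`, the audit expects `KbdInteractiveAuthentication no` as well.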
{% hint style="danger" %} Back up your SSH keys!! You will need to attach a screen and keyboard to your PC if you lose them {% endhint %}
{% hint style="success" %} You can follow the guide where you left it by clicking HERE {% endhint %}
## Disable the sudo password for admin (not recommended)

{% hint style="danger" %} Attention: This is a security risk. With this rule, anyone who obtains a shell as `admin` (for example with a stolen SSH key) becomes root without being asked for any further credential, so a hypothetical intruder would gain complete control of the node. If you do it anyway, you act at your own risk. {% endhint %}

- Ensure you are logged in with user `admin` and edit the sudoers file with `visudo`, which checks the syntax before saving (never edit `/etc/sudoers` with another editor: a syntax error locks everyone out of `sudo`)

```sh
sudo visudo
```

- Add the next line at the end of the file. It must come after the `%sudo` group rule, because when several sudoers entries match the same user the last one wins. Save and exit; `sudo -l` then lists the rules that apply to `admin`

```
admin ALL=(ALL) NOPASSWD:ALL
```