| title | parent | grand_parent | nav_exclude | has_toc | layout | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Login with SSH keys |
+ System |
Bonus Section |
true |
false |
|
One of the best options to secure the sensitive SSH login is to disable passwords altogether and require an SSH key certificate. Only someone with physical possession of the private certificate key can log in.
{% hint style="warning" %} Difficulty: Medium {% endhint %}
- On your regular computer, download Puttygen 64-bit x86 or 32-bit x86 version depending on your OS architecture, and start it. Also, you can download MobaXterm start it, and use the "MobaKeyGen (SSH key generator)" integrated tool in the "Tools" submenu
- Click on the "Generate" button and move the mouse over the window until the progress is finished
- Assign a key passphrase (recommended), to encrypt the private key locally, use
password [A]for example - Click on:
- "Save public key", and give it a name, eg.
minibolt_SSH_pubkey.txt - "Save private key", and give it a name, eg.
minibolt_SSH_privkey(Keep this safe!)
- "Save public key", and give it a name, eg.
- In the terminal on your regular computer, first, check if the keys already exist
ls -la ~/.ssh/*.pub- If files are listed, your public key should be named something like
id_rsa.pub. If one of these files already exists, skip the next step - If none of those files exist, or you get a "No such file or directory" error, create a new public/private key pair
ssh-keygen -t rsa -b 2048When you're prompted to "Enter a file in which to save the key", press Enter to use the default file location. Optionally, for maximum security, enter a key passphrase to protect your key, and use password [A]
-
The public key now needs to be copied to the PC
Use the command
ssh-copy-id, which stores your public key on the remote machine (and creates files and directories, if needed). You will be prompted for your SSH login password once. If fails you can tryadmin@192.168.x.xxxinstead
ssh-copy-id admin@minibolt{% hint style="info" %}
If you are on macOS and encounter an error, you might need to install ssh-copy-id first by running the following command on your Mac's command line
{% endhint %}
brew install ssh-copy-id- Login with the
adminuser on MiniBolt and create a new folder at home called ".ssh". If already exists, skip the next step
mkdir .ssh- Limit permissions for reading, writing, and executing only to the user admin
chmod 700 .ssh- Create a file called "authorized_keys" and paste the content information of the "minibolt_SSH_pubkey.txt" file generated in the Windows step before
nano .ssh/authorized_keyse.g:
ssh-rsa AAAAB3N........- Limit permissions for reading and writing only to the user admin
chmod 600 .ssh/authorized_keys- Login with the user
adminand create a new folder at home called".ssh". If already exists, skip the next step
mkdir .ssh- Limit permissions for reading, writing, and executing only to the user admin
chmod 700 .ssh- Create a file called "authorized_keys" on it and paste the content information of the "id_rsa.pub" file generated in the Linux or macOS step before
nano .ssh/authorized_keyse.g:
ssh-rsa AAAAB3N........- Limit permissions for reading and writing only to the user admin
chmod 600 .ssh/authorized_keys- On your regular computer, access to "GPG and SSH keys" section of your GitHub account, if you don't have an account create one
- Click on the "new SSH key" button, type a title e.g SSH_keys_MiniBolt, select Key type "Authentication key", and paste on the "Key" section the SSH pub key generated in the preparations section depending on the regular computer OS
- Login with the
adminuser on MiniBolt and create a new folder at home called ".ssh". If already exists, skip the next step
mkdir .ssh- Limit permissions for reading, writing, and executing only to the user admin
chmod 700 .ssh- Import your SSH GitHub keys replacing
<username>with the GitHub username (that appears in your profile section)
curl https://github.com/<username>.keys >> .ssh/authorized_keysExpected output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 725 100 725 0 0 1984 0 --:--:-- --:--:-- --:--:-- 1986
- Ensure that your SSH keys have been imported correctly in "authorized_keys" file, and press
Ctrl-Xto exit
nano .ssh/authorized_keys- Limit permissions for read and write only to the user admin
chmod 600 .ssh/authorized_keys- From the Terminal, use the native command
ssh -i /home/<user>/.ssh/id_rsa admin@minibolt.local{% hint style="warning" %} Attention: This command only works if you generated the SSH keys on Linux or macOS with the OpenSSH terminal method, not Putty or MobaXterm generation methods {% endhint %}
- On your regular computer, download Putty 64-bit x86 or 32-bit x86 version depending on your OS architecture, and start it
- To automatically connect and log in to your server you need to add the Private Key to the Putty client. Then go to the left Category menu, select SSH –> Auth -> Credentials, on "Private key file for authentication" hit the "Browse" button, search and add your Private Key file
- To the left tree, select "session", in the "Hostname (or IP address)" box, and type
admin@minibolt.localoradmin@192.168.x.xx, left port22to the right box. Click onOpen. If you selected a key passphrase in the preparations section, enter it. That’s it! Now you can automatically securely connect to your remote SSH server with Putty client by hitting the Open button without the need to enter passwords
- On your regular computer, download MobaXterm Portable edition or Installer edition version depending of you want to install it permanently or not
- Start MobaXterm, on the top menu, click on Session -> New session -> Select SSH
- Enter in remote host, "minibolt.local" or your MiniBolt IP address (192.168.x.xx), check to "specify username" and enter to the right "admin", keep port "22" selected to the right
- To automatically connect and login to your server you need to add the Private Key to the MobaXterm client, select the "Advanced SSH settings" tab, check "Use private key" and click on the icon to the right form shaped like a document and select your Private Key file
- Click on the "OK" button and that’s it! Now you can automatically securely connect to your remote SSH server with Putty client by hitting the "Open" button without the need to enter passwords
- Log in to the MiniBolt as
adminusing SSH with your SSH key. You shouldn't be prompted for the admin's password anymore - Edit the ssh configuration file
/etc/ssh/sshd_configby uncommenting the following options and setting their value tono
sudo nano /etc/ssh/sshd_config# uncomment and change the line to "no"
PermitRootLogin no
# change the line to "no"
UsePAM no
# change the line to "no"
PasswordAuthentication no
- Test this barebone SSH configuration. If you see no output to the next command, that is OK. If you see something like
/etc/ssh/sshd_config line XX: unsupported option "XXX"that means something is incorrect
sudo sshd -t- Restart the SSH daemon
sudo systemctl restart sshd- Type
exitorlogoutto finish the session - Log in again with the user
admin
You can no longer log in with a password. User "admin" is the only user that has the necessary SSH keys, no other user can log in remotely. You can follow the guide where you left it by clicking here
🚨 Backup your SSH keys!
{% hint style="danger" %} You will need to attach a screen and keyboard to your PC if you lose them {% endhint %}
{% hint style="danger" %} Attention: This could be a security risk, is not recommended to disable the admin password to avoid a possible and hypothetical attacker could gain complete control of the node in case of intrusion, if you do it, act at your own risk. {% endhint %}
- Ensure you are logged in with user admin, edit the next file
sudo visudo- Add the next line at the end of the file. Save and exit
admin ALL=(ALL) NOPASSWD:ALL