Accessing servers remotely

From Richmond Maker Labs

New servers, new method of entry.

To start

 ssh USERNAME@littlehouse.richmondmakerlabs.uk -p 47983

-p is the port number.

As usual, change your password with

 passwd

I've failed 3 times and can't log in

  • Wait 10 minutes and try again. Or contact Andy
    • we're using fail2ban
      • If you have a static IP, let me know and I'll whitelist it

I can't remember that!

You probably don't need to if you're largely using the same computer. Add the following entry to a file called config in your .ssh folder, changing the username.

 Host rml-entry
   HostName littlehouse.richmondmakerlabs.uk
   Port 47983
   User YOURUSERNAME
   IdentityFile ~/.ssh/rml-entry

Once that's done you can just do

 ssh rml-entry 

You'll still need your password when using sudo of course.

Although you should still get in with your password, it will complain about not having a key, which we'll set up now.

Public keys

We're going to move to using public keys and, once yours are set up, I'd like to disable password entry.

On your computer, you need to do this once.

 cd ~/.ssh
 ssh-keygen -t ed25519 -a 100

Name it something useful (rml-entry was what we put into the config file earlier) and put a password on it. This stops it being used if it is somehow lost or taken.

Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\andy/.ssh/id_ed25519): rml-entry
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in rml-entry.
Your public key has been saved in rml-entry.pub.
The key fingerprint is:
SHA256:UBa3EOvvnuxyWCuticQ51O0FriJ+2/x9KOOmO593les andy@BEAST
The key's randomart image is:
+--[ED25519 256]--+
|        *o.      |
|       o + .     |
|      . . o      |
|       + o .     |
|      . S o .   .|
|     o . +..   ..|
|    . * .+o. . ..|
|   . o.*=+B+o o. |
|    ..o.B/@+.o.E |
+----[SHA256]-----+

Getting key onto server

Now the key is created we need to add it to your account

 ssh-copy-id -i ~/.ssh/rml-entry -p 47983 USERNAME@littlehouse.richmondmakerlabs.uk

From now on you can just

 ssh rml-entry

Success is you getting in without having to enter your password.

Notes

Why use keys at all

  • Security
  • We're going to have more (virtual) servers and bouncing around them will be a pain
  • I'm going to look at synchronising logins (LDAP) but it's not here yet

Why not the standard port 22?

  • A lot of people do this for security through obfuscation.
  • Personally, it's just because it lessens the number of scans we get and makes it easier to look at logs.
  • It's a little more confusing but helpful and hopefully not too much of a speedbump for you.

Why that key type

  • I may be out of date here and am happy to take advice; it's more to keep it in line with my other systems
  • I won't be locking it down to just that key type, though may remove some of the older ones

But ssh-copy-id won't work once you've turned off passwords

  • True, but you can manually add the contents of your .pub key to /home/USERNAME/.ssh/authorized_keys on the server, from a machine that you can still access it with
  • Or drop me the .pub key and I'll do it for you
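
One way to do the manual step above safely, as an added example rather than anything from this wiki or its admins: a small shell function to run on the server that checks the file really is a single public key line, sets the permissions sshd expects, and avoids adding the same key twice. The function name install_pubkey and its arguments are made up for this example.

```shell
#!/bin/sh
# Added example (not the wiki's own script). Run it on the server, as the
# account that owns the key. install_pubkey and its arguments are made up here.
# Usage: install_pubkey PUBFILE [HOME_DIR]
install_pubkey() {
    pubfile=$1
    home_dir=${2:-$HOME}
    ssh_dir=$home_dir/.ssh
    auth=$ssh_dir/authorized_keys

    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 1; }

    # A .pub file is a single line: "type base64-data [comment]".
    # A private key file is multi-line, so this check also refuses one.
    # tr strips carriage returns in case the file came from Windows.
    [ "$(tr -d '\r' < "$pubfile" | grep -c .)" -eq 1 ] ||
        { echo "expected exactly one key line" >&2; return 1; }
    key_line=$(tr -d '\r' < "$pubfile" | grep .)
    read -r ktype blob _comment <<EOF
$key_line
EOF
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unrecognised key type: $ktype" >&2; return 1 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "key data is not base64" >&2; return 1 ;;
    esac

    # sshd (StrictModes) refuses keys if these are writable by anyone else.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Match on type and data so a changed comment does not add a duplicate.
    if grep -qF -- "$ktype $blob" "$auth"; then
        echo "key already present in $auth"
        return 0
    fi
    # Make sure the existing file ends in a newline before appending.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
    printf '%s\n' "$key_line" >> "$auth"
    echo "added $ktype key to $auth"
}

if [ "$#" -gt 0 ]; then install_pubkey "$@"; fi
```

Saved as a script, it would be run as `sh install_pubkey.sh rml-entry.pub` (the script file name is also made up) after copying the .pub file over.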