Accessing servers remotely
New servers, new method of entry.
ssh USERNAME@littlehouse.richmondmakerlabs.uk -p 47983
-p is the port number.
As usual, change your password with
I've failed 3 times and can't log in
- Wait 10 minutes and try again, or contact Andy
- we're using fail2ban
- If you have a static IP, let me know and I'll whitelist it
I can't remember that!
You probably don't need to if you're largely using the same computer. Add the following entry to a file called config in your .ssh folder, changing the username.
Host rml-entry
    HostName littlehouse.richmondmakerlabs.uk
    Port 47983
    User YOURUSERNAME
    IdentityFile ~/.ssh/rml-entry
Once that's done you can just do
You'll still need your password when using sudo of course.
Although you should still get in with your password, it will complain about not having a key, which we'll set up now.
We're going to move to using public keys and, once yours are set up, I'd like to disable password entry.
On your computer, you need to do this once.
cd ~/.ssh
ssh-keygen -t ed25519 -a 100
Name it something useful (rml-entry was what we put into the config file earlier) and put a passphrase on it. This stops the key being used if it is somehow lost or taken.
Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\andy/.ssh/id_ed25519): rml-entry
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in rml-entry.
Your public key has been saved in rml-entry.pub.
The key fingerprint is:
SHA256:UBa3EOvvnuxyWCuticQ51O0FriJ+2/x9KOOmO593les andy@BEAST
The key's randomart image is:
+--[ED25519 256]--+
| *o. |
| o + . |
| . . o |
| + o . |
| . S o . .|
| o . +.. ..|
| . * .+o. . ..|
| . o.*=+B+o o. |
| ..o.B/@+.o.E |
+----[SHA256]-----+
Getting key onto server
Now the key is created we need to add it to your account
ssh-copy-id -i ~/.ssh/rml-entry USERNAME@littlehouse.richmondmakerlabs.uk -p 47983
from now on you can just
Success is you getting in without having to enter your password.
Why use keys at all
- We're going to have more (virtual) servers and bouncing around them will be a pain
- I'm going to look at synchronising logins (LDAP) but it's not here yet
Why not the standard port 22?
- A lot of people do this for security through obfuscation.
- Personally, it's just because it lessens the number of scans we get and makes it easier to look at logs.
- It's a little more confusing but helpful and hopefully not too much of a speedbump for you.
Why that key type
- I may be out of date here and am happy to take advice; it's more to keep it in line with my other systems
- I won't be locking it down to just that key type, though may remove some of the older ones
But ssh-copy-id won't work once you've turned off passwords
- True, but you can manually enter the information from your .pub key into your /home/USERNAME/authorized_keys, from a machine that you can still access the server with
- Or drop me the .pub key and I'll do it for you
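One way to do the manual step above safely, as an added example that is not part of the original page: a shell function that appends a single public key to authorized_keys, refuses a private key, and sets the permissions sshd expects. The function name install_pubkey is hypothetical, and it assumes the OpenSSH default location of .ssh/authorized_keys under the account's home directory.

```shell
#!/bin/sh
# Added example, not from the original page. Run it on the server, in a
# session that still works, to install one public key by hand.
# Usage: install_pubkey KEY.pub [HOME_DIR]   (HOME_DIR defaults to $HOME)
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    auth="$home/.ssh/authorized_keys"   # assumption: OpenSSH default path

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Only the .pub half ever goes on the server; refuse a private key.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key; use the .pub file" >&2
        return 2
    fi

    # Expect one line, "<type> <base64> [comment]". Strip CRs first, since
    # a key file copied from Windows may have CRLF line endings.
    n=$(tr -d '\r' < "$pub" | grep -c . || true)
    [ "$n" -eq 1 ] || { echo "expected exactly one key line" >&2; return 3; }
    line=$(tr -d '\r' < "$pub" | grep .)
    case $line in
        ssh-ed25519\ AAAA*|ssh-rsa\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key line" >&2; return 3 ;;
    esac

    # sshd's StrictModes (on by default) ignores the file if the directory
    # or file is writable by anyone else, so set tight modes explicitly.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # Idempotent: do nothing if this exact line is already installed.
    if grep -qxF -- "$line" "$auth"; then
        echo "key already present in $auth"
        return 0
    fi
    printf '%s\n' "$line" >> "$auth"
    echo "key added to $auth"
}
```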