Difference between revisions of "Accessing servers remotely"

From Richmond Maker Labs
(Created page with "New servers, new method of entry. This page may disappear once you're in. =To start= ssh USERNAME@littlehouse.richmondmakerlabs.uk - p 47938 -p is the port number. ==Why...")
 
 
(25 intermediate revisions by the same user not shown)
Line 1: Line 1:
New servers, new method of entry. This page may disappear once you're in.
+
New servers, new method of entry.
  
 
=To start=
 
=To start=
  
   ssh USERNAME@littlehouse.richmondmakerlabs.uk - p 47938
+
   ssh USERNAME@littlehouse.richmondmakerlabs.uk -p 47983
  
 
-p is the port number.
 
-p is the port number.
  
==Why not the standard port 22?==
+
As usual, change your password with
* A lot of people do this for security through [https://en.wikipedia.org/wiki/Security_through_obscurity security through obfuscation].
+
 
* Personally it just because it lessens the amounts of scans we get and makes it easier to log at logs
+
  passwd
  
==I've failed and can't log in==
+
==I've failed 3 times and can't log in==
 
* Wait 10 minutes and try again. Or contact Andy
 
* Wait 10 minutes and try again. Or contact Andy
 +
** we're using fail2ban
 +
*** If you have a static IP, let me know and I'll whitelist it
 +
 +
==I can't remember that!==
 +
You probably don't need to if you're largely using the same computer.
 +
Create the following entry to a file called config in your .ssh folder, changing the username.
 +
 +
  Host rml-entry
 +
    HostName littlehouse.richmondmakerlabs.uk
 +
    Port 47983
 +
    User YOURUSERNAME
 +
  IdentityFile ~/.ssh/rml-entry
 +
 +
Once that's done you can just do
 +
  ssh rml-entry
 +
 +
You'll still need your password when using sudo of course.
 +
 +
Although you should still get in with your password, it will complain about not having a key, which we'll do now
  
 
=Public keys=
 
=Public keys=
We're going to move to using public keys and, once yours are set up, I'll disable password entry.  
+
We're going to move to using public keys and, once yours are set up, I'd like to disable password entry.  
  
 
On your computer, you need to do this once.   
 
On your computer, you need to do this once.   
  
 +
  cd ~/.ssh
 
   ssh-keygen -t ed25519 -a 100
 
   ssh-keygen -t ed25519 -a 100
  
Name it something useful (rml-entry works with the config file later) and put a password on it. This stops it being used if somehow lost/ taken
+
Name it something useful (rml-entry was what we put into the config file earlier) and put a password on it. This stops it being used if somehow lost/ taken.
  
 
<pre>
 
<pre>
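Review bot: in the added rml-entry Host block, the IdentityFile line is indented differently from HostName, Port and User, and it points at ~/.ssh/rml-entry before the "Public keys" section has created that file, which the added text itself says makes ssh complain. Indent it with the other options, and either move "I can't remember that!" after the key generation step or state next to the block that the IdentityFile line only takes effect once the key exists.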
Line 49: Line 69:
 
Now the key is created we need to add it to your account
 
Now the key is created we need to add it to your account
  
   ssh-copy-id USERNAME@littlehouse.richmondmakerlabs.uk -p 47983 -i ~/.ssh/rml-entry
+
   ssh-copy-id -i ~/.ssh/rml-entry USERNAME@littlehouse.richmondmakerlabs.uk -p 47983  
  
You can test this at this stage by
+
from now on you can just
  
   ssh USERNAME@littlehouse.richmondmakerlabs.uk -p 47938 -i ~/.ssh/rml-entry
+
   ssh rml-entry
  
 
Success is you getting in without having to enter your password.
 
Success is you getting in without having to enter your password.
  
==I can't remember that!==
+
=Notes=
You probably don't need to if you're largely using the same computer.
+
=Why use keys at all=
Look for a .ssh folder and create (or add) the following entry to a file called config, changing the username to your one and the identity file to whatever you called the key you created.
+
* Security
 +
* We're going to have more (virtual) servers and bouncing around them will be a pain
 +
* I'm going to look at synchronising logins (LDAP) but it's not here yet
  
  Host rml-entry
+
==Why not the standard port 22?==
    HostName littlehouse.richmondmakerlabs.uk
+
* A lot of people do this for security through [https://en.wikipedia.org/wiki/Security_through_obscurity security through obfuscation].
    Port 47983
+
* Personally it just because it lessens the amounts of scans we get and makes it easier to look at logs.
    User YOURUSERNAME
+
* It's a little more confusing but helpful and hopefully not too much of a speedbump for you.
  IdentityFile ~/.ssh/rml_entry_key
 
  
Once that's done you can just do
+
==Why that key type==
  ssh rml-entry
+
* I may be out of date here and and happy to take advice, more to keep it in line with my other systems
 +
* I won't be locking it down to just that key type, though may remove some of the older ones
  
You'll still need your password when using sudo of course.
+
==But ssh-copy-id won't work once you've turned off passwords==
 +
* True, but you can manually enter the information from your .pub key into your /home/USERNAME/authorized_keys , from a machine that you can access it with
 +
* Or drop me the .pub key and I'll do it for you
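Review bot: the added bullet under "But ssh-copy-id won't work once you've turned off passwords" gives the target as /home/USERNAME/authorized_keys, but OpenSSH's default AuthorizedKeysFile is .ssh/authorized_keys inside the home directory. Unless this server overrides that setting, the path should read /home/USERNAME/.ssh/authorized_keys, and the bullet should mention that the file must not be writable by other users.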

Latest revision as of 14:53, 10 January 2019

New servers, new method of entry.

To start

 ssh USERNAME@littlehouse.richmondmakerlabs.uk -p 47983

-p is the port number.

As usual, change your password with

 passwd

I've failed 3 times and can't log in

  • Wait 10 minutes and try again, or contact Andy.
    • We're using fail2ban.
      • If you have a static IP, let me know and I'll whitelist it.

I can't remember that!

You probably don't need to if you're largely using the same computer. Add the following entry to a file called config in your .ssh folder, changing the username.

 Host rml-entry
   HostName littlehouse.richmondmakerlabs.uk
   Port 47983
   User YOURUSERNAME
   IdentityFile ~/.ssh/rml-entry

Once that's done you can just do

 ssh rml-entry 

You'll still need your password when using sudo of course.

Although you should still get in with your password, ssh will complain about not having a key, which we'll set up now.

Public keys

We're going to move to using public keys and, once yours are set up, I'd like to disable password entry.

On your computer, you need to do this once.

 cd ~/.ssh
 ssh-keygen -t ed25519 -a 100

Name it something useful (rml-entry was what we put into the config file earlier) and put a password on it. This stops it being used if it is somehow lost or taken.

Generating public/private ed25519 key pair.
Enter file in which to save the key (C:\Users\andy/.ssh/id_ed25519): rml-entry
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in rml-entry.
Your public key has been saved in rml-entry.pub.
The key fingerprint is:
SHA256:UBa3EOvvnuxyWCuticQ51O0FriJ+2/x9KOOmO593les andy@BEAST
The key's randomart image is:
+--[ED25519 256]--+
|        *o.      |
|       o + .     |
|      . . o      |
|       + o .     |
|      . S o .   .|
|     o . +..   ..|
|    . * .+o. . ..|
|   . o.*=+B+o o. |
|    ..o.B/@+.o.E |
+----[SHA256]-----+

Getting key onto server

Now the key is created we need to add it to your account

 ssh-copy-id -i ~/.ssh/rml-entry USERNAME@littlehouse.richmondmakerlabs.uk -p 47983 

From now on you can just run

 ssh rml-entry

Success is you getting in without having to enter your password.

Notes

Why use keys at all

  • Security
  • We're going to have more (virtual) servers and bouncing around them will be a pain
  • I'm going to look at synchronising logins (LDAP) but it's not here yet

Why not the standard port 22?

  • A lot of people do this for security through obfuscation.
  • Personally it's just because it lessens the number of scans we get and makes it easier to look at logs.
  • It's a little more confusing but helpful and hopefully not too much of a speedbump for you.

Why that key type

  • I may be out of date here and am happy to take advice; it's more to keep it in line with my other systems
  • I won't be locking it down to just that key type, though may remove some of the older ones

But ssh-copy-id won't work once you've turned off passwords

  • True, but you can manually enter the information from your .pub key into your /home/USERNAME/authorized_keys, from a machine that you can access it with
  • Or drop me the .pub key and I'll do it for you
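
The manual route from the last note, as an added example that is not part of the original page: a shell function to run on the server once the .pub file has been copied over. It assumes sshd uses OpenSSH's default key file location (~/.ssh/authorized_keys); the function name install_pubkey and its arguments are made up for this example.

```sh
#!/bin/sh
# Added example: append a public key to authorized_keys by hand.
# Assumption: sshd uses OpenSSH's default AuthorizedKeysFile (~/.ssh/authorized_keys).
# Usage (hypothetical helper): install_pubkey rml-entry.pub [HOME_DIR]
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse anything that looks like a private key: only the .pub half is shared.
    if grep -q -e '-----BEGIN' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2
        return 2
    fi

    # Take the first non-empty line and check it starts with a known key type.
    key=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *) ;;
        *) echo "$pub is not an OpenSSH public key" >&2; return 3 ;;
    esac

    # With StrictModes on, sshd rejects key files that group or others can write to.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 4
    auth="$home/.ssh/authorized_keys"
    touch "$auth" && chmod 600 "$auth" || return 4

    # Idempotent: do nothing if this exact line is already installed.
    if grep -qxF -e "$key" "$auth"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}
```

Running it twice with the same key leaves a single entry, and pointing it at the private half (rml-entry rather than rml-entry.pub) is refused.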