Add new guide

_Sidebar.md

@@ -4,6 +4,7 @@
 ## 📚 Guides
 ### 💽 Applications
 - [Create SSH Keys for Gitea](create-shh-keys)
+- [New User and SSH Acccess Setup](ssh-access-setup-guide)
 
 ### 🛜 Networking
 - [Generate Wireguard Peer in OPNsense](generate-wireguard)

ssh-access-setup-guide.md

@@ -0,0 +1,244 @@
+# Server User Setup with SSH Key Authentication
+
+This guide covers creating a new user account on a server, setting up SSH key authentication, and configuring sudo access.
+
+## Prerequisites
+
+- Console root access to the server
+- A local (Linux) machine where you'll generate the SSH keypair
+
+## Step 1: Generate SSH Keypair (Local Machine)
+
+On your local Linux machine, generate an SSH keypair:
+
+```bash
+ssh-keygen -t ed25519 -C "your_email@example.com"
+```
+
+When prompted:
+- **Enter file in which to save the key**: You can specify a custom name, e.g., `/home/yourusername/.ssh/id_ed25519_servername`
+- **Enter passphrase**: Choose a strong passphrase (recommended) or leave empty for no passphrase
+
+This creates two files:
+- `id_ed25519_servername` - Your private key (keep this secure)
+- `id_ed25519_servername.pub` - Your public key (this goes on the server)
+
+### Alternative: RSA Keys
+
+If you need RSA keys for compatibility:
+
+```bash
+ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
+```
+
+### Verify Keys Were Created
+
+```bash
+ls -la ~/.ssh/
+```
+
+You should see your newly created keypair files.
+
+## Step 2: Create New User on Server (Server Console as Root)
+
+Log into your server console as root and create a new user:
+
+```bash
+adduser username
+```
+
+Replace `username` with your desired username. You'll be prompted to:
+- Set a password
+- Enter optional user information (can be left blank)
+
+## Step 3: Add User to Sudo Group (Server Console as Root)
+
+Grant sudo privileges to the new user:
+
+```bash
+usermod -aG sudo username
+```
+
+Verify the user was added to the sudo group:
+
+```bash
+groups username
+```
+
+## Step 4: Set Up SSH Directory for New User (Server Console as Root)
+
+Create the SSH directory and authorized_keys file for your new user:
+
+```bash
+mkdir -p /home/username/.ssh
+touch /home/username/.ssh/authorized_keys
+chmod 700 /home/username/.ssh
+chmod 600 /home/username/.ssh/authorized_keys
+chown -R username:username /home/username/.ssh
+```
+
+## Step 5: Add Public Key to Server (Local Machine → Server)
+
+### Option A: Copy Public Key Content Manually
+
+On your local machine, display your public key:
+
+```bash
+cat ~/.ssh/id_ed25519_servername.pub
+```
+
+Copy the entire output, then on your server console (as root):
+
+```bash
+nano /home/username/.ssh/authorized_keys
+```
+
+Paste the public key content, save (Ctrl+O, Enter), and exit (Ctrl+X).
+
+### Option B: Use ssh-copy-id (If SSH is Already Enabled)
+
+If password authentication is still enabled on your server:
+
+```bash
+ssh-copy-id -i ~/.ssh/id_ed25519_servername.pub username@your_server_ip
+```
+
+## Step 6: Configure SSH (Optional but Recommended)
+
+On your local machine, create or edit your SSH config file:
+
+```bash
+nano ~/.ssh/config
+```
+
+Add an entry for easy connection:
+
+```
+Host servername
+    HostName your_server_ip_or_domain
+    User username
+    IdentityFile ~/.ssh/id_ed25519_servername
+    Port 22
+```
+
+Save and exit. Now you can connect with just:
+
+```bash
+ssh servername
+```
+
+## Step 7: Test SSH Connection (Local Machine)
+
+Test your SSH connection:
+
+```bash
+ssh -i ~/.ssh/id_ed25519_servername username@your_server_ip
+```
+
+Or if you configured your SSH config file:
+
+```bash
+ssh servername
+```
+
+## Step 8: Test Sudo Access (Server as New User)
+
+Once logged in as your new user, test sudo access:
+
+```bash
+sudo whoami
+```
+
+This should return `root` after entering your password.
+
+## Step 9: Disable Root Login and Password Authentication (Server Console)
+
+For security, after confirming SSH key authentication works, disable root login and password authentication.
+
+Edit the SSH daemon configuration:
+
+```bash
+sudo nano /etc/ssh/sshd_config
+```
+
+Find and modify these lines:
+
+```
+PermitRootLogin no
+PasswordAuthentication no
+PubkeyAuthentication yes
+```
+
+Save and exit, then restart SSH:
+
+```bash
+sudo systemctl restart sshd
+```
+
+**Warning**: Only do this after confirming you can successfully log in with your SSH key.
+
+
+## Troubleshooting
+
+### Permission Denied (publickey)
+
+- Verify public key is correctly added to `~/.ssh/authorized_keys` on server
+- Check file permissions on server (directory: 700, authorized_keys: 600)
+- Ensure you're using the correct private key
+- Check SSH logs on server: `sudo tail -f /var/log/auth.log`
+
+### Can't Use Sudo
+
+- Verify user is in sudo group: `groups username`
+- Check `/etc/sudoers` file hasn't been misconfigured
+
+### Locked Out After Disabling Password Auth
+
+- Use the server console to access as root
+- Re-enable PasswordAuthentication temporarily
+- Fix SSH key setup
+- Test thoroughly before disabling again
+
+## Security Best Practices
+
+1. **Always use a passphrase** for your private keys
+2. **Keep private keys secure** - never share them or commit to version control
+3. **Use fail2ban** to protect against brute force attacks:
+   ```bash
+   sudo apt install fail2ban
+   sudo systemctl enable fail2ban
+   sudo systemctl start fail2ban
+   ```
+4. **Change the default SSH port** (edit `/etc/ssh/sshd_config`)
+5. **Regularly update your system**:
+   ```bash
+   sudo apt update && sudo apt upgrade
+   ```
+6. **Consider using a firewall** (ufw):
+   ```bash
+   sudo apt install ufw
+   sudo ufw allow OpenSSH
+   sudo ufw enable
+   ```
+
+## Quick Reference Commands
+
+```bash
+# Generate SSH key
+ssh-keygen -t ed25519 -C "email@example.com"
+
+# Copy public key to server
+ssh-copy-id -i ~/.ssh/keyname.pub user@host
+
+# Connect with specific key
+ssh -i ~/.ssh/keyname user@host
+
+# Test sudo access
+sudo whoami
+
+# View SSH logs (on Server)
+sudo tail -f /var/log/auth.log
+
+# Restart SSH daemon
+sudo systemctl restart sshd
+```