diff --git a/_Sidebar.md b/_Sidebar.md index ba023fb..05c6940 100644 --- a/_Sidebar.md +++ b/_Sidebar.md @@ -4,6 +4,7 @@ ## 📚 Guides ### 💽 Applications - [Create SSH Keys for Gitea](create-shh-keys) +- [New User and SSH Acccess Setup](ssh-access-setup-guide) ### 🛜 Networking - [Generate Wireguard Peer in OPNsense](generate-wireguard) diff --git a/ssh-access-setup-guide.md b/ssh-access-setup-guide.md new file mode 100644 index 0000000..58a30a5 --- /dev/null +++ b/ssh-access-setup-guide.md 
@@ -0,0 +1,244 @@ +# Server User Setup with SSH Key Authentication + +This guide covers creating a new user account on a server, setting up SSH key authentication, and configuring sudo access. + +## Prerequisites + +- Console root access to the server +- A local (Linux) machine where you'll generate the SSH keypair + +## Step 1: Generate SSH Keypair (Local Machine) + +On your local Linux machine, generate an SSH keypair: + +```bash +ssh-keygen -t ed25519 -C "your_email@example.com" +``` + +When prompted: +- **Enter file in which to save the key**: You can specify a custom name, e.g., `/home/yourusername/.ssh/id_ed25519_servername` +- **Enter passphrase**: Choose a strong passphrase (recommended) or leave empty for no passphrase + +This creates two files: +- `id_ed25519_servername` - Your private key (keep this secure) +- `id_ed25519_servername.pub` - Your public key (this goes on the server) + +### Alternative: RSA Keys + +If you need RSA keys for compatibility: + +```bash +ssh-keygen -t rsa -b 4096 -C "your_email@example.com" +``` + +### Verify Keys Were Created + +```bash +ls -la ~/.ssh/ +``` + +You should see your newly created keypair files. + +## Step 2: Create New User on Server (Server Console as Root) + +Log into your server console as root and create a new user: + +```bash +adduser username +``` + +Replace `username` with your desired username. 
You'll be prompted to: +- Set a password +- Enter optional user information (can be left blank) + +## Step 3: Add User to Sudo Group (Server Console as Root) + +Grant sudo privileges to the new user: + +```bash +usermod -aG sudo username +``` + +Verify the user was added to the sudo group: + +```bash +groups username +``` + +## Step 4: Set Up SSH Directory for New User (Server Console as Root) + +Create the SSH directory and authorized_keys file for your new user: + +```bash +mkdir -p /home/username/.ssh +touch /home/username/.ssh/authorized_keys +chmod 700 /home/username/.ssh +chmod 600 /home/username/.ssh/authorized_keys +chown -R username:username /home/username/.ssh +``` + +## Step 5: Add Public Key to Server (Local Machine → Server) + +### Option A: Copy Public Key Content Manually + +On your local machine, display your public key: + +```bash +cat ~/.ssh/id_ed25519_servername.pub +``` + +Copy the entire output, then on your server console (as root): + +```bash +nano /home/username/.ssh/authorized_keys +``` + +Paste the public key content, save (Ctrl+O, Enter), and exit (Ctrl+X). + +### Option B: Use ssh-copy-id (If SSH is Already Enabled) + +If password authentication is still enabled on your server: + +```bash +ssh-copy-id -i ~/.ssh/id_ed25519_servername.pub username@your_server_ip +``` + +## Step 6: Configure SSH (Optional but Recommended) + +On your local machine, create or edit your SSH config file: + +```bash +nano ~/.ssh/config +``` + +Add an entry for easy connection: + +``` +Host servername + HostName your_server_ip_or_domain + User username + IdentityFile ~/.ssh/id_ed25519_servername + Port 22 +``` + +Save and exit. 
Now you can connect with just: + +```bash +ssh servername +``` + +## Step 7: Test SSH Connection (Local Machine) + +Test your SSH connection: + +```bash +ssh -i ~/.ssh/id_ed25519_servername username@your_server_ip +``` + +Or if you configured your SSH config file: + +```bash +ssh servername +``` + +## Step 8: Test Sudo Access (Server as New User) + +Once logged in as your new user, test sudo access: + +```bash +sudo whoami +``` + +This should return `root` after entering your password. + +## Step 9: Disable Root Login and Password Authentication (Server Console) + +For security, after confirming SSH key authentication works, disable root login and password authentication. + +Edit the SSH daemon configuration: + +```bash +sudo nano /etc/ssh/sshd_config +``` + +Find and modify these lines: + +``` +PermitRootLogin no +PasswordAuthentication no +PubkeyAuthentication yes +``` + +Save and exit, then restart SSH: + +```bash +sudo systemctl restart sshd +``` + +**Warning**: Only do this after confirming you can successfully log in with your SSH key. + + +## Troubleshooting + +### Permission Denied (publickey) + +- Verify public key is correctly added to `~/.ssh/authorized_keys` on server +- Check file permissions on server (directory: 700, authorized_keys: 600) +- Ensure you're using the correct private key +- Check SSH logs on server: `sudo tail -f /var/log/auth.log` + +### Can't Use Sudo + +- Verify user is in sudo group: `groups username` +- Check `/etc/sudoers` file hasn't been misconfigured + +### Locked Out After Disabling Password Auth + +- Use the server console to access as root +- Re-enable PasswordAuthentication temporarily +- Fix SSH key setup +- Test thoroughly before disabling again + +## Security Best Practices + +1. **Always use a passphrase** for your private keys +2. **Keep private keys secure** - never share them or commit to version control +3. 
**Use fail2ban** to protect against brute force attacks: + ```bash + sudo apt install fail2ban + sudo systemctl enable fail2ban + sudo systemctl start fail2ban + ``` +4. **Change the default SSH port** (edit `/etc/ssh/sshd_config`) +5. **Regularly update your system**: + ```bash + sudo apt update && sudo apt upgrade + ``` +6. **Consider using a firewall** (ufw): + ```bash + sudo apt install ufw + sudo ufw allow OpenSSH + sudo ufw enable + ``` + +## Quick Reference Commands + +```bash +# Generate SSH key +ssh-keygen -t ed25519 -C "email@example.com" + +# Copy public key to server +ssh-copy-id -i ~/.ssh/keyname.pub user@host + +# Connect with specific key +ssh -i ~/.ssh/keyname user@host + +# Test sudo access +sudo whoami + +# View SSH logs (on Server) +sudo tail -f /var/log/auth.log + +# Restart SSH daemon +sudo systemctl restart sshd +``` \ No newline at end of file
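Review bot: The new sidebar entry has a typo in its link text, "Acccess" should be "Access" in `+- [New User and SSH Acccess Setup](ssh-access-setup-guide)`; the link target itself matches the new file name, so only the visible label needs the fix.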
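Review bot: Step 9 is missing a validation step before `sudo systemctl restart sshd`, and on the Debian/Ubuntu systems the guide's `apt`/`adduser` commands imply, the edited values can be silently overridden. Recent Debian and Ubuntu releases ship an `Include /etc/ssh/sshd_config.d/*.conf` directive at the top of `sshd_config`, and because sshd applies the first value it sees for each keyword, a drop-in such as a cloud-init file setting `PasswordAuthentication yes` wins over the edits made further down in the main file. Suggest telling the reader to run `sudo sshd -t` (syntax check) and `sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication'` (effective configuration) before the restart, and to keep the existing SSH session open while testing a fresh login from a second terminal, which makes the "Locked Out After Disabling Password Auth" troubleshooting section much less likely to be needed. The hardening block should also add `KbdInteractiveAuthentication no` (spelled `ChallengeResponseAuthentication no` on older OpenSSH) alongside `PasswordAuthentication no`, since with PAM enabled the keyboard-interactive method can still accept a password after password authentication is turned off. Minor: the "Can't Use Sudo" item should point at `sudo visudo -c` rather than inspecting `/etc/sudoers` by hand, and the file is missing its trailing newline.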