Add new guide

2026-01-10 14:36:54 +01:00
parent 6996c2561e
commit e7616aa294
2 changed files with 245 additions and 0 deletions
--- a/_Sidebar.md
+++ b/_Sidebar.md
@@ -4,6 +4,7 @@
 ## 📚 Guides
 ### 💽 Applications
 - [Create SSH Keys for Gitea](create-shh-keys)
 - [New User and SSH Acccess Setup](ssh-access-setup-guide)
 ### 🛜 Networking
 - [Generate Wireguard Peer in OPNsense](generate-wireguard)
--- a/ssh-access-setup-guide.md
+++ b/ssh-access-setup-guide.md
@@ -0,0 +1,244 @@
 # Server User Setup with SSH Key Authentication
 This guide covers creating a new user account on a server, setting up SSH key authentication, and configuring sudo access.
 ## Prerequisites
 - Console root access to the server
 - A local (Linux) machine where you'll generate the SSH keypair
 ## Step 1: Generate SSH Keypair (Local Machine)
 On your local Linux machine, generate an SSH keypair:
 ```bash
 ssh-keygen -t ed25519 -C "your_email@example.com"
 ```
 When prompted:
 - **Enter file in which to save the key**: You can specify a custom name, e.g., `/home/yourusername/.ssh/id_ed25519_servername`
 - **Enter passphrase**: Choose a strong passphrase (recommended) or leave empty for no passphrase
 This creates two files:
 - `id_ed25519_servername` - Your private key (keep this secure)
 - `id_ed25519_servername.pub` - Your public key (this goes on the server)
 ### Alternative: RSA Keys
 If you need RSA keys for compatibility:
 ```bash
 ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
 ```
 ### Verify Keys Were Created
 ```bash
 ls -la ~/.ssh/
 ```
 You should see your newly created keypair files.
 ## Step 2: Create New User on Server (Server Console as Root)
 Log into your server console as root and create a new user:
 ```bash
 adduser username
 ```
 Replace `username` with your desired username. You'll be prompted to:
 - Set a password
 - Enter optional user information (can be left blank)
 ## Step 3: Add User to Sudo Group (Server Console as Root)
 Grant sudo privileges to the new user:
 ```bash
 usermod -aG sudo username
 ```
 Verify the user was added to the sudo group:
 ```bash
 groups username
 ```
 ## Step 4: Set Up SSH Directory for New User (Server Console as Root)
 Create the SSH directory and authorized_keys file for your new user:
 ```bash
 mkdir -p /home/username/.ssh
 touch /home/username/.ssh/authorized_keys
 chmod 700 /home/username/.ssh
 chmod 600 /home/username/.ssh/authorized_keys
 chown -R username:username /home/username/.ssh
 ```
 ## Step 5: Add Public Key to Server (Local Machine → Server)
 ### Option A: Copy Public Key Content Manually
 On your local machine, display your public key:
 ```bash
 cat ~/.ssh/id_ed25519_servername.pub
 ```
 Copy the entire output, then on your server console (as root):
 ```bash
 nano /home/username/.ssh/authorized_keys
 ```
 Paste the public key content, save (Ctrl+O, Enter), and exit (Ctrl+X).
 ### Option B: Use ssh-copy-id (If SSH is Already Enabled)
 If password authentication is still enabled on your server:
 ```bash
 ssh-copy-id -i ~/.ssh/id_ed25519_servername.pub username@your_server_ip
 ```
 ## Step 6: Configure SSH (Optional but Recommended)
 On your local machine, create or edit your SSH config file:
 ```bash
 nano ~/.ssh/config
 ```
 Add an entry for easy connection:
 ```
 Host servername
    HostName your_server_ip_or_domain
    User username
    IdentityFile ~/.ssh/id_ed25519_servername
    Port 22
 ```
 Save and exit. Now you can connect with just:
 ```bash
 ssh servername
 ```
 ## Step 7: Test SSH Connection (Local Machine)
 Test your SSH connection:
 ```bash
 ssh -i ~/.ssh/id_ed25519_servername username@your_server_ip
 ```
 Or if you configured your SSH config file:
 ```bash
 ssh servername
 ```
 ## Step 8: Test Sudo Access (Server as New User)
 Once logged in as your new user, test sudo access:
 ```bash
 sudo whoami
 ```
 This should return `root` after entering your password.
 ## Step 9: Disable Root Login and Password Authentication (Server Console)
 For security, after confirming SSH key authentication works, disable root login and password authentication.
 Edit the SSH daemon configuration:
 ```bash
 sudo nano /etc/ssh/sshd_config
 ```
 Find and modify these lines:
 ```
 PermitRootLogin no
 PasswordAuthentication no
 PubkeyAuthentication yes
 ```
 Save and exit, then restart SSH:
 ```bash
 sudo systemctl restart sshd
 ```
 **Warning**: Only do this after confirming you can successfully log in with your SSH key.
 ## Troubleshooting
 ### Permission Denied (publickey)
 - Verify public key is correctly added to `~/.ssh/authorized_keys` on server
 - Check file permissions on server (directory: 700, authorized_keys: 600)
 - Ensure you're using the correct private key
 - Check SSH logs on server: `sudo tail -f /var/log/auth.log`
 ### Can't Use Sudo
 - Verify user is in sudo group: `groups username`
 - Check `/etc/sudoers` file hasn't been misconfigured
 ### Locked Out After Disabling Password Auth
 - Use the server console to access as root
 - Re-enable PasswordAuthentication temporarily
 - Fix SSH key setup
 - Test thoroughly before disabling again
 ## Security Best Practices
 1. **Always use a passphrase** for your private keys
 2. **Keep private keys secure** - never share them or commit to version control
 3. **Use fail2ban** to protect against brute force attacks:
   ```bash
   sudo apt install fail2ban
   sudo systemctl enable fail2ban
   sudo systemctl start fail2ban
   ```
 4. **Change the default SSH port** (edit `/etc/ssh/sshd_config`)
 5. **Regularly update your system**:
   ```bash
   sudo apt update && sudo apt upgrade
   ```
 6. **Consider using a firewall** (ufw):
   ```bash
   sudo apt install ufw
   sudo ufw allow OpenSSH
   sudo ufw enable
   ```
 ## Quick Reference Commands
 ```bash
 # Generate SSH key
 ssh-keygen -t ed25519 -C "email@example.com"
 # Copy public key to server
 ssh-copy-id -i ~/.ssh/keyname.pub user@host
 # Connect with specific key
 ssh -i ~/.ssh/keyname user@host
 # Test sudo access
 sudo whoami
 # View SSH logs (on Server)
 sudo tail -f /var/log/auth.log
 # Restart SSH daemon
 sudo systemctl restart sshd
 ```