Improving Security: SSH Keys

Adding SSH keys

Harmony ValidatorDAO
Nov 17, 2021

You store a wallet on your server, so it is important to take steps to ensure its security. Digital Ocean makes adding SSH keys at droplet creation very easy: you simply select your SSH key file. Other cloud services don’t provide that kind of convenience, and you have to add the key yourself. These instructions are for those kinds of cloud services.

NOTE: Contabo and Hetzner allow for SSH key adding on their website services. We recommend using those services if you aren’t comfortable with the following process.

!!IMPORTANT!! Many people accidentally lock themselves out while trying to set this up. Always keep a window open and test the settings by opening another connection before closing the main window.

First, create a super user called harmony. If you have already done this, skip down to the harmony user login step.

It will ask you to enter a password. Linux does not show *** or anything else while you type a password. The line just stays blank.

🚨🚨WRITE DOWN THE PASSWORD ON PAPER🚨🚨

It will then ask a bunch of information questions. You can just leave them blank. The information questions are not important. Hit y at the end of it.

The above just created a normal user. You need to give permissions to the harmony user to be a super user.

The command above adds the harmony user to the super group, sudo.

If you do the command correctly, you will get a blank line return.

Log on to your super user, harmony.

su - harmony 

Create a new user for SSH login. Make up a username different than the harmony user. Change the bolded and italicized word to your desired user name.

🚨🚨REMEMBER: DON'T INSTALL UNDER THE SSH LOGIN. THE SSH LOGIN IS FOR LOGGING IN ONLY 🚨🚨

sudo adduser username

Make username a super user by adding it to the ssh group.

sudo usermod -aG ssh username

Next, set up the SSH directory and its permissions for username.

sudo mkdir -p "/home/username/.ssh"
sudo chmod 0700 "/home/username/.ssh"
sudo chown "username:username" "/home/username/.ssh"

Add the SSH public key to your username. This next command will open up a blank text editor. Here you will copy/paste the key starting with “ssh-rsa….”

For information about how to generate an SSH key with PuTTY for Windows, click here.

sudo nano "/home/username/.ssh/authorized_keys"

Save the file by CTRL+X and then hitting y to save when prompted.

sudo ls "/home/username/.ssh" -l
sudo chown "username:username" "/home/username/.ssh/authorized_keys"
sudo chmod 0600 "/home/username/.ssh/authorized_keys"

Edit the SSH settings.

sudo nano /etc/pam.d/sshd

Comment the following line out by adding a # in front of it.

#@include common-auth

Save the file by CTRL+X and then press y to save when prompted.

Next, edit the sshd_config file.

sudo nano /etc/ssh/sshd_config

Make the following changes:

Set UsePAM to yes.

UsePAM yes

Disable password authentication by removing the # in front of the line and setting the value to no.

PasswordAuthentication no

Add a new line at the end of the file that sets AuthenticationMethods so that a valid public key is required.

AuthenticationMethods publickey

OPTIONAL BUT RECOMMENDED: Disable root authentication. This adds an extra layer of security to your VPS. Find the line, remove the # in front of it, and set the value to no.

PermitRootLogin no

OPTIONAL BUT RECOMMENDED: Change your SSH port from 22 to another one, for example 2225. Check this list to help you pick a port to use. WARNING: If you do change your port to something other than 22, remember to change your ufw settings.

Port 2225

Save the file by CTRL+X and then press y to save when prompted.

Finally, restart the sshd service to apply the settings.

sudo service sshd restart

DON'T CLOSE YOUR SESSION YET. Test it first by opening a new session.
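An added example, not part of the original article: a shell check that reads an sshd_config-style file and reports whether the values this guide sets are the ones sshd will actually use. sshd takes the first uncommented occurrence of each keyword, so an earlier "PasswordAuthentication yes" overrides a "no" added further down. The function names and the sample file are constructed for illustration, and the check assumes a single file with no Include or Match handling.

```shell
#!/bin/sh
# Added example (not from the original article): audit one sshd_config-style
# file for the settings this guide changes. Simplifications: only the global
# section (stops at the first Match block), no Include files, "Keyword value" form.

# Print the value sshd would use for KEYWORD: the first uncommented occurrence.
effective_value() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }                       # skip comment lines
        tolower($1) == "match" { exit }          # end of global section
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Compare each setting from the guide with the effective value.
# Returns the number of settings that do not match.
audit_sshd_config() {
    failures=0
    while read -r key want; do
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            echo "FAIL  $key: want '$want', effective '${got:-unset}'"
            failures=$((failures + 1))
        fi
    done <<EOF
UsePAM yes
PasswordAuthentication no
AuthenticationMethods publickey
PermitRootLogin no
EOF
    return "$failures"
}

# Constructed sample: the edit was made, but an earlier uncommented line
# still says "yes", so password logins stay enabled.
sample=$(mktemp)
cat > "$sample" <<EOF
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey
EOF
audit_sshd_config "$sample" || echo "$? setting(s) differ from the guide"
rm -f "$sample"
```

On a live server, sudo sshd -t checks the file for syntax errors and sudo sshd -T prints the effective values, including anything pulled in through Include lines.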

Congratulations, you’ve increased your security! Please leave any questions or comments below.
