In one of my last posts I announced that I started renting a VPS to experiment more substantially with the Hive blockchain, that is, to set up a witness. Here's a little update on my attempt to set it all up. The focus here is on getting access to the server organised.
The first step is getting the server to use SSH key authorisation instead of the default password authorisation. Since I use UNIX-based systems, I will only cover those. For Windows users the steps might be different.
Disclaimer: I am by no means an IT specialist. The steps shown below are based on information I found online and are by no means extensive. It is advised to do your own research to make sure everything is running in order. If you find obvious mistakes in this text, please let me know!
Configuring the Client Side of Things
The first step towards setting up key-based authorisation is to create a key pair. Simply run the following terminal command on the local machine from which you would like to access your server:
ssh-keygen -t rsa
You will be asked to give a password (ssh-keygen calls it a passphrase) to further secure your keys. You could opt out of setting one by simply hitting enter. Once the command is finished, a key pair (private and public key) is created. By default the keys are named id_rsa and id_rsa.pub.
To make sure the key is actually used on your local machine, it is good practice to store it in the hidden directory .ssh in your home folder. You can simply copy both keys to have them stored together:
cp <your private key> ~/.ssh/ && cp <your public key> ~/.ssh/
ls ~/.ssh/
The last command simply shows you a list of files located in your .ssh folder. To make sure the SSH protocol will use your newly created key, you can simply add it by running:
ssh-add <your private key>
Configuring the Server Side of Things
The next goal is to copy the public key to your server and make the server use this key for authorisation rather than only asking for a password.
First log in to your server via the username, hostname, and password which you provided to the VPS host. For me the default username given by the VPS host is root (another user can be added to avoid using root) and the hostname is a simple IP address. Using SSH you can do the following:
ssh <username>@<hostname>
You'll be prompted for the password as provided to the VPS hosting company.
If successful you are now logged into the VPS system.
On your server, create the ~/.ssh folder if it doesn't already exist and create or modify the authorized_keys file inside this folder. I'm using vim but any editor works:
vim ~/.ssh/authorized_keys
Now you need to copy the content of your public key into this file. This way the server and the client (your local machine) can check if the connection is legit.
Next we need to allow the ssh protocol to use ssh keys instead of passwords. For this we need to modify the config file: /etc/ssh/sshd_config.
Warning: if you disable password authentication in the sshd_config file and enable PubkeyAuthentication but do not have your keys set up correctly, you might end up locking yourself out of the server and won't be able to access it anymore. Follow these steps with caution!
Inside /etc/ssh/sshd_config make sure to set the following to allow authentication through keys.
PubkeyAuthentication yes
It might be that this line is commented out; in that case remove the leading # from the line. Next make sure that the protocol knows where to look for authorized keys by adding/modifying the following line:
AuthorizedKeysFile .ssh/authorized_keys
Both lines above need to be uncommented, so if there's a # in front of them, remove it. The modifications in the sshd_config file take effect once you reload the service via the terminal using:
service sshd reload
You can now already check if you can log into your server using the keys. In a fresh terminal simply try to SSH into your server. You can use -vvv as an option to the ssh command for extensive output and check if the keys were actually used.
If the keys are used during the authentication, you can now disable password authentication on the server side by modifying the below lines in the /etc/ssh/sshd_config file:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
If any of the above is commented out, remove the leading #. Save the file and reload the service (service sshd reload). As an extra safety measure, you can test server access in another terminal. If successful, you are done. If issues arise, you can revert the changes made in the /etc/ssh/sshd_config file via the (still connected) terminal session, reload the sshd service and go through the steps once more.
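A pre-flight check for the lockout risk mentioned in the warning above, as an added example that is not part of the original post: it confirms key login is not switched off, that the four yes/no settings carry clean values, and that authorized_keys holds a key and is not writable by others. The function names sshd_value and preflight and the sample files are made up for illustration, and the script assumes a single config file without Include or Match handling.

```shell
#!/bin/sh
# Added example: pre-flight check before setting "PasswordAuthentication no".
# Assumption: one sshd_config file; Include files and Match blocks are ignored.

# Print the effective value of keyword $2 in config file $1, lowercased.
# sshd uses the first occurrence of a keyword; keywords are case-insensitive.
sshd_value() {
  awk -v k="$2" '
    $1 ~ /^#/ || NF == 0 { next }          # skip comments and blank lines
    tolower($1) == "match" { exit }        # stop at the first Match block
    tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Return 0 only if key login looks usable with config $1 and key file $2.
preflight() {
  pf_rc=0
  for pf_k in PubkeyAuthentication PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
    case "$(sshd_value "$1" "$pf_k")" in
      yes|no|"") ;;                        # "" means unset, the default applies
      *) echo "FAIL: $pf_k has an invalid value"; pf_rc=1 ;;
    esac
  done
  if [ "$(sshd_value "$1" PubkeyAuthentication)" = "no" ]; then
    echo "FAIL: PubkeyAuthentication is disabled"; pf_rc=1
  fi
  # At least one uncommented line must carry a key type and a base64 blob.
  grep -v '^[[:space:]]*#' "$2" 2>/dev/null |
    grep -Eq '(^|[[:space:]])(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+)[[:space:]]+AAAA' ||
    { echo "FAIL: no usable public key in $2"; pf_rc=1; }
  # With StrictModes (the default) sshd ignores key files that others can write.
  if [ -n "$(find "$2" "$(dirname "$2")" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
    echo "FAIL: $2 or its directory is group/world writable"; pf_rc=1
  fi
  return "$pf_rc"
}

# Demo on constructed sample files (not real keys or a real server config).
demo=$(mktemp -d) && mkdir -m 700 "$demo/.ssh"
printf '%s\n' '#PasswordAuthentication yes' 'PubkeyAuthentication yes' \
  'AuthorizedKeysFile .ssh/authorized_keys' > "$demo/sshd_config"
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed me@laptop' > "$demo/.ssh/authorized_keys"
chmod 600 "$demo/.ssh/authorized_keys"
preflight "$demo/sshd_config" "$demo/.ssh/authorized_keys" && echo "OK: safe to disable passwords"
```

On the server itself, sshd -t checks the config file for syntax errors and sshd -T prints the effective settings, so run those as well before reloading the service.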
Now the basic key authorisation is all set!
More updates will follow soon!