SSH key Pair login and first time server setup

[DevShivmohan]

Step 1

• login to the server as root

ssh [root@159.65.158.191](mailto:root@159.65.158.191) (use the server IP assigned). On password prompt enter password created at the time of droplet creation

Step 2

• Create a new user to avoid using root credentials
• Type adduser < username > in terminal
• The terminal displays the following after pressing enter above

root@ubuntu-s-1vcpu-1gb-blr1-01:~# adduser lattice
Adding user `lattice' ...
Adding new group `lattice' (1001) ...
Adding new user `lattice' (1001) with group `lattice' ...
Creating home directory `/home/lattice' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for lattice
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]

Step 3

• Assign sudo previledges to new user
• Type the command usermod -aG sudo lattice in terminal . Use the username created in above step in place of lattice

Step 4 : Copy local key to server (first time)

• login to server as root
• Type su - lattice where lattice is the username created
• This logs you in as lattice user
• Create a new directory called .ssh and restrict its permissions with the following commands: mkdir ~/.ssh chmod 700 ~/.ssh
• Now open a file in .ssh called authorized_keys with a text editor. We will use nano to edit the file: nano ~/.ssh/authorized_keys
• Copy the key file from Step 2 of below comment in authorized_keys file
• Now restrict the permissions of the authorized_keys file with this command: chmod 600 ~/.ssh/authorized_keys

Step 5 : Disable password login

• As root or your new sudo user, open the SSH daemon configuration: Type the following in terminal sudo nano /etc/ssh/sshd_config
• Find the line that specifies PasswordAuthentication, uncomment it by deleting the preceding #, then change its value to “no”. It should look like this after you have made the change:
• Set PasswordAuthentication no
• Here are two other settings that are important for key-only authentication and are set by default. If you haven’t modified this file before, you do not need to change these settings:
• Add two lines PubkeyAuthentication yes and ChallengeResponseAuthentication no
• Add line LogLevel VERBOSE
• The contents of file should be like below or you can directly cut paste the contents with text below -Type sudo systemctl reload sshd for the changes to take place

# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
PubkeyAuthentication yes
ChallengeResponseAuthentication no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

Step 6 : Change default ssh port number

• Type the command sudo nano /etc/ssh/sshd_config on remote server terminal
• Find the following line #Port 22
• Remove # sign and replace the Port 22 with your selected port from given range of ports
• Use any number within this range 49152-65535
• Port 50162
• Type sudo systemctl reload sshd for the changes to take place
• ssh username@userIP -p 49160 -p argument as to pe passed after default port is changed

Note

• You still need to create a strong passoword for new user
• The password will be require if you need sudo previledges inside system after login and also in Digital ocean console during lockout condition

[DevShivmohan]

Generating key on local Machine

Linux

Step 1 : Generate key

• Type ssh-keygen in linux terminal of your local machine
• Press enter on every prompt till the terminal displays the following below

binay@binay-ThinkPad-E480:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/binay/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/binay/.ssh/id_rsa
Your public key has been saved in /home/binay/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:R82EA9tJ5mo89yJj9cVPji5ukuQV8fCM8O4CsskM5XM binay@binay-ThinkPad-E480
The key's randomart image is:
+---[RSA 3072]----+
|        ..o..    |
|         *+=o    |
|        . =+oB   |
|      .. o  +.+  |
|     o  S +. .o .|
|    . +.E=.oo. = |
|     + *++.+o . o|
|      =. o=.+.   |
|           =...  |
+----[SHA256]-----+

Step 2: Copy key to clipboard

• Type commnad cat ~/.ssh/id_rsa.pub on your local machine terminal
• The entire thing
• Copy the key above in step 4 of above comment

binay@binay-ThinkPad-E480:~$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCx+WP0Wac1DAGUeENrRq9kvEd9/5PcWqrbuNplKZIEY/eO9Y7/4i8woLtXoIQArtk/5PRWVJAZdlr9lXIbpMK9ZvyWhDlEI5zelpvGa0F4xLkcuWXGamaVZvpHgtd4UuUeb+6O6R/c7mdzE2DuvbV/M40CXgrqzZG0ewhpD7/93XE2YIJyzJqazPKh7n6GUKRXGIOKn/AhPsYoI6iAnAYUBQbdyjz76wvnRGDF37hnlblK4BPhnBh458S+ryXmBLqXBdCYsX6F9oVhsqSO1uPim+Pjc+AowgjF1OecO6bd4NMQt95uNreZZz4dnSrdd6Y8KDIr8ZPviX//9CI9wamarLJdKvXAkRpchfYj0suIJSqX20gIM/VvByJ2CbDN9kLJWrurUDk0QjHVEq+xwLd/3k//zotvhx01xFWHiORlKlYLU/4x2VSqOze+1lEbxfGe/77zQoVkE5/b7bGKQPo3ZT8EXZPus= binay@binay-ThinkPad-E480

Windows

Step 1

• Install Putty
• https://phoenixnap.com/kb/generate-ssh-key-windows-10

[DevShivmohan]

How to check which key was used to access the server

Login to server
Type sudo cat /var/log/auth.log in terminal
System displays the following

an 6 12:28:45 ubuntu-s-1vcpu-1gb-blr1-01 sshd[2120]: Connection from 49.37.5.172 port 51182 on 159.65.158.191 port 50162 rdomain "" Jan 6 12:28:46 ubuntu-s-1vcpu-1gb-blr1-01 sshd[2120]: Accepted key RSA SHA256:R82EA9tJ5mo89yJj9cVPji5ukuQV8fCM8O4CsskM5XM found at /home/lattice/.ssh/authorized_keys:1 Jan 6 12:28:46 ubuntu-s-1vcpu-1gb-blr1-01 sshd[2120]: Postponed publickey for lattice from 49.37.5.172 port 51182 ssh2 [preauth] Jan 6 12:28:46 ubuntu-s-1vcpu-1gb-blr1-01 sshd[2120]: Accepted key RSA SHA256:R82EA9tJ5mo89yJj9cVPji5ukuQV8fCM8O4CsskM5XM found at /home/lattice/.ssh/authorized_keys:1 Jan 6 12:28:46 ubuntu-s-1vcpu-1gb-blr1-01 sshd[2120]: Accepted publickey for lattice from 49.37.5.172 port 51182 ssh2: RSA SHA256:R82EA9tJ5mo89yJj9cVPji5ukuQV8fCM8O4CsskM5XM

R82EA9tJ5mo89yJj9cVPji5ukuQV8fCM8O4CsskM5XM is encrypted key of the public key of user
To match it with authorized keys in the system
Create indivdual file of each key say key1.pub
Naviagte to folder where the file key1.pub is created
Run the command ssh-keygen -l
It will prompt to enter file name enter the file name key1.pub till you find a match with the encrypted key from log