
Secure your Remote GNOME Box by disabling password logins


Why GNOME

You may ask why I am using “GNOME Box” in the title, since this tip works everywhere and is SSH-specific rather than a desktop matter. Since all distros and DEs use pretty much the same things (Linux, X, GCC, OpenSSL, systemd -with Ubuntu and some other exceptions-, GNU tools, etc.), it makes no difference whether I say Linux or GNOME. In my very personal opinion GNOME is an OS, no matter which distro it is running on. All distros today are really good, and people tend to refer to the DE they are using rather than the distro name.

Just as someone says “How to do *whatever* in Ubuntu”, I say GNOME ;)


Virtual Network

I am using Rawhide as a server in Oracle VirtualBox, and Fedora 18 as the client. This is exactly the same as any physical network, on an intranet (home network) or the web; the only difference is that in this case the connection is virtual. Whatever applies to a virtual connection applies -almost the same- to a physical one.


What's Covered

For this tutorial you can think of Rawhide as your home computer/server and Fedora 18 as your laptop/another machine. So your home computer is also the remote/server box. I will show you how you can:

1. Login to your server without asking for password

2. Block all logins but yours.

This is strongly recommended if you are running an SSH server.


Use Cases

The most common use is for students who are in class and want to access their home computer, for managing torrent downloads or whatever else. You can find many other real-world examples ;)


Steps

I’ll be a little more detailed than I have to be, since there are people who are starting from zero.

1. Set up an SSH Server
2. Create SSH Directories on Remote
3. Generate Private and Public Keys on Local
4. Upload Public Key on Remote
5. Test it!
6. Disable Password Logins in Server


1. Set up an SSH Server

First we need to run an SSH server on our home/remote machine.

On a web server provided by a hosting company, SSH is enabled and auto-started by default. Obviously ;)

I think all distros ship SSH by default, but if not you can install it:

$ sudo yum install openssh-server        # Fedora / RHEL
$ sudo apt-get install openssh-server    # Debian / Ubuntu

Then we need to start it (on Debian/Ubuntu the service is named ssh rather than sshd):

$ sudo service sshd start
$ sudo systemctl start sshd.service

If you reboot your machine, sshd won’t auto-start. Depending on your distro you can enable it at boot with:

$ sudo systemctl enable sshd.service
$ sudo chkconfig sshd on

On systemd boxes you can check whether the service is enabled with:

$ systemctl list-unit-files --type=service | grep -i sshd

On SysV systems you can try the following, but I am not sure it will display it:

$ chkconfig --list | grep -i sshd

By now you have a running SSH server. Test it from your local machine:

$ ssh [your_remote_username]@[the_remote_machine_ip]

2. Create SSH Dir on Remote

Now you need to create the SSH directory, if it doesn’t exist, so you have somewhere to upload the new public key. This directory holds the files sshd consults for key-based authentication. On the remote machine:

$ mkdir ~/.ssh
$ chown [your_username]:[your_username] ~/.ssh
$ chmod 700 ~/.ssh

Always set 700 on the directory and 600 on the SSH files inside it, otherwise you may get “Bad Authentication” messages.
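As an added example (not from the original post), here is a small POSIX shell audit of the permissions ssh and sshd expect on a .ssh directory: the directory itself 700, private keys and authorized_keys 600 (or 400), public keys and config no more open than 644. The directory path is a parameter, and the layout built in demo_ssh_perms is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a .ssh directory for the modes that trigger the
# "bad permissions" refusals in ssh/sshd. Returns 0 when clean, 1 otherwise.

# Print the octal mode of a path (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms [DIR] -> 0 if every mode is as expected, 1 if any is not.
# DIR defaults to ~/.ssh. One line is printed per finding.
check_ssh_perms() {
    dir="${1:-$HOME/.ssh}"
    rc=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    if [ "$(mode_of "$dir")" != "700" ]; then
        echo "wrong mode $(mode_of "$dir") on $dir (want 700)"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        case "$(basename "$f")" in
            *.pub|config|known_hosts)
                # Public material may be world-readable, never group/world-writable.
                case "$m" in
                    644|640|600|400) ;;
                    *) echo "wrong mode $m on $f (want 644, 640 or 600)"; rc=1 ;;
                esac ;;
            *)
                # Private keys and authorized_keys: owner-only.
                case "$m" in
                    600|400) ;;
                    *) echo "wrong mode $m on $f (want 600)"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Demo: build a constructed .ssh lookalike in a temp dir, break one mode, re-check.
demo_ssh_perms() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.ssh"; chmod 700 "$tmp/.ssh"
    : > "$tmp/.ssh/foo_rsa";         chmod 600 "$tmp/.ssh/foo_rsa"
    : > "$tmp/.ssh/foo_rsa.pub";     chmod 644 "$tmp/.ssh/foo_rsa.pub"
    : > "$tmp/.ssh/authorized_keys"; chmod 600 "$tmp/.ssh/authorized_keys"
    check_ssh_perms "$tmp/.ssh" && echo "ok: clean layout passes"
    chmod 644 "$tmp/.ssh/foo_rsa"    # the classic mistake behind "bad permissions"
    check_ssh_perms "$tmp/.ssh" || echo "ok: world-readable private key detected"
    rm -rf "$tmp"
}

demo_ssh_perms
```

Run `check_ssh_perms` with no argument on the remote to audit your real ~/.ssh before uploading a key; the same function on the local side catches the private-key mode problem step 5 mentions.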

3. Generate Private and Public Keys in Local

On your local machine you now have to generate a key pair. If you already have a key you can use that.

$ ssh-keygen -t rsa

Set the filename to be

[your home directory]/.ssh/foo_rsa

If you choose to enter a passphrase, you will have to provide it every time you use the key, which I guess you don’t want (a passphrase does protect the key if your laptop is lost, and ssh-agent can cache it for a session). This creates your public (foo_rsa.pub) and private (foo_rsa) keys. By now you have the SSH keys on your local machine.


4. Upload Public Key in Remote

The next step is to copy our public key from the local machine to the remote. We will use the secure copy tool for this. Note that this overwrites any existing authorized_keys on the remote; if keys are already there, append the line instead. On the local machine type:

$ scp ~/.ssh/foo_rsa.pub [server_username]@[your_server_ip]:~/.ssh/authorized_keys

5. Test it!

We are almost done. Just give it a try. If all is good, you will be logged in without being asked for a password. On the local machine:

$ ssh [username]@[server_address] -i [your_home_directory]/.ssh/foo_rsa

If ssh complains about bad permissions or bad authentication, just change the permissions on the private key:

$ chmod 600 ~/.ssh/foo_rsa

To save some time, instead of passing the key every time (you need that if you try from another PC), let’s make it permanent. On your local machine:

$ gedit ~/.ssh/config

Insert:

Host [your_server_address]
  IdentityFile ~/.ssh/foo_rsa

And try again to login:

$ ssh [username]@[server_address]

If everything is okay so far, let’s disable password authentication on the server.


6. Disable Password Logins in Server

Before you do that, if you are running this on a real remote server, make sure that you can log in over SSH without a password, otherwise there is no way to log in again and fix it.

Also, maybe your provider isn’t so friendly and won’t fix it for you. So you will lose everything ;)

On the remote machine edit:

$ sudo vi /etc/ssh/sshd_config

Uncomment PasswordAuthentication and set the value to no. It should look something like:

...
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
...

Done! Just restart the SSH service on the remote:

$ sudo service sshd restart

If you try now to log in as another user, you will get a message that the public key was denied. So nobody who does not hold the matching private key can log in to your machine. Just be sure to back the key up somewhere you will never lose it. Maybe in your email, so you can always have it with you and access your server/home machine from anywhere; keep in mind that whoever holds that private key can log in, so protect the backup accordingly.

If you need root access you can do the above procedure for root as well, but it is not really recommended. Instead you can add your user to the sudoers file.
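As an added example (not part of the original post), the following POSIX shell script checks an sshd_config file with sshd's own first-match rule in mind: sshd uses the first value it reads for a keyword, so an uncommented PasswordAuthentication yes sitting above the line you just added silently wins, and a no that only appears inside a Match block does not apply globally. Both keywords default to yes when absent. The sample config files in the demo are constructed.

```shell
#!/bin/sh
# Added example: resolve the effective global value of an sshd_config keyword
# (first match wins, comments and keyword case ignored, "key=value" accepted,
# parsing stops at the first Match block) and decide whether password logins
# are really off.

# sshd_value FILE KEYWORD -> prints the effective value, or nothing if absent.
sshd_value() {
    file="$1"
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$file" |
    awk -v key="$key" '
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line)   # allow "Keyword=value"
            n = split(line, f)
            if (n < 1) next
            k = tolower(f[1])
            if (k == "match") exit            # anything below is conditional
            if (k == key) { print tolower(f[2]); exit }
        }'
}

# password_logins_disabled FILE -> 0 when PasswordAuthentication and
# ChallengeResponseAuthentication both resolve to "no", 1 otherwise.
password_logins_disabled() {
    pa=$(sshd_value "$1" PasswordAuthentication)
    cr=$(sshd_value "$1" ChallengeResponseAuthentication)
    [ "${pa:-yes}" = "no" ] || { echo "PasswordAuthentication is ${pa:-yes (default)}"; return 1; }
    [ "${cr:-yes}" = "no" ] || { echo "ChallengeResponseAuthentication is ${cr:-yes (default)}"; return 1; }
    return 0
}

# Demo on two constructed files: the edit from the post, and the same edit
# made below a stray "yes" that keeps password logins open.
demo_sshd_config() {
    tmp=$(mktemp -d)
    printf '#PasswordAuthentication yes\nPasswordAuthentication no\nChallengeResponseAuthentication no\n' > "$tmp/good"
    printf 'PasswordAuthentication yes\n# edited later, but the first value above wins:\nPasswordAuthentication no\nChallengeResponseAuthentication no\n' > "$tmp/first_wins"
    for name in good first_wins; do
        if password_logins_disabled "$tmp/$name"; then
            echo "$name: password logins disabled"
        else
            echo "$name: password logins still open"
        fi
    done
    rm -rf "$tmp"
}

demo_sshd_config
```

On a live server the authoritative check is `sudo sshd -T | grep -i authentication`, which prints the values sshd actually resolved, and `sudo sshd -t` syntax-checks the file before you restart the service.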


Add User to Sudoers

In your remote server:

$ sudo visudo -f /etc/sudoers

and add

...
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere 
root	ALL=(ALL) 	ALL
[your_username]    ALL=(ALL)    ALL

## Allows members of the 'sys' group to run networking, software, 
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
...

It is important to edit this file with the visudo command, which checks the syntax before saving, so that a mistake (e.g. just a typo) does not lock you out of the machine.


This is a nice trick, mostly useful for web servers, but not only. Securing your home server like this is also a good idea. There are many more things one could mention, but the above will do the job. If I have missed something critical, please correct me :)


  • Jacek Krüger

    You can avoid the hassle of copying your public key by using ssh-copy-id

    • alex285

      Thanks, I will add this later!

  • http://twitter.com/poinck André

    Just in the right time to prepare everything for #29c3 (o: Thx.