Part 4 - Securing SSH

SSH provides an authentication option that utilises an RSA public / private key pair. This allows you to lock your node so that it is only accessible via SSH with the private key, preventing all password-based access. While this provides an additional level of security when accessing your node remotely, care should be taken to prevent locking yourself out of your node. If you already have an existing SSH RSA public / private key pair, you may choose to use that key pair to access your node. If you are at all unsure, please ask within Discord, or via a zenhelp ticket, before proceeding with these steps.

**THIS IS A DELIBERATELY BOLD AND RED WARNING - ENSURE YOU UNDERSTAND WHAT YOU ARE DOING BEFORE PROCEEDING - PLEASE READ THE TEXT BELOW THIS WARNING BEFORE CONTINUING**


**ENSURE you OPEN A SECOND TERMINAL SESSION on your local machine and are logged into your node with BOTH terminal sessions while following these steps**


NOTE: This page only applies to Mac OS and Linux terminals; for Windows users see:


Each step below gives a description followed by the command(s) to run.

Generate an SSH key pair - steps 1 - 5 are performed on your local machine, not on the node

Step 1 - Steps 1 - 5 are a prerequisite for securing SSH in steps 8 and 9 below; the intention is to generate an RSA key pair in order to turn off password access via SSH.

Ensure you are still logged in with your first terminal session (opened in Part 2).

Step 2 - Open a SECOND TERMINAL WINDOW and check for an existing public / private key pair on your local device

  • OS X - press <CMD> + <N> to open a new Terminal window
  • Linux - open the Terminal app, or press <CTRL> + <SHIFT> + <N>

If the files id_rsa and id_rsa.pub are already present (as shown in the example output), skip step 3. If they are not present, or you saw an error (.ssh: No such file or directory), proceed with step 3.

Command:

    ls -alh ~/.ssh/

Example output:

    user@localmachine:~$ ls -alh ~/.ssh/
    total 80K
    drwxr-xr-x  2 user user 4.0K May 28 13:47 .
    drwx------ 19 user user 4.0K Jun  4 23:35 ..
    -rw-------  1 user user 1.7K Oct 15  2017 id_rsa
    -rw-r--r--  1 user user  394 Oct 15  2017 id_rsa.pub

Step 3 - Generate an SSH key pair on your local device

IF PROMPTED TO OVERWRITE AN EXISTING FILE, UNLESS YOU EXPLICITLY WANT TO DO THAT, ANSWER NO AND PROCEED TO STEP 4!

Hit enter when prompted to enter a file name (SEE WARNING ABOVE), then enter a strong password when prompted.

DO NOT LOSE THIS PASSWORD, IT SHOULD NOT BE THE SAME AS THE USER PASSWORD!

NOTE: The key pair files id_rsa and id_rsa.pub are stored in "/Users/<USER>/.ssh/" on OS X and "/home/<USER>/.ssh/" on Linux.

It is recommended to back up these files in a secure offline location, such as an encrypted thumb drive.

Command:

    ssh-keygen -t rsa -b 2048
Step 4 - Copy the SSH public key to your node. Replace 'zenops' with your own username and <FQDN> with your own Fully-Qualified Domain Name, and remove the <brackets>.

If prompted to continue connecting with an ECDSA fingerprint, answer yes.

If prompted to install new keys, do so by entering your non-root user password.

Command:

    ssh-copy-id zenops@<FQDN>
Step 5 - Test access to the node via SSH with the key pair. Replace 'zenops' with your own username and <FQDN> with your own Fully-Qualified Domain Name, and remove the <brackets>.

You will be prompted for the PASSWORD USED WHEN GENERATING THE KEY, not the user password for your node.

If a key pair already existed in step 2 and you skipped to step 4 as instructed, you will be using the password for that key, likely from another node setup.

Commands:

    ssh zenops@<FQDN>
    exit
    ssh zenops@<FQDN>
Step 6 - Repeat the login in step 5 as many times as necessary to be confident that you are logging in without a USER password, and instead with the RSA key password. Failure to complete this step will result in locking yourself out of your node.


On your node

Step 7 - NOTE: Proceed with steps 8 and 9 ONLY if you have established key-based login to your node AND TESTED YOU CAN ACCESS WITH THE RSA KEY PASSWORD (NOT THE USER PASSWORD).

Step 8 - Edit sshd_config to secure the SSH daemon

NOTE: The RSA key password is only used to log in to your node; all other password prompts will require your non-root user password.

Copy and paste the entire block. It deletes every existing PermitRootLogin, PasswordAuthentication and ChallengeResponseAuthentication line (commented or not) from sshd_config and then appends the three hardened settings:

    sudo sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config && \
    sudo sed -i '/PasswordAuthentication/d' /etc/ssh/sshd_config && \
    sudo sed -i '/ChallengeResponseAuthentication/d' /etc/ssh/sshd_config && \
    echo -e "PermitRootLogin no\nPasswordAuthentication no\nChallengeResponseAuthentication no" | sudo tee -a /etc/ssh/sshd_config
Step 9 - Restart SSH with the new configuration

Command:

    sudo systemctl restart sshd
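The shell script below is an added example and is not part of the Horizen guide. It packages the step 8 edit as a function that takes the path of the file to change, so it can be rehearsed on a temporary copy of a constructed sample before the real /etc/ssh/sshd_config is touched; it adds the check a practitioner wants to run before the restart in step 9 (each of the three directives present exactly once, uncommented, set to `no`); and it includes a client-side variant of the step 6 login test that refuses password authentication outright. The function names, the sample file contents and the `demo` wrapper are all this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Horizen guide. Function names, the sample
# config and the demo wrapper are constructed for this illustration.

# harden_sshd_config FILE
# Same edit as step 8 of the guide, on whatever file path is given:
# delete every line mentioning the three directives (commented or not)
# and append the hardened values.
harden_sshd_config() {
  f="$1"
  sed -i '/PermitRootLogin/d' "$f"
  sed -i '/PasswordAuthentication/d' "$f"
  sed -i '/ChallengeResponseAuthentication/d' "$f"
  printf 'PermitRootLogin no\nPasswordAuthentication no\nChallengeResponseAuthentication no\n' >> "$f"
}

# check_sshd_config FILE
# Succeeds only if each directive appears exactly once, uncommented, set
# to "no". Also warns when the file has an Include line, because sshd
# reads included files at that point and keeps the FIRST value it sees
# for a keyword, so a line appended at the end cannot override them.
check_sshd_config() {
  f="$1"
  for d in PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication; do
    n=$(grep -c "^$d no\$" "$f" || true)
    if [ "$n" -ne 1 ]; then
      echo "FAIL: $d is not set to 'no' exactly once in $f" >&2
      return 1
    fi
  done
  if grep -q '^Include' "$f"; then
    echo "NOTE: $f contains an Include; check the included files too" >&2
  fi
  return 0
}

# verify_key_login USER HOST
# Client-side version of the step 6 test: force public-key auth so the
# login cannot silently fall back to a password. Not run by the demo.
verify_key_login() {
  ssh -o PreferredAuthentications=publickey -o PasswordAuthentication=no \
      "$1@$2" 'echo key-login-ok'
}

# demo: rehearse the edit on a temporary copy of a constructed sample.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
# constructed sample sshd_config fragment
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
  harden_sshd_config "$tmp"
  check_sshd_config "$tmp" && echo "hardened OK:" && cat "$tmp"
  rm -f "$tmp"
}

demo
```

On the node itself, run `verify_key_login zenops <FQDN>` from your local machine before step 8; then, as root (under sudo), run `harden_sshd_config /etc/ssh/sshd_config` or the guide's own block, followed by `sudo sshd -t` to syntax-check the file and `sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication'` to print the values the daemon will actually use, all before the restart in step 9. On Ubuntu 22.04 and later the default file starts with `Include /etc/ssh/sshd_config.d/*.conf`, so if one of those files sets `PasswordAuthentication yes` it takes precedence over anything appended at the end of sshd_config and must be changed there as well.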

Part 4 of 11 - Securing SSH



© 2020 Horizen. All rights reserved.