SSH provides an authentication option that utilises an RSA public / private key pair. This allows you to lock your node, to only be accessible via SSH by use of the private key, preventing all password-based access. While this provides an additional level of security when accessing your node remotely, care should be taken to prevent locking yourself out of your node. If you already have an existing SSH RSA public / private key pair, you may choose to use that key pair to access your node. If you are at all unsure, please ask within Discord, or via a zenhelp ticket before proceeding with these steps.

THIS IS A DELIBERATELY BOLD AND RED WARNING - ENSURE YOU UNDERSTAND WHAT YOU ARE DOING BEFORE PROCEEDING - PLEASE READ THE TEXT BELOW THIS WARNING BEFORE CONTINUING

ENSURE you OPEN A SECOND TERMINAL SESSION on your local machine and are logged into your node with BOTH terminal sessions while following these steps

NOTE: This page only applies to Mac OS and Linux terminals, for Windows users see:

Part 4a - Securing SSH (Windows Systems)

	Description	Command
	Generate an SSH key-pair - steps 1 - 5 are performed on your local machine, not node
1	Steps 1 - 5 are a pre-requisite for securing SSH in steps 8 and 9 below, the intention is to generate an RSA key pair in order to turn off password access via SSH. Ensure you are still logged in with your first terminal session (opened in Part 2)
2	Open a SECOND TERMINAL WINDOW and check for an existing public / private key pair on your local device OS X - press <CMD> + <N> to open a new Terminal window Linux - open the Terminal app, or press <CTRL> + <SHIFT> + <N> If the files - id_rsa and id_rsa.pub are already present (shown in the example output) skip step 3. If they are not present, or you saw an error (.ssh: No such file or directory) proceed with step 3	ls -alh ~/.ssh/ Example Output user@localmachine:~$ ls -alh ~/.ssh/ total 80K drwxr-xr-x 2 user user 4.0K May 28 13:47 . drwx------ 19 user user 4.0K Jun 4 23:35 .. -rw------- 1 user user 1.7K Oct 15 2017 id_rsa -rw-r--r-- 1 user user 394 Oct 15 2017 id_rsa.pub
3	Generate an ssh key pair on your local device IF PROMPTED TO OVERWRITE AN EXISTING FILE, UNLESS YOU EXPLICITLY WANT TO DO THAT, ANSWER NO AND PROCEED TO STEP 4! Hit enter when prompted to enter a file name (SEE WARNING ABOVE), enter a strong password when prompted DO NOT LOSE THIS PASSWORD, IT SHOULD NOT BE THE SAME AS THE USER PASSWORD! NOTE: The key pair files: "id_rsa and id_rsa.pub" are stored in: "/Users/<USER>/.ssh/" on OS X and "/home/<USER>/.ssh on Linux It is recommended to backup these files in a secure offline location, such as an encrypted thumb drive How to create an encrypted thumb drive in Mac OS using Disk Utility How to create an encrypted thumb drive in Linux using Disks Utility	ssh-keygen -t rsa -b 2048
4	Copy the SSH public key to your node, replace 'zenops' with your own username and <FQDN> with your own Fully-Qualified Domain Name, remove <brackets> If prompted to continue connecting with an ECDSA fingerprint, answer yes If prompted to install new keys, do so by entering your non-root user password	ssh-copy-id zenops@<FQDN>
5	Test access to the node via SSH with the key pair, replace 'zenops' with your own username and <FQDN> with your own Fully-Qualified Domain Name, remove <brackets> You will be prompted for the PASSWORD USED WHEN GENERATING THE KEY, not the user password for your node If a key pair already exists from step 2 and you skipped to step 4 as instructed, you will be using the password for that key, likely from another node setup.	ssh zenops@<FQDN> exit ssh zenops@<FQDN>
6	Repeat the login in step 5 as many times as necessary to be confident that you are logging in without a USER password, instead using the RSA key password. Failure to complete this step will result in locking yourself out of your node.
	On your node
7	NOTE: Proceed with steps 8 and 9 ONLY if you have established key-based login to your node AND TESTED YOU CAN ACCESS WITH THE RSA KEY PASSWORD (NOT THE USER PASSWORD)
8	Edit sshd_config to secure the SSH daemon NOTE: The RSA Key password is only used to login to your node, all other password prompts will require your non-root user password	Copy and paste the entire block sudo sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config && \ sudo sed -i '/PasswordAuthentication/d' /etc/ssh/sshd_config && \ sudo sed -i '/ChallengeResponseAuthentication/d' /etc/ssh/sshd_config && \ echo -e "PermitRootLogin no\nPasswordAuthentication no\nChallengeResponseAuthentication no" \| sudo tee -a /etc/ssh/sshd_config
9	Restart SSH with the new configuration	sudo systemctl restart sshd

Part 3

Part 4 of 11 - Securing SSH

Part 5

© 2020 Horizen. All rights reserved.

Browser not supported