SSH provides an authentication option that utilises an RSA public / private key pair. This allows you to lock your node so that it is only accessible via SSH with the private key, preventing all password-based access. While this provides an additional level of security when accessing your node remotely, care should be taken to prevent locking yourself out of your node. If you already have an existing SSH RSA public / private key pair, you may choose to use that key pair to access your node. If you are at all unsure, please ask within Discord, or via a zenhelp ticket, before proceeding with these steps.
**THIS IS A DELIBERATELY BOLD AND RED WARNING - ENSURE YOU UNDERSTAND WHAT YOU ARE DOING BEFORE PROCEEDING - PLEASE READ THE TEXT BELOW THIS WARNING BEFORE CONTINUING**
**ENSURE you OPEN A SECOND TERMINAL SESSION on your local machine and are logged into your node with BOTH terminal sessions while following these steps**
NOTE: This page only applies to Mac OS and Linux terminals; for Windows users see:
Copy the SSH public key to your node, replacing 'zenops' with your own username and <FQDN> with your own Fully-Qualified Domain Name, and removing the <brackets>
If prompted to continue connecting with an ECDSA fingerprint, answer yes
If prompted to install new keys, do so by entering your non-root user password
Test access to the node via SSH with the key pair, replacing 'zenops' with your own username and <FQDN> with your own Fully-Qualified Domain Name, and removing the <brackets>
You will be prompted for the PASSWORD USED WHEN GENERATING THE KEY, not the user password for your node
If a key pair already exists from step 2 and you skipped to step 4 as instructed, you will be using the password for that key, likely from another node setup.
Repeat the login in step 5 as many times as necessary to be confident that you are logging in with the RSA key password and NOT your USER password. Failure to complete this step will result in locking yourself out of your node.
On your node
NOTE: Proceed with steps 8 and 9 ONLY if you have established key-based login to your node AND TESTED YOU CAN ACCESS WITH THE RSA KEY PASSWORD (NOT THE USER PASSWORD)
Edit sshd_config to secure the SSH daemon
NOTE: The RSA key password is only used to log in to your node; all other password prompts require your non-root user password
Copy and paste the entire block

```shell
# Remove any existing PermitRootLogin, PasswordAuthentication and
# ChallengeResponseAuthentication lines (active or commented out),
# then append the hardened values to the end of sshd_config
sudo sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config && \
sudo sed -i '/PasswordAuthentication/d' /etc/ssh/sshd_config && \
sudo sed -i '/ChallengeResponseAuthentication/d' /etc/ssh/sshd_config && \
echo -e "PermitRootLogin no\nPasswordAuthentication no\nChallengeResponseAuthentication no" | sudo tee -a /etc/ssh/sshd_config
```
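As an added example that is not part of this guide, the same three changes written as reusable shell functions that edit an arbitrary sshd_config file and then verify the effective values, so you can confirm the result before restarting the daemon. The file path and the sample config contents are constructed for illustration; on a real node the file is /etc/ssh/sshd_config and the edit needs sudo.

```shell
#!/bin/sh
# Added example, not from the original guide: apply the guide's three
# sshd_config changes to any file and verify them. File paths and the
# sample config below are constructed for illustration only.

HARDENED_KEYS="PermitRootLogin PasswordAuthentication ChallengeResponseAuthentication"

# make_sample_config FILE: write a constructed sshd_config fragment to FILE.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real node's sshd_config
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
}

# harden_sshd_config FILE: remove every active or commented-out occurrence of
# the three directives, then append the hardened values so each one appears
# exactly once. Uses a temp file instead of sed -i for GNU/BSD portability.
harden_sshd_config() {
    f="$1"
    for key in $HARDENED_KEYS; do
        sed "/^[[:space:]]*#*[[:space:]]*${key}[[:space:]]/d" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
    printf '%s\n' "PermitRootLogin no" "PasswordAuthentication no" \
                  "ChallengeResponseAuthentication no" >> "$f"
}

# effective_value FILE KEY: first active (uncommented) value of KEY, which is
# how sshd resolves a directive that appears more than once (first match wins).
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_hardened FILE: succeed only when all three directives resolve to "no".
# On the node itself, also run "sudo sshd -t" to syntax-check the file before
# restarting the daemon; a typo there locks you out just as surely.
check_hardened() {
    for key in $HARDENED_KEYS; do
        [ "$(effective_value "$1" "$key")" = "no" ] || return 1
    done
    return 0
}
```

Run `make_sample_config`, `harden_sshd_config` and `check_hardened` against a temporary file first to see the behaviour, keeping your second terminal session open as the warning above requires.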