Create a New User
Here, we’ll create a new user named kaladin
and give it sudo
privileges. DO NOT log out of the Ubuntu server until you have verified that the new account is viable for connection.
adduser kaladin user mod -a -G sudo
Setup SSH Keys
If you need to create SSH keys, please see GitHub’s Generating a new SSH key and adding it to the ssh-agent.
When I created my Linode, I already had an ssh key on my Mac that is ready to use. It was added through the UI when setting up the VPS; however, it only appears in the authorized_hosts
file for the root
user at this point.
We’ll move a key from our local Mac to the home
directory of the newly created user, kaladin
. This process works because it assumes that there is no ~/.ssh
directory — in other words, that kaladin
is a completely new user account (viz that there are no keys present in the authorized_keys
file.
Copy id_ed25519.pub
to server
Here we’ll use the secure copy command in the terminal on our Mac to copy the public key to the /home/kaladin/
directory.
scp ~/.ssh/id_ed25519.pub [email protected]
So that should have copied our public ssh key to the server. You should still be logged in as root
. We will now create, populate, and set permissions for a .ssh
directory in the home directory for kaladin
. You should find the ssh key we uploaded at /home/kaladin/id_ed25519.pub
.
cd ~kaladin mkdir .ssh mv id_ed25519.pub .ssh/authorized_keys chown -R kaladin:kaladin .ssh chmod 700 .ssh chmod 600 .ssh/authorized_keys
Now type ls -liah
to view the folder contents of kaladin
. You should see something like this:
263883 drwx------ 2 kaladin kaladin 4.0K Jul 6 19:00 .ssh
Open up a second terminal window on your local machine. Try to login as kaladin
. Assuming you are successful, exit the session as root
. Everything that follows assumes you are logged in as kaladin
and not root
.
Disable root
& Change the SSH Port
We will now edit the ssh_config
file to eliminate root access and make things a little more secure.
sudo nano /etc/ssh/sshd_config
At the bottom of the file add these overrides. All text below is not present by default in the sshd_config
file.
#### Overrides ##### Port 333 PermitRootLogin no AllowUsers kaladin LoginGraceTime 1m ClientAliveInterval 600 ClientAliveCountMax 0
Save the changes you’ve made and then restart the ssh service in order for the changes to take effect:
sudo systemctl restart ssh
Explanations about sshd_config settings
About Changing the Default SSH port number
There is a lot of discussion around whether changing the ssh port number is a net good and if it actually improves security. I have opted to change the default. There are reasons to not if your server engages entities that assume and cannot be configured for port numbers other than the default port 22
.
Should I change the default SSH port on linux servers? is a Stack Overflow posts that can bring you up to speed on whether, why and to what you may want to change the default ssh port number.
If you do change the default port number it is important that you pick an open port that is less than 1024. Assigning a reserved port (i.e., greater than 1024) can open your server up to DoS attack.
PermitRootLogin
By setting this to No
we disallow anyone to ssh into the server as root
. Remember, you can use the sudo
command to activate root
privileges for kaladin
.
AllowUsers
Here we limit only users authenticated as kaladin
to ssh into the server from anywhere.
If you’d like to learn how to limit user access from specific locations, see the Linux Security Cookbook by Barrett, Silverman, and Byrnes: 3.14. Restricting Access to an SSH Server by Account.
LoginGraceTime
Documentation is underrated. Checkout the man
pages for sshd_config
:
The server disconnects after this time if the user has not successfully logged in. If the value is 0, there is no time limit. The default is 120 seconds.
Oracle’s man pages for sshd_config
ClientAliveCountMax & ClientAliveInterval
The ClientAliveCountMax
and ClientAliveInterval
are used in tandem in determining how and for how long to keep the ssh connection alive.
ClientAliveInterval
determine the number of seconds before the ssh service sends a client alive message to the ssh client.
ClientAliveCountMax
is how many times the ssh service will allow no response before killing the connection.
Essentially, we’re configuring a timeout for each ssh connection that could be thought of like this:
Timeout = ClientAliveInterval * (ClientAliveCountMax + 1).
In the above configuration we had:
ClientAliveInterval 600 ClientAliveCountMax 0
This means after 10 minutes the ssh service will send a null packet. The ssh service will not retry after the first interval.