@@ -4,7 +4,7 @@
[NOTE]
====
- Beta Version (1)! Please comment on server mailing list
+ Status: RC – Ready for publication
====
[sidebar]
****
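Review bot: the `+ Status: RC – Ready for publication` line promotes the document out of beta, but hunks later in this same patch still carry defects that should be settled before that status is set: the added key-naming sentence keeps the German "und" and reads "trailing types abbreviation", and the IPv4 block's `nmcli con up'enp3s0'` still lacks the space before the profile name. Suggest fixing those here or keeping the request for comments until they are fixed.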
@@ -15,11 +15,11 @@
== 1. Set up root login via key file
- According to the default installation, SSH login is only possible using an RSA key file. However, the setup cannot be done as part of the installation. If this step is omitted, logging in as root via SSH is not possible.
+ According to the default installation, SSH login is only possible using an SSH key file. However, the setup cannot be done as part of the installation. If this step is omitted, logging in as root via SSH is not possible.
- === Prepare a pair of private / public RSA keys
+ === Prepare a pair of private / public keys
- This step is to be performed only if a pair of RSA keys does not already exist. It is best to create the key in the _.ssh_ directory of the desktop user. It should not be secured by password to enable automatic processing. The naming with leading 'id_' und trailing '_rsa' is just a common convention, yet helpful.
+ This step is to be performed only if a pair of keys does not already exist. It is best to create the key in the _.ssh_ directory of the desktop user. It should not be secured by password to enable automatic processing. The naming with leading 'id_' und trailing types abbreviation, e.g. '_rsa' is just a common convention, yet helpful.
a. Execute on the local desktop
+
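Review bot: the rewritten sentence on the `+ This step is to be performed ...` line still reads "leading 'id_' und trailing types abbreviation, e.g. '_rsa'"; "und" is German for "and" and "types abbreviation" should be singular, so suggest "leading 'id_' and a trailing key-type abbreviation, e.g. '_rsa'". Since the same line tells the reader to leave the root key without a passphrase, consider adding that the private key is then protected by file permissions alone, and that a passphrase loaded into ssh-agent gives the same convenience for interactive use.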
@@ -27,17 +27,21 @@
----
[…]# mkdir ~/.ssh
[…]# cd ~/.ssh
- […]# ssh-keygen -t rsa -b 4096 -C "root@example.com" -f id_<outputkeyfile>_rsa
+ […]# ssh-keygen -t rsa -b 4096 -C "root@example.com" -f <outputkeyfile>
----
+ Although the type rsa is widely used, you may adjust your key type accordingly.
+
=== Transfer and Install the Public Key onto the Server
+ You normally use _ssh-copy-id_ to install the public key on the server. However, this requires a password login, which was disabled for root during installation. Therefore, a detour is now required.
+
a. Log in to your server via sftp using the unprivileged administration account and transfer the public key file
+
[source,]
----
[…]# sftp hostmin@example.com
- sftp> put ~/.ssh/id_<outputkeyfile>_rsa.pub
+ sftp> put ~/.ssh/<outputkeyfile>.pub
sftp> quit
----
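Review bot: the `+ […]# ssh-keygen -t rsa -b 4096 -C "root@example.com" -f <outputkeyfile>` line still hard-codes RSA while the new sentence under the block says the key type may be adjusted; since the patch's purpose is to stop assuming RSA, spell the alternative out there, e.g. `ssh-keygen -t ed25519 -C "root@example.com" -f <outputkeyfile>`, so the reader knows what "adjust your key type" means. Two smaller points: `-f <outputkeyfile>` is a relative path, so say that the files land in the `~/.ssh` directory entered on the line before; and `[source,]` leaves the language attribute empty, so `[source,bash]` (or plain `[source]`) is cleaner.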
@@ -55,7 +59,7 @@
[…]$ sudo su -
[…]# mkdir /root/.ssh
[…]# cd /root/.ssh
- […]# mv /home/hostmin/id_<outputkeyfile>_rsa.pub /root/.ssh/authorized_keys
+ […]# mv /home/hostmin/<outputkeyfile>.pub /root/.ssh/authorized_keys
[…]# chown -R root.root /root/.ssh
[…]# chmod 700 /root/.ssh
[…]# chmod 600 ~/.ssh/*
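Review bot: `+ […]# mv /home/hostmin/<outputkeyfile>.pub /root/.ssh/authorized_keys` replaces any existing authorized_keys outright, so running the section a second time (a second key or a second administrator) silently drops the first key; suggest appending instead, e.g. `cat /home/hostmin/<outputkeyfile>.pub >> /root/.ssh/authorized_keys` followed by removing the copied file. In the same hunk, `chown -R root.root /root/.ssh` uses the dot separator that GNU chown keeps only for compatibility; `root:root` is the documented form.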
@@ -68,10 +72,10 @@
+
[source,]
----
- […]# ssh -i ~/.ssh/id_<outputkeyfile>_rsa root@example.com
+ […]# ssh -i ~/.ssh/<outputkeyfile> root@example.com
----
+
- adjust file and domain name as appropriate.
+ adjust file, file type, and domain name as appropriate.
a. To simplify access create a configuration file on your desktop and define a short name for the connection:
+
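Review bot: `+ adjust file, file type, and domain name as appropriate.` introduces "file type", but after this patch the file name no longer encodes a key type (`-f <outputkeyfile>`), so the phrase has nothing to refer to; suggest "Adjust the key file name and host name as appropriate.", capitalised, since it stands as its own paragraph after the listing.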
@@ -89,7 +93,7 @@
ForwardX11 no
Port 22
KeepAlive yes
- IdentityFile ~/.ssh/id_<outputkeyfile>_rsa
+ IdentityFile ~/.ssh/<outputkeyfile>
----
+
again, replace names accordingly.
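Review bot: the context line `KeepAlive yes` in this ssh_config fragment uses the keyword OpenSSH renamed years ago; current OpenSSH accepts it only as a compatibility alias and documents `TCPKeepAlive`. Suggest `TCPKeepAlive yes`, or `ServerAliveInterval 60` if the intent is to keep idle sessions alive through NAT, since TCP keepalives alone do not detect a dead peer quickly. The `+ IdentityFile ~/.ssh/<outputkeyfile>` change itself is consistent with the ssh-keygen change earlier in the patch.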
@@ -191,12 +195,12 @@
+
[source,]
----
- […]# nmnmcli con mod 'enp3s0' ipv6.method manual \
+ […]# nmcli con mod 'enp3s0' ipv6.method manual \
ipv6.addresses <YOUR_IPv6_PREFIX>::2/64 \
ipv6.gateway fe80::1 \
ipv6.dns "2a01:4f8:xx:yy::zzz:8888 2a01:4f8:xx:yy::zzz:9999"
- […]# nmnmcli con up 'enp3s0'
- […]# nmnmcli con reload
+ […]# nmcli con up 'enp3s0'
+ […]# nmcli con reload
----
+
Again, don't forget to adjust names, prefix, and DNS IP addresses. Pay special attention to the gateway. Using a local address of 1 (fe80::1) is a widely used convention.Another is the IPV6 prefix with the address 1. But each provider may have an even different approach.
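Review bot: this hunk fixes `nmnmcli` but leaves two issues in the same lines: the trailing `+ […]# nmcli con reload` re-reads profile files from disk, which `nmcli con mod` has already written, so it does nothing useful here and, if kept, belongs before `con up` rather than after it; and the context paragraph `Again, don't forget ...` has the run-together "convention.Another" and the inconsistent "IPV6" (spelled "IPv6" elsewhere). Suggest dropping the reload line and fixing the paragraph in the same pass.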
@@ -213,12 +217,12 @@
+
[source,]
----
- […]# nmnmcli con mod 'enp3s0' ipv4.method manual \
+ […]# nmcli con mod 'enp3s0' ipv4.method manual \
ipv4.addresses <YOUR_IPv4>/27 \
ipv4.gateway <GATEWAY> \
ipv6.dns "<DNS1_IPv4> <DNS2_IPv4>"
- […]# nmnmcli con up'enp3s0'
- […]# nmnmcli con reload
+ […]# nmcli con up'enp3s0'
+ […]# nmcli con reload
----
+
Again, don't forget to adjust names, prefix, and DNS IP addresses and check connectivity from your local workstation:
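Review bot: `+ […]# nmcli con up'enp3s0'` fixes the tool name but keeps the missing space, so the shell passes `upenp3s0` as one word and nmcli rejects the subcommand; it should read `nmcli con up 'enp3s0'` as in the IPv6 block. Also, the context line `ipv6.dns "<DNS1_IPv4> <DNS2_IPv4>"` sets the IPv6 resolver property from inside the IPv4 block; the key should be `ipv4.dns`, otherwise the IPv4 addresses are not accepted as IPv6 values and the profile ends up without IPv4 DNS.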
@@ -279,6 +283,8 @@
The software monitors the log files for authentication errors. In case of multiple retries from the same IP address, the source IP gets blocked by the firewall. This is to prevent brute force methods for cracking passwords and bots checking for weak passwords. However, if an error occurs in the authentication process, a system administrator may also lock himself out.
+ If you disabled system users password Login in the previous step so sshd only allows keys, you may skip this section. There will be nothing to log in this regard anymore.
+
a. Installation of the software and the required Postfix
+
[source,]
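Review bot: `+ If you disabled system users password Login in the previous step so sshd only allows keys, you may skip this section. There will be nothing to log in this regard anymore.` overstates the effect: sshd still logs rejected connections (invalid user names, pre-auth disconnects) when only keys are accepted, fail2ban's sshd filter still matches those lines, and the jail still cuts scanner noise. Suggest saying that the password brute-force risk is gone and the section becomes optional, and fixing the grammar: "If you disabled password login for system users in the previous step ...". Since the sentence refers to "the previous step", naming that section keeps the reference valid if sections are reordered.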