Using SSH keys for Server Access

I decided to write this article so that people can access their servers more securely, and share that access with authorised personnel. It is intended for Service Providers in the 0Chain community, but applies equally to anyone with their own server (or VPS etc.).

Compatibility

The server commands are for a Linux server. The local commands should work on Linux or macOS computers. For Windows, see https://phoenixnap.com/kb/generate-ssh-key-windows-10 to install ssh-keygen first; you will then need to use \ in paths and the type command instead of cat.

The basic concept

The concept is based around a public/private key pair, which anyone interested in crypto should already be familiar with. The private key stays on the local machine and only the public key gets pushed to the server(s).

Installing a key on a server

I'll cut straight to the chase. Log into the server as the user whose access you wish to share. This may be through a user interface of your hosting provider (e.g. a noVNC KVM console), or by using ssh with the existing password.

Then cut and paste the following command (ON YOUR SERVER). Note that this command authorizes me to access your server!!

cd ~ ; DIR=".ssh"; FILE="authorized_keys"; ADD="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMbMEFXgqISi/jdF/1HvnkeP9R4oEnm0k6c6jsbuP1Ab sculptex@sculptex.co.uk"; [ ! -d "$DIR" ] && mkdir "$DIR" ; [ ! -f "$DIR/$FILE" ] && touch "$DIR/$FILE" ; grep -qF "$ADD" "$DIR/$FILE" || echo "$ADD" >> "$DIR/$FILE"

What this does is add my key to the list of authorized ssh keys for that user on the server (the .ssh folder and the authorized_keys file are created if they don't exist), and it skips the key if it is already listed.

Generating your own keys

Suppose you have more than one server to manage and, rather than having to remember a separate password for each one, you want to generate your own key pair.

First you will generate an ssh key pair on your local machine (laptop or desktop etc.).
The command you want to use is ssh-keygen.
The only parameters we will specify are the filename and the algorithm. In this case we will use the ed25519 algorithm.
Make sure you are in your home folder (cd ~); we will generate the key in the .ssh folder, which is where these keys are stored by default.
The command will look like this (substitute your preferred name for every instance of test):-

ON YOUR LOCAL MACHINE

ssh-keygen -f .ssh/test -t ed25519

And the output will look something like:-

Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in .ssh/test
Your public key has been saved in .ssh/test.pub
The key fingerprint is:
SHA256:DpciLmKT4GYvxAe+0DMi0NQRJLuI8Q1HTGIDyJtPSf0 sculptex@hplaptop
The key's randomart image is:
+--[ED25519 256]--+
|+.==Bo           |
|.o.Bo.           |
|.o* o .          |
|oB.B   E .       |
|B.* o o S        |
|*+=+ . =         |
|=O+o.   .        |
|++o.             |
|  ..             |
+----[SHA256]-----+

You will see it prompts for a passphrase; I highly recommend you set one for additional security. Because the key pair itself is the main security, this passphrase only comes into play if someone gains access to your private key, so use your judgement to make it something easy to type and remember, as you will need to enter it each time you connect.

If we look in the .ssh folder, the test and test.pub files will be there.

ls .ssh

The test file is the private key. You want to keep this secure as you would with other private keys. The .pub file contains your public key.
You can see the contents of that file by entering

cat .ssh/test.pub

and you will see something like this (it may appear as multiple lines if it wraps on your screen)

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKI22V+K3fKNzqRAv0LmeDLIpreO3tL+rxxs90d/wXxH sculptex@hplaptop

METHOD 1 – substituting into one-liner command

ON SERVER

This is the line we need to substitute into the ADD variable of the command at the start:
ADD="<HERE>"

So the one-liner for the above test key authorization would be (note you can change the last part, the comment, to an email address if desired)

cd ~ ; DIR=".ssh"; FILE="authorized_keys"; ADD="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKI22V+K3fKNzqRAv0LmeDLIpreO3tL+rxxs90d/wXxH sculptex@hplaptop"; [ ! -d "$DIR" ] && mkdir "$DIR" ; [ ! -f "$DIR/$FILE" ] && touch "$DIR/$FILE" ; grep -qF "$ADD" "$DIR/$FILE" || echo "$ADD" >> "$DIR/$FILE"

So now you have your own one-liner that you can cut and paste into an ssh session on your server, and from that point onwards you should be able to ssh into your server without a password, although you will still be prompted for the key's passphrase, which should be something more memorable.
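The one-liner at the start of the article and the METHOD 1 version above share the same logic. As an added example (not the article's own command), here it is as a function that also refuses lines that are not public keys, compares keys without their comment, and sets the permissions sshd requires; the optional home-directory argument and the sample key are assumptions added here so it can be exercised outside a real account.

```shell
#!/bin/sh
# Added example, not the article's one-liner: add a public key line to
# ~/.ssh/authorized_keys only if it is well-formed and not already present.
# Usage: add_authorized_key "<public key line>" [home_dir]
# Exit status: 0 added, 2 already present, 1 rejected or failed.

add_authorized_key() {
    key=$1
    home=${2:-$HOME}          # second argument is an assumption for testing
    dir="$home/.ssh"
    file="$dir/authorized_keys"

    # Refuse anything that is not "<type> <base64 blob> [comment]" for the
    # common key types, so a stray paste cannot land in authorized_keys.
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' \
        || { echo "not a public key line: $key" >&2; return 1; }

    # Create ~/.ssh and the file privately (umask in a subshell so the caller's
    # umask is untouched), then tighten anything that already existed: sshd
    # ignores authorized_keys if the directory or file is group/world writable.
    ( umask 077; mkdir -p "$dir"; [ -f "$file" ] || : > "$file" ) || return 1
    chmod 700 "$dir" && chmod 600 "$file" || return 1

    # Duplicate check on "<type> <blob>" only: the same key with a different
    # comment is still the same key. -x matches whole lines, -F disables regex.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$file" | grep -qxF -- "$blob"; then
        echo "key already present in $file"
        return 2
    fi
    printf '%s\n' "$key" >> "$file" && echo "key added to $file"
}
```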

METHOD 2 – using ssh-copy-id

ON LOCAL MACHINE

Running the following command:-

ssh-copy-id -i ~/.ssh/test user@host

will add the key to the server's authorized_keys file for you (it will prompt you for your login details if you are not already able to log in without them).

Another step (If this is a sudo account)

ON SERVER

By default, sudo accounts are still prompted for a password when running a sudo command. If we want to avoid this, we need to grant the user an additional privilege. NOTE: this does not apply to the root account, which is already the superuser!

1) Let's run a basic command using sudo:-

sudo pwd

Note that if this is not a sudo account it will tell you.
1a) If it is a sudo account and this is the first sudo command of the session, it will prompt you for the password, so you'll need to enter that now.

2) Now, let's add a sudoers rule for a group whose members do not need to enter a password for sudo

if sudo grep -qwF "sudo_nopass" /etc/sudoers ; then echo "sudo_nopass group already exists" ; else echo "%sudo_nopass ALL=(ALL:ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers >/dev/null ; echo "ADDED sudo_nopass group" ; fi

It checks whether the rule has already been added, so it is safe to run more than once (just make sure you have already run a sudo command so it doesn't prompt for a password in the middle of this script). Since a syntax error in /etc/sudoers can lock you out of sudo entirely, run sudo visudo -c afterwards to confirm the file still parses.

3) Create the group on the system

sudo groupadd sudo_nopass

4) Now we can add the current user to this group. Again this assumes you have already run a sudo command (do sudo pwd first if not).

IAM=$(whoami) ; if [ "$IAM" = "root" ] ; then echo "ROOT. No need to do this!" ; else echo "User: $IAM" ; sudo usermod -a -G sudo_nopass "$IAM" ; echo "Added to group sudo_nopass" ; fi

That's it! This user should now be able to log in via ssh key and not have to enter a password for sudo. Note that the new group membership only takes effect for new login sessions, so log out and back in before testing it.

So now let's log into the server using ssh (if you gave the key a name other than the default, add -i ~/.ssh/test so ssh knows which key to use)

ssh root@12.34.56.78

You may see something like:-

The authenticity of host '12.34.56.78 (12.34.56.78)' can't be established.
ECDSA key fingerprint is SHA256:UtU+TDbb9JaVk2QEY/Tt/W7/Rnt/7ZJe70PhvWtGw8A.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Just enter yes (if your hosting provider's console shows the server's host key fingerprint, compare it with the one displayed first)

You will also get a pop-up prompting for your passphrase, so enter that.

Warning: Permanently added '12.34.56.78' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-65-generic x86_64)

Be aware that an ssh agent on your machine may keep the unlocked key in memory, so closing the window or typing exit will close the session, but subsequent connections may be re-established without asking for the passphrase.

Other Server Commands

To get your server's public IP address, enter the following command on the server command line

curl ipecho.net/plain; echo

12.34.56.78

To get the current user, enter the following command on the server command line

whoami

root

These two are the parameters required when ssh'ing into your server,
e.g. ssh <user>@<IP address> would then be
ssh root@12.34.56.78