How to: SSH secure key authentication on Ubuntu

OpenSSH is the most widely used SSH server on Linux. Using SSH, one can connect to a remote host and gain shell access on it in a secure manner, as all traffic is encrypted.

A neat feature of OpenSSH is authenticating a user with a public/private key pair to log into the remote host. By doing so, you won’t be prompted for the remote user’s password when gaining access to a protected server. Of course you have to hold the private key for this to work. By using key-based authentication and disabling the standard user/password authentication, we reduce the risk of someone gaining access to our machine(s).


So if you are not using SSH with a public/private key pair, here is how to get this rolling. If you are using AWS (Amazon Web Services) you will have been forced to use this method. This is great! The instructions below will teach you a bit about this and provide insight into setting it up on your dev VM or a server which doesn’t have this level of security turned on.

Useful commands to note

Accessing the server using a key

ssh -i ./Security/PRIVATEKEY USERNAME@SERVER -p PORT

Example:

ssh -i ./Security/aws/myname_rsa root@127.0.0.1 -p 22345

Restart SSH server

sudo /etc/init.d/ssh restart

Install & Setup SSH Security Access

Note: This section is for admins only.

Each step below notes where it runs: on your server (the remote host) or locally on your box.

1. Install SSH (only if not already installed).
On the server:
sudo apt-get install openssh-server
Locally:
sudo apt-get install openssh-client

Make sure you change your server (and the firewall, if one is present) to listen on port 22345 (or a similar high-range port of your liking) instead of the standard port 22.

Via Shell

sudo nano /etc/ssh/sshd_config
sudo /etc/init.d/ssh restart

OR

In Webmin > SSH Server > Networking > Listen on port = 22345

How to install Webmin instructions are here: http://www.theroadtosiliconvalley.com/technology/building-ubuntu-lamp-web-server-vm/

2. Create a public/private key pair (locally on your box).
ssh-keygen -t rsa

This generates an RSA key pair that identifies the user. Why RSA instead of DSA? RSA keys are 2048 bits by default, whereas DSA keys are restricted to 1024 bits. Read here: http://security.stackexchange.com/questions/5096/rsa-vs-dsa-for-ssh-authentication-keys

By default the public key is saved in the file ~/.ssh/id_rsa.pub,
while the private key is saved in ~/.ssh/id_rsa.

3. Copy the generated myname_rsa.pub file to the remote host (locally, via SFTP). Take it from:
/Users/name/.ssh/myname_rsa.pub
and drop it into the remote host path:
/root/.ssh/myname_rsa.pub
Note: If that folder doesn’t exist then create it (on the server):
sudo mkdir /root/.ssh/
4. SSH into the remote host (on the server) and append the key to ~/.ssh/authorized_keys by entering:
cat /root/.ssh/myname_rsa.pub >> ~/.ssh/authorized_keys
rm /root/.ssh/myname_rsa.pub
4.1. Check the permissions on the authorized_keys file. Only the authenticating user should have read and write permissions. If the permissions are not correct, change them with:
chmod 600 ~/.ssh/authorized_keys
5. Enable SSH public/private key pair access (on the server).
sudo nano /etc/ssh/sshd_config

Make sure you have the following:

RSAAuthentication yes
PubkeyAuthentication yes

Save when exiting.

6. Reload the new configuration (on the server).
/etc/init.d/ssh reload (or)
service ssh reload
7. Protect your private key file (locally). On your machine, assuming you moved the private key file to the folder ./Security/:
chmod 0600 ./Security/myname_rsa
8. Test your new setup (locally). Log in to your remote host from your machine:
ssh -i ./Security/KEYFILE USERNAME@SERVER -p PORTNO

where ./Security/KEYFILE is the location of your private key file, e.g.:

ssh -i ./Security/myname_rsa root@1.1.1.1 -p 22345

You should be granted access immediately without password requirements.
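Steps 3 to 4.1 above are done by hand with cat, rm and chmod. The script below is an added example (not from the original post) that does the same installation of a public key into an authorized_keys file, but idempotently and with the directory and file permissions sshd’s StrictModes expects (0700 on ~/.ssh, 0600 on authorized_keys). The function names, the scratch directory and the key blob in the demo are all constructed for this example; the blob is not a real key.

```shell
#!/bin/sh
# Added example: install a public key into an authorized_keys file safely.
# Paths are parameters so it can be tried on a scratch directory before
# being run as the target user on a real server.

# install_authorized_key PUBKEY_FILE SSH_DIR
# Appends the key in PUBKEY_FILE to SSH_DIR/authorized_keys unless already
# present; creates SSH_DIR (0700) and authorized_keys (0600) as needed.
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=$2
    auth_keys="$ssh_dir/authorized_keys"

    # Refuse anything that does not look like an OpenSSH public key line,
    # so a private key or a random file cannot be appended by mistake.
    key_re='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+'
    if ! grep -Eq "$key_re" "$pubkey_file"; then
        echo "not an OpenSSH public key: $pubkey_file" >&2
        return 1
    fi
    key_line=$(grep -E "$key_re" "$pubkey_file" | head -n 1)
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"          # sshd ignores the file if the dir is group/world writable
    touch "$auth_keys"
    chmod 600 "$auth_keys"        # same rule as step 4.1

    # Compare on the base64 blob so a re-run with a different comment is still a no-op.
    if grep -qF "$key_blob" "$auth_keys"; then
        echo "key already present in $auth_keys"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
    echo "installed key into $auth_keys"
}

# count_authorized_keys AUTH_KEYS_FILE -> number of key lines (handy for an audit)
count_authorized_keys() {
    grep -Ec '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) ' "$1"
}

# Demo against a scratch directory with a constructed, non-functional key blob.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample== myname@laptop\n' > "$demo_dir/myname_rsa.pub"
install_authorized_key "$demo_dir/myname_rsa.pub" "$demo_dir/dotssh"
install_authorized_key "$demo_dir/myname_rsa.pub" "$demo_dir/dotssh"   # second run changes nothing
echo "keys on file: $(count_authorized_keys "$demo_dir/dotssh/authorized_keys")"
```

On a real server you would call it as the target user with `install_authorized_key /root/.ssh/myname_rsa.pub /root/.ssh` (then delete the copied .pub as in step 4). Running it twice is harmless, which is what you want when the same key is rolled out to several boxes by a script.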

9. Disable authentication by password (on the server).
sudo nano /etc/ssh/sshd_config

Make sure you have the following:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Save when exiting.
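Steps 5 and 9 both rely on editing sshd_config by hand, and a single typo (or a line left commented out) silently keeps password logins enabled. The script below is an added example (not from the original post) that audits an sshd_config for the authentication settings those steps ask for before you reload sshd. It checks the three settings named in the post and, going one step further than the post, also checks PermitRootLogin (the post logs in as root with a key, which prohibit-password still allows). The function names and the two sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only authentication.
# It only reads the file; run `sudo sshd -t` afterwards so sshd itself
# validates the syntax before you reload it.

# sshd_setting FILE KEYWORD -> prints the effective value of KEYWORD (or nothing).
# sshd honours the first occurrence of a keyword, keywords are case-insensitive,
# and '#' starts a comment, so a commented-out line sets nothing.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> one line per problem; exit status 1 if there were any.
# Each rule is "Keyword default-when-absent acceptable-values". The default
# matters: an absent PasswordAuthentication means yes on stock OpenSSH.
audit_sshd_config() {
    cfg=$1
    problems=0
    for rule in \
        "PubkeyAuthentication yes yes" \
        "PasswordAuthentication yes no" \
        "ChallengeResponseAuthentication yes no" \
        "PermitRootLogin yes no,prohibit-password,without-password"
    do
        set -- $rule
        keyword=$1; default=$2; allowed=$3
        actual=$(sshd_setting "$cfg" "$keyword")
        [ -z "$actual" ] && actual=$default
        actual=$(printf '%s' "$actual" | tr 'A-Z' 'a-z')
        case ",$allowed," in
            *",$actual,"*) ;;
            *) echo "$keyword is '$actual' (want one of: $allowed)"
               problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample configs. The first looks hardened at a glance but the
# PasswordAuthentication line is commented out, so passwords still work.
weak_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
Port 22345
#PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
EOF

hardened_cfg=$(mktemp)
cat > "$hardened_cfg" <<'EOF'
Port 22345
PermitRootLogin prohibit-password
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF

echo "weak config:";     audit_sshd_config "$weak_cfg"     || echo "  -> fix these before reloading sshd"
echo "hardened config:"; audit_sshd_config "$hardened_cfg" && echo "  -> ok, run 'sudo sshd -t' then reload"
```

Two caveats the post does not spell out: RSAAuthentication only ever applied to SSH protocol 1 and current OpenSSH releases no longer accept the keyword, so the audit does not require it; and UsePAM is deliberately not in the rule list, because with PasswordAuthentication and ChallengeResponseAuthentication both off PAM can no longer authenticate anyone, while Ubuntu’s stock sshd_config recommends leaving UsePAM yes so that PAM account and session checks still run. Keep an existing SSH session open while you reload, so a mistake cannot lock you out.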

10. Reload the new configuration (on the server).
/etc/init.d/ssh reload (or)
service ssh reload
11. Test your new setup again (locally). Log in to your remote host from your machine:
ssh -i ./Security/KEYFILE USERNAME@SERVER -p PORTNO

where ./Security/KEYFILE is the location of your private key file, e.g.:

ssh -i ./Security/myname_rsa root@1.1.1.1 -p 22345

You should be granted access immediately without a password prompt. Also test using the old method, which should now be refused:

ssh root@1.1.1.1 -p 22345

This should yield: Permission denied (publickey).
The server is now protected against password brute-force attacks.

Finally, make sure you adjust your development tools so they too can gain access to your secured server.

Tools

Your choice of tools may vary, but the process is very similar. The following are my most used tools and how to tweak them to allow SSH key entry to my secured server.

FileZilla – SFTP

To enable FileZilla to access the server under the new configuration do this:

  1. FileZilla > Preferences…
  2. Settings window opens. Select “Connection > SFTP” (left hand navigation).
  3. In the right pane, click on “Add keyfile…”. Navigate to your private keyfile and click on it to add.
  4. You may be asked by FileZilla to “Convert keyfile” to a supported FileZilla format. This is fine and just click “Yes”. Save the output file to the same location as your private key file.
  5. Click OK on the Settings file to save final changes.

SublimeText2 – IDE

To enable SublimeText2 to access the server under the new configuration do this.

In your solution’s sftp-settings.json configuration file, enable key file access like this:

"ssh_key_file": "~/.ssh/id_rsa",

Example:

"ssh_key_file": "~/Security/myname_rsa",

And that’s it. Happy development!

~ Ernest

EC2: how to launch Ubuntu into the cloud

Amazon Elastic Compute Cloud (EC2) delivers scalable, pay-as-you-go compute capacity in the cloud. It is a part of a collection of remote computing services (also called web services) from Amazon that together make up a multi-tenant cloud computing platform. The most central and well-known of these services are Amazon EC2 and Amazon S3. The goal in this post is to get you up and running on an EC2 instance super fast.

Get familiar

I’m going to assume you have an account with AWS and are familiar with:

If you do not know those 3, please spend some time learning about them by following the links in the bullet points above. Else, let’s get rollin.

Step by step guide

1. Setting up security

Before we launch an Instance you need to do some pre-work, since neither the “Security Group” nor the “Key Pair Name” can be changed once an Instance has been mapped to them and started.

  1. Setup a “Security Group” for your new Linux Instance.
    1. From Navigation menu select “Security Groups”.
    2. Click on “Create Security Group” button and fill out the form giving your security group a very descriptive name.
    3. Click “Yes, Create” button, select the new group and in the lower half window/frame press the “Inbound” tab.
    4. Inbound allows you to open ports on this Instance. You can add or remove these after the Instance is created. By default allow these: SSH (22), HTTP (80) and MySQL (3306). For extra security limit (source) SSH & MySQL to only your IP address. If you plan to install Webmin add port 10000 here too.
    5. When done, click on “Apply Rule Changes”.
  2. Create a “Key Pair Name”.
    1. This is super important and will be used for accessing your Instance both via SSH & sFTP.
    2. From Navigation menu select “Key Pairs”.
    3. Click on “Create Key Pair” button.
    4. Give it a descriptive Key Pair Name and click on “Create” button. A private key with extension .pem will download. Save this in a secure location since this is your key to access your Instance.
    5. On your local machine (Linux or Mac OS X), give this file more secure permissions like this:
      chmod 0700 ./keys/mykey.pem

2. Launching an Instance

  1. From Navigation menu select “Instances”.
  2. Click on “Launch Instance” button.
  3. This launches the Request Instance Wizard where you can select an Amazon Machine Image (AMI). Note that Ubuntu is only available from “Community AMIs”. Click the Community AMIs tab.
    1. Here is a list of available Ubuntu images:
      http://uec-images.ubuntu.com/releases/10.10/release/
    2. Make sure you use an EBS root store – it’s better. For benefits see here:
      http://stackoverflow.com/questions/3630506/benefits-of-ebs-vs-instance-store-and-vice-versa
  4. Step through the 5 stages of the Wizard and click on “Launch” button. This will launch your new Instance. The Wizard is straightforward and you will most likely go with all the defaults.
  5. Your Linux Instance will launch pretty fast. You should now see your Instance listed under “My Instances”.
  6. Click on your Instance. Instance properties window/frame shows up in the bottom half of the console. Note down “Public DNS” and “Private DNS/IP Address”. You will need those to access the box – especially the Public DNS.

3. Building an Ubuntu LAMP Web Server on your new Instance

This step is optional.

But should you want to setup LAMP on this new Instance follow the steps outlined in my previous post here: http://www.theroadtosiliconvalley.com/technology/building-ubuntu-lamp-web-server-vm/

The only additions in light of the Amazon EC2 host are:

  • When using SSH/sFTP use the private key with extension .pem you downloaded above.
  • Note that the login user on an EC2 Ubuntu Instance is “ubuntu”, not “root” as in a VM Ubuntu setup.
  • To SSH into your new EC2 Instance do this in terminal where the URL after @ is your Public DNS:
    ssh -i ./keys/mykey.pem ubuntu@region.compute.amazonaws.com
  • Use the Public DNS or set up a static IP address to point to your Instance(s). Amazon calls this an Elastic IP Address, and it lets you move the one IP address between multiple Instances for dynamic cloud computing.

Now go and build kick ass products!

There you have it folks. How simple is that. Amazon makes cloud computing look simple, and launching new servers (Instances) is a breeze, done in a matter of minutes.

If you found this post useful let me know in comments section below. Super!!

~ Ernest

Building an Ubuntu LAMP Web Server

Recently I was setting up my Mac OS X with a kick ass development environment and jotted down all the cool steps I took to build an Ubuntu LAMP web server in a virtual machine environment. Here is this in-depth guide translated from paper to this digital copy. Hope you find this guide valuable and it saves you time when you need to do the same.

LAMP (Linux, Apache, MySQL and PHP)

Ubuntu Server

The flavor of Linux I like to use as a Web Server is Ubuntu.

What is Ubuntu

Ubuntu is a secure, intuitive operating system that powers desktops, servers, netbooks and laptops. It is based on the Debian GNU/Linux distribution. Ubuntu is named after the Southern African ethical ideology Ubuntu (“humanity towards others”) and is distributed as free and open source software, with additional proprietary software available.

Why Ubuntu

  1. Reduced costs – free to use with no licensing fees.
  2. Virtualization – it runs beautifully and fast in any VM environment (esp. Mac OS X).
  3. Built-in security – tight security, inbuilt firewall and encryption.
  4. It is based on the Debian distribution, a computer operating system composed of software packages released as free and open source software, especially under the GNU General Public License and other free software licenses. Debian releases are slower, but this means they are extremely thorough.
  5. A lot of the big boys use Ubuntu. See case studies here: http://www.ubuntu.com/business/case-studies

Step by Step – your 1st web server

This guide assumes you have already installed Ubuntu Server. If not, go here and do it first. I recommend you install Ubuntu Server in a VM. I use VMware Fusion to run my instances when developing and Amazon EC2 for production. This guarantees that whatever I do locally in a VM will be compatible when pushed into production.

Ubuntu Server in a VMware Fusion

Goal:

  • Install LAMP – Linux (already done), Apache (web server), MySQL (mysql) and PHP (code compiler).
  • Install Webmin – a web-based interface for system administration for Unix.
  • Allow WWW for sFTP so you can remotely manage your website using a GUI.
  • Setup access to MySQL using MySQL Workbench.

1. Install LAMP

  • SSH into your box as root on Port 22 (default post install).
  • Update your OS software (just in case you are missing some dependencies):
    sudo apt-get update
  • From the terminal window, install LAMP using this one command (the caret (^) must be included):
    sudo apt-get install lamp-server^
  • The apt package manager will display what it is installing and ask you a bunch of standard questions. Just say yes to all. You will also be asked for a password for your new MySQL database. Type that in and note this down for future.
  • When this finishes you are done. Easy hey! Port 80 (default web server port) is now enabled and pointing to ‘/var/www’. ‘/var/www’ is where your site(s) should be placed.
  • Hit the Public DNS URL of your server (typically your IP) to verify that it’s up. It should show a page saying “It works!”. If you are not sure what your box’s IP is, type this in and hit enter (similar to ipconfig on a Windows box).
    ip route
  • Before moving to the next step, you may want to know information about PHP’s configuration, including installed extensions. You can grab this by creating a PHP file from your terminal window like this:
     sudo nano /var/www/phpinfo.php

    then adding this into it, save it, and quit nano (the editor you’re in):

    <?php phpinfo(); ?>

    restart Apache:

    sudo /etc/init.d/apache2 restart

    Hit the IP in your browser again with this new file name appended to the end, e.g. http://170.10.105.110/phpinfo.php – it should show you what is running. Remove the file once you have read it, since it exposes your configuration details to anyone who can reach that URL.

2. Install Webmin

  • Edit “/etc/apt/sources.list” to add 2 new sources:
    sudo nano /etc/apt/sources.list
  • … add these 2 new lines to the end, save and exit:
    deb http://download.webmin.com/download/repository sarge contrib
    deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib
  • Now you can run this in your terminal window to install Webmin.
    sudo apt-get update
    sudo apt-get install webmin
  • Webmin should now be accessible from your browser using the server’s IP address followed by port 10000, e.g. https://170.10.105.110:10000
    Note that Webmin ships with a self-signed certificate, so your browser will show a certificate warning, since https is (and has to be) the protocol. Accept it for this local VM and move forward.
  • If you cannot login with your sudo account you may need to enable root. Follow the steps outlined here: https://help.ubuntu.com/community/WebminWithoutARootAccount
  • Or you can change the password of the root user in your terminal window (“foo” below stands for the new password), then restart Webmin.
    sudo /usr/share/webmin/changepass.pl /etc/webmin/ root foo
    sudo /etc/init.d/webmin restart
  • If you need to restart Webmin run this:
    sudo /etc/init.d/webmin restart

3. Allow WWW for sFTP

  • You need to make sure the group owner of “/var/www” is www-data. Run this in your terminal window:
    sudo chgrp www-data /var/www
  • Make “/var/www” writable for the group.
    sudo chmod 775 /var/www
  • Set the setgid bit so that all new sub-folders and files inherit the www-data group.
    sudo chmod g+s /var/www
  • Your directory should look like this on an ‘ls -l’ output.
    drwxrwsr-x    root www-data
  • Last, add your user name to the www-data group (as a secondary group), where NEW_USERNAME is the “new” username you will use to sFTP. Note that we follow it with “passwd” to give the new account a password.
    sudo useradd -G www-data NEW_USERNAME
    sudo passwd NEW_USERNAME

    OR if the username is “existing” one use the command below. Also don’t forget to add “ubuntu” user if you have set this up on an EC2:

    sudo usermod -a -G www-data EXISTING_USERNAME
  • You should now be able to SFTP to your server using this USERNAME and upload data to “/var/www” with no problems.
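The steps in section 3 set the group, the group-write bit and the setgid bit on /var/www and then ask you to eyeball the `ls -l` output. The script below is an added example (not from the original post) that does the same setup as one function and adds a check that verifies the result with find, which is easier to reuse on every box than reading permission strings by eye. Directory and group are parameters, so the demo runs against a scratch directory with a group you already belong to; the function names and the scratch paths are constructed for this example.

```shell
#!/bin/sh
# Added example: create and verify a group-shared web root (the /var/www setup
# from section 3), parameterised so it can be rehearsed without sudo.

# setup_shared_dir DIR GROUP
setup_shared_dir() {
    dir=$1; group=$2
    mkdir -p "$dir"
    chgrp "$group" "$dir"     # group the sFTP users will share
    chmod 2775 "$dir"         # rwxrwsr-x: group-writable, setgid so new entries inherit GROUP
}

# check_shared_dir DIR GROUP -> 0 if DIR exists, is owned by GROUP, and has
# the setgid bit plus group rwx set (-perm -2070 means "at least these bits").
check_shared_dir() {
    dir=$1; group=$2
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -maxdepth 0 -group "$group" -perm -2070)" ]
}

# Demo: a scratch directory and our own primary group, so chgrp succeeds unprivileged.
demo() {
    www=$(mktemp -d)/www
    grp=$(id -gn)
    setup_shared_dir "$www" "$grp"
    mkdir "$www/mynewsite"                 # created later, still owned by $grp thanks to setgid
    if check_shared_dir "$www" "$grp"; then
        echo "$www: group=$grp, group-writable, setgid: ok"
    else
        echo "$www: NOT set up correctly" >&2
    fi
    ls -ld "$www" "$www/mynewsite"
}
demo
```

On the real server the call is `sudo sh -c '. ./shared_dir.sh; setup_shared_dir /var/www www-data'` (or simply run the three commands from section 3), followed by `check_shared_dir /var/www www-data` from any account. The check is the useful part to keep: run it after each deployment, because a careless `chmod -R` or a fresh `mkdir` by root without the setgid bit in place is how the “permission denied on upload” tickets start.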

4. Access to MySQL using MySQL Workbench

  • MySQL Workbench is a nice free GUI tool by the folks at mysql.com to manage your MySQL database. It can be downloaded from here: http://wb.mysql.com/
  • By default MySQL listens on localhost (127.0.0.1), so if you are going to manage your Ubuntu VM instance from, say, OS X, MySQL won’t allow you entry. Here’s what to do to grant remote management of MySQL.
    1. Go to Webmin and login.
    2. In Webmin, navigate here: Servers > MySQL Database Server > MySQL Server Configuration
    3. Change “MySQL server listening address” to “Any”. By default it is 127.0.0.1. Save this.
    4. Now navigate here: Servers > MySQL Database Server > User Permissions
    5. Click on User “root” on the line where it says 127.0.0.1. And under Hosts change it to “Any”. This sets the permissions on your db access.
    6. Save & Restart MySQL and you are done.
  • Remember that this is for “development” purposes only. In production you would not allow “Any” host to reach your DB; you would grant access to a specific static address and username.

5. Bonus – running multiple web applications on the LAMP instance

To save on time, money and managing multiple boxes, you may want to run multiple websites from this same box. I like to do this using ports as the separator. The following can be done in Webmin:

  1. Upload code to /var/www/mynewsite/
  2. Create a Virtual host for your new web application by navigating to:
    Servers > Apache Webserver > Create virtual host
  3. Fill out the form pointing ‘Document Root’ to the location of your code and assign a ‘Port’ number eg. 81, to this new host. Remember port 80 is your default.
  4. Save and click on ‘Apply Settings’ (link top right of the Webmin interface).
  5. Finally you need to tell Apache to listen to this new port. Navigate here:
    Servers > Apache Webserver > Global configuration > Networking and Addresses
  6. Add port 81 (where your new host is configured on) to ‘Listen on addresses and ports’.
  7. Save, apply changes and restart Apache.
  8. Done. You can now access your website via http://IP_DNS:81

Now go and build kick ass products!

There you have it folks. How simple is that. That’s why I love Ubuntu so much. It’s simple and powerful all under the 1 umbrella. That’s how software should be. All the complexities removed so us engineers can get to work and build kick ass products!

If you found this post useful let me know in comments section below. Super!!

~ Ernest