Category Archives: security

Adding a Key to Your Server for SSH Login

Posted on by

Using Ubuntu

An authentication key allows your server to authenticate the computer you are using has the right key and should be granted access. This lets you use the key instead of a username and password when using ssh.

If you don’t already have a key on your local machine (look for a file named id_rsa.pub in your user home directory under the .ssh folder

[bash]cd /.ssh[/bash]

will get you to the right directory) then you need to generate the key pair. On your desktop machine use:

[bash]ssh-keygen[/bash]

Next you copy the file to your server. scp ~/.ssh/id_dsa.pub [user]@[server]:.ssh/

[bash]scp ~/.ssh/id_dsa.pub username@servername:.ssh/[/bash]

Rename the file on the server to authorized_keys2
[bash]mv id_rsa.pub authorized_keys2[/bash]

The key is for to authenticate your computer. But on the ssh login Ubuntu will look in the user folder. So if you also had user2 access to the server and tried to ssh into the server you would not be authenticated because it would look in user2/.ssh for the authorized key file and not find it. You can put the same key in any user folder on your server to have that user also be automatically authenticated.

Replacing a Host Key

Posted on by

Host keys are used to security log into remote servers (such as Virtual Private Servers – VPS). With Ubuntu if you are using host keys to sign into servers securely and have asked for strict checking, if you make a change (such as rebuilding your VPS) the host key will change and you cannot login and will get a message like:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is

Please contact your system administrator.

RSA host key for 128.0.0.128 has changed and you have requested strict checking.
Host key verification failed.

if that happens you need to remove your local host key. Then you can sign back in and you will be able to save a new copy of the host key. If you don’t know why the key has changed you should figure that out first as it maybe be an indication of an important security problem. To remove you local key, you can use ssh-keygen -R [ip address of server with the bad key] for example: ssh-keygen -R 128.0.0.128

Then when you try to sign in you will get

The authenticity of host '128.0.0.128 (128.0.0.128)' can't be established.

RSA key fingerprint is ed:...:ea.
Are you sure you want to continue connecting (yes/no)?

And if you know why (such as you made changes to the server) you can say yes and connect and save the new known host key.

Managing Users in Ubuntu

Posted on by

add a user: sudo adduser [newuser]
sudo adduser john
then give password, and setup home folder,when prompted

edit the list of super users
visudo

list users
cat /etc/passwd

change password of a user – sudo passwd [username]
sudo passwd john
to change your password you can just use sudo passwd.

delete user

sudo deluser username

This will not delete the home folder (and subfolder) those must be dealt with separately. A new user created with the old user name would have access to those files.

temporarily lock a user account – Simply locking a user account will not prevent a user from logging into your server remotely if they have previously set up RSA public key authentication.

sudo passwd -l username

To unlock the account

sudo passwd -u username

Groups

Groups are used in to control permissions (see file permissions)
add user to a group
usermod -G [group-name] [username]
usermod -G basketball john
using the -G switch ads the group as a supplemental group. Using -g would make the group that users primary group.

see what groups a user is in
id john

add a new group: groupadd [new_group_name]
groupadd ruby_developers

Linux/Ubuntu File and Directory Permissions

Posted on by

Linux (and therefore Ubuntu) has file permissions on each file and directory for the owner, group and everyone else. Those permissions determine if the file can be viewed, executed or edited.

Only the owner of a file or directory (or a privileged user, root for example) may change its mode.

Ownership of a file

To change the ownership of the file or directory: chown new_owner_username directory

[bash]chown john public_html[/bash]

to change the ownership of directory (and all the files and folders in the directory) and also the group: chown -R new_owner_username:new_groupname directory

[bash]chown -R john:developers public_html[/bash]

to change the ownership of all the files in the current directory and also the group: chown -R new_owner_username:new_groupname *

[bash]chown john:developers *[/bash]

File permissions

The easiest way to set Linux file permissions is using a 3 digit sequence. The first digit designates owner permission; the second, the group permission; and the third, everyone else’s permission.

Read = 4
Write = 2
Execute = 1

The digit is the sum of those. So if you want to grant only read permission you use 4; read and execute 5; read, write and execute = 7.

[bash]chmod 775 index.html[/bash]

That will set the permissions on index.html so the owner, and a user in the group specified can read, write and execute the file and everyone else can read and execute.

[bash]chmod -R 755 public_html[/bash]

That will set the permissions on files and directories (recursively through all subdirectories) so the owner can read, write and execute; members of the group and everyone else can read and execute (but not write).

[bash]ls – l[/bash]

That will give you a list of files and directories, in a directory, with the owner and group settings and the permissions for all 3 (those 2 and everyone else), which will look something like:

[bash]-rw-r–r– 1 root developers 397 2008-05-25 20:33 index.html
-rw-r–r– 1 mary developers 9177 2010-05-02 22:18 unix_file_permissions.html
…[/bash]

The lines start with the permissions for the owner, group and then everyone else. There are 9 total characters, 3 for each. Taking the top line above:

rw-r--r--
rw-  (means the owner has read and write permission but not execute)
r--  (means the group has only read permission)
r--  (means everyone else has only read permission)

The next column tells you the number of hard links to the file or directory. Then column tells you the owner, then the group. Then the byte size of the file, the date it was last change and then the file name.

root
means the username of this file is named root

developers
group (means those users in the group named developers have the group permissions indicated)

Related: Ubuntu command line interface syntax examples