Configuring & Using SSH
All dedicated ARM Linux servers provided by OakHost come with SSH pre-installed and configured. By default, root access with a random password is provided to get you started right away. Although encrypted, the default password can be viewed through the Customer Panel for initial configuration. Therefore, it is strongly advised to change the password as soon as you connect to your server for the first time.
For additional security, we also recommend enabling SSH Public/Private Key authentication, disabling password login and disallowing the root user to sign in through SSH entirely. Please read on to learn about these best practices.

Connecting via SSH
To initially connect to your OakHost Server, navigate to the Customer Panel, click on your server and then select the Remote Access tab. There, you will find your initial login credentials.
You will need an SSH client to connect to the Server. On macOS or Linux, this client comes pre-installed and can be accessed through the Terminal application. Just copy the line beginning with `ssh root@...` from the customer panel. When prompted for a password, type in the initial password provided. Don't worry if it won't show up on the screen.
On Windows, you have multiple options to proceed. You can either install Windows Subsystem for Linux and proceed as above, which we would recommend, or you can use an external SSH client like PuTTY.

Changing the Root Password
Once connected to your server, changing a user password is as simple as typing the following command and hitting enter:
You will be prompted to enter a new password and confirm it once. Don't worry if the password won't show up on the screen, it will still register.
Once done, verify whether the password works by initiating a new SSH connection using the new password. We recommend keeping the old connection open, in case the password doesn't work.

Disallow Root Login via SSH
To increase security, the root user should not be able to connect via SSH directly. Instead, you should create a new user, and then use this user to change to the root user when necessary (sudo).
- First, create a new user that will be used to sign in. You can choose any name, as long as it doesn't contain special characters or spaces. Type in the following command, hit enter and walk through the assistant. It will also ask for a new password. This will later be used to sudo into the root user.
- Next, add the newly created user to the `sudo` group. This is needed so you can later switch to the root user. Make sure to replace `myuser` with the username you picked in the command above.
- Once the user is set up, we need to disallow the root user from signing in via SSH. For that, open up the SSH configuration using a text editor. For example, nano:
- Locate the following line (probably at the end of the file), and change `no` to `yes`, and add an `AllowUsers` line below:
Save the file by hitting `Ctrl+X` and then `y` to confirm the changes.
Restart the SSH server to apply the new configuration file by using the following command:
Caution: Please leave the SSH connection open in case anything goes wrong. Otherwise you may lose access to your server.
- Test your changes by opening a new connection via SSH. This time, you shouldn't be able to log in as root. So, instead of `root@...`, try:
- In case everything is set up correctly, you should be able to sign in using the newly chosen password and username. Lastly, check whether you are able to sudo to the root account:
- This should ask for a password. It's the same password you used to log in via SSH. Once done, you should be root. Check by typing
It should return `root`.

Disallow SSH Login via Password
The last step in securing your SSH access is to disable password logins entirely. With passwords, there is always the chance that they may be guessed by an attacker. To avoid this, SSH allows login via SSH keys, which consist of two files: one containing a private key, which resides on the connecting device, and one containing a public key, which will be put on the server. That way, a secure connection can always be established without the need for a password.
- First, you need to generate a public and private key pair which we will use to connect to your server. Do so by running the following command on your client PC, NOT the server:
- Confirm the default values. If you want, you can provide a password. This will then be used to decrypt your private key every time you connect. This is however optional and can be left blank.
Caution: Your SSH key file has now been generated at the indicated location (by default, in your home folder in a hidden `.ssh` directory). Make sure that you do not lose or share this key. Otherwise, access to your server will be lost. There is however always the option to add additional SSH keys, as long as you still have access to your server.
- Now, we need to copy the newly generated public key to the server. This will authorize this key (and therefore you) to access the server. On your PC, execute the following command:
Replace `myuser` with the username created on your server, and `[your-ip]` with the IP address of the server.
Once complete, this should already give you access to your server without the need of the user password. Try connecting via SSH, like you normally would and verify that it's not requesting your user password. If you opted to enter a password during the generation of the SSH key, you will however be asked for this password instead.
When connected, type in the following command to verify whether the key was correctly placed:
It should return a long string of random characters, beginning with `ssh-rsa` and ending with what looks like an email address. For example:
- Lastly, we need to disable password logins via SSH. Otherwise, a malicious attacker may still be able to brute-force the password, even though you're using a key to log in.
To do so, once again open up the SSH configuration using a text editor:
Now, you should search for a line starting with `PasswordAuthentication` and change its value from `yes` to `no`.
If you can't find it, just add it to the bottom of the file.
Again, save the file by hitting `Ctrl+X` and then `y` to confirm the changes, then restart the SSH server:
Caution: Please leave the SSH connection open in case anything goes wrong. Otherwise you may lose access to your server.
- To complete the process, try to log in via SSH with a new connection again. If it works, everything should be set up correctly. If the login fails, try to revert the changes to the SSH configuration file and restart the SSH server once more.
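
An added check for the end state the two sections above work towards (root login refused, password login refused, `myuser` listed in `AllowUsers`). It is not OakHost's own script; the function names and the sample file are constructed for illustration. It assumes a single configuration file, reads only its global part and does not follow `Include` lines.

```shell
#!/bin/sh
# sshd uses the FIRST value it reads for each keyword, so a setting appended
# at the bottom of the file is ignored if the keyword was already set above.

# effective_value FILE KEYWORD: print the first global value (keywords are
# case-insensitive); lines from the first Match block onward are not read.
effective_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE USER: return 0 only if root and password logins are
# refused and USER is named in AllowUsers; print each finding otherwise.
audit_sshd_config() {
    rc=0
    [ "$(effective_value "$1" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] ||
        { echo "PasswordAuthentication is not 'no'"; rc=1; }
    case " $(effective_value "$1" AllowUsers) " in
        *" $2 "*) ;;
        *) echo "AllowUsers does not list $2"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: "PasswordAuthentication no" was appended at the bottom,
# but an earlier line already enables password logins.
write_sample() {
    cat > "$1" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
AllowUsers myuser
PasswordAuthentication no
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "effective PasswordAuthentication: $(effective_value "$sample" PasswordAuthentication)"
audit_sshd_config "$sample" myuser || echo "result: not hardened"
rm -f "$sample"
```

On the server itself, `sshd -t` (run as root) checks the file for errors before you restart, and `sshd -T` prints the settings sshd will actually apply, including any that come from included files.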