Heads up! To view this whole video, sign in with your Courses Plus account or enroll in your free 7-day trial. Sign In Enroll
Preview
Start a free Courses trial
to watch this video
Now let's create the actual deployment account. We'll also set it up to use SSH keys, to make logging in more secure.
If the ssh-copy-id program is present on your local system, it can simplify copying your public key over to the server. Here's a tutorial on using ssh-copy-id.
If you don't have ssh-copy-id, run these commands on the server:
sudo mkdir /home/deploy/.ssh- Fix permissions:
sudo chmod u+rwx /home/deploy/.sshsudo chmod go-rwx /home/deploy/.ssh- Synonym:
sudo chmod 700 /home/deploy/.ssh
You can learn more about the chmod command in the "Users and Permissions" stage of our Console Foundations course.
Next, we need to get the public key we just generated. This file is on your local computer, not the server. Copy the entire contents of ~/.ssh/id_rsa.pub. Make sure you're opening the file that ends in .pub, not the file without an extension. The contents of the file without an extension shouldn't go anywhere except your local computer!
Now that we have the public key, we need to go back to the server and add it to a file. The public keys for our new user should be stored in a file named authorized_keys within the .ssh directory we just created.
sudo nano /home/deploy/.ssh/authorized_keys- Paste the public key into your terminal.
- Save and exit.
Lastly, we need to fix the permissions and ownership of those files:
sudo chmod 400 /home/deploy/.ssh/authorized_keyssudo chown deploy:deploy /home/deploy -R
Related Discussions
Have questions about this video? Start a discussion with the community and Treehouse staff.
Sign upRelated Discussions
Have questions about this video? Start a discussion with the community and Treehouse staff.
Sign up
Using a password to log on to your
server isn't that secure if you make
0:00
a hard to guess password you'll probably
have to write it down somewhere and
0:04
attackers could find that record.
0:08
It's far more secure to
generate a cryptographic
0:10
key pair to log onto your server.
0:13
A key pair consists of a private key file
you'll keep on your local computer and
0:16
a public key you'll keep on server.
0:20
When you connect to the server it will use
the public key to encrypt some data which
0:22
it knows can only be decrypted
using your private key.
0:27
It will send the encrypted data
to your ssh client which will
0:30
use your key to decrypt the data
thereby proving that its you or
0:33
at least that someone who
has your private keep.
0:37
All of this is totally automatic and more
secure than logging in with a password.
0:40
As long as you don't reveal
your private key to anyone.
0:44
So, first we're going to
need to generate a key pair.
0:48
If you already have one,
you can skip this step.
0:50
We're going to use a program that
comes with SSH called SSH Keygen.
0:53
That's SSH dash k-e-y g-e-n, we'll
invoke that program to generate a key.
0:59
We're also going to add a command
line flag dash capital C for comment.
1:06
This comment will describe what the key
does in case it ever gets broken and
1:12
we need to remove it for whatever reason.
1:16
Since this is a key that will
reside on my laptop will
1:19
say Jay's laptop hit enter and
the command will be run.
1:24
And I'll start generating the key pair
it will have a few questions for you.
1:30
First it'll ask you to enter
a file in which to save the key.
1:34
I would just recommend going with the
default because it'll save it in the .SSH
1:37
directory which is generally going to
have pretty secure permissions on it.
1:42
So go with the default
there just hit enter.
1:47
Then it's going to ask you
to enter a passphrase.
1:50
This pass phrase should be at
least ten characters long.
1:52
You're going to need to
enter it each time your
1:55
SSH program uses this private
key to connect to the server.
1:58
We'll talk about a way that you can speed
that process up a little bit later on,
2:02
but for
right now I'm going to enter a paraphrase.
2:06
And then it'll ask you to
repeat it to make sure you
2:13
didn't make any missed typos.
2:17
And then It'll confirm that
the key has been saved.
2:20
There will be two files the first with
no extension is going to be your private
2:23
key file.
2:28
You need to keep this
one secret at all times,
2:29
don't even print it out to your screen.
2:31
The second one with a dot pub extension
is going to be your public key.
2:34
This is the one that you can
make publicly available.
2:39
GitHub, for example,
2:42
makes every users public key accessible
to anyone who knows your username.
2:43
You can safely place this public key out
on the server and if someone access it,
2:48
it's no problem.
2:53
As long as you keep your
private key secret,
2:55
no one will be able to use this
key pair to do anything bad.
2:57
So, now that we have
a key pair we can use,
3:01
we need to create the actual
deployment account on the server.
3:03
We're going to SSH into the server
using the SSH program and
3:07
we'll use our existing
developer account for it.
3:10
You'll still need to provide
your password for this account.
3:17
And now to add the new user account.
3:23
We need administrative access
to run this command so
3:26
we're going to preface our command
with sudo that is do is a super user.
3:29
Then we're going to run
the ad user command.
3:34
Add user takes an argument with the name
of the account you want to create
3:39
a common name to use is deployed.
3:42
First you'll need to provide the password
for your developer account so
3:47
that you can use sudo.
3:50
And now the actual process of
creating the account will begin.
3:55
Even though we're not going to be
using a password with this account,
3:58
you still have to enter a new password,
just for starters.
4:02
It'll ask you to confirm that password.
4:07
And since this isn't going to be
an account for an actual user,
4:13
we can leave all the remaining info blank.
4:16
So I'm just gonna hit enter,
answer all these, and press Y or
4:18
just hit enter to confirm
the info is correct.
4:23
It will return to the system prompts and
the account will be created.
4:26
Now we need to take the public key from
the key pair we just generated, and copy
4:31
it to the server, so that we can use our
private key to get in without a password.
4:35
Some systems have an S S H copy ID command
that will do that for us automatically.
4:39
See the teachers notes if you'd
like more info about that.
4:44
But for this tutorial we're going to
assume ssh copy ID isn't available on your
4:47
system and show you how to do it manually.
4:51
So first we're going to need to create the
directory that will hold the deploy users
4:55
ssh configuration.
4:59
We're going to use our
developer account to do this.
5:01
So we're going to need administrative
access using the sudo command.
5:03
Then we'll run the ordinary make
directory command and KDIR and we're
5:08
going to have it create a new directory
within the deploy users home directory.
5:13
We'll call this new directory .SSH the dot
at the start will keep it hidden from
5:19
ordinary directory listings.
5:24
Now since this S.S.H. directory is going
to contain some sensitive information
5:28
we're going to need to make it so that
not just anyone can look at its contents.
5:32
We're going to do that using the C.H.
mod command.
5:36
That'll change who has
permissions to read its contents.
5:38
Again since we're working on files
belonging to a different user we're going
5:42
to need to use the sudo
command to run this.
5:46
Then we'll run CHmod and
first we're going to make
5:50
sure that the deploy user is able to
read write and execute this directory.
5:54
So we're gonna type user plus the plus
means we're going to add these
5:59
permissions to it read
write execute R W X.
6:03
Then we need to specify what file or
6:09
directory these changes
are going to apply to.
6:11
So we specify /home/deploy/ .ssh again.
6:13
Then we need to make sure that
other users cannot read, write or
6:21
execute this directory.
6:24
So we're going to do the same command but
we're going to alter it a little bit.
6:26
This change is going to apply to other
users in the deploy users group.
6:30
And it will also apply to all
other users on the server.
6:34
So, we use the initials G and
O to stand for that.
6:37
We're going to be removing
permissions with this command.
6:42
So, we type the minus sign here.
6:44
The minus stands for
subtracting permissions.
6:47
And we're going to remove the same set of
6:52
permissions that we granted
to the deployed user.
6:54
So we're going to say that all
these users cannot read, write, or
6:57
execute the contents of this directory.
7:00
After you type all that, hit enter.
7:05
By the way, there's another form of this
command that will let you do all those
7:07
operations at once.
7:11
Of saying user plus RWX or group and
7:13
another minus R W X you
can say sudo CH mod 700.
7:17
I didn't show you this one first because
it's a little harder than I understand.
7:22
Basically this first digit in
the CHMOD command stands for
7:28
the user's permission and the seven means
that they can read write and execute.
7:32
Then the following characters are for
the group, and for all other users.
7:37
The zero means they don't
have any permissions at all.
7:44
So this command here is the equivalent
to the two above commands.
7:47
If you feel like that form is more
practical for you to remember,
7:52
by all means, remember that instead.
7:55
And if you'd like more info
on the CH mod command,
7:57
in general, see the teacher's notes.
8:00
Next we need to get the public key we
just generated this file is on your local
8:02
computer not the server so
let me exit out of my server connection.
8:06
You remember that we just created
the dot ssh directory on the server.
8:10
Well this is going to be a dot ssh
directory on our local computer.
8:15
So we're going to print out
the entire contents of the file
8:19
in our home directory but
.ssh sub directory.
8:22
And we're going to print out
the file named id_rsa.pub.
8:26
Make sure you're opening the file that
ends in .pub not the file without
8:31
an extension.
8:35
The contents of the file without
an extension are your private key and
8:36
that shouldn't go anywhere
except your local computer.
8:40
So hit Enter and it will print
out the contents of the file.
8:44
Now you need to copy the entire
contents of the file and
8:47
only the contents of the file.
8:50
Make sure you get everything.
8:52
Make sure you don't get extra, and make
sure you don't miss any portions of it.
8:53
So we're going to select
the entire file contents Copy.
8:58
Now that we have our public key
copied to the clipboard we need
9:04
to go back to the server and
add it to a file.
9:07
So I'm going to ssh the server.
9:09
And since we're altering files
belonging to a different
9:18
user we're going to need
to use the sudo command.
9:21
And you could use vi or
at this file but for
9:24
starters we're going to use
a simpler editor named nano.
9:26
So we were on the nano command and
9:30
we need to provide the name
of the file we're editing.
9:33
This is going to be a file in
the deploy a user's home directory.
9:35
The .ssh subdirectory we just created and
we're gonna name the file authorized_keys
9:43
needs to be this specific file name
because that's where SSH is going to look.
9:49
It will ask for your password
since we're running sudo, And
9:57
then the nano editor will open.
10:04
From here you can just paste
the public key into your terminal, and
10:06
it will be entered into the editor.
10:09
The bottom of the nano screen lists
keyboard shortcuts you can press.
10:13
The carrot symbol here stands for
the control key.
10:17
So we're going to press Ctrl+O to write
out the file followed by Ctrl+X to exit.
10:23
Ctrl+O, it will ask for the name of the
file to write to, just go with the default
10:29
since we entered that on the command line
and then press Ctrl+X to exit the editor.
10:35
Now, you may remember that we alter
permissions of the SSH directory earlier.
10:42
We also need to fix the permissions
of the authorized key file.
10:47
If we take a look at how they
are currently set using the ls command,
10:51
with its -l flag that will list
all files out in long format.
10:55
And if we use that to take a look
at the deploy users home directory
11:02
SSH sub directory.
11:05
The first portion here is what the user
themselves can do, they can read and
11:10
write the file and that's fine.
11:14
But we also see that other users in
this users group can read the file,
11:16
as well as any user on the system.
11:20
They can also read the file.
11:22
So we're going to need to use
the chmod command to fix that,
11:24
we can do that by running pseudochmod 400.
11:30
And then the name of the file that we
want to alter that's home deploying.
11:35
The dot ssh directory and
the authorized keys file.
11:43
And if we list out the permissions for
files in that folder again you'll see that
11:50
it's only readable by
the user that owns it.
11:54
There's one other problem with this.
11:58
This listing right here and
this listing here show what group and
12:00
user owns the file, and
12:04
currently it's owned by root, because
we created it using the sudo command.
12:05
So we need to change the owner of
the file so that the deploy user and
12:10
the deploy group owns it.
12:14
So we're going to type sudo chown,
for change owner,
12:16
deploy:deploy.
12:21
Then we need to specify what file or
folder we're operating on so
12:26
we're going to say home deploying.
12:30
And we're going to have this effect
the entire S.S.H. directory.
12:32
Don't hit in there yet because we're going
to add a command line flag that makes this
12:38
operate recursively on all sub folders and
all files that this directory contains.
12:43
So we'll type the command
line flag-capitalR.
12:48
And now if we take a look
at the permissions and
12:53
ownership of the authorized keys file
again we can see that it's owned
12:56
by the deploy user in the deploy group.
13:00
And if we look at the permissions
on the SSH sub folder itself,
13:04
sudo ls-al the dash
13:08
a flag there says that we should show
all files including hidden files.
13:13
Look at the entire contents of
the deploy user's home directory.
13:21
Oops, I typed sude and not sudo.
13:26
Let me fix that really quick.
13:29
There we go.
13:30
We can see that the .ssh sub folder
is owned by the deploy user and
13:32
the deploy group.
13:37
And that it's readable, writable, and
executable only by the user that owns it.
13:38
We can test whether all this works by
logging out of our development account and
13:44
then logging back into the server
as the new deploy account.
13:48
We'll have to enter the passphrase for
our private key that we set up,
13:54
note that this is the private
key passphrase and
14:01
not the password that you set
up when creating the user.
14:04
That will access the private key and
log us into the server using the key.
14:09
Now the deploy user doesn't have all
the permissions they need yet so it's
14:14
important to log back out of this user and
log back in as your developer account.
14:18
We'll need to use the developer
account to complete these final steps.
14:30
You need to sign up for Treehouse in order to download course files.
Sign upYou need to sign up for Treehouse in order to set up Workspace
Sign up