Creating a Deploy Account (14:35) with Jay McGavren
Now let's create the actual deployment account. We'll also set it up to use SSH keys, to make logging in more secure.
If the ssh-copy-id program is present on your local system, it can simplify copying your public key over to the server. Here's a tutorial on using it.
If you don't have ssh-copy-id, run these commands on the server:
- Create the .ssh directory:
sudo mkdir /home/deploy/.ssh
- Fix permissions:
sudo chmod u+rwx /home/deploy/.ssh
sudo chmod go-rwx /home/deploy/.ssh
Or, equivalently, do both in one command (7 means read, write and execute for the owner; the two zeros mean no permissions at all for the group and for everyone else):
sudo chmod 700 /home/deploy/.ssh
You can learn more about the chmod command in the "Users and Permissions" stage of our Console Foundations course.
Next, we need to get the public key we just generated. This file is on your local computer, not the server. Copy the entire contents of ~/.ssh/id_rsa.pub. Make sure you're opening the file that ends in .pub, not the file without an extension. The contents of the file without an extension shouldn't go anywhere except your local computer!
Now that we have the public key, we need to go back to the server and add it to a file. The public keys for our new user should be stored in a file named authorized_keys within the .ssh directory we just created.
sudo nano /home/deploy/.ssh/authorized_keys
- Paste the public key into your terminal.
- Save and exit.
Lastly, we need to fix the permissions and ownership of those files. Because we created them with sudo, they are currently owned by root; the -R flag below changes the owner of the whole home directory, including .ssh, recursively:
sudo chmod 400 /home/deploy/.ssh/authorized_keys
sudo chown deploy:deploy /home/deploy -R
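The notes above give the commands one at a time. The following script is an added example, not part of the course or its materials; it packages the same steps (create .ssh, set it to 700, append the key to authorized_keys, set that to 400, optionally chown) as shell functions and adds the two checks a practitioner would want: it refuses to install anything that is not a single public-key line (so a private key pasted by mistake never lands on the server), and it verifies the resulting modes. The function names, the DEPLOY_KEY_DEMO variable and the sample key are my own; the key is a constructed string, not a real key. chown only runs when an owner is passed, so the functions can be tried against a scratch directory without sudo.

```shell
#!/bin/sh
# Added example, not course code: install a public key for a deploy account
# and verify the permissions the notes call for. Assumes GNU or BSD stat.

# Print the octal mode bits of a path (GNU stat, falling back to BSD stat).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Accept only a single authorized_keys-style line: a known key type, a space,
# and the base64 blob. Anything containing "PRIVATE KEY" is refused, which
# catches the id_rsa-instead-of-id_rsa.pub mistake the notes warn about.
looks_like_public_key() {
    case "$1" in
        *"PRIVATE KEY"*) return 1 ;;
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*|"sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp256@openssh.com "*) ;;
        *) return 1 ;;
    esac
    set -- $1                      # split on whitespace: type, blob, comment
    [ -n "$2" ]                    # the blob must be present
}

# install_deploy_key <home dir> <public key line> [owner[:group]]
install_deploy_key() {
    home="$1"; key="$2"; owner="${3:-}"
    if ! looks_like_public_key "$key"; then
        echo "refusing to install: not a public key line" >&2
        return 1
    fi
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"                  # same as u+rwx plus go-rwx
    f="$home/.ssh/authorized_keys"
    [ -f "$f" ] && chmod u+w "$f"           # on a re-run the file is already 400
    printf '%s\n' "$key" >> "$f"
    chmod 400 "$f"
    if [ -n "$owner" ]; then
        chown -R "$owner" "$home/.ssh"      # deploy:deploy in the course
    fi
}

# Return 0 when the directory is 700 and the key file is 400.
check_deploy_key_perms() {
    [ "$(perm_of "$1/.ssh")" = "700" ] && [ "$(perm_of "$1/.ssh/authorized_keys")" = "400" ]
}

# Constructed sample key (not a real key). Run with DEPLOY_KEY_DEMO=1 to try
# the functions in a scratch directory without sudo.
EXAMPLE_PUBKEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotRealNotReal jay@laptop"
if [ "${DEPLOY_KEY_DEMO:-0}" = 1 ]; then
    scratch="$(mktemp -d)"
    install_deploy_key "$scratch/deploy" "$EXAMPLE_PUBKEY"
    check_deploy_key_perms "$scratch/deploy" && echo "permissions OK in $scratch/deploy/.ssh"
    rm -rf "$scratch"
fi
```

On the real server you would call it as root via sudo, for example install_deploy_key /home/deploy "$(cat pubkey.txt)" deploy:deploy, which performs the same mkdir, chmod 700, chmod 400 and chown -R that the notes list. The 700/400 check is the same thing the video does by eye with ls -l.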
Transcript:

0:00 Using a password to log on to your server isn't that secure. If you make a hard-to-guess password, you'll probably have to write it down somewhere, and attackers could find that record. It's far more secure to generate a cryptographic key pair to log onto your server. A key pair consists of a private key file you'll keep on your local computer and a public key you'll keep on the server. When you connect to the server, it will use the public key to encrypt some data which it knows can only be decrypted using your private key. It will send the encrypted data to your SSH client, which will use your key to decrypt the data, thereby proving that it's you, or at least that it's someone who has your private key. All of this is totally automatic and more secure than logging in with a password, as long as you don't reveal your private key to anyone.

0:44 So, first we're going to need to generate a key pair. If you already have one, you can skip this step. We're going to use a program that comes with SSH called ssh-keygen. That's SSH, dash, k-e-y-g-e-n. We'll invoke that program to generate a key. We're also going to add a command line flag, dash capital C, for comment. This comment will describe what the key does, in case it ever gets broken and we need to remove it for whatever reason. Since this is a key that will reside on my laptop, we'll say "Jay's laptop". Hit Enter and the command will be run.

1:24 And it'll start generating the key pair. It will have a few questions for you. First it'll ask you to enter a file in which to save the key. I would just recommend going with the default, because it'll save it in the .ssh directory, which is generally going to have pretty secure permissions on it. So go with the default there; just hit Enter. Then it's going to ask you to enter a passphrase. This passphrase should be at least ten characters long. You're going to need to enter it each time your SSH program uses this private key to connect to the server. We'll talk about a way that you can speed that process up a little bit later on, but for right now I'm going to enter a passphrase. And then it'll ask you to repeat it, to make sure you didn't make any typos. And then it'll confirm that the key has been saved.

2:20 There will be two files. The first, with no extension, is going to be your private key file. You need to keep this one secret at all times; don't even print it out to your screen. The second one, with a .pub extension, is going to be your public key. This is the one that you can make publicly available. GitHub, for example, makes every user's public key accessible to anyone who knows your username. You can safely place this public key out on the server, and if someone accesses it, it's no problem. As long as you keep your private key secret, no one will be able to use this key pair to do anything bad.

2:57 So, now that we have a key pair we can use, we need to create the actual deployment account on the server. We're going to SSH into the server using the SSH program, and we'll use our existing developer account for it. You'll still need to provide your password for this account. And now to add the new user account. We need administrative access to run this command, so we're going to preface our command with sudo, that is, "do as superuser". Then we're going to run the adduser command. adduser takes an argument with the name of the account you want to create; a common name to use is "deploy". First you'll need to provide the password for your developer account so that you can use sudo. And now the actual process of creating the account will begin.

3:55 Even though we're not going to be using a password with this account, you still have to enter a new password, just for starters. It'll ask you to confirm that password. And since this isn't going to be an account for an actual user, we can leave all the remaining info blank. So I'm just gonna hit Enter to answer all these, and press Y, or just hit Enter, to confirm the info is correct. It will return to the system prompt and the account will be created.

4:26 Now we need to take the public key from the key pair we just generated, and copy it to the server, so that we can use our private key to get in without a password. Some systems have an ssh-copy-id command that will do that for us automatically. See the teacher's notes if you'd like more info about that. But for this tutorial we're going to assume ssh-copy-id isn't available on your system, and show you how to do it manually.

4:51 So first we're going to need to create the directory that will hold the deploy user's SSH configuration. We're going to use our developer account to do this, so we're going to need administrative access using the sudo command. Then we'll run the ordinary make directory command, mkdir, and we're going to have it create a new directory within the deploy user's home directory. We'll call this new directory .ssh; the dot at the start will keep it hidden from ordinary directory listings.

5:24 Now, since this .ssh directory is going to contain some sensitive information, we're going to need to make it so that not just anyone can look at its contents. We're going to do that using the chmod command. That'll change who has permissions to read its contents. Again, since we're working on files belonging to a different user, we're going to need to use the sudo command to run this. Then we'll run chmod, and first we're going to make sure that the deploy user is able to read, write and execute this directory. So we're gonna type u for user, then plus (the plus means we're going to add these permissions to it), then read, write, execute: r, w, x. Then we need to specify what file or directory these changes are going to apply to. So we specify /home/deploy/.ssh again.

6:13 Then we need to make sure that other users cannot read, write, or execute this directory. So we're going to do the same command, but we're going to alter it a little bit. This change is going to apply to other users in the deploy user's group, and it will also apply to all other users on the server. So we use the initials g and o to stand for that. We're going to be removing permissions with this command, so we type the minus sign here. The minus stands for subtracting permissions. And we're going to remove the same set of permissions that we granted to the deploy user. So we're going to say that all these users cannot read, write, or execute the contents of this directory. After you type all that, hit Enter.

7:05 By the way, there's another form of this command that will let you do all those operations at once. Instead of saying user plus rwx, or group and other minus rwx, you can say sudo chmod 700. I didn't show you this one first because it's a little harder to understand. Basically, this first digit in the chmod command stands for the user's permissions, and the seven means that they can read, write and execute. Then the following characters are for the group and for all other users. The zero means they don't have any permissions at all. So this command here is equivalent to the two above commands. If you feel like that form is more practical for you to remember, by all means, remember that instead. And if you'd like more info on the chmod command in general, see the teacher's notes.

8:00 Next we need to get the public key we just generated. This file is on your local computer, not the server, so let me exit out of my server connection. You remember that we just created the .ssh directory on the server. Well, this is going to be the .ssh directory on our local computer. So we're going to print out the entire contents of the file in our home directory's .ssh subdirectory. And we're going to print out the file named id_rsa.pub. Make sure you're opening the file that ends in .pub, not the file without an extension. The contents of the file without an extension are your private key, and that shouldn't go anywhere except your local computer. So hit Enter and it will print out the contents of the file. Now you need to copy the entire contents of the file, and only the contents of the file. Make sure you get everything. Make sure you don't get extra, and make sure you don't miss any portions of it. So we're going to select the entire file contents and copy.

8:58 Now that we have our public key copied to the clipboard, we need to go back to the server and add it to a file. So I'm going to SSH to the server. And since we're altering files belonging to a different user, we're going to need to use the sudo command. And you could use vi to edit this file, but for starters we're going to use a simpler editor named nano. So we run the nano command, and we need to provide the name of the file we're editing. This is going to be a file in the deploy user's home directory, in the .ssh subdirectory we just created, and we're gonna name the file authorized_keys. It needs to be this specific file name, because that's where SSH is going to look. It will ask for your password, since we're running sudo, and then the nano editor will open.

10:04 From here you can just paste the public key into your terminal, and it will be entered into the editor. The bottom of the nano screen lists keyboard shortcuts you can press. The caret symbol here stands for the Control key. So we're going to press Ctrl+O to write out the file, followed by Ctrl+X to exit. Ctrl+O: it will ask for the name of the file to write to; just go with the default, since we entered that on the command line, and then press Ctrl+X to exit the editor.

10:35 Now, you may remember that we altered the permissions of the .ssh directory earlier. We also need to fix the permissions of the authorized_keys file. If we take a look at how they are currently set using the ls command, with its -l flag, that will list all files out in long format. And if we use that to take a look at the deploy user's home directory's .ssh subdirectory: the first portion here is what the user themselves can do; they can read and write the file, and that's fine. But we also see that other users in this user's group can read the file, as well as any user on the system. They can also read the file. So we're going to need to use the chmod command to fix that. We can do that by running sudo chmod 400, and then the name of the file that we want to alter; that's /home/deploy, the .ssh directory, and the authorized_keys file. And if we list out the permissions for files in that folder again, you'll see that it's only readable by the user that owns it.

11:54 There's one other problem with this. This listing right here and this listing here show what group and user own the file, and currently it's owned by root, because we created it using the sudo command. So we need to change the owner of the file so that the deploy user and the deploy group own it. So we're going to type sudo chown, for change owner, deploy:deploy. Then we need to specify what file or folder we're operating on, so we're going to say /home/deploy. And we're going to have this affect the entire .ssh directory. Don't hit Enter yet, because we're going to add a command line flag that makes this operate recursively on all subfolders and all files that this directory contains. So we'll type the command line flag -R, capital R. And now if we take a look at the permissions and ownership of the authorized_keys file again, we can see that it's owned by the deploy user in the deploy group.

13:00 And if we look at the permissions on the .ssh subfolder itself, sudo ls -al: the -a flag there says that we should show all files, including hidden files. Look at the entire contents of the deploy user's home directory. Oops, I typed sude and not sudo. Let me fix that really quick. There we go. We can see that the .ssh subfolder is owned by the deploy user and the deploy group, and that it's readable, writable and executable only by the user that owns it.

13:38 We can test whether all this works by logging out of our development account and then logging back into the server as the new deploy account. We'll have to enter the passphrase for our private key that we set up. Note that this is the private key passphrase, and not the password that you set up when creating the user. That will access the private key and log us into the server using the key. Now, the deploy user doesn't have all the permissions they need yet, so it's important to log back out of this user and log back in as your developer account. We'll need to use the developer account to complete these final steps.