There are two more steps we should take to secure our server. First, since we want all our users to use SSH keys, we should prevent *any* user from logging in using a password. Second, it's still possible for someone to log in as the `root` account (which has full control of the system) if they can guess the password, so it's best to disable logging in as `root` completely.
- On the server, open the SSH daemon's configuration file:
sudo nano /etc/ssh/sshd_config
- Modify or add the following settings (change `PermitRootLogin` to `no` whatever it is currently set to, and add the `PasswordAuthentication` line if it is not already present):
PermitRootLogin no
PasswordAuthentication no
- Restart the SSH service so the changes take effect:
sudo service ssh restart
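The procedure above, as an added example that is not part of the course: a POSIX sh script that applies the two settings idempotently (rewriting any existing or commented-out line rather than appending a duplicate, since sshd honours the first match for a keyword), reads back the value sshd would use, and lists drop-in files that could override the edit. It goes slightly beyond the course by also setting `KbdInteractiveAuthentication no`, because PAM keyboard-interactive can otherwise still prompt for a password. The script name, the drop-in directory default, and the sample config used in the test are assumptions, not from the course.

```shell
#!/bin/sh
# harden-sshd.sh (added example, not course code): disable root login and
# password authentication in sshd_config, then show how to verify before
# restarting. Paths are defaults that can be overridden for testing.

# Rewrite every active or commented-out line for KEY in FILE to "KEY VALUE",
# or append one if no such line exists. Lines like "#PermitRootLogin yes"
# from a stock sshd_config are rewritten in place.
set_sshd_option() {
  file=$1
  key=$2
  value=$3
  pattern="^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|\$)"
  if grep -Eq "$pattern" "$file"; then
    # -i.bak works with both GNU and BSD sed; the backup is removed afterwards
    sed -E -i.bak "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?\$/${key} ${value}/" "$file"
    rm -f "$file.bak"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Print the value sshd would take for KEY from FILE: keywords are
# case-insensitive and the first uncommented occurrence wins.
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Debian/Ubuntu sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf",
# so a drop-in such as 50-cloud-init.conf that sets "PasswordAuthentication yes"
# takes precedence over the main file. Print any drop-in that sets KEY.
find_dropin_overrides() {
  dir=$1
  key=$2
  [ -d "$dir" ] || return 0
  grep -El "^[[:space:]]*${key}[[:space:]]" "$dir"/*.conf 2>/dev/null || true
}

# Apply the hardening to CFG (default /etc/ssh/sshd_config) and warn about
# drop-ins under DROPIN (default /etc/ssh/sshd_config.d) that would undo it.
harden_sshd() {
  cfg=${1:-/etc/ssh/sshd_config}
  dropin=${2:-/etc/ssh/sshd_config.d}
  set_sshd_option "$cfg" PermitRootLogin no
  set_sshd_option "$cfg" PasswordAuthentication no
  # Beyond the course: PAM keyboard-interactive can still ask for a password
  # unless this is off as well.
  set_sshd_option "$cfg" KbdInteractiveAuthentication no
  overrides=$(find_dropin_overrides "$dropin" PasswordAuthentication)
  if [ -n "$overrides" ]; then
    echo "warning: drop-in file(s) also set PasswordAuthentication: $overrides" >&2
  fi
}

# On the server, run as: sudo sh harden-sshd.sh --apply
if [ "${1:-}" = "--apply" ]; then
  harden_sshd
fi
```

Keep the session you ran this from open. Before restarting, check that sshd still parses the file with `sudo sshd -t`, and confirm the effective values (drop-ins included) with `sudo sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'`; only then run `sudo service ssh restart` and verify from a second terminal that key-based login as the deploy user still works.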
There are two more issues we need
to address before we're done.
0:00
The first is that even though
we've set up an ssh key for
0:03
our deployment user a password can
still be used to log into that account.
0:06
The second is that people can still log
in as the system administrative account
0:11
also known as root.
0:15
We're going to fix both those issues to
make our system a little more secure.
0:16
Now that we have sudo access set up for
0:20
our deploy account, we can just use
that instead of our developer account.
0:22
So we're going to use sudo
to run the nano command.
0:26
And we're going to use that to edit
the file in the etc directory,
0:32
ssh sub directory and
the file is named sshd_config.
0:37
Okay so that'll bring the file up in our
editor, and the setting we're looking for
0:45
here is the PermitRootLogin setting.
0:50
Right here,
it's set to prohibit-password so
0:53
that you can't log in as
root using a password.
0:55
It might be set to yes on your system
which would allow root to login
0:58
using a password which is even worse.
1:01
But we actually want to change this
setting whatever it's currently set to
1:03
to no.
1:07
So that you can't log in as
root on the system at all.
1:08
Then below that line.
1:12
We're going to add a new
line with a new setting.
1:13
It's called PasswordAuthentication,
With a capital P and a capital A.
1:16
And we're going to say no,
1:26
PasswordAuthentication is
not allowed on this system.
1:27
This will make it so
1:31
that only users with SSH keys
are allowed to log in to the system.
1:32
So let's hit Ctrl + O
to write the file out.
1:37
Hit Enter and accept the default and
press Ctrl + X to exit.
1:40
Then we need to restart the SSH service
to ensure that our changes get picked up.
1:46
So we're going to run
sudo service ssh restart.
1:49
Now let's exit out of the server.
1:57
And let's check that our changes worked.
2:01
First, we're going to try logging
in using our developer account.
2:02
So ssh jay@hostcom.
2:05
And you'll notice that it didn't
even ask me for a password,
2:13
it just checked whether I had a public
key associated with my account.
2:16
And since I didn't, it simply denied me.
2:19
Now let's try logging back in as our
deploy user, which does have a private key.
2:22
So ssh deploy@hostcom.
2:26
And you'll notice we get in immediately.
2:31
So we've set it up, so
that the root account is disabled.
2:34
We've also ensured that only users that
have SSH keys set up can access the system.
2:37
So now you have a separate deployment
account with full control over your server
2:42
ready for
use whenever you need to deploy your app.
2:46
You've taken an important step
in keeping your app secure.
2:49