Arm yourself to make the most of the versatile, powerful Ubuntu Server with over 100 hands-on recipes
Ubuntu Server Cookbook is for system administrators or software developers with a basic understanding of the Linux operating system who want to set up their own servers. You are not required to have in-depth knowledge or hands-on experience with Ubuntu, but you should know the basic commands for directory navigation, file management, and the file editing tool. An understanding of computer networks is advisable.
Ubuntu is one of the most secure operating systems and defines the highest level of security as compared to other operating systems. Ubuntu Server is a popular Linux distribution and the first choice when deploying a Linux server. It can be used on anything from a $35 Raspberry Pi to top-notch, thousand-dollar-per-month cloud hardware. BuiltWith lists 4 million+ websites built using Ubuntu. With its easy-to-use package management tools and availability of well-known packages, we can quickly set up our own services such as web servers and database servers using Ubuntu.
This book will help you develop the skills required to set up high performance and secure services with open source tools. Starting from user management and an in-depth look at networking, we then move on to cover the installation and management of web servers and database servers, as well as load balancing various services. You will quickly learn to set up your own cloud and minimize costs and efforts with application containers. Next, you will get to grips with setting up a secure real-time communication system. Finally, we'll explore source code hosting and various collaboration tools. By the end of this book, you will be able to make the most of Ubuntu's advanced functionalities.
This easy-to-follow guide contains a series of step-by-step recipes ranging from simple to complex. Each topic starts with a basic introduction to the technology, followed by a detailed step-by-step installation guide and then a detailed explanation of the approach taken during installation and the various advanced options available.
Page count: 523
Year of publication: 2016
Copyright © 2016 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: June 2016
Production reference: 1270616
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.
ISBN 978-1-78588-306-4
www.packtpub.com
Author
Uday R. Sawant
Reviewer
Dominik Jakub Szynk
Commissioning Editor
Neil Alexander
Acquisition Editor
Divya Poojari
Content Development Editor
Deepti Thore
Technical Editor
Devesh Chugh
Copy Editor
Safis Editing
Project Coordinator
Shweta H Birwatkar
Proofreader
Safis Editing
Indexer
Monica Ajmera Mehta
Graphics
Kirk D'Penha
Production Coordinator
Shantanu N. Zagade
Cover Work
Shantanu N. Zagade
Uday R. Sawant has completed his master's in computer applications from Mumbai University. He has more than four years of experience in the software development and operations field.
He is an expert with the LAMP stack, JavaScript, and cloud infrastructure. Before starting as a software developer, he worked extensively with server hardware and has more than two years of experience as a system administrator.
Currently, he is working as a software scientist in a Mumbai-based start-up called Sweet Couch. His responsibilities include developing backend services, setting up a real-time communication server, and automating various daily tasks. With immense interest in machine learning, he likes to spend his spare time exploring this subject. His first book was Instant Building Multi-Page Forms with Yii How-To, published by Packt Publishing.
I would like to thank Packt Publishing for giving me another opportunity to work with them and write my second book. A big thanks goes to my parents for their support throughout the time of writing this book. Also, I would like to thank my team at Sweet Couch, as without their support it would not have been possible to write a full-length book. A special thanks to Mr. Mitul Thakkar, who always encouraged me to keep on writing. Finally, thanks to Preeti Singh, an editor for this book, for keeping things on track.
Welcome to Ubuntu Server Cookbook, a step-by-step guide to your own Ubuntu server.
Ubuntu is an open source operating system, or rather, I should say that Ubuntu is a mission to provide quality software to everybody without any cost. As mentioned on the official site, the meaning of the word Ubuntu is "I am, because we are", and Ubuntu is working hard towards its mission by being more than just a free operating system.
Ubuntu is based on Debian, a well-established Linux distribution. However, Debian is kind of limited to geeks. Ubuntu added an easy user interface named Unity that made it popular with various desktop users. One answer on Ask Ubuntu compares Ubuntu and Debian to a local restaurant and a farmer, respectively. Ubuntu carefully selects the best things from Debian and adds its own flavors to make it easy and more enjoyable for the end users. It's still Debian at base, but it is easier to use and more stable, with frequent updates and a definite release cycle.
Users can choose an Ubuntu operating system from nine different flavors, ranging from a lightweight desktop to a fully loaded multimedia editing system. In addition to desktop systems, Ubuntu provides separate editions for various server platforms, cloud systems, mobile devices, and tablets. New versions are released every six months, with a major release in April and updates in October. All security updates are released throughout the year, as and when necessary. Every new version released in an even year (2014, 2016, and so on) is tagged for Long Term Support (LTS). These versions receive an extended support period of five years and are generally used in production environments.
At the time of writing, Ubuntu has already taken a major share in the server market and has already become a default choice of millions of cloud users. According to an article by Dustin Kirkland, a member of the product team at Canonical, "November 2015 has seen over 2 million cloud instances being launched with Ubuntu Server. That's nearly one instance per second" and these are just the numbers from cloud services. Ubuntu is being used in desktop systems, laptops, mobiles, routers, and even to control your cars, drones, and countless Internet of Things (IoT) devices. Docker Hub, a popular container repository, reports more than 40 million pulls of the official Ubuntu image.
The purpose of this book is to provide step-by-step solutions using the Ubuntu server. We will focus on common, server-related tasks such as user management, installing various packages for web servers and databases, some low-hanging fruit in performance and security, and many more. The book also covers the latest developments in the container world with LXD and Docker. All recipes are based on the Ubuntu server, Xenial Xerus (version 16.04), the latest LTS release of Ubuntu.
The book is divided into multiple chapters, covering details of specific tasks.
Chapter 1, Managing Users and Groups, covers common user management tasks such as adding or removing user accounts, creating separate groups, assigning access rights, and setting user-level resource limits.
Chapter 2, Networking, explores the various network management functions, including network configuration, setting up DNS and DHCP servers, installing a network proxy, and VPN setup. It also includes performance tuning tips and firewall setup.
Chapter 3, Working with Web Servers, provides a detailed configuration of web servers. This chapter covers both Apache and Nginx. You will also find some advanced topics such as reverse proxy and load balancing using Nginx.
Chapter 4, Working with Mail Servers, explains the installation and configuration of your e-mail server.
Chapter 5, Handling Databases, discusses the popular relational database server, MySQL. It also covers MongoDB as a NoSQL database system, which is quite a hot technology in recent days.
Chapter 6, Network Storage, explains how to set up the good old Samba server along with FTP and Rsync details. Additionally, it includes the basics of NFS.
Chapter 7, Cloud Computing, includes details on virtualization with the Ubuntu server and some advanced tools from Ubuntu to set up your own cloud system with OpenStack and Juju.
Chapter 8, Working with Containers, introduces Linux containers (LXC) and a container management tool by Ubuntu, LXD. This chapter also covers another hot topic, Docker.
Chapter 9, Streaming with Ampache, helps you to set up your own streaming server. We will take a quick look at Ampache, an open source web application for media streaming.
Chapter 10, Communication Server with XMPP, covers the installation of an XMPP-based chat server, Ejabberd.
Chapter 11, Git Hosting, covers the basic workflow of the version control system Git and an open source web-based repository management tool, GitLab.
Chapter 12, Collaboration Tools, explores more open source tools for your team and also covers the various tools to help your team stay connected.
Chapter 13, Performance Monitoring, introduces various monitoring tools that can help you optimize the performance of your Ubuntu server.
Chapter 14, Centralized Authentication Service, saves some effort by introducing LDAP. This chapter covers LDAP-based centralized authentication and authorization.
The book is written with the help of Ubuntu server 16.04 and a few virtual machines with VirtualBox. The recipes should work fine with Ubuntu version 14.04 and higher. For most of the recipes, a minimum hardware configuration of 512 MB memory with a single CPU is enough. However, a few recipes such as OpenStack installation require additional hardware resources. The specific requirements are given in the respective recipes, if any.
Feel free to use any virtualization tool of your choice. Also, you can skip the local setup and use cloud servers. Many cloud providers offer a free introductory service for a limited period. You can use these services to test your setup.
Ubuntu Server Cookbook is intended for system administrators with a basic understanding of the Linux operating system. If you are a software developer or a newbie system administrator and want to set up your own servers, this book is an ideal guide for you. You are not required to have in-depth knowledge or hands-on experience with Ubuntu, but you should know the basic commands for directory navigation, file management, and the file editing tool. An understanding of computer networks and the Internet is advisable.
In this book, you will find several headings that appear frequently (Getting ready, How to do it…, How it works…, There's more…, and See also).
To give clear instructions on how to complete a recipe, we use these sections as follows:
Getting ready: This section tells you what to expect in the recipe, and describes how to set up any software or any preliminary settings required for the recipe.
How to do it…: This section contains the steps required to follow the recipe.
How it works…: This section usually consists of a detailed explanation of what happened in the previous section.
There's more…: This section consists of additional information about the recipe in order to make the reader more knowledgeable about the recipe.
See also: This section provides helpful links to other useful information for the recipe.
The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Ubuntu-Server-Cookbook. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from: http://www.packtpub.com/sites/default/files/downloads/UbuntuServerCookbook_ColorImages.pdf.
In this chapter, we will cover the following recipes:
In this chapter, you will see how to add new users to the Ubuntu server, update existing users, and set permissions for users. You will get to know the default setting for new users and how to change them. Also, you will take a look at secure shell (SSH) access and securing user profiles.
While installing Ubuntu, we add a primary user account on the server; if you are using the cloud image, it comes preinstalled with the default user. This single user is enough to get all tasks done in Ubuntu. There are times when you need to create more restrictive user accounts. This recipe shows how to add a new user to the Ubuntu server.
You will need super user or root privileges to add a new user to the Ubuntu server.
Follow these steps to create the new user account:
In Linux systems, the adduser command is a higher-level command to quickly add a new user to the system. Since adduser requires root privileges, we need to use sudo along with the command. adduser completes the following operations:
If you want to skip the password prompt and finger information while adding the new user, use the following command:
Alternatively, you can use the useradd command as follows:
Where:
Creating a user with the useradd command does not set a password for the user account. You can set or change the user password with the following command:
This will change the password for the user account bob.
Note that if you skip the username part from the above command you will end up changing the password of the root account.
With adduser, you can do five different tasks:
Check out the manual page man adduser to get more details.
You can also configure various default settings for the adduser command. The configuration file /etc/adduser.conf can be used to set the default values used by the adduser, addgroup, and deluser commands. Its key-value pairs set various defaults, including the home directory location, the skel directory structure to be used, default groups for new users, and so on. Check the manual page for more details on adduser.conf with the following command:
In this recipe, you will see how to create multiple user accounts in batch mode without using any external tool.
You will need a user account with root or root privileges.
Follow these steps to create a user account in batch mode:
We created a database of user details listed in the same format as the passwd file. The default format for each row is as follows:
Where:
The new user command reads each row and updates the user information if the user already exists, or it creates a new user.
We made the users.txt file accessible to owner only. This is to protect this file, as it contains the user's login name and password in unencrypted format.
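A pre-flight check for the batch file described above, as an added example that is not part of the book: it assumes the file is fed to newusers and uses the seven colon-separated fields of the passwd format (name, password, UID, GID, GECOS, home, shell). The function names and sample accounts are constructed, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example: pre-flight check for a batch user file (constructed data).

# write_sample_users FILE: create a constructed two-account batch file.
write_sample_users() {
    cat > "$1" <<'EOF'
alice:CHANGE-ME-1:1101:1101:Alice Example:/home/alice:/bin/bash
bob:CHANGE-ME-2:1102:1102:Bob Example:/home/bob:/bin/bash
EOF
}

# check_newusers_file FILE
# Prints one finding per line and returns 1 if anything is wrong, 0 otherwise.
check_newusers_file() (
    file=$1
    rc=0
    # Clear-text passwords: only the owner may read or write the file.
    mode=$(stat -c '%a' "$file") || exit 2
    if [ "$mode" != "600" ]; then
        echo "mode is $mode, expected 600"
        rc=1
    fi
    # Row checks: seven colon-separated fields, as in /etc/passwd.
    findings=$(awk -F: '
        /^[ \t]*$/ { next }
        NF != 7 { printf "line %d: %d fields, expected 7\n", NR, NF; next }
        $1 !~ /^[a-z_][a-z0-9_-]*$/ { printf "line %d: unusual login name\n", NR }
        $2 == "" { printf "line %d: empty password for %s\n", NR, $1 }
        $3 == "0" { printf "line %d: %s would get UID 0\n", NR, $1 }
        seen[$1]++ { printf "line %d: duplicate login %s\n", NR, $1 }
        $6 != "" && $6 !~ /^\// { printf "line %d: home is not an absolute path\n", NR }
    ' "$file")
    if [ -n "$findings" ]; then
        echo "$findings"
        rc=1
    fi
    exit "$rc"
)

# Demo on a temporary file; nothing on the system is modified.
demo_dir=$(mktemp -d)
write_sample_users "$demo_dir/users.txt"
chmod 644 "$demo_dir/users.txt"          # simulate a forgotten chmod
check_newusers_file "$demo_dir/users.txt" || echo "not safe to import yet"
chmod 600 "$demo_dir/users.txt"
check_newusers_file "$demo_dir/users.txt" && echo "ok to pass to: sudo newusers users.txt"
rm -rf "$demo_dir"
```

Delete the batch file once the accounts exist, since the passwords in it stay readable to anyone who later gains access to the owner's account.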
Group is a way to organize and administer user accounts in Linux. Groups are used to collectively assign rights and permissions to multiple user accounts.
You will need super user or root privileges to add a group to the Ubuntu server.
Follow these steps to create a group:
Here, we are simply adding a new group guest to the server. As addgroup needs root privileges, we need to use sudo along with the command. After creating a new group, addgroup displays the GID of the new group.
Similar to adduser, you can use addgroup in different modes:
Check out the manual page for addgroup (man addgroup) to get more details.
Once you have groups in place, you can add existing users as well as new users to that group. All access rights and permissions assigned to the group will be automatically available to all the members of the group.
You will need super user or root privileges to add a group member to the Ubuntu server.
Follow these steps to add group members:
As mentioned previously, you can use the adduser command to add an existing user to an existing group. Here, we have passed two non-option arguments:
Alternatively, you can use the command usermod to modify the group assigned to the user:
To add a user to multiple groups, use the following command:
This will add <username> to <group1>, <group2>, and <group3>. Without the -a flag, any previously assigned groups will be replaced with the new groups.
If you no longer need a user account, it is a good idea to delete that account.
You will need super user or root privileges to delete a group from the Ubuntu server.
Follow these steps to delete the user account:
Here, we used the deluser command with the option --remove-home. This will delete the user account named john and also remove the home and mail spool directories associated with john. By default, the deluser command will delete the user without deleting the home directory.
It is a good idea to keep a backup of user files before removing the home directory and any other files. This can be done with an additional flag along with the deluser command:
This will create a backup file with the name john.tar.gz in the current working directory, and then the user account and the home directory will be removed.
When called with the --group option, the deluser command will remove the group. Similarly, when called with two non-option arguments, the deluser command will try to remove a user from a specific group:
If you want to disable the user account rather than delete it, you can do it with the following commands:
We have created users and groups. In this recipe, you will work with default file permissions for users and groups, as well as see how to modify those permissions.
Create two users, user1 and user2. Create a new group, editor, and add user1 and user2 as members.
Follow these steps to manage file permissions:
When you create a new file or directory in Ubuntu, the default permissions for files are read and write access to owner and owner's private group, along with read, write, and execute access for directories. You can check the default setting with umask -S.
In our example, we have user1 and user2. Both of them are members of the editor group. When user1 creates a file, the default permissions are limited to user1 and its private group (user1), named after the user account. This is the reason user2 sees Permission denied when editing the file. By changing the group of documents to editor, we allow all members of editor to read and write to files in documents.
With the chmod command, we can set permissions at a more granular level. In our example of hello.sh, we have set the executable permission for hello.sh. Similarly, we can set read permission as follows:
To set write permission, use the following command:
You can set more selective permissions with additional parameters before mode expression as follows:
Here, u sets the permission for user, g for group, and o for all others.
To remove permissions, replace + with -. For example, $ chmod o-w filename. Alternatively, you can use the octal format to specify permissions:
This gives read, write, and execute permission to user, group, and others, whereas the command $ chmod 600 filename gives read and write permissions to the owner and no permission to group and others. In octal format [777], the first bit is used for the user or owner of the file, the second bit is for group, and the third bit is for everyone else. Check out the following table for more information:
Notation         Octal value      Permissions
-|---|---|---    0|000|000|000    Regular files, no permissions
d|r--|r--|r--    d|400|400|400    Directory, read permission to owner, group, and others
-|rw-|r--|r--    -|644|644|644    Regular file, read and write permission to owner and read permission to group or others
-|rwx|rwx|rwx    -|777|777|777    Regular file, all permissions to everyone
Finally, when you share files within a group of users, there is a chance that someone deletes a file that is required by other users. The sticky bit can protect these files from deletion. When the sticky bit is set, only the owner or a user with root privileges can delete a file.
You can set the sticky bit with the chmod command as $ chmod +t directoryName. The sticky bit is shown in the long listing (ls -l) with the symbol t or T. Additionally, the sticky bit works only with directories and is ignored on ordinary files.
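The default modes and the sticky bit described above, as an added example that is not code from the book: it creates files under two umask values, then audits a shared directory for a missing sticky bit. The function names and the temporary documents directory are constructed, GNU stat is assumed, and the chgrp step from the recipe is left out because it needs the editor group to exist.

```sh
#!/bin/sh
# Added example: default modes under a umask, and an audit for shared
# directories that lack the sticky bit. All paths are temporary.

# mode_under_umask UMASK file|dir PATH
# Creates PATH under the given umask and prints the resulting octal mode.
mode_under_umask() (
    umask "$1"
    case $2 in
        file) : > "$3" ;;
        dir)  mkdir "$3" ;;
        *)    exit 2 ;;
    esac
    stat -c '%a' "$3"
)

# unprotected_shared_dirs ROOT
# Lists directories below ROOT that group or others can write to but that do
# not have the sticky bit, so any writer can delete another user's files.
unprotected_shared_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) ! -perm -1000 -print | sort
}

# describe PATH: octal and symbolic mode side by side, as ls -l would show it.
describe() {
    stat -c '%a %A' "$1"
}

demo=$(mktemp -d)
echo "umask 002 -> file $(mode_under_umask 002 file "$demo/f1"), dir $(mode_under_umask 002 dir "$demo/d1")"
echo "umask 027 -> file $(mode_under_umask 027 file "$demo/f2"), dir $(mode_under_umask 027 dir "$demo/d2")"

share=$(mktemp -d)
mkdir "$share/documents"
chmod 775 "$share/documents"             # group-writable, no sticky bit
echo "before: $(unprotected_shared_dirs "$share")"
chmod +t "$share/documents"
echo "after:  $(unprotected_shared_dirs "$share") [$(describe "$share/documents")]"
chmod 1770 "$share/documents"            # no execute for others: shown as T
echo "no o+x: $(describe "$share/documents")"
rm -rf "$demo" "$share"
```

A lowercase t means others also have execute permission on the directory; an uppercase T means the sticky bit is set but others cannot enter it.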
Many times when working as a root user, all files and directories created are owned by root. A non-root user can't write to these directories or files. You can use the command chown to change the ownership of such files and assign them to respective users.
To change ownership of a file, use the following command:
To change the owner as well as the group of file, use the following command:
You can skip changing owner and change only the group with the following command:
Note that the chown command can only be used by users with root privileges.
When you create a new Ubuntu server in the cloud, by default you get the root account. This account has full system access with no restrictions at all and should only be used for administrative tasks. You can always create a new user account with fewer privileges. But there are times when you need extra root privileges to add a new user or change some system setting. You can use the sudo command to temporarily get extra privileges for a single command. In this recipe, you will see how to grant sudo privileges to a newly created user.
You will need a root account or an account with root privileges.
Follow these steps to get the root privileges with sudo:
All sudo access rules are configured in a file located at /etc/sudoers. This file contains a list of users and groups that are allowed to use the sudo command:
The line alan ALL=(ALL:ALL) ALL specifies that the user alan can run any command as any user and optionally set any group (taken from man pages for sudoers: man sudoers).
The entry %sudo ALL=(ALL) ALL specifies that any member of system group sudo can run any command as any user.
All we have to do is add a new user to the group sudo and that user will automatically get sudo privileges. After getting membership of the sudo group, the user needs to log out and log back in for the changes to take effect. Basically, the user's shell needs to be restarted with the new privileges. Optionally, you can always go and change the sudoers file for a specific condition.
Make sure that you use the visudo tool to make any changes to sudoers file.
Here, we will discuss how to set a password-less sudo and some additional benefits of sudo.
sudo is a useful and handy tool for temporary root privileges, but you need to enter your password every time. This creates problems especially for users with no password set. This problem can be solved by setting the NOPASSWD flag in the sudoers file. Make sure you use the visudo tool to edit the sudoers file:
Now, the users of the group sudo should be able to use the sudo command without providing a password. Alternatively, you can add a separate entry to limit password-less access to a specific user.
Note that the sudoers program caches authentication for a short time (the default is 15 minutes). When sudo is repeated within the timeout, you may notice password-less sudo even without the NOPASSWD flag set.
In addition to running a single command with sudo, you might want to execute a list of commands with sudo privileges. In that case, you can open a shell with root access (# prompt) with the command $ sudo -s. The shell environment remains the same as the original user's, but now you can execute commands as the root user.
Alternatively, you can switch user to root with the command $ sudo su -. This command will open a new shell as the root user.
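A review aid for the NOPASSWD setting described above, as an added example that is not code from the book: it lists every rule in a sudoers-format file that skips the password prompt and separates blanket grants from command-restricted ones. The sample rules (including the deploy user) and function names are constructed; the alan and %sudo entries follow the ones quoted in this recipe.

```sh
#!/bin/sh
# Added example: report which sudoers rules skip the password prompt.

# write_sample_sudoers FILE: constructed rules, modelled on the entries above.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
alan    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL) NOPASSWD:ALL
deploy  ALL=(root) NOPASSWD: /usr/sbin/service nginx reload
EOF
}

# nopasswd_rules FILE
# One line per NOPASSWD rule:
#   <user|group> <principal> <any-command|restricted> <commands>
nopasswd_rules() {
    awk '
        /^[ \t]*#/ { next }                 # comments and #include directives
        /^[ \t]*$/ { next }
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
        /NOPASSWD:/ {
            kind = (substr($1, 1, 1) == "%") ? "group" : "user"
            cmds = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", cmds)
            scope = (cmds == "ALL") ? "any-command" : "restricted"
            printf "%s %s %s %s\n", kind, $1, scope, cmds
        }
    ' "$1"
}

# has_blanket_nopasswd FILE: succeeds if any rule allows every command
# without a password, which is the entry to review first.
has_blanket_nopasswd() {
    nopasswd_rules "$1" | grep -q ' any-command '
}

# Demo on a temporary copy; /etc/sudoers is never read or written.
demo=$(mktemp)
write_sample_sudoers "$demo"
nopasswd_rules "$demo"
if has_blanket_nopasswd "$demo"; then
    echo "review: password-less sudo for every command"
fi
rm -f "$demo"
```

Reading the real /etc/sudoers needs root, and a syntax check with visudo -c -f FILE should precede any change that is installed.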
Ubuntu is a multiuser and multi-process operating system. If a single user or process is consuming too many resources, other processes might not be able to use the system. In this recipe, you will see how to set resource limits to avoid such problems.
A user account with root privileges is required.
Following are the steps to set the resource limits:
PAM stands for pluggable authentication module. The PAM module pam_limits.so provides functionality to set a cap on resource utilization. The command ulimit can be used to view current limits as well as set new limits for a session. The default values used by pam_limits.so can be set in /etc/security/limits.conf.
In this recipe, we are updating limits.conf to set a limit on CPU use by the user username. Limits set by the ulimit command are limited to that session. To set the limits permanently, we need to set them in the limits.conf file.
The syntax of the limits.conf file is as follows:
Here, <domain> can be a username, a group name, or a wildcard entry.
<type> denotes the type of the limit and it can have the following values:
<item> is the resource to set the limit for. You can get a list of all items with $ ulimit -a:
In our example, we have set the soft limit on CPU use to 0 minutes and the hard limit to 1000 minutes. You can change soft limit values with the ulimit command. To view existing limits on open files, use the command $ ulimit -n. To change limits on open files, pass the new limit as follows:
An unprivileged process can only set its soft limit value between 0 and the hard limit, and it can irreversibly lower the hard limit. A privileged process can change either limit value.
The command ulimit can be used to set limits on per process basis. You can't use the ulimit command to limit resources at the user level. You can use cgroups to set a cap on resource use.
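The soft and hard limit rules above, as an added example that is not code from the book: it changes the open-files limit inside a subshell and reports which changes the kernel accepts. The function name is constructed, and it assumes the current hard limit on open files is at least 128.

```sh
#!/bin/sh
# Added example: soft and hard limits on open files, inside a subshell.

# nofile_limit_demo
# Runs in a subshell so the calling shell keeps its own limits. Prints
#   soft=<n> hard=<n> soft_above_hard=<accepted|rejected> raise_hard=<accepted|rejected>
nofile_limit_demo() (
    ulimit -Sn 64  || exit 2      # lower the soft limit first
    ulimit -Hn 128 || exit 2      # then lower the hard limit
    soft=$(ulimit -Sn)
    hard=$(ulimit -Hn)
    # A soft limit may never exceed the hard limit, whoever asks.
    if ulimit -Sn 129 2>/dev/null; then
        above=accepted
    else
        above=rejected
    fi
    # Raising the hard limit again only works for a privileged process.
    if ulimit -Hn 256 2>/dev/null; then
        raise=accepted
    else
        raise=rejected
    fi
    echo "soft=$soft hard=$hard soft_above_hard=$above raise_hard=$raise"
)

# Demo: the limits of the calling shell are the same before and after,
# because ulimit only affects the process (session) that runs it.
before=$(ulimit -Sn)
nofile_limit_demo
echo "caller soft limit: before=$before after=$(ulimit -Sn)"
```

Run as a normal user, the last field is raise_hard=rejected; run as root it is accepted, which is the privileged case the text mentions.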
In this recipe, you will see how to set up secure public key authentication.
You might need root privileges for certain tasks.
Follow these steps to set up public key authentication:
Logging in with SSH supports different authentication methods. Public key authentication and password-based authentication are two common methods. To log in with public key authentication, we need a public-private key pair. We generate this key pair with the ssh-keygen command. This command creates two files under the .ssh directory in the user's home:
You can view the contents of the files with $ cat id_rsa.pub. It should start with something like ssh-rsa AAAA... (except for the trailing dots).
We then copy the contents of public key to the server's authorized_keys file. Ensure that all contents are listed on single line in the authorized_keys file.
Also, ensure the permissions are properly set for the .ssh directory, and ensure that the authorized_keys file and directory are owned by the user. The permissions for the .ssh directory limit read, write, and execute permissions to the owner of the file. Similarly, for the authorized_keys file, permissions are limited to read and write for the owner only. This ensures that no other user can modify the data in the .ssh directory. If these permissions are not properly set, the SSH daemon will raise the warning Permission denied.
When the SSH client initiates a connection with the server, the server sends its public key identification to the client. If a client is connecting to the server for the first time, it shows a warning and asks for user confirmation to store the server key in the known_hosts file under the .ssh directory. After receiving the identity, the client authenticates the server to ensure that it is really the intended server.
After server authentication, the server sends a list of possible authentication methods. The client selects the authentication method and sends its selection to the server. After receiving the authentication method, the server sends a challenge string encrypted with client's private key. The client has to decrypt this string and send it back to the server along with the previously shared session key. If the response from the client matches the response generated by the server, then client authentication succeeds.
You might be searching for a secure option to install the key on the server. Here's one way!
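A check for the permission and key-layout requirements described above, as an added example that is not code from the book: it inspects a home directory's .ssh folder and reports anything that would make public key login fail. The function names, the temporary home directory, and the key entry are constructed (the key is not a usable key), and GNU stat is assumed.

```sh
#!/bin/sh
# Added example: verify the permissions and key layout sshd expects.

# write_sample_home DIR: constructed home with one placeholder key entry.
write_sample_home() {
    mkdir -p "$1/.ssh"
    cat > "$1/.ssh/authorized_keys" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleKeyOnly john@laptop
EOF
    chmod 700 "$1/.ssh"
    chmod 600 "$1/.ssh/authorized_keys"
}

# check_ssh_setup HOME_DIR
# Prints one finding per line; returns 0 only if nothing is wrong.
check_ssh_setup() (
    dir=$1/.ssh
    keys=$dir/authorized_keys
    rc=0
    [ -d "$dir" ]  || { echo ".ssh: missing"; exit 1; }
    [ -f "$keys" ] || { echo "authorized_keys: missing"; exit 1; }
    m=$(stat -c '%a' "$dir")
    [ "$m" = "700" ] || { echo ".ssh: mode $m, expected 700"; rc=1; }
    m=$(stat -c '%a' "$keys")
    [ "$m" = "600" ] || { echo "authorized_keys: mode $m, expected 600"; rc=1; }
    # Directory and file must belong to the account that owns the home.
    owner=$(stat -c '%u' "$1")
    if [ "$(stat -c '%u' "$dir")" != "$owner" ] ||
       [ "$(stat -c '%u' "$keys")" != "$owner" ]; then
        echo "owner of .ssh or authorized_keys differs from the home owner"
        rc=1
    fi
    # Each entry: [options] key-type base64-blob [comment], all on one line.
    bad=$(awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ &&
                    $(i + 1) ~ /^AAAA[A-Za-z0-9+\/]+=*$/) ok = 1
            if (!ok) printf "authorized_keys line %d: not a complete one-line key\n", NR
        }
    ' "$keys")
    [ -z "$bad" ] || { echo "$bad"; rc=1; }
    exit "$rc"
)

# Demo on a temporary directory; no real account is touched.
home=$(mktemp -d)
write_sample_home "$home"
check_ssh_setup "$home" && echo "layout ok"
chmod 755 "$home/.ssh"                   # too open: others can list the keys
check_ssh_setup "$home" || echo "fix with: chmod 700 ~/.ssh"
rm -rf "$home"
```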
If your local system has the ssh-copy-id tool installed, you can directly add your public key to the server's authorized_keys file with a single command:
After providing the password, your local public key will be added to the authorized_keys file under the .ssh directory of the user john.
Most connection issues are related to configuration problems. If you happen to face any such issue, read the error message in detail. It is descriptive enough to understand the mistake. You can also go through the following checklist:
Additionally, you can use the verbose flag (-v or -vvv) with the ssh command to get details of every step taken by the SSH client. Also, check SSH daemon logs on server.
If your local system runs Windows, then you can use the tools provided by PuTTY to generate new keys and connect to the server:
When using a public key generated by the puttygen.exe tool, make sure that you convert the key to the OpenSSH key format. Remove all comments and prepend ssh-rsa. Additionally, the entire key should be listed on a single line.
Another easy option is to use puttygen.exe. Load your private key in PuTTYgen and then copy the public key from the Key section of the PuTTYgen window.
In this recipe, we will look at ways to make user profiles more secure.
Follow these steps to secure the user account:
This recipe discussed a few important steps to make user accounts more secure.
A password is the most important aspect in securing user accounts. A weak password can be easily broken with brute force attacks and dictionary attacks. It is always a good idea to avoid password-based authentication, but if you are still using it, then make sure you enforce a strong password policy.
Password authentication is controlled by the PAM module pam_unix, and all settings associated with login are listed at /etc/pam.d/login. An additional configuration file /etc/pam.d/common-password includes values that control password checks.
The following line in the primary block of common-password file defines the rules for password complexity:
The default setting already defines some basic rules on passwords. The parameter obscure defines some extra checks on password strength. It includes the following:
The other parameter, sha512, states that the new password will be encrypted with the sha512 algorithm. We have set another option, minlen=8, on the same line, adding minimum length complexity to passwords.
For all settings of the pam_unix module, refer to the manual pages with the command man pam_unix.
Additionally, we have set alphanumeric checks for new passwords with the PAM module pam_cracklib:
The preceding line adds a requirement of one uppercase letter, one lowercase letter, one digit (dcredit), and one special character (ocredit).
There are other PAM modules available, and you can search them with the following command:
You might also want to secure the home directory of users. The default permissions on Ubuntu allow read and execute access to everyone. You can limit the access on the home directory by changing permission on the home
