Add SSH Keys/Disable Password login in Cloudron Dashboard (similar to Hetzner)
-
@matix131997 That's right. I should have clarified that. I thought of that extra step while typing the post
-
A cool solution in terms of security even on providers without an external firewall is "Match user" with "List Address" in the SSH configuration. You could use it with a VPN and not have to worry about attacks.
In my spare time on a test server I played around with it, but until today I could not enable it. With the various configurations given on the internet it throws an error about an error every time.
-
@humptydumpty said in Add SSH Keys/Disable Password login in Cloudron Dashboard (similar to Hetzner):
In Hetzner's dashboard, you can add your SSH keys without having to use the terminal. I'd like to request something similar in Cloudron since it comes in handy for home servers.
- Ability to add SSH keys in Cloudron UI
- Disable password login after keys are saved
Interesting idea, however I'm not quite sure if that can be done. Cloudron is NOT the root server itself. I mean, for my part, the only way I've been using SSH keys is to connect to a server with root access.
Still it would be great if it could work as you would expect, but on the other hand it's not really necessary, you can still use SSH over FTP which is SFTP. Same thing to connect to database you have SSL encryption etc.
-
@micmc I'm not sure if there are any technical limitations to this request, and maybe I didn't explain it well. I'm looking for a GUI to manage/add SSH keys to the server like you can do on Hetzner. It looks like the location of SSH keys is persistent across Ubuntu so all I'm suggesting is a UI where we can add keys and it will drop them into the proper SSH folder (/etc/ssh/ is the right path, I believe?). I know SSH is easy for you guys, but I've been trying to set it up properly since last Friday and I finally got the edDSA key to work last night (more like early AM hours today) but I have no clue if I disabled pass auth or not. The docs don't explain things well from a noob's perspective.
-
@humptydumpty Yeah, I see what you mean now. Yes, I use Hetzner too; makes sense, yes. Implementing such a thing in Cloudron might be another story though. Let's see what our fearless devs have to say about this.
-
@humptydumpty
If you want to check that you have actually disabled password logins, then use CMD or Windows PowerShell and type `ssh root@1.1.1.1`
1.1.1.1 - change to the server's IP address
-
@matix131997 Thanks again for the SSH config you provided here. I managed to add the SSH keys to my home servers with ChatGPT's help.
I finished setting up and securing SSH and while I now have firsthand knowledge of how it's done, I would still recommend an SSH UI page in the Cloudron dashboard. I've been using Cloudron for years and it took me until now (~3 server upgrades/migrations) to muster enough courage to tackle SSH. Usually, I'd be too busy with other specifics when migrating or setting up a new server, and after that is done, the last thing I want to do is lock myself out. Then, I move on with my life and forget about SSH. For us noobs, I highly recommend a UI page in Cloudron since it simplifies the process and gives us a chance of properly securing our servers.
If not feasible, a full Cloudron-oriented guide would also work. I know it has nothing to do with Cloudron, but for us regular Joes, we don't know what does or does not apply to us Cloudron(ians?), since we're not supposed to install/run other things alongside Cloudron.
With that said, I'd prefer if Cloudron focused on CR 9 (mainly, multi-backup destinations and per-app backup settings). Maybe, I can write a guide for this myself now that I've gotten my hands dirty and have set up SSH on my VPS and home servers.
-
Still, I forgot to add that a few hosting providers, e.g. OVH, have the username ubuntu instead of root. They have also added the parameter 'PasswordAuthentication' in another place; this causes a conflict with the automation with the Cloudron panel for easy key management and security.
-
@matix131997 Yes, I just found that out when I was testing to see if password auth was disabled using the method you mentioned and it turns out it was still working! The wizard aka chatgpt helped me find and fix the issue.
`Include /etc/ssh/sshd_config.d/*.conf` is mentioned in `/etc/ssh/sshd_config`, which overrides our `PasswordAuthentication no` that we're modifying. `sshd_config.d` is a directory with a file called `50-cloud-init.conf`, which has a single line, `PasswordAuthentication yes`.
Steps taken to locate and edit the referenced file:
```
# lists the contents of the sshd_config.d directory
ls -l /etc/ssh/sshd_config.d/
# The output is the name of the config file we need to edit. On my servers, the file name is 50-cloud-init.conf
# Enter and modify the line to: PasswordAuthentication no
nano /etc/ssh/sshd_config.d/50-cloud-init.conf
# Password authentication should be properly disabled now.
# Confirm by attempting to log in without an SSH key.
# Server should refuse your password with an error " bla bla ..[publickey]".
```
This only applies to home servers where OpenSSH was installed during the Ubuntu server setup. Maybe you get to customize this if you manually install OpenSSH. I didn't test this. For my Hetzner VPS, the ssh_config.d directory was empty, so no extra mods were needed.
@joseph Can we please have this mentioned in the docs? Thanks!
-
@humptydumpty
Not only on home servers, also OVH and Vultr. Additional files will definitely be with local providers. In this file "50-cloud-init.conf" as it actually is, I simply delete the line
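
The override discussed in the posts above, as an added example that is not part of any post in the thread: sshd keeps the first value it reads for each keyword and reads included files at the position of the `Include` line, so a drop-in file read ahead of the setting in `sshd_config` wins. The function names `first_setting` and `make_sample`, the constructed sample tree and the base-directory rule for relative paths are assumptions of this example, and `Match` sections are not evaluated.

```shell
#!/bin/sh
# first_setting KEYWORD FILE [BASEDIR]
# Prints "file:line: value" for the first global occurrence of KEYWORD, reading
# included files at the position of the Include line (sshd keeps the first value).
first_setting() {
    local key file base n line word rest pat f
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    file=$2
    base=${3:-$(dirname "$2")}   # assumption: relative Include paths resolve here
    [ -r "$file" ] || return 1
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # Drop comments and accept the "Keyword=value" form.
        line=$(printf '%s' "${line%%#*}" | sed 's/^\([[:space:]]*[A-Za-z]*\)[[:space:]]*=/\1 /')
        read -r word rest <<EOF
$line
EOF
        word=$(printf '%s' "$word" | tr 'A-Z' 'a-z')
        case $word in
            match) return 1 ;;   # simplification: conditional sections are not evaluated
            include)
                set -f; set -- $rest; set +f   # split the arguments without globbing
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=$base/$pat ;; esac
                    for f in $pat; do          # glob expands here, in sorted order
                        [ -f "$f" ] || continue
                        first_setting "$key" "$f" "$base" && return 0
                    done
                done ;;
            "$key")
                printf '%s:%s: %s\n' "$file" "$n" "$rest"
                return 0 ;;
        esac
    done <"$file"
    return 1
}

# Constructed sample: the layout described in the thread, built in a temp dir.
make_sample() {
    local d
    d=$(mktemp -d)
    mkdir "$d/sshd_config.d"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\n' "$d" >"$d/sshd_config"
    printf 'PasswordAuthentication yes\n' >"$d/sshd_config.d/50-cloud-init.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample)
first_setting PasswordAuthentication "$sample/sshd_config"   # reports the drop-in file
rm -rf "$sample"
```

On a live server, `first_setting PasswordAuthentication /etc/ssh/sshd_config` names the file to edit, and `sshd -T | grep -i passwordauthentication` (run as root) prints the effective global value sshd will use.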