Setup SSH Keys on Ubuntu 18.04

Who should read this?

This tutorial is for novice to intermediate Linux users who want to go beyond basic password security. Security professionals recommend SSH keys because they make authentication to SSH sessions faster, easier and more secure. As passwords become longer and more complex, they become harder to use and manage.

Key-based access is more secure and easier to manage for individuals. For teams and organizations, key-based access has challenges around rotation and user hygiene that are outside the scope of this tutorial.

What are we talking about?

This tutorial walks you through the basic procedure for setting up and using SSH keys on your servers, and how to use those keys with common Windows SSH tools like PuTTY, or from OSX or Linux.

SSH is a client-server protocol originally developed to replace the insecure, unencrypted Telnet protocol. SSH-1 was developed in 1995 by Tatu Ylonen, a researcher at the Helsinki University of Technology, who went on to found ssh.com. SSH has since become one of the most widely used security and administration tools in modern technology.

OpenSSH is a derivative work forked by the OpenBSD project from an earlier version of the SSH software that still carried less restrictive licensing.

Why

Using SSH keys makes system access fast, easy, secure and scalable. It’s pretty much the only way to fly if you’re serious about being a Linux administrator.

What are SSH Keys?

SSH keys are a public/private key pair used to authenticate users who are trying to log in to remote systems to perform administrative tasks and actions. The public key is placed on the remote server and the private key is held as a secret on the user’s local machine.

Pre-requisites

This tutorial is based on Ubuntu 18.04 running the latest

$ sudo apt-get update && sudo apt-get upgrade

If you are using Windows you’ll need:
PuTTY https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html    ### You need at least PuTTY v0.70 to use ED25519

WinSCP https://winscp.net/eng/download.php

PuTTYgen https://winscp.net/eng/download.php    ### This is included in the WinSCP installer

Step 1

$ mkdir -p ~/.ssh
$ chmod 0700 ~/.ssh
$ ssh-keygen -t ed25519 -C "VPS server #101"    ### https://ed25519.cr.yp.to/ if you are wondering what ED25519 is 
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):   #haha I can't type 
Enter same passphrase again:
Passphrases do not match.  Try again.
Enter passphrase (empty for no passphrase):  #still can't type
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:+EgRgp7QUWicc/vjjYfl8iW/HW1E5PkzOYY7TmCMlYU VPS server #101
The key's randomart image is:  
+--[ED25519 256]--+
| o.*o .     ...  |
|. O ..     Eoo . |
| + + ...   o  +  |
|  o .  O  +  .+..|
|     .o S. + ..*.|
|     .oo. . .oo +|
|     ..Bo . .+o  |
|      = ++ .oo.  |
|       +. o...   |
+----[SHA256]-----+
$ ls -al ~/.ssh
total 16
drwx------ 2 root root 4096 Apr 30 04:12 .            ### Agree to pretend that I didn't run this as root
drwx------ 7 root root 4096 Apr 30 04:11 ..
-rw------- 1 root root  411 Apr 30 04:12 id_ed25519    ### THIS IS YOUR PRIVATE KEY DO NOT SHARE
-rw-r--r-- 1 root root   97 Apr 30 04:12 id_ed25519.pub ### THIS IS YOUR PUBLIC KEY - GOES ON REMOTE DEVICES 

Step 2

You need to add your public key to the ~/.ssh/authorized_keys file on any server you want to login to.

$ cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys   #APPENDS THE CONTENTS OF THE PUBLIC KEY FILE TO authorized_keys
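
The one-line append above works, but run it twice and you get duplicate entries, and it leaves the file permissions to chance (sshd's default StrictModes silently ignores an authorized_keys file that is group- or world-writable). The POSIX shell function below is an added example, not part of the original post: it installs one public key line into a given home directory's authorized_keys exactly once, sets the 0700/0600 modes, and refuses input that is not shaped like an OpenSSH public key line. The function name is mine; the dummy ed25519 key used to exercise it is constructed, not a real key.

```shell
#!/bin/sh
# install_authorized_key <pubkey-file> [home-dir]
# Added example (not from the original post): append one OpenSSH public key
# line to $home/.ssh/authorized_keys idempotently, with permissions that
# sshd's StrictModes (the default) will accept. Prints what it did.
install_authorized_key() {
    pub="$1"
    home="${2:-$HOME}"
    dir="$home/.ssh"
    auth="$dir/authorized_keys"

    # Only the first line is the key; reject anything that is not shaped like
    # "<type> <base64> [comment]" so garbage never lands in authorized_keys.
    key=$(head -n 1 "$pub")
    case "$key" in
        "ssh-ed25519 "[A-Za-z0-9+/]*|"ssh-rsa "[A-Za-z0-9+/]*|ecdsa-sha2-*" "[A-Za-z0-9+/]*|sk-*" "[A-Za-z0-9+/]*) ;;
        *) echo "refusing: '$pub' is not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # Directory and file modes: sshd ignores the file if they are too open.
    mkdir -p "$dir" && chmod 0700 "$dir"
    touch "$auth" && chmod 0600 "$auth"

    # Whole-line, fixed-string match so a re-run does not duplicate the key.
    if grep -qxF "$key" "$auth"; then
        echo "already present"
        return 0
    fi
    # Guard against an existing file whose last line lacks a trailing newline,
    # which would otherwise glue the new key onto the previous one.
    if [ -s "$auth" ] && [ "$(tail -c 1 "$auth")" != "" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "installed"
}
```

Run it as `install_authorized_key ~/.ssh/id_ed25519.pub` on the server for the current user, or pass another user's home directory as the second argument.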

Use WinSCP or SCP to download your private key to your workstation.

On Windows

Open PuTTYgen and load the private key that you downloaded from the VPS. Make sure you select the ED25519 parameter if that is the key type you generated!

Then hit Save Private Key and save the id_ed25519.ppk key file somewhere sensible.

Open PuTTY, navigate to SSH > Auth in the left-hand menu, and browse to and load your private key file.

Go back to Session and save the session so that you don’t have to specify the key file over and over again like a robot.

If your session throws the error “Unable to load private key file .ppk (file format error)”, your version of PuTTY is probably too old and doesn’t support ED25519.

On Linux / OSX

Downloading your keys to your Linux workstation is pretty simple.

user@workstation:~$ scp user@192.168.1.101:~/.ssh/id_ed25519 ~/.ssh/
user@192.168.1.101's password:
id_ed25519 100% 411 15.4KB/s 00:00
user@workstation:~$ ssh root@192.168.1.101    #type your passphrase and boom you are in
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-38-generic x86_64)

References

  • https://www.openssh.com/history.html
  • https://www.ssh.com/ssh/
  • https://ed25519.cr.yp.to/ (what ED25519 is)

About the Author

Sean Richards, CISSP, is a 20-year technology enthusiast and security practitioner. He loves family, animals, BBQ, and bicycles.
https://www.linkedin.com/in/seangrichards/
https://github.com/seangrichards/
https://twitter.com/seangrichards

The post Setup SSH Keys on Ubuntu 18.04 appeared first on Low End Box.

How to setup OpenVPN on your VPS: Ubuntu 18.04

Who should read this tutorial:

This tutorial is written for novice-level Linux users and DevOps folks who need to add encryption to their internet traffic. A virtual private network (an encrypted network over the public internet) used to reach specific networks or services from the outside is the way to go.

What are we going to cover

  1. Walk through the installation of OpenVPN on Ubuntu 18.04
  2. How to install the OpenVPN client on a Windows workstation
  3. Generate a certificate and connect to the VPN server

Why Would You Want to Do This?

The key benefit of a VPN is access to resources that are otherwise unreachable from external networks, while still maintaining a minimum level of network security.

Generally, adding an encrypted virtual private network connection to your infrastructure is a good idea if:

  • you are not confident in the security of the network you are connecting from (public wifi, anyone?)
  • the resources you want to use lack inherent security (such as network protocols that don’t support strong encryption)
  • you are accessing resources that are protected by multiple layers of network security and should never be publicly accessible, such as systems holding payment card, healthcare, or security data.

My personal use case is to access my home security system (MotionEye) from my laptop or mobile device while traveling, so that I can keep an eye on my cats and dogs and fend off porch pirates.


Random internet cat

PRE-REQUISITES

We recommend:

  • Starting with a clean VPS
  • At least 512 MB of RAM
  • 15GB of free disk space
  • This tutorial is written for Ubuntu 18.04

Skills and Tools

  • You need to know how to SSH and get around the command line
  • An SSH client like Putty
  • An SFTP client like WinSCP
  • The ability to work with and transfer files

First Step – Make Sure You Are at the Latest and Greatest

Connect to your VPS via SSH

Update your package lists and upgrade so that everything is current. We are also installing git, because this is about 500% faster if we use the fantastic script from Angristan.

$ sudo apt-get update && sudo apt-get upgrade

$ sudo apt-get install git

Do you know your public IP address and your private IP address if you are behind a NAT device (like a router?)

Get the IP from your server

$ ifconfig
eth0: flags=4163  mtu 1500
        inet 192.168.1.166  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::216:3cff:fe43:ba41  prefixlen 64 scopeid 0x20
        ether 00:16:3c:43:ba:41  txqueuelen 1000 (Ethernet)
        RX packets 11672693  bytes 1049010192 (1.0 GB)
        RX errors 0  dropped 0 overruns 0  frame 0
        TX packets 347581  bytes 57193541 (57.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0 collisions 0

--

If you are behind a device like a firewall or router, visit http://www.whatismyip.com to find your public IP; it is easier than logging into the router directly.

Make a note of these IP addresses on your scratch pad; you might need them later.

The Actual Install starts here

The process with the openvpn-install.sh script is dead simple. We clone the script from GitHub, change into the directory that was created, make sure the script is executable, and then bang, run that baby as root or with sudo! That kicks off the installation dialogue and away you go.

$ cd ~ 
$ git clone https://github.com/angristan/openvpn-install openvpn-install
$ cd openvpn-install/
$ ls -l 
$ chmod +x openvpn-install.sh
$ sudo ./openvpn-install.sh

Welcome to the OpenVPN installer!
The git repository is available at: https://github.com/angristan/openvpn-install
I need to ask you a few questions before starting the setup.

You can leave the default options and just press enter if you are ok with them.

I need to know the IPv4 address of the network interface you want OpenVPN listening to.
Unless your server is behind NAT, it should be your public IPv4 address.

IP address: 192.168.1.111

Checking for IPv6 connectivity...

Your host does not appear to have IPv6 connectivity.

Do you want to enable IPv6 support (NAT)? [y/n]: n

What port do you want OpenVPN to listen to?

   1) Default: 1194
   2) Custom
   3) Random [49152-65535]

Port choice [1-3]: 2

Custom port [1-65535]: 7777     #YOU MIGHT WANT 80 or 443 if your local network is filtering things

What protocol do you want OpenVPN to use?

UDP is faster. Unless it is not available, you shouldn't use TCP.

   1) UDP
   2) TCP

Protocol [1-2]: 1

What DNS resolvers do you want to use with the VPN?

   1) Current system resolvers (from /etc/resolv.conf)
   2) Self-hosted DNS Resolver (Unbound)
   3) Cloudflare (Anycast: worldwide)
   4) Quad9 (Anycast: worldwide)
   5) Quad9 uncensored (Anycast: worldwide)
   6) FDN (France)
   7) DNS.WATCH (Germany)
   8) OpenDNS (Anycast: worldwide)
   9) Google (Anycast: worldwide)
   10) Yandex Basic (Russia)
   11) AdGuard DNS (Russia)

DNS [1-10]: 9

Do you want to use compression? It is not recommended since the VORACLE attack make use of it.

Enable compression? [y/n]: n

Do you want to customize encryption settings?

Unless you know what you're doing, you should stick with the default parameters provided by the script.

Note that whatever you choose, all the choices presented in the script are safe. (Unlike OpenVPN's defaults)
See https://github.com/angristan/openvpn-install#security-and-encryption to learn more.

Customize encryption settings? [y/n]: n

Okay, that was all I needed. We are ready to setup your OpenVPN server now.
You will be able to generate a client at the end of the installation.

Press any key to continue...

Tell me a name for the client.
Use one word only, no special characters.

Client name: chad

Do you want to protect the configuration file with a password?

(e.g. encrypt the private key with a password)
   1) Add a passwordless client
   2) Use a password for the client

Select an option [1-2]: 2

⚠ You will be asked for the client password below ⚠

Note: using Easy-RSA configuration from: ./vars
Using SSL: openssl OpenSSL 1.1.0g  2 Nov 2017
Generating an EC private key
writing new private key to '/etc/openvpn/easy-rsa/pki/private/chad.key.hYBMPyHfHV'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'chad'
Certificate is to be certified until Apr  9 03:48:48 2022 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated
Client chad added, the configuration file is available at /root/chad.ovpn.

Download the .ovpn file and import it in your OpenVPN client.
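
Before importing a downloaded .ovpn into a laptop or phone, it is worth checking that the file actually reflects the answers given above: no compression directive (the VORACLE reason the installer gives), a passphrase-protected embedded key (option 2 for the client), and the expected port and protocol. The shell function below is an added example, not part of the original post or of the installer script; the port and protocol defaults match this walkthrough (7777/udp), and the sample profiles it is exercised against are constructed, with placeholder text in place of real key material.

```shell
#!/bin/sh
# audit_ovpn <client.ovpn> [expected-port] [expected-proto]
# Added example (not from the post or the installer): check a client profile
# against the installer answers above. Prints findings, returns their count.
audit_ovpn() {
    f="$1"; port="${2:-7777}"; proto="${3:-udp}"; problems=0

    # Compression was declined because of VORACLE; any comp-lzo/compress
    # directive means the profile (or a later edit) re-enabled it.
    if grep -Eq '^[[:space:]]*(comp-lzo|compress)' "$f"; then
        echo "PROBLEM: compression directive present (VORACLE)"
        problems=$((problems + 1))
    fi

    # Option 2 ("Use a password for the client") yields an encrypted PEM key.
    # A plaintext key means anyone who copies the file can connect as you.
    keyblock=$(sed -n '/<key>/,/<\/key>/p' "$f")
    if printf '%s\n' "$keyblock" | grep -q 'BEGIN .*PRIVATE KEY'; then
        if ! printf '%s\n' "$keyblock" | grep -q 'ENCRYPTED'; then
            echo "PROBLEM: embedded private key is not passphrase-protected"
            problems=$((problems + 1))
        fi
    else
        echo "PROBLEM: no embedded <key> block found"
        problems=$((problems + 1))
    fi

    # "remote <host> <port>" must carry the custom port chosen in the installer.
    if ! grep -Eq '^remote[[:space:]]+[^[:space:]]+[[:space:]]+'"$port"'([[:space:]]|$)' "$f"; then
        echo "PROBLEM: no remote line for port $port"
        problems=$((problems + 1))
    fi
    # Protocol may be given as "proto udp" or as a trailing word on the remote line.
    if ! grep -Eq '^proto[[:space:]]+'"$proto"'|^remote .*[[:space:]]'"$proto"'[[:space:]]*$' "$f"; then
        echo "PROBLEM: protocol is not $proto"
        problems=$((problems + 1))
    fi

    echo "audit of $f: $problems problem(s)"
    return "$problems"
}
```

A non-zero exit status is the signal to stop and regenerate the client rather than import the file.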

Checking Our Work

I like to hit https://www.whatismyip.com while I’m connected and make sure that I see the remote network in the returned page rather than the external IP of my local network.

Then I like to visit https://speedtest.net and see what kind of throughput I get out of the system. I got 28.75 Mbps down and 73.31 Mbps up. Not bad at all!

User Management

To manage OpenVPN users on the system, we just re-run the installer; it detects that OpenVPN has already been installed and presents 4 management options.

  1. Add a new user
  2. Revoke an existing user
  3. Remove OpenVPN
  4. Exit
-- 
$ ./openvpn-install.sh 
Looks like OpenVPN is already installed.

What do you want to do?
   1) Add a new user
   2) Revoke an existing user
   3) Remove OpenVPN
   4) Exit 

Select an option [1-4]: 1

Tell me a name for the client certificate.
Please, use one word only, no special characters.

Client name: chad

Using SSL: openssl OpenSSL 1.1.0g  2 Nov 2017
Generating a 2048 bit RSA private key
............+++
.........................+++
writing new private key to '/etc/openvpn/easy-rsa/pki/private/chad.key.YjDIHqlesv'
-----
Using configuration from /etc/openvpn/easy-rsa/pki/safessl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows

commonName            :ASN.1 12:'chad'
Certificate is to be certified until Apr 22 02:45:13 2029 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Client chad added, configuration is available at: /root/chad.ovpn
root@ubuntu:~/openvpn-install#
--

Grab your SFTP client and download the username.ovpn configuration file (chad.ovpn in this example) to the workstation that is going to run the OpenVPN client.

Installing the Client on a Windows 10 Workstation

On the workstation, download the appropriate client from OpenVPN at https://openvpn.net/community-downloads/

Assuming Windows 10, download and run the installer. Then, in your system tray, right-click the little monitor with a lock on it and Import your chad.ovpn file! Then Chad > Connect and you should be good to go. I like to hit https://whatismyip.com while connected and verify that I’m showing the IP address of the OpenVPN server I’m connected to and not the public IP address of my local network.

Installing the OpenVPN client on your iPhone

Grab OpenVPN Connect from the App Store at https://itunes.apple.com/us/app/openvpn-connect/id590379981, then use a cloud file utility like Google Drive to get the chad.ovpn file onto the phone, or do something really insecure and email it to yourself…

References & Other Options

Alternatives to OpenVPN

About the Author

Sean Richards, CISSP, is a 20-year Linux enthusiast and security practitioner. He loves family, animals, BBQ, and bicycles.
https://www.linkedin.com/in/seangrichards/
https://github.com/seangrichards/
https://twitter.com/seangrichards

The post How to setup OpenVPN on your VPS: Ubuntu 18.04 appeared first on Low End Box.