Public / private key pair

Figure 970. Current server security flaws
  1. Password-based logins are notoriously prone to attacks.

    Solution: Use public/private key based ssh login.

  2. No updates: the software state reflects a most likely outdated installation image.


Figure 971. An elliptic ssh public / private key pair
id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDZrjJrxfC/gCHcAhu6CROIxAps/tP8hNsNgM1RgyTL0wAAAKiPQ5vcj0Ob
3AAAAAtzc2gtZWQyNTUxOQAAACDZrjJrxfC/gCHcAhu6CROIxAps/tP8hNsNgM1RgyTL0w
AAAECjW290zPFjh2srRIloZdaO49cs7hgQ7A7lmG8Z+SVDjdmuMmvF8L+AIdwCG7oJE4jE
Cmz+0/yE2w2AzVGDJMvTAAAAImdvaWtAbWFydGluLXBjLWRhY2hib2Rlbi5mcml0ei5ib3
gBAgM=
-----END OPENSSH PRIVATE KEY-----
(private key)
id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1 ... Cmz+0/yE2w2AzVGDJMvT goik@hdm-stuttgart.de
(public key)

Figure 972. Safety considerations
Private key
  • Keep it private!

  • Define a good passphrase on key pair creation.

  • Cannot be derived / re-engineered from corresponding public key.

Public key

May be given to anybody.

https://www.ssh.com/academy/ssh/passphrase:

A good passphrase should have at least 15, preferably 20 characters and be difficult to guess. It should contain upper case letters, lower case letters, digits, and preferably at least one punctuation character. No part of it should be derivable from personal information about the user or his/her family.
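The rules quoted above can be checked mechanically before a passphrase is typed into ssh-keygen. The following shell function is an added example, not part of the lecture page or of OpenSSH: it checks length (15 minimum, 20 preferred), upper and lower case letters, digits and punctuation. The "no personal information" rule cannot be checked in general, so, as an assumption of this example, it is approximated by extra arguments listing words (user name, host name, family names) that must not occur in the passphrase in any letter case.

```shell
#!/bin/sh
# Added example (not part of the lecture page): a passphrase checker that
# encodes the ssh.com guidance quoted above. Length, upper/lower case, digits
# and punctuation are checked mechanically; the "no personal information" rule
# is approximated (an assumption of this example) by extra arguments listing
# words such as the user name, host name or family names that must not occur
# in the passphrase in any letter case.
# Returns 0 when every rule holds, 1 otherwise; each violated rule is reported
# on stderr so the caller can tell the user what to change.

check_passphrase() {
    pass=$1
    shift
    ok=0
    len=${#pass}

    if [ "$len" -lt 15 ]; then
        echo "too short: $len characters, at least 15 required" >&2
        ok=1
    elif [ "$len" -lt 20 ]; then
        echo "note: 20 or more characters are preferable" >&2
    fi

    # One grep per character class; [[:upper:]] etc. are locale safe, unlike A-Z.
    printf '%s' "$pass" | grep -q '[[:upper:]]' || { echo "missing upper case letter" >&2; ok=1; }
    printf '%s' "$pass" | grep -q '[[:lower:]]' || { echo "missing lower case letter" >&2; ok=1; }
    printf '%s' "$pass" | grep -q '[[:digit:]]' || { echo "missing digit" >&2; ok=1; }
    printf '%s' "$pass" | grep -q '[[:punct:]]' || { echo "missing punctuation character" >&2; ok=1; }

    # Personal-information words: case-insensitive substring match.
    lower=$(printf '%s' "$pass" | tr '[:upper:]' '[:lower:]')
    for word in "$@"; do
        w=$(printf '%s' "$word" | tr '[:upper:]' '[:lower:]')
        [ -n "$w" ] || continue
        case "$lower" in
            *"$w"*) echo "contains personal information: $word" >&2; ok=1 ;;
        esac
    done
    return $ok
}

# Demo with constructed passphrases (examples only, do not reuse them).
# "foo" is the user name from the lecture's /home/foo example.
check_passphrase 'Correct-Horse7-Battery!Staple' && echo "candidate 1: acceptable"
check_passphrase 'foobattery1' foo && echo "candidate 2: acceptable" || echo "candidate 2: rejected"
```

The function only reports rule violations; it deliberately does not print the passphrase itself, so its output can be shown on a shared screen or logged.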


Figure 973. ssh-keygen for elliptic key creation
$ ssh-keygen  -a 256 -t ed25519  -C "$(hostname)-$(date +'%d-%m-%Y')"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/foo/.ssh/id_ed25519): 
Created directory '/home/foo/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/foo/.ssh/id_ed25519 
Your public key has been saved in /home/foo/.ssh/id_ed25519.pub 
...

-t: key type chosen from {dsa | ecdsa | ecdsa-sk | ed25519 | rsa}; ed25519 is the elliptic-curve type used here. The -C comment (hostname and date) is optional.

-a 256: number of KDF rounds used when encrypting the private key with its passphrase; this slows down passphrase guessing should the private key file be stolen.

Generated private key (id_ed25519): DO NOT CHANGE FILE NAME!

Corresponding public key (id_ed25519.pub).


Figure 974. Result of ssh-keygen execution (client side)
~/.ssh$ cd ~/.ssh
/home/foo/.ssh cat id_ed25519.pub >> authorized_keys 
mistudent@w10m:~/.ssh$ ls -al

drwxr-xr-x  2 student mi    0 Okt 17 17:45 .
drwxr-xr-x 32 student mi    0 Okt 17 17:44 ..
-rw-r--r--  1 student mi  396 Okt 17 17:45 authorized_keys 
-rw-------  1 student mi 1675 Okt 17 17:38 id_ed25519 
-rw-r--r--  1 student mi  396 Okt 17 17:38 id_ed25519.pub 

Append public key to list of authorized keys.

The authorized_keys file may contain multiple lines, one public key per line, each granting access.

Private key.

Corresponding public key.


Figure 975. Transfer public key from client to server
goik@martin-hdm-desktop:~$ scp .ssh/id_ed25519.pub root@37.27.32.138:/tmp 
root@37.27.32.138's password: 
id_ed25519.pub                                     100%  103     3.7KB/s   00:00    
goik@martin-hdm-desktop:~$ ssh root@37.27.32.138 
root@37.27.32.138's password: 
      ...
root@debian-4gb-hel1-2:~# cat  /tmp/id_ed25519.pub >> ~/.ssh/authorized_keys 
root@debian-4gb-hel1-2:~# exit 
goik@martin-hdm-desktop:~$ ssh root@37.27.32.138 
     ...
Last login: Tue Apr  8 13:38:42 2025 from 141.62.31.244

Copy the ssh public key from client to server (scp), authenticating by password.

Login to server by password.

Append the public key to ~/.ssh/authorized_keys.

Note

If ~/.ssh does not yet exist, create it first: mkdir ~/.ssh; chmod go-w ~/.ssh. With its default StrictModes setting sshd ignores an authorized_keys file inside a group- or world-writable directory.

Leave server.

Login to server now uses the private key and no longer requires a password.
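Figures 974 and 975 append the public key to authorized_keys by hand. The following shell functions are an added example, not part of the lecture page or of OpenSSH, and automate that step with the checks an administrator wants: the ~/.ssh directory is created with mode 700 if missing (the note above), the file content must look like a single OpenSSH public key line so that a private key copied by mistake is refused, a key that is already listed is not appended twice, and authorized_keys ends up with mode 600. audit_ssh_dir reports files that are group- or world-accessible. The demo key at the bottom is constructed (all-zero key bytes, only the wire format is right) and is not a usable key; all file names are the lecture's own.

```shell
#!/bin/sh
# Added example (not part of the lecture page or of OpenSSH): installs a public
# key into authorized_keys the way Figures 974 and 975 do by hand, adding the
# checks an administrator wants:
#   - ~/.ssh is created with mode 700 if missing (cf. the mkdir/chmod note);
#   - the file content must look like one OpenSSH public key line, so a private
#     key copied by mistake is refused instead of being published;
#   - a key that is already listed is not appended a second time;
#   - authorized_keys ends up with mode 600.
# audit_ssh_dir() reports files in the directory that are group- or
# world-accessible, a condition under which sshd (StrictModes) ignores them.
# Usage: install_authorized_key PUBKEY_FILE [SSH_DIR]; audit_ssh_dir [SSH_DIR]
# SSH_DIR defaults to ~/.ssh.

install_authorized_key() {
    pubfile=$1
    sshdir=${2:-"$HOME/.ssh"}
    authkeys="$sshdir/authorized_keys"

    # A .pub file holds a single line; take the first non-empty one.
    line=$(sed -n '/./{p;q;}' "$pubfile" 2>/dev/null)
    [ -n "$line" ] || { echo "$pubfile: cannot read or empty" >&2; return 1; }

    case "$line" in
        "-----BEGIN "*) echo "$pubfile: this is a PRIVATE key, refusing to install it" >&2; return 1 ;;
    esac
    # Expected shape: key type, base64 blob, optional comment.
    printf '%s\n' "$line" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$' \
        || { echo "$pubfile: not an OpenSSH public key line" >&2; return 1; }

    [ -d "$sshdir" ] || mkdir -m 700 "$sshdir" || return 1

    # Compare type and blob only: the comment may differ between copies.
    keytype=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    if [ -f "$authkeys" ] && awk -v t="$keytype" -v b="$blob" \
        '$1 == t && $2 == b { f = 1 } END { exit (f ? 0 : 1) }' "$authkeys"; then
        echo "key already present in $authkeys" >&2
        return 0
    fi
    printf '%s\n' "$line" >> "$authkeys" || return 1
    chmod 600 "$authkeys"
}

audit_ssh_dir() {
    sshdir=${1:-"$HOME/.ssh"}
    bad=0
    for f in "$sshdir" "$sshdir"/authorized_keys "$sshdir"/id_*; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) continue ;; esac   # public keys may be world readable
        # columns 5-10 of "ls -ld" are the group and other permission bits
        gobits=$(ls -ld "$f" | cut -c5-10)
        [ "$gobits" = "------" ] || { echo "$f: group/other bits '$gobits' should be empty" >&2; bad=1; }
    done
    return $bad
}

# Demo in a scratch directory with a constructed key (all-zero key bytes, not a
# usable key). Real use: install_authorized_key ~/.ssh/id_ed25519.pub
demo=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA demo@constructed' > "$demo/id_ed25519.pub"
install_authorized_key "$demo/id_ed25519.pub" "$demo/ssh"
install_authorized_key "$demo/id_ed25519.pub" "$demo/ssh"   # second run: reports "already present"
audit_ssh_dir "$demo/ssh" && echo "permissions ok, $(wc -l < "$demo/ssh/authorized_keys" | tr -d ' ') key(s) installed"
rm -rf "$demo"
```

On the server the same function replaces the cat >> authorized_keys step of Figure 975: install_authorized_key /tmp/id_ed25519.pub. The stricter modes (700/600 instead of go-w) are the common recommendation and are accepted by sshd either way.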


exercise No. 3

Improve your server's security!

Q:

Re-create your server solving (some of) its security flaws.

  1. Create a firewall using the Hetzner GUI containing just a single ICMP inbound access rule.

  2. Transfer your public ssh key to your Hetzner account marking it as default.

  3. Select both your newly created firewall and your ssh key during server creation. The subsequent examples assume a server IP of 167.235.54.109.

  4. Try to ping your server:

    $ ping 167.235.54.109
    PING 167.235.54.109 (167.235.54.109) 56(84) bytes of data.
    64 bytes from 167.235.54.109: icmp_seq=1 ttl=54 time=13.2 ms
    64 bytes from 167.235.54.109: icmp_seq=2 ttl=54 time=12.3 ms
    ^C
    --- 167.235.54.109 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1001ms
    rtt min/avg/max/mdev = 12.325/12.749/13.173/0.424 ms
  5. Due to your firewall rule, ssh access should fail.

  6. Add an inbound rule for port 22 (ssh standard port) to your current firewall. Passwordless ssh access should now work:

    $ ssh root@167.235.54.109
    Linux gtest3 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64
        ...
    root@gtest3:~# hostname
    gtest3
  7. Update and reboot your server:

    root@gtest3:~# apt update
    Get:1 http://mirror.hetzner.com/debian/packages bookworm InRelease [151 kB]
    Get:2 http://deb.debian.org/debian bookworm InRelease [151 kB]                                                        
    Get:3 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB] 
        ...
    root@gtest3:~# apt upgrade  
    ...
    root@gtest3:~# aptitude -y upgrade
    Resolving dependencies...                
    The following NEW packages will be installed:
      linux-image-6.1.0-32-amd64{a} 
    The following packages will be upgraded:
      base-files curl libc-bin libc-l10n libc6 libcurl3-gnutls libcurl4 libfreetype6 liblzma5 libnss-systemd libpam-systemd libsystemd-shared libsystemd0 libudev1 linux-image-amd64 locales locales-all python3-jinja2 
      systemd systemd-sysv systemd-timesyncd tzdata udev vim vim-common vim-runtime vim-tiny wget xz-utils 
         ...
    root@gtest3:~# reboot 
  8. Install the nginx webserver:

    root@gtest3:~# apt install nginx
    Reading package lists... Done
    Building dependency tree... Done
    ...
    Do you want to continue? [Y/n] y
    Get:1 http://deb.debian.org/debian bookworm/main amd64 nginx-common all 1.22.1-9 [112 kB]
    Get:2 http://deb.debian.org/debian bookworm/main amd64 nginx amd64 1.22.1-9 [527 kB]
    ...
    Processing triggers for man-db (2.11.2-2) ...

    Check for the running process:

    root@gtest3:~# systemctl status nginx
    ● nginx.service - A high performance web server and a reverse proxy server
         Loaded: loaded (/lib/systemd/system/nginx.service; enabled; preset: enabled)
         Active: active (running) since Tue 2024-06-04 08:24:57 UTC; 1min 31s ago
           Docs: man:nginx(8)
        Process: 1558 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
        Process: 1559 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
       Main PID: 1582 (nginx)
          Tasks: 2 (limit: 2251)
         Memory: 1.8M
            CPU: 22ms
         CGroup: /system.slice/nginx.service
                 ├─1582 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
                 └─1583 "nginx: worker process"
  9. Use wget on the server itself to fetch http://167.235.54.109, verifying that HTTP (port 80) is reachable locally:

    # ssh root@167.235.54.109
    root@gtest3:~# wget -O - http://167.235.54.109
    --2024-06-04 09:02:41--  http://167.235.54.109/
    Connecting to 167.235.54.109:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 615 [text/html]
    Saving to: ‘STDOUT’
    
    <html>
    <head>
    <title>Welcome to nginx!</title>
                ...
    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>
  10. Try external access using http://167.235.54.109 again in your browser of choice.

    Why does external access fail although local access from the server itself works?

  11. Modify your firewall adding an inbound HTTP traffic rule and try again accessing http://167.235.54.109 in your browser.

Figure 976. Cleaning up!

Caution

This is about $$$ MONEY $$$

  • Delete your server including the IPv4 address and its volume: all three are billed on a per-hour basis.

  • You may optionally delete your firewall.