first things I do with a new server
There’s a little routine I go through when a get a new server.
- change the password for the account provided (usually root) because I’m paranoid
- setup any new accounts required (including their SSH keys) because I’m courteous
- disable password based SSH login because people choose weak passwords
The following tasks simplify this process:
$ cap deprec:users:passwd HOSTS=root@sh03 $ cap deprec:users:add HOSTS=root@sh03 $ cap deprec:ssh:config HOSTS=sh03
If you want to know more about how this works then please read on.
more about how this works
Assume I’ve been given an IP address and root password by my VPS provider. I add an entry to my DNS. In this example the hostname is ‘sh03.failmode.org’. As ‘failmode.org’ is in the DNS search path on all my servers (and workstations) I can address the host as ‘sh03′. (My fingers have a finite number of keystrokes left!)
Change the root password
I tell Capistrano to connect as root as it’s the only account I have details for.
$ cap deprec:users:passwd HOSTS=root@sh03 Enter user to change password for |root| Enter new password for root Re-enter new password for root Password:
Create an account for myself
I believe everyone should use their own account for ease of use, accountability and security. No logging in as root or deploy!
$ cap deprec:users:add HOSTS=root@sh03 Enter userid for new user |root| mbailey Should this be an admin account? |no| yes Enter new password for mbailey ******** Re-enter new password for mbailey ********
Admin accounts have sudo setup for them.
The deprec:users:add task looks on the local filesystem for ./config/ssh/authorized_keys/username and ~username/.ssh/authorized_keys (where username is the user being created). If found, it copies this file out and sets the correct permissions so the user can ssh in using the public keys. In a team environment, drop your colleagues public keys into this directory (renaming accordingly) to provide a polished service when creating their accounts. (Password access will be turned off so you’ll need to do this anyway!)
deprec found my public key in ~/.ssh/id_dsa and copied it to the server. I can now login using the command “ssh sh03″ without being prompted for a password.
From now on I don’t need to add ‘USER=root’ as I can use my own account now.
Now that I have my SSH keys setup, I can disallow password based SSH access. This is an easy way to reduce the risk of system compromise.
$ cap deprec:ssh:config