This website now runs on a Vultr VM so I wanted to detail how to set one up.
Make an account and login
First, you'll need a Vultr account, which you can create by clicking here. You'll need to verify your e-mail and link a payment method before you can set up a server.
Generate SSH keys
Before provisioning the server, you'll want to generate SSH keys for connecting to your server in a more secure manner. You can do this with PuTTYGen by clicking the "Generate" button and then assigning a passphrase before saving both the public and private keys. If you have an existing Linux/Unix machine, you can use the ssh-keygen utility to generate your own keys with the following command:
ssh-keygen -t rsa -b 4096
Make sure to assign a passphrase when prompted.
Provision a server
Once logged in, click on the "Servers" icon on the left-hand side. Pick a location that's close to you or your customer.
Only you will know what software and hardware requirements you'll need, and this is where you get to choose them. This is a simple website running OpenBSD, so I chose OpenBSD 6.3 x64 with 1 CPU / 1024 MB RAM / 25 GB disk. Select whichever additional options may apply to you, and click the "Add New" button under SSH keys. Paste the contents of the public key or id_rsa.pub file from the previous step; it should start with "ssh-rsa". If you see any text like "Private Key" then you're copying the incorrect key. Finally, write in a clever hostname (e.g. gridc0), and click the "Deploy Now" button.
Let it provision
You're all done. Your server will now be provisioned and you can start using it in just a few moments! It took about 2.5 minutes for mine to reach the login prompt. On your "Servers" page you should see your server listed, along with a "Manage" or a "..." icon on the right-hand side. Click this (and then "Server Details" if it was the "..." icon) to get to the overview page. On the bottom left-hand side you'll see the password for the root account. Open the console (icon at the top right) and use that password to log in as root. You can change the password if you wish with the passwd command. Otherwise, your server is up.
Add user and disable root SSH logins
As a first security measure, you should add a new user so that you can disable root login over SSH. Add a new user with the useradd command, which should first prompt you for some default settings for adding users, for which you can accept the defaults (default defaults). Next, answer the questions for your new user, the only addition being that they should be invited to the "wheel" group. While keeping the console window up, attempt to log in over SSH with your new user; be sure this works before moving on.
Now open the /etc/ssh/sshd_config file and find the following three lines (they'll be scattered around):
PermitRootLogin yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
Change them to the following, and add the AuthenticationMethods line:
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
The SSH daemon rereads its configuration file when it receives the SIGHUP signal; to send it, we need the PID of the SSH daemon:
# cat /var/run/sshd.pid
And then send the SIGHUP signal to that PID:
# kill -HUP <PID>
Add your public SSH key to your new user's ~/.ssh/authorized_keys file by echoing and appending it (replacing the text inside '<>'):
# echo "<ssh public key>" >> ~<user>/.ssh/authorized_keys
Now attempt to log in over SSH as root: you should get a failure for not using publickey authentication, or if you did use it, you should get "Access Denied" (no keys should be loaded for root anyway).
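The edit, reload and authorized_keys steps above are easy to get subtly wrong: a directive left commented out silently keeps sshd's built-in default, and pasting a private key (the mistake the provisioning section warns about) leaves the user with no working key at all. The following POSIX shell script is an added example, not code from the original post. It audits an sshd_config file for the four directives set above and refuses to append anything that is not a public-key line to an authorized_keys file. Every file path, user name and piece of key material in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the original post). Two checks for the
# "disable root SSH logins" steps, written for a POSIX sh as found on OpenBSD:
#   1. audit an sshd_config for the four directives the post sets, and
#   2. sanity-check a public-key line before appending it to authorized_keys.
# All file names and key material below are constructed for the demo.

# effective_value FILE KEY -> prints the value of the first uncommented KEY line.
# sshd keeps the first value it sees for a keyword (case-insensitive) and falls
# back to its built-in default when the line is missing or commented out, so
# "#PasswordAuthentication yes" counts as "not set". Match blocks are ignored here.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE -> prints one status line per directive; returns 0 only
# when all four match what the post requires.
check_sshd_config() {
    rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                ChallengeResponseAuthentication=no AuthenticationMethods=publickey; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok       $key $got"
        else
            echo "MISMATCH $key: want '$want', got '${got:-<unset>}'"
            rc=1
        fi
    done
    return $rc
}

# looks_like_pubkey LINE -> 0 if LINE is a single OpenSSH public-key line
# (key type, base64 blob, optional comment); 1 for anything else, including
# PEM-style private keys and PuTTY .ppk files.
looks_like_pubkey() {
    case $1 in
        *"PRIVATE KEY"*|*"PuTTY-User-Key-File"*) return 1 ;;
    esac
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'
}

# add_authorized_key LINE FILE -> appends LINE to FILE (creating the .ssh
# directory 0700 and the file 0600) unless it is malformed or already present.
add_authorized_key() {
    looks_like_pubkey "$1" || { echo "refusing: not a public key line" >&2; return 1; }
    dir=$(dirname "$2")
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$2" ] || { : > "$2"; chmod 600 "$2"; }
    grep -qxF "$1" "$2" && { echo "already present"; return 0; }
    printf '%s\n' "$1" >> "$2"
}

# --- demo with constructed inputs (a scratch directory, not the real system files) ---
WORK=$(mktemp -d)
cat > "$WORK/sshd_config.before" <<'EOF'
PermitRootLogin yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
EOF
cat > "$WORK/sshd_config.after" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey
EOF
# Fake key: the blob is not real key material, it only has the right shape.
FAKE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForTheDemoOnly0000 user@gridc0'
FAKE_PRIVKEY='-----BEGIN OPENSSH PRIVATE KEY-----'
AUTH="$WORK/home/user/.ssh/authorized_keys"

echo "== before =="; check_sshd_config "$WORK/sshd_config.before" || true
echo "== after ==";  check_sshd_config "$WORK/sshd_config.after"  || true
add_authorized_key "$FAKE_PRIVKEY" "$AUTH" || true      # refused
add_authorized_key "$FAKE_PUBKEY"  "$AUTH" && echo "added"
add_authorized_key "$FAKE_PUBKEY"  "$AUTH"              # already present
```

On the real server, `sshd -t` validates the edited file and exits non-zero on a syntax error, and `sshd -T` prints the effective values (honouring Match blocks, which the awk parse above does not), so run those before sending SIGHUP. Note that in the order given above the reload disables password logins before the key is in authorized_keys, so keep the console session open until a key-based login as the new user succeeds.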
Lastly, enable doas by adding the following line to
permit persist keepenv :wheel
This line allows users in the "wheel" group to use doas. Additionally, they will retain their environment while running commands, and will not be prompted for their password if they recently authenticated to doas successfully. Optionally, you could use the following line, which will not prompt for a password at all:
permit nopass keepenv :wheel
If you trust your users (or yourself) to protect their keys and not leave an SSH session unattended then this should be fine. They will have used a private key (which is hopefully protected by a password) to login indicating that they have something belonging to that user, and know something only that user should know.
Now, to log in over SSH you'll need to use your private key, and when prompted for a password, enter the password for the key. Once logged in, ensure doas works:
$ doas echo "hi"
Enter your password and you should see "hi" printed to the console.
Now that the basics are under control, close your SSH session and restart the server from the console terminal:
# shutdown -r now
Once it's back at the login prompt, use SSH to log in as your normal user and attempt the same doas command as before. If it works then you're all set!
Close the console and use SSH logins from now on when interacting with your