Setup a Vultr VM

This website now runs on a Vultr VM so I wanted to detail how to set one up.

Make an account and login

First, you'll need a Vultr account, which you can create by clicking here. You'll need to verify your e-mail and link a payment method before you can set up a server.

Generate SSH keys

Before provisioning the server, you'll want to generate SSH keys so you can connect to your server in a more secure manner. You can do this with PuTTYGen by clicking the "Generate" button and then assigning a passphrase before saving both the public and private keys. If you have an existing Linux/Unix machine you can use the ssh-keygen utility to generate your own keys with the following command:

ssh-keygen -t rsa -b 4096

Make sure to assign a passphrase when prompted.

Provision a server

Once logged in, click on the "Servers" icon on the left-hand side. Pick a location that's close to you or your customer.

Only you will know what software and hardware requirements you'll need, and this is where you get to choose them. This is a simple website running OpenBSD so I chose OpenBSD 6.3 x64 with 1 CPU / 1024 MB RAM / 25 GB disk. Select whichever additional options may apply to you, and click the "Add New" button under SSH keys. Paste the contents of the public key or id_rsa.pub file from the previous step; it should start with "ssh-rsa". If you see any text like "Private Key" then you're copying the incorrect key. Finally, write in a clever hostname (e.g. gridc0), and click the "Deploy Now" button.

Let it provision

You're all done. Your server will now be provisioned and you can start using it in just a few moments! It took about 2.5 minutes for mine to reach the login prompt. On your "Servers" page you should see your server listed, along with "Manage" or a "..." icon on the right-hand side. Click this (and then "Server Details" if it was the "..." icon) to get to the overview page. On the bottom left-hand side you'll see the password for the root account. Open the console (icon at the top right) and use that password to login as root. You can change the password if you wish with the passwd command. Otherwise, your server is up and running.

Add user and disable root SSH logins

As a first security measure, you should add a new user so that you can disable root login over SSH. Add a new user with the adduser command, which first prompts you for some default settings for adding users (you can accept the defaults). Next, answer the questions for your new user; the only addition is that they should be invited into the "wheel" group. While keeping the console window up, attempt to log in over SSH with your new user - be sure this works before moving on.

Now open the /etc/ssh/sshd_config file and find the following three lines (they'll be scattered around):

PermitRootLogin yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes

and change them to and add:

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AuthenticationMethods publickey

The SSH daemon rereads its configuration file when it receives the SIGHUP signal. To send it, we need the PID of the SSH daemon:

# cat /var/run/sshd.pid

And then send the SIGHUP signal to that PID:

# kill -HUP <PID>

Add your public SSH key to your new user's ~/.ssh/authorized_keys file by echoing and appending it (replacing the text inside '<>'):

# echo "<ssh public key>" >> ~<user>/.ssh/authorized_keys

Now attempt to log in over SSH as root - you should get a failure for not using publickey authentication, or, if you do get prompted, "Access Denied" (no keys should be loaded for root anyway).
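The sshd_config edit, reload and authorized_keys steps above, turned into a checkable script; this is an added example and not part of the original post. It assumes POSIX sh and awk (both present on OpenBSD) and a home directory you pass in; the live apply step only runs when the script is invoked with the argument `apply`, so the functions can first be tried against a scratch copy of sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh + awk.
set -eu

# harden_sshd_config FILE: force the three directives to their hardened values,
# whether they were commented out or not, and append AuthenticationMethods.
harden_sshd_config() {
    f=$1
    awk '
        $1 ~ /^#?PermitRootLogin$/                 { print "PermitRootLogin no"; next }
        $1 ~ /^#?PasswordAuthentication$/          { print "PasswordAuthentication no"; next }
        $1 ~ /^#?ChallengeResponseAuthentication$/ { print "ChallengeResponseAuthentication no"; next }
        $1 ~ /^#?AuthenticationMethods$/           { next }   # dropped, re-added once below
        { print }
        END { print "AuthenticationMethods publickey" }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# install_authorized_key HOME KEY [OWNER]: refuse anything that is not a public
# key line (a pasted private key is the classic mistake), then append it with the
# permissions sshd insists on (~/.ssh 0700, authorized_keys 0600).
install_authorized_key() {
    home=$1; key=$2; owner=${3:-}
    case $key in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "refusing: not a public key line (starts with: ${key%% *})" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh"
    printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
    if [ -n "$owner" ]; then chown -R "$owner" "$home/.ssh"; fi
    return 0
}

# reload_sshd: validate the config first, then HUP the running daemon as the
# post describes. A syntax error here would otherwise leave sshd unreloadable.
reload_sshd() {
    sshd -t && kill -HUP "$(cat /var/run/sshd.pid)"
}

# Usage on the server (as root): ./harden.sh apply <user> "<ssh public key>"
if [ "${1:-}" = "apply" ]; then
    install_authorized_key "$(eval echo "~$2")" "$3" "$2"
    harden_sshd_config /etc/ssh/sshd_config
    reload_sshd
fi
```

Run the script against a copy of /etc/ssh/sshd_config first, and keep the console session open until a key-based login as the new user succeeds.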

Enable doas

Lastly, enable doas by adding the following line to /etc/doas.conf:

permit persist keepenv :wheel

This allows users in the "wheel" group to use doas. Additionally, they will retain their environment while running commands, and will not be prompted for their password if they recently authenticated to doas successfully. Optionally, you could use the following line, which will not prompt for a password at all:

permit nopass keepenv :wheel

If you trust your users (or yourself) to protect their keys and not leave an SSH session unattended, then this should be fine. They will have used a private key (which is hopefully protected by a password) to log in, indicating that they have something belonging to that user and know something only that user should know.

Now, to log in over SSH you'll need to use your private key, and when prompted for a password, enter the passphrase for the key. Once logged in, ensure doas works:

$ doas echo "hi"

Enter your password and you should see "hi" printed to the console.

Finish up

Now that the basics are under control, close your SSH session and restart the server from the console terminal:

# shutdown -r now

Once it's back at the login prompt, use SSH to log in as your normal user and attempt the same doas command as before. If it works then you're all set! Close the console and use SSH logins from now on when interacting with your server.
