To SSH or Not?
SSH keys are a stronger credential than passwords. Authentication is a signature made with a private key that never leaves your machine, so nothing reusable is typed into or stored on the server, nothing can be phished or shared the way a password can, and the key's hundreds of bits of randomness put online guessing and credential stuffing out of reach. Revoking a key is one deleted line in authorized_keys, which is what makes keys manageable across many users or systems.
But here’s the tradeoff
The tradeoff is key management. Keys have to be generated, distributed and revoked with some discipline, and a private key kept without a passphrase is a single point of failure: whoever copies it from a lost laptop or a leaked backup can log in to every host that trusts it. Keys are also less convenient than passwords when you need access from a device that does not hold the key, so weigh usability and operations against the security gain.
Options
YOLO
Just add your SSH username to `ansible_user` in `justdeploy-ansible/inventory` and you're good to go. You will also likely need to enable password authentication in your `sshd_config` file (`PasswordAuthentication yes`). Here's a link on how to do that: Enable Password Authentication. Bear in mind that this leaves the server open to the password guessing described above, which is exactly what the recommended path avoids.
But security...
Recommended
I hear you. In that case there are a few extra steps we will need.
NOTE
If you're using a DigitalOcean Droplet, chances are you've already done this. If you're not sure, run `ssh root@your_server_ip` in your favorite terminal. If you're prompted for a password, the server has no key for you but still accepts passwords; if you get `Permission denied (publickey)`, it accepts only keys and yours is not among them. In either case, follow the steps below.
- Generate SSH Key Pair:
  - On your local machine, open a terminal.
  - Use the `ssh-keygen` command to generate a new SSH key pair. You can accept the default location and optionally provide a passphrase for added security; with a passphrase, a copied key file is useless on its own, and `ssh-agent` lets you type it once per session.
    ssh-keygen -t ed25519 -C "your_email@example.com"
  - This command generates a new SSH key pair (public and private) and saves it to the default location (`~/.ssh/id_ed25519` for the private key and `~/.ssh/id_ed25519.pub` for the public key). The `.pub` file is the only one that ever leaves your machine.
- Copy Public Key to Remote Server:
  - Use the `ssh-copy-id` command to copy your public SSH key to the remote server. Replace the username and hostname with your remote server's username and hostname/IP address.
    ssh-copy-id root@SERVER_IP_ADDRESS
  NOTE
  At this point, you may realize you don't have a root password. If you're using DigitalOcean, you can reset the root password from the DigitalOcean dashboard. If you're using another provider, you may need to contact their support. You may also need to enable password authentication by following the steps here: Enable Password Authentication. Password authentication is only needed to get the key onto the server; once key login works (the next step), you can turn it back off.
  - Use `-p port_number` to connect to the specified SSH port instead of the default port 22, and `-i ~/.ssh/id_ed25519.pub` to pick the key if you have more than one.
  - The command prompts for your remote server password. Enter it to complete the process. Your public key is appended to `~/.ssh/authorized_keys` on the remote server, allowing you to authenticate using your private key.
  If all goes well you should see the following:
    Number of key(s) added: 1

    Now try logging into the machine, with: "ssh 'root@SERVER_IP_ADDRESS'"
    and check to make sure that only the key(s) you wanted were added.
  Take that last line seriously: `authorized_keys` is the list of everyone allowed in as root, so the only new line in it should be yours.
- Test SSH Connection:
  - Connect to your remote server using SSH. If everything is set up correctly, you log in without entering the server password (if you set a passphrase on the key, you are asked for that instead, which is expected).
    ssh username@hostname
- Update Ansible Inventory:
  - Once SSH key-based authentication is working, update your Ansible `inventory` file (the `vps:vars` section) to use the SSH key for authentication instead of a password. Make sure you uncomment `ansible_ssh_private_key_file`.
  - At this point you may still need `root` as the `ansible_user`, since we're yet to create a new user.
    ansible_user=root
    ansible_ssh_private_key_file=~/.ssh/id_ed25519
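Before running the playbook, here is a small POSIX shell pre-flight that covers the checks the steps above lean on. It is an added example for this page, not part of the JustDeploy project: it reports whether `sshd_config` still allows the password login that `ssh-copy-id` needs (taking the first occurrence of the keyword, as sshd does, and ignoring commented-out defaults), refuses a private key whose permissions ssh would reject, sanity-checks the public key line that lands in `authorized_keys`, tests key-only login non-interactively, and uncomments `ansible_ssh_private_key_file` in the inventory. The function names are mine; the paths (`~/.ssh/id_ed25519`, `justdeploy-ansible/inventory`) are the ones this page uses and are passed as arguments, and `test_key_login` of course needs a reachable server.

```shell
#!/bin/sh
# Added example for this page, not JustDeploy's own code. Assumed paths:
# private key ~/.ssh/id_ed25519, inventory justdeploy-ansible/inventory;
# every function takes them as arguments, so adjust freely.

# Effective global PasswordAuthentication value in an sshd_config.
# sshd uses the FIRST occurrence of a keyword; directives after a "Match"
# line are conditional and do not set the global value; if the keyword is
# absent the compiled-in default is "yes". Caveat: files pulled in via
# "Include" (e.g. sshd_config.d/*.conf on Ubuntu) are not followed here.
sshd_password_auth() {
  val=$(awk '
    /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
    { gsub(/=/, " ") }                            # sshd accepts "Key value" and "Key=value"
    tolower($1) == "match" { exit }
    tolower($1) == "passwordauthentication" { print tolower($2); exit }
  ' "$1")
  echo "${val:-yes}"
}

# The private key must exist and be readable only by its owner; otherwise ssh
# refuses to use it ("UNPROTECTED PRIVATE KEY FILE!").
check_key_perms() {
  [ -f "$1" ] || { echo "missing private key: $1" >&2; return 1; }
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD/macOS stat
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$1 has mode $mode; fix with: chmod 600 $1" >&2; return 1 ;;
  esac
}

# A public key line as ssh-copy-id appends it to authorized_keys:
# "<type> <base64 blob> [comment]". Use it to eyeball what was added.
check_pubkey_line() {
  printf '%s\n' "$1" |
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Uncomment (or rewrite) the ansible_ssh_private_key_file line in the
# inventory and point it at KEY. Idempotent. KEY must not contain | or &.
enable_key_in_inventory() {
  inventory="$1"; key="$2"
  sed -i.bak -E "s|^#?[[:space:]]*ansible_ssh_private_key_file=.*|ansible_ssh_private_key_file=$key|" "$inventory"
  rm -f "$inventory.bak"
}

# Key-only login test: BatchMode=yes makes ssh fail instead of prompting,
# so a silent fallback to password auth shows up as an error rather than
# as a prompt you might answer. Needs a reachable server, so not run offline.
# Usage: test_key_login USER HOST KEY [PORT]
test_key_login() {
  ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=10 \
      -i "$3" -p "${4:-22}" "$1@$2" true
}
```

Run `sshd_password_auth /etc/ssh/sshd_config` on the server before step 2 (it must say `yes` for `ssh-copy-id` to get in), then `test_key_login root SERVER_IP_ADDRESS ~/.ssh/id_ed25519` after it: a clean exit means the key works, and a `Permission denied` instead of a password prompt is precisely what BatchMode buys you. `enable_key_in_inventory justdeploy-ansible/inventory ~/.ssh/id_ed25519` does the uncommenting from step 4.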
What’s Next?
Now it's time to head to Step 2 and configure JustDeploy:
⚙️ Configure your server