Latest revision as of 19:42, 2 February 2026

Secure Server Operation

The following steps are recommended to secure your Eden server back-end under Debian/Linux.

Note: this configuration is standard on many clouds, e.g. AWS EC2, so you do not need to do this manually. Check with your cloud service provider for details.

Unprivileged Account

You should use an unprivileged user account for SSH login. To do so, login as root and create a new user, e.g. "serveradm":

adduser serveradm

Enter a password for the new account when prompted for, and provide additional information as required.

To permit the new user to sudo without password, edit the sudoers configuration file using the command visudo. Add the following lines at the end of the file:

# User rules for serveradm
serveradm ALL=(ALL) NOPASSWD:ALL

Login to the server using the new account and password, and verify that sudo is working as expected:

sudo su -

After that, you should be root.

Key-based Login

You should use RSA keys for SSH login instead of passwords. To do so, generate a key pair on your local machine:

ssh-keygen -t rsa -m PEM -b 4096 -f serveradm -C "serveradm"

Choose a passphrase for the private key when prompted (for purposes of script automation, e.g. edenctl, leave the passphrase empty).

Install the public key on the server:

cat serveradm.pub | ssh serveradm@[server-public-ip] "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

...replacing [server-public-ip] with the public IP address of the server. You will be prompted for the password of the serveradm user.

Next, login to the server using the newly installed key:

ssh -i serveradm serveradm@[server-public-up]

...to verify everything is working as expected.

You can repeat this process for a second key pair, as/if required, e.g. for a representative or as backup key. Make sure that all private keys are securely stored, and protected by passphrases.

Disable Root Login and Password Authentication

If you are not logged-in as serveradm yet, login now (using the private key):

ssh -i serveradm serveradm@[server-public-up]

Make yourself root:

sudo su -

...and edit the /etc/ssh/sshd_config file. Uncomment or add the following lines:

PermitRootLogin no
PasswordAuthentication no

After that, reload the sshd service:

systemctl reload sshd

Now, you can no longer SSH-login as root, but only as serveradm - and you must use a private key, as passwords will no longer be accepted.

@@ Line 1: / Line 1: @@
-== Secure Server Operation ==
+[[Guidelines:Deployment|All Deployment Guidelines]]
+= Secure Server Operation =
 The following steps are recommended to secure your Eden server back-end under Debian/Linux.
- Note: this configuration is standard on many clouds, e.g. AWS EC2, so you do not need to do this manually. Check with your cloud service provider for details.
+'''''Note:''' this configuration is standard on many clouds, e.g. AWS EC2, so you do not need to do this manually. Check with your cloud service provider for details.''
-=== Unprivileged Account ===
+== Unprivileged Account ==
 You should use an unprivileged user account for SSH login. To do so, login as root and create a new user, e.g. "serveradm":
@@ Line 30: / Line 32: @@
 After that, you should be ''root''.
-=== Key-based Login ===
+== Key-based Login ==
 You should use RSA keys for SSH login instead of passwords. To do so, generate a key pair on your local machine:
@@ Line 58: / Line 60: @@
 You can repeat this process for a second key pair, as/if required, e.g. for a representative or as backup key. Make sure that all private keys are securely stored, and protected by passphrases.
-=== Disable Root Login and Password Authentication ===
+== Disable Root Login and Password Authentication ==
 If you are not logged-in as ''serveradm'' yet, login now (using the private key):