Jump to content

Guidelines:SecureOperation

From Sahana Eden Wiki
Revision as of 16:27, 2 February 2026 by Dominic (talk | contribs) (Created page with "== Secure Server Operation == The following steps are recommended to secure your Eden server: === Unprivileged Account === You should use an unprivileged user account for SSH login. To do so, login as root and create a new user, e.g. "serveradmin": <code> adduser serveradmin </code> Enter a password for the new account when prompted for, and provide additional information as required. To permit the new user to <code>sudo</code> without password, edit the sudoers c...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Secure Server Operation

The following steps are recommended to secure your Eden server:

Unprivileged Account

You should use an unprivileged user account for SSH login. To do so, login as root and create a new user, e.g. "serveradmin":

adduser serveradmin

Enter a password for the new account when prompted for, and provide additional information as required.

To permit the new user to sudo without password, edit the sudoers configuration file using the command visudo. Add the following lines at the end of the file: 

# User rules for serveradmin
serveradmin ALL=(ALL) NOPASSWD:ALL

Login to the server using the new account and password, and verify that sudo is working as expected:

sudo su -

After that, you should be root.

Key-based Login

You should use RSA keys for SSH login instead of passwords. To do so, generate a key pair on your local machine:

ssh-keygen -t rsa -m PEM -b 4096 -f serveradmin -C "serveradmin"

Choose a passphrase for the private key when prompted (for purposes of script automation, e.g. edenctl, leave the passphrase empty).

Install the public key on the server:

cat serveradmin.pub | ssh serveradmin@[server-public-ip] "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

...replacing [server-public-ip] with the public IP address of the server. You will be prompted for the password of the serveradmin user.

Next, login to the server using the newly installed key:

ssh -i serveradmin serveradmin@[server-public-up]

...to verify everything is working as expected.

You can repeat this process for a second key pair, as/if required, e.g. for a representative or as backup key. Make sure that all private keys are securely stored, and protected by passphrases.

Disable Root Login and Password Authentication

If you are not logged-in as serveradmin yet, login now (using the private key):

ssh -i serveradmin serveradmin@[server-public-up]

Make yourself root:

sudo su -

...and edit the /etc/ssh/sshd_config file. Uncomment or add the following lines: 

PermitRootLogin no
PasswordAuthentication no

After that, reload the sshd service:

systemctl reload sshd

Now, you can no longer SSH-login as root, but only as serveradmin - and you must use a private key, as passwords will no longer be accepted.

Retrieved from "https://eden.sahanafoundation.org/index.php?title=Guidelines:SecureOperation&oldid=227"