Initial Setup - PageSpeedPlus/ubuntu GitHub Wiki

Creating a New User

Once you are logged in as root, you can add the new user account that you will use to log in from now on.

adduser ubuntu

Granting Administrative Privileges

As root, run this command to add your new user to the sudo group (substitute ubuntu with the name of your new user):

usermod -aG sudo ubuntu

Switching to the ubuntu User

su ubuntu

Obtaining Root Privileges

sudo -s

Now enter the password of the ubuntu user.

Disable your root account.

If for some reason you have enabled your root account and want to disable it again, use the following command in the terminal:

sudo passwd -dl root

Create the RSA Key Pair

The first step is to create a key pair on the client machine (usually your computer):

ssh-keygen -t ecdsa -b 521

CHOOSING AN ALGORITHM AND KEY SIZE

SSH supports several public key algorithms for authentication keys. These include:

rsa - an old algorithm based on the difficulty of factoring large numbers. A key size of at least 2048 bits is recommended for RSA; 4096 bits is better. RSA is getting old and significant advances are being made in factoring. Choosing a different algorithm may be advisable. It is quite possible the RSA algorithm will become practically breakable in the foreseeable future. All SSH clients support this algorithm.

dsa - an old US government Digital Signature Algorithm. It is based on the difficulty of computing discrete logarithms. A key size of 1024 would normally be used with it. DSA in its original form is no longer recommended.

ecdsa - a new Digital Signature Algorithm standardized by the US government, using elliptic curves. This is probably a good algorithm for current applications. Only three key sizes are supported: 256, 384, and 521 (sic!) bits. We would recommend always using it with 521 bits, since the keys are still small and probably more secure than the smaller keys (even though they should be safe as well). Most SSH clients now support this algorithm.

ed25519 - this is a new algorithm added in OpenSSH. Support for it in clients is not yet universal. Thus its use in general purpose applications may not yet be advisable.

The algorithm is selected using the -t option and key size using the -b option. The following commands illustrate:

ssh-keygen -b 4096
ssh-keygen -t dsa
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519
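
To check keys that are already installed against the guidance above, the listing printed by ssh-keygen -l can be classified by algorithm and size. This is an added example, not part of the original wiki: the function names audit_keys and count_weak and the sample listing are constructed, and the verdicts only restate the recommendations in this section.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not an OpenSSH tool).
# audit_keys reads `ssh-keygen -l` output on stdin, one key per line:
#   <bits> <hash>:<fingerprint> <comment...> (<TYPE>)
# and prints "<verdict> <TYPE> <bits> <fingerprint>" for each key.
audit_keys() {
    awk '
    NF >= 3 && $1 ~ /^[0-9]+$/ {
        bits = $1 + 0
        type = $NF                      # last field, e.g. "(RSA)"
        gsub(/[()]/, "", type)
        verdict = "UNKNOWN"
        if (type == "RSA") {
            if (bits >= 4096)      verdict = "OK"
            else if (bits >= 2048) verdict = "ACCEPTABLE"
            else                   verdict = "WEAK"
        } else if (type == "DSA") {
            verdict = "WEAK"            # no longer recommended
        } else if (type == "ECDSA") {
            verdict = (bits == 521) ? "OK" : "ACCEPTABLE"
        } else if (type == "ED25519") {
            verdict = "OK"              # caveat above is client support, not strength
        }
        print verdict, type, bits, $2
    }'
}

# count_weak: number of keys on stdin that should be replaced.
count_weak() {
    audit_keys | awk '$1 == "WEAK" { n++ } END { print n + 0 }'
}

# Constructed sample listing; the fingerprints are placeholders, not real keys.
sample_listing() {
    cat <<'EOF'
1024 SHA256:placeholder-1 old laptop (RSA)
2048 SHA256:placeholder-2 deploy@ci (RSA)
4096 SHA256:placeholder-3 admin (RSA)
1024 SHA256:placeholder-4 legacy (DSA)
256 SHA256:placeholder-5 phone (ECDSA)
521 SHA256:placeholder-6 ubuntu@workstation (ECDSA)
256 SHA256:placeholder-7 no comment (ED25519)
EOF
}

sample_listing | audit_keys
echo "keys to replace: $(sample_listing | count_weak)"
```

On a real host the input would come from ssh-keygen -l -f ~/.ssh/authorized_keys piped into audit_keys.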

Copying Public Key Using ssh-copy-id

ssh-copy-id username@remote_host

You may see the following message:

Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This means that your local computer does not recognize the remote host. This will happen the first time you connect to a new host. Type "yes" and press ENTER to continue.

Next, the utility will scan your local account for the id_rsa.pub key that we created earlier. When it finds the key, it will prompt you for the password of the remote user's account:

Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Type in the password (your typing will not be displayed for security purposes) and press ENTER. The utility will connect to the account on the remote host using the password you provided. It will then copy the contents of your ~/.ssh/id_rsa.pub key into a file in the remote account's home ~/.ssh directory called authorized_keys.

You should see the following output:

Output
Number of key(s) added: 1

Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

At this point, your id_rsa.pub key has been uploaded to the remote account. You can continue on to Step 3.

Automating Initial Server Setup with Ubuntu 18.04

Introduction

When you first create a new Ubuntu 18.04 server, there are a few configuration steps that you should take early on as part of the basic setup. This will increase the security and usability of your server and will give you a solid foundation for subsequent actions.

While you can complete these steps manually, sometimes it can be easier to script the processes to save time and eliminate human error. This guide explains how to use a script to automate the steps in the initial server setup guide.

What Does the Script Do?

This script is an alternative to manually running through the procedure outlined in the Ubuntu 18.04 initial server setup guide and the guide on setting up SSH keys on Ubuntu 18.04.

The following variables affect how the script is run:

USERNAME: The name of the regular user account to create and grant sudo privileges to.

COPY_AUTHORIZED_KEYS_FROM_ROOT: Whether to copy the SSH key assets from the root account to the new sudo account.

OTHER_PUBLIC_KEYS_TO_ADD: An array of strings representing other public keys to add to the sudo-enabled account. This can optionally be used in addition to or instead of copying the keys from the root account.

You should update these variables as needed before running the script.

When the script runs, the following actions are performed:

Create a regular user account with sudo privileges using the name specified by the USERNAME variable.

Configure the initial password state for the new account:

If the server was configured for password authentication, the original, generated administrative password is moved from the root account to the new sudo account. The password for the root account is then locked.
If the server was configured for SSH key authentication, a blank password is set for the sudo account.

The sudo user's password is marked as expired so that it must be changed upon first login.

The authorized_keys file from the root account is copied over to the sudo user if COPY_AUTHORIZED_KEYS_FROM_ROOT is set to true.

Any keys defined in OTHER_PUBLIC_KEYS_TO_ADD are added to the sudo user's authorized_keys file.

Password-based SSH authentication is disabled for the root user.

The UFW firewall is enabled with SSH connections permitted.

How To Use the Script

The script can be run in two ways: by adding it to the server's user data field during creation or by logging in as root and executing it after provisioning.

Running the Script After Provisioning

curl -L https://raw.githubusercontent.com/do-community/automated-setups/master/Ubuntu-18.04/initial_server_setup.sh -o /tmp/initial_setup.sh

Inspect the script to ensure that it downloaded properly and update any variables that you wish to change:

nano /tmp/initial_setup.sh

Once satisfied, run the script manually using bash:

bash /tmp/initial_setup.sh username

You should be able to log in using the sudo-enabled user to complete any further configuration.
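
Two of the actions listed under "What Does the Script Do?" can be confirmed after the run: that the root password is locked and that root can no longer log in over SSH with a password. The following is an added example, not part of the setup script or the original wiki. It assumes the SSH restriction is expressed through PermitRootLogin in sshd_config and that an absent directive means prohibit-password (the OpenSSH 7.0+ default); the function names and sample config are constructed.

```shell
#!/bin/sh
# Added verification helpers (hypothetical names, not part of the setup script).

# root_login_mode FILE: print the effective global PermitRootLogin value.
# sshd uses the first occurrence of a keyword, keywords are case-insensitive,
# and anything after a Match line is conditional, so parsing stops there.
root_login_mode() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
    END { if (!found) print "prohibit-password" }   # assumed default (OpenSSH 7.0+)
    ' "$1"
}

# root_password_ssh_disabled FILE: succeed if root cannot log in over SSH with a password.
root_password_ssh_disabled() {
    case "$(root_login_mode "$1")" in
        no|prohibit-password|without-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# account_locked LINE: succeed if a `passwd -S` status line shows a locked password.
account_locked() {
    [ "$(printf '%s\n' "$1" | awk '{ print $2 }')" = "L" ]
}

# Constructed sample: a commented line, the effective line, and a later
# duplicate that sshd ignores because the first occurrence wins.
demo_config() {
    cat <<'EOF'
#PermitRootLogin yes
PermitRootLogin prohibit-password
PasswordAuthentication yes
PermitRootLogin yes
EOF
}

tmp=$(mktemp) && demo_config > "$tmp"
echo "PermitRootLogin (effective): $(root_login_mode "$tmp")"
root_password_ssh_disabled "$tmp" && echo "root password login over SSH: disabled"
account_locked "root L 07/01/2018 0 99999 7 -1" && echo "root password: locked"
rm -f "$tmp"
```

On the server itself, pass /etc/ssh/sshd_config and the output of sudo passwd -S root; sudo sshd -T prints the configuration sshd actually resolves and is the authoritative cross-check.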

The Script Contents

You can find the initial server setup script in the automated-setups repository in the DigitalOcean Community GitHub organization. To copy or download the script contents directly, click the Raw button towards the top of the script, or click here to view the raw contents directly.