@tigarcia
Last active September 6, 2023 16:50
A walkthrough of an ssh configuration that disables password login and root login for operators of Solana Validators

Step 1: Create sol User With SSH Access

Assuming you are logged into the remote machine as a user with sudo privileges

  • sudo useradd -m -s /bin/bash sol
  • sudo usermod -aG sudo sol
  • sudo passwd sol

The -m flag creates /home/sol (on Debian/Ubuntu, useradd alone creates no home directory and assigns /bin/sh), and -s /bin/bash gives the user a login shell. The password is needed only so that sol can authenticate to sudo; SSH password login is disabled in step 2.

Next verify that the sol user has sudo privileges by switching to that user and running a command only root can run:

  • su - sol
  • sudo ls /root/

Create an ssh keypair on your local machine (not on the remote server)

  • ssh-keygen -t ed25519

Copy the contents of $HOME/.ssh/id_ed25519.pub (the public key: a single line beginning with ssh-ed25519), then ssh to the remote machine as your existing sudo user and switch to sol

  • su - sol
  • mkdir -m 700 ~/.ssh
  • touch ~/.ssh/authorized_keys
  • chmod 600 ~/.ssh/authorized_keys
  • Paste the contents of $HOME/.ssh/id_ed25519.pub into ~/.ssh/authorized_keys on the remote machine, one key per line

The .ssh directory and authorized_keys file must be owned by sol and writable only by sol; with the default StrictModes yes, sshd silently ignores an authorized_keys file that fails this check.

Now verify that you can ssh to the remote machine using the sol user

  • ssh sol@remote-host

SSH Troubleshooting

Verify that you have the correct public key in /home/sol/.ssh/authorized_keys

If you have multiple keys on your local machine, you may have to specify the private key to use (the -i argument is the private key, not the .pub file):

  • ssh -i $HOME/.ssh/id_ed25519 sol@remote-host

To see which keys the client offers and why the server rejects them, add -v:

  • ssh -v sol@remote-host

Your local .ssh/config may be causing issues. To use ssh without the config, do the following:

  • ssh -F /dev/null sol@remote-host
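The whole of step 1 as one script, added here as an example and not part of the gist: it creates the user with a home directory and login shell, validates the pasted key line before trusting it, and installs the key with the ownership and modes sshd's StrictModes requires. The script name create_sol_user.sh and the SOL_USER variable are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original gist): provision the sol user and install an
# ed25519 public key as step 1 describes, with the checks an operator would want.
# Run as root on the remote host:
#   sudo sh create_sol_user.sh 'ssh-ed25519 AAAA... comment'
# SOL_USER and the script name are assumptions for this example.
set -eu

SOL_USER="${SOL_USER:-sol}"

# Accept only a well-formed OpenSSH ed25519 public key line:
#   ssh-ed25519 <base64 blob> [comment]
# The blob is always 51 bytes (two length-prefixed strings: "ssh-ed25519" and the
# 32-byte key), which is exactly 68 base64 characters with no '=' padding.
validate_pubkey() {
    keytype="${1%% *}"
    blob="$(printf '%s\n' "$1" | awk '{print $2}')"
    [ "$keytype" = "ssh-ed25519" ] || return 1
    [ "${#blob}" -eq 68 ] || return 1
    printf '%s' "$blob" | grep -Eq '^[A-Za-z0-9+/]+$' || return 1
    return 0
}

# useradd alone creates neither a home directory nor a bash login shell on Debian/Ubuntu,
# so "su - sol" and the later "mkdir ~/.ssh" would fail. The password is only for sudo;
# SSH password login is turned off in step 2.
provision_user() {
    if ! id -u "$SOL_USER" >/dev/null 2>&1; then
        useradd -m -s /bin/bash "$SOL_USER"
    fi
    usermod -aG sudo "$SOL_USER"
    echo "Set a password for $SOL_USER (used for sudo only, not for SSH):"
    passwd "$SOL_USER"
}

# Install the key with ownership and modes that sshd's StrictModes accepts
# (directory 700, file 600, both owned by the user). Appends only if the key is new.
install_pubkey() {
    home_dir="$(getent passwd "$SOL_USER" | cut -d: -f6)"
    install -d -m 700 -o "$SOL_USER" -g "$SOL_USER" "$home_dir/.ssh"
    auth_keys="$home_dir/.ssh/authorized_keys"
    [ -f "$auth_keys" ] || : > "$auth_keys"
    chown "$SOL_USER:$SOL_USER" "$auth_keys"
    chmod 600 "$auth_keys"
    grep -qxF "$1" "$auth_keys" || printf '%s\n' "$1" >> "$auth_keys"
}

main() {
    pubkey="${1:?usage: $0 '<contents of id_ed25519.pub>'}"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    validate_pubkey "$pubkey" || { echo "not a valid ssh-ed25519 public key line" >&2; exit 1; }
    provision_user
    install_pubkey "$pubkey"
    echo "Now test from your laptop: ssh $SOL_USER@remote-host"
}

# Only act when a key is passed on the command line; sourcing the file just defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The key check is deliberately structural (type, blob length, base64 alphabet) so it needs no ssh-keygen on the host; it rejects an RSA key or a line truncated while pasting, which are the two mistakes that otherwise only show up as "Permission denied (publickey)" later.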

Step 2: Disabling root/password SSH Access

WARNING These changes could disable remote access if done incorrectly. Be sure that the sol user can log in remotely before proceeding, and keep your current session open while you test from a second terminal: a reload of sshd does not drop established connections, so you can still undo a mistake.

Edit /etc/ssh/sshd_config or add /etc/ssh/sshd_config.d/disable_root.conf. In order for the disable_root.conf file to work, you must have a line in /etc/ssh/sshd_config that includes the directory. It may look like this: Include /etc/ssh/sshd_config.d/*.conf (recent Debian/Ubuntu releases ship it at the top of the file). Two things to know about how sshd merges these files: it keeps the first value it reads for each keyword, so the Include line must come before any conflicting directive in sshd_config; and included files are read in name order, so a drop-in that sorts earlier (Ubuntu cloud images ship 50-cloud-init.conf containing PasswordAuthentication yes) wins over disable_root.conf. Always confirm the merged result with sudo sshd -T | grep -iE 'passwordauthentication|permitrootlogin' rather than trusting the file you wrote.

In either file, add the following lines:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no

ChallengeResponseAuthentication is the older name for KbdInteractiveAuthentication (OpenSSH 8.7 and later); sshd accepts either. Be aware that UsePAM no also stops sshd from running PAM account and session modules for SSH logins, including pam_limits, so resource limits from /etc/security/limits.conf (such as the open-file limit a validator needs) will not apply to interactive SSH sessions. If you rely on those, keep UsePAM yes: with PasswordAuthentication no and ChallengeResponseAuthentication no, PAM can no longer be used to log in with a password anyway.

Check the syntax with sudo sshd -t (a non-zero exit means do not reload), then reload the ssh daemon. On Fedora/RHEL-family systems the unit is called sshd rather than ssh.

sudo systemctl reload ssh

Lastly, install fail2ban to mitigate repeated malicious login attempts. On Debian/Ubuntu the package enables its sshd jail by default; confirm with sudo fail2ban-client status sshd.

sudo apt update
sudo apt install fail2ban
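Step 2 end to end, as an added example that is not part of the gist: it writes the drop-in, refuses to reload unless sshd -t passes, and checks the output of sshd -T (the configuration sshd will actually use after Include processing) for the expected values, which catches a drop-in that sorts earlier and overrides yours. The DROPIN variable, the apply argument and the /usr/sbin/sshd path are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original gist): write the step 2 drop-in, then verify the
# configuration sshd will actually use before reloading. Run as root on the remote host
# with "apply" as the only argument. DROPIN is an assumption for this example.
set -eu

DROPIN="${DROPIN:-/etc/ssh/sshd_config.d/disable_root.conf}"

# The four directives from step 2. ChallengeResponseAuthentication is the older name of
# KbdInteractiveAuthentication (OpenSSH 8.7+); sshd still accepts both.
write_dropin() {
    cat > "$1" <<'EOF'
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no
EOF
}

# True if the effective-config dump in $1 contains the line $2 (case-insensitive, whole line).
has_setting() {
    printf '%s\n' "$1" | grep -qix "$2"
}

# Read `sshd -T` output on stdin and succeed only when every hardening setting is in
# effect. sshd keeps the FIRST value it reads for a keyword and reads drop-ins in name
# order, so a file that sorts earlier (Ubuntu cloud images ship 50-cloud-init.conf with
# "PasswordAuthentication yes") silently beats disable_root.conf. The dump is the truth.
check_effective() {
    cfg="$(cat)"
    has_setting "$cfg" 'passwordauthentication no' \
        || { echo "password authentication is still enabled" >&2; return 1; }
    has_setting "$cfg" 'permitrootlogin no' \
        || { echo "root login is still permitted" >&2; return 1; }
    # The keyword name in the dump depends on the OpenSSH release.
    has_setting "$cfg" 'kbdinteractiveauthentication no' \
        || has_setting "$cfg" 'challengeresponseauthentication no' \
        || { echo "keyboard-interactive authentication is still enabled" >&2; return 1; }
    return 0
}

apply() {
    grep -qE '^Include +/etc/ssh/sshd_config\.d/\*\.conf' /etc/ssh/sshd_config \
        || { echo "sshd_config lacks 'Include /etc/ssh/sshd_config.d/*.conf'; add it near the top" >&2; exit 1; }
    write_dropin "$DROPIN"
    /usr/sbin/sshd -t                      # syntax check: a non-zero exit aborts before reload (set -e)
    /usr/sbin/sshd -T | check_effective    # semantic check of the merged configuration
    systemctl reload ssh                   # the unit is named sshd on Fedora/RHEL-family systems
    echo "reloaded; keep this session open and test ssh sol@remote-host from a second terminal"
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Because set -e is on, a failing sshd -t or a failing check_effective stops the script before systemctl reload runs, so a bad drop-in never reaches the live daemon; the listener keeps the previous configuration and your existing session is unaffected either way.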

Step 3: Verify SSH Access

Remote root access should now be disabled, and no user should ever be prompted for a password

  • ssh root@remote-host should fail with Permission denied (publickey) without a password prompt

Remote sol user access should succeed

  • ssh sol@remote-host

Check access logs using journalctl (use -u sshd where that is the unit name)

journalctl -u ssh --since -1h
journalctl -u ssh --since -2d
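An added example, not from the gist, that turns the journalctl output into a quick audit: it counts accepted and failed authentications and exits non-zero if a password login or a root login was accepted, which after step 2 should never happen. The script name, the run/demo arguments and the sample log lines (constructed, using documentation IP ranges) are assumptions; the message formats are the ones OpenSSH emits.

```shell
#!/bin/sh
# Added example (not from the original gist): summarise sshd authentication events from
# the journal and flag anything step 2 should have made impossible. Usage on the host:
#   journalctl -u ssh --since -1h | sh audit_sshd_log.sh run
# The script name and the sample lines below are assumptions/constructed for this example.
set -eu

# Reads sshd log lines on stdin, prints one summary line, and exits non-zero if a
# password login or any root login was accepted. Message formats are OpenSSH's:
# "Accepted <method> for <user> from <ip> port <n> ...", "Failed <method> for ...",
# "Invalid user <name> from ...", and the "[preauth]" disconnects you see once
# password authentication is off and bots give up after being offered publickey only.
audit_sshd_log() {
    awk '
        /sshd\[[0-9]+\]: Accepted publickey for /  { pubkey++ }
        /sshd\[[0-9]+\]: Accepted password for /   { pw++;   print "ALERT: password login accepted (is PasswordAuthentication really off?): " $0 }
        /sshd\[[0-9]+\]: Accepted .* for root from/ { root++; print "ALERT: root login accepted (is PermitRootLogin really off?): " $0 }
        /sshd\[[0-9]+\]: (Failed |Invalid user |Connection closed by authenticating user |Disconnected from authenticating user )/ { failed++ }
        END {
            printf "accepted publickey: %d, accepted password: %d, accepted root: %d, failed/preauth: %d\n", pubkey, pw, root, failed
            exit ((pw + root) > 0 ? 1 : 0)
        }'
}

case "${1:-}" in
    run)
        # Production use: journal lines arrive on stdin.
        audit_sshd_log
        ;;
    demo)
        # Offline run on constructed sample lines (not real validator logs).
        printf '%s\n' \
            'Sep  6 16:50:01 validator sshd[1234]: Accepted publickey for sol from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:constructed' \
            'Sep  6 16:50:10 validator sshd[1240]: Connection closed by authenticating user root 198.51.100.7 port 40002 [preauth]' \
            'Sep  6 16:51:00 validator sshd[1250]: Invalid user admin from 198.51.100.7 port 40010' \
            | audit_sshd_log
        ;;
esac
```

The failed/preauth count is what fail2ban acts on; a steadily climbing number with zero accepted password logins is the expected picture for an internet-facing validator, while any ALERT line means the step 2 configuration is not actually in effect and sshd -T should be checked again.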