freedombone/doc/EN/security.org

#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombone, security, ssh, debian, beaglebone
#+DESCRIPTION: Improving security
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />

#+BEGIN_CENTER
[[file:images/logo.png]]
#+END_CENTER

* Authentication with keys
It's a lot more secure to log in to the Freedombone system using ssh keys rather than with a password. You can set that up by first running:

#+begin_src bash
freedombone-client
#+end_src

On your local system (i.e. whatever you're logging in to the Freedombone system from, typically a laptop). Then:

#+begin_src
ssh myusername@freedombone.local -p 2222
#+end_src

Select *Administrator controls* and re-enter your password, then *Manage Users* and *Change user ssh public key*. Copy and paste the ssh public keys which appeared after the *freedombone-client* command was run. Then go to *Security settings* and select *Allow ssh login with passwords* followed by *no*.

You'll need to make sure that you have a copy of the ~/.ssh directory on your local system. You could just copy that directory to a USB drive and then keep that somewhere safe so that you can restore the keys if you need to.
* Administrating the system via an onion address (Tor)
You can also access your system via the Tor system using an onion address. To find out what the onion address for ssh access is you can do the following:

#+BEGIN_SRC bash
ssh username@freedombone.local -p 2222
#+END_SRC

Select /Administrator controls/ then select "About this system" and look for the onion address for ssh. You can then close the terminal and open another, then do the following on your local system:

#+BEGIN_SRC bash
freedombone-client
#+END_SRC

This will set up your ssh environment to be able to handle onion addresses. Then you can test ssh with:

#+BEGIN_SRC bash
ssh username@address.onion -p 2222
#+END_SRC

Subsequently even if dynamic DNS isn't working you may still be able to administer your system. Using the onion address also gives you some degree of protection against corporate or government metadata analysis, since it becomes more difficult to passively detect which systems are communicating.
Update documentation 2018-03-12 00:27:02 +01:00			`#+TITLE:`
			`#+AUTHOR: Bob Mottram`
			`#+EMAIL: bob@freedombone.net`
			`#+KEYWORDS: freedombone, security, ssh, debian, beaglebone`
			`#+DESCRIPTION: Improving security`
			`#+OPTIONS: ^:nil toc:nil`
			`#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />`

			`#+BEGIN_CENTER`
			`[[file:images/logo.png]]`
			`#+END_CENTER`

			`* Authentication with keys`
			`It's a lot more secure to log in to the Freedombone system using ssh keys rather than with a password. You can set that up by first running:`

			`#+begin_src bash`
			`freedombone-client`
			`#+end_src`

			`On your local system (i.e. whatever you're logging in to the Freedombone system from, typically a laptop). Then:`

			`#+begin_src`
			`ssh myusername@freedombone.local -p 2222`
			`#+end_src`

			`Select Administrator controls and re-enter your password, then Manage Users and Change user ssh public key. Copy and paste the ssh public keys which appeared after the freedombone-client command was run. Then go to Security settings and select Allow ssh login with passwords followed by no.`

			`You'll need to make sure that you have a copy of the ~/.ssh directory on your local system. You could just copy that directory to a USB drive and then keep that somewhere safe so that you can restore the keys if you need to.`
			`* Administrating the system via an onion address (Tor)`
			`You can also access your system via the Tor system using an onion address. To find out what the onion address for ssh access is you can do the following:`

			`#+BEGIN_SRC bash`
			`ssh username@freedombone.local -p 2222`
			`#+END_SRC`

			`Select /Administrator controls/ then select "About this system" and look for the onion address for ssh. You can then close the terminal and open another, then do the following on your local system:`

			`#+BEGIN_SRC bash`
			`freedombone-client`
			`#+END_SRC`

			`This will set up your ssh environment to be able to handle onion addresses. Then you can test ssh with:`

			`#+BEGIN_SRC bash`
			`ssh username@address.onion -p 2222`
			`#+END_SRC`

			`Subsequently even if dynamic DNS isn't working you may still be able to administer your system. Using the onion address also gives you some degree of protection against corporate or government metadata analysis, since it becomes more difficult to passively detect which systems are communicating.`