freedombone/doc/EN/security.org

49 lines
2.2 KiB
Org Mode

#+TITLE:
#+AUTHOR: Bob Mottram
#+EMAIL: bob@freedombone.net
#+KEYWORDS: freedombone, security, ssh, debian, beaglebone
#+DESCRIPTION: Improving security
#+OPTIONS: ^:nil toc:nil
#+HTML_HEAD: <link rel="stylesheet" type="text/css" href="freedombone.css" />
#+BEGIN_CENTER
[[file:images/logo.png]]
#+END_CENTER
* Authentication with keys
It's a lot more secure to log in to the Freedombone system using ssh keys rather than with a password. You can set that up by first running:
#+begin_src bash
freedombone-client
#+end_src
On your local system (i.e. whatever you're logging in to the Freedombone system from, typically a laptop). Then:
#+begin_src
ssh myusername@freedombone.local -p 2222
#+end_src
Select *Administrator controls* and re-enter your password, then *Manage Users* and *Change user ssh public key*. Copy and paste the ssh public keys which appeared after the *freedombone-client* command was run. Then go to *Security settings* and select *Allow ssh login with passwords* followed by *no*.
You'll need to make sure that you have a copy of the ~/.ssh directory on your local system. You could just copy that directory to a USB drive and then keep that somewhere safe so that you can restore the keys if you need to.
* Administrating the system via an onion address (Tor)
You can also access your system via the Tor system using an onion address. To find out what the onion address for ssh access is you can do the following:
#+BEGIN_SRC bash
ssh username@freedombone.local -p 2222
#+END_SRC
Select /Administrator controls/ then select "About this system" and look for the onion address for ssh. You can then close the terminal and open another, then do the following on your local system:
#+BEGIN_SRC bash
freedombone-client
#+END_SRC
This will set up your ssh environment to be able to handle onion addresses. Then you can test ssh with:
#+BEGIN_SRC bash
ssh username@address.onion -p 2222
#+END_SRC
Subsequently even if dynamic DNS isn't working you may still be able to administer your system. Using the onion address also gives you some degree of protection against corporate or government metadata analysis, since it becomes more difficult to passively detect which systems are communicating.