Showing posts with label ssh. Show all posts

Wednesday, June 24, 2020

SSH public/private key

Think of the private key as the key in your hand and the public key as the lock on the door: the lock can be shown to anyone, the key never leaves you.

Generating Keypair:

ssh-keygen -t rsa -b 4096 -f ~/.ssh/github1 -C "my@mail.com"
-t: key algorithm (rsa here; ed25519 is the modern choice and takes no -b)
-b: key size in bits (4096 here; ssh-keygen's RSA default is 2048 or 3072 depending on version)
-C: comment, stored in the public key so you can tell keys apart later
-f: output file; the private key goes to ~/.ssh/github1 and the public key to ~/.ssh/github1.pub

Upload the key to your server

Once a key pair exists, the ssh-copy-id command installs the public key as an authorized key on the server.
First make sure the login user's ~/.ssh exists and is owned by that user and nobody else (sshd ignores an authorized_keys file whose directory is writable by anyone but the owner). The chown below uses fresh:users; substitute the account that will actually log in.
 mg@node2:~$ sudo mkdir -p /home/user1/.ssh
 mg@node2:~$ sudo chown fresh:users -R /home/user1/.ssh/
 mg@node2:~$ sudo chmod -R 700 /home/user1/.ssh/
 mg@node2:~$ ls -al /home/user1
(Leave PasswordAuthentication enabled in /etc/ssh/sshd_config for now: ssh-copy-id needs a password login to get in, and password authentication is switched off in the step below, after the key has been tested.)
From the client (git-bash on Windows):

$ ssh-copy-id -i /c/Users/Rita/On...ve/P...ming/SSH/xkeyx.pub user1@113.15.51.51
(enter the password if prompted.) On success ssh-copy-id reports the number of keys added; open a second terminal and confirm that a key login works before going on.

Disable password authentication in /etc/ssh/sshd_config (keep your current session open until a key login in another terminal has succeeded, or you can lock yourself out):
sudo vi /etc/ssh/sshd_config
      -> PasswordAuthentication no
sudo service sshd restart
[
(ssh-copy-id for another user: https://measure9.varkel.net/2017/09/ssh-copy-id-key-to-other-user-than-yourself/)
cat ~/.ssh/node2.pub | ssh -i ~/.ssh/node2 mg@192.168.10.115 sudo tee -a /home/life110volts/.ssh/authorized_keys
(or from a Windows PC; note that scp onto authorized_keys replaces the whole file, so any keys already authorized there are lost, unlike the tee -a append above)
scp C:\Users\MyUserName\.ssh/id_rsa.pub example_user@203.0.113.100:~/.ssh/authorized_keys
]

SSH activities

Adding a private key to the SSH agent:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/github1
passcode: d******3
To list the keys the agent holds, and the key files on disk:
$ ssh-add -l
$ ls -l ~/.ssh
To remove a key from the ssh-agent:
$ ssh-add -d /home/user/.ssh/id_rsa
(To remove all)
$ ssh-add -D
Keeping the private keys secure is important. Anyone who can reach the agent socket can sign with every loaded key, so terminate the agent when it is no longer needed (or lock it with ssh-add -x):
$ eval $(ssh-agent -s -k)
Copy the public key to the clipboard to paste into GitHub or Bitbucket (the .pub file only, never the private key):
macOS: pbcopy < ~/.ssh/id_rsa.pub
Windows: clip < ~/.ssh/id_rsa.pub
Test the login through the agent (-T requests no terminal; GitHub and Bitbucket refuse a shell anyway and just print a greeting with your account name):
ssh -T git@github.com
ssh -T hg@bitbucket.org
Or log in directly with one key file, without the agent:
ssh -T -i ~/.ssh/github1 hg@bitbucket.org
ssh -T -i ~/.ssh/github1 git@github.com
Log in over SSH and deploy to a GoDaddy host:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/gokkdy
ssh -i ~/.ssh/godkkdy bangkkking@107.1k.k0.1k
Once connected to the GoDaddy host (the agent started here is a second agent on that host, using a Bitbucket private key kept there; agent forwarding with ssh -A from the desktop would avoid storing a private key on the shared host, at the price that root on that host can use the forwarded agent while you are connected):
cd /home/bsdfsdfng/#mydomains/dudfhool.com
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/cmdfinc.com
ssh -T -i ~/.ssh/cmarinc.com hg@bitbucket.org
git pull upstream master

Saturday, January 5, 2019

Securing your SSH Server

First, check that you can log in with the private key. If you can, it is time to secure your SSH server.

(Copy the public key to the server and append it to ~/.ssh/authorized_keys there, then test a key login. scp needs the trailing colon: without it the command just writes a local file named user@yourserver.com.)
# scp ~/.ssh/id_rsa.pub user@yourserver.com:

# ee /etc/ssh/sshd_config

To disable password authentication, change these lines (the commented form is how they appear in the shipped file):
#ChallengeResponseAuthentication yes
#PasswordAuthentication no
#UsePAM no

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

(From OpenSSH 8.7 on, ChallengeResponseAuthentication is an alias of KbdInteractiveAuthentication; either spelling works. sshd uses the first value it finds for a keyword, so edit the existing line rather than adding a second one further down, where it would be ignored. PermitRootLogin no belongs in the same edit, since root should never log in over SSH.)

Restart the SSH daemon and fingers crossed (keep this session open, and let sshd -t confirm the file parses before you restart).
# service sshd restart

Check again, if you can manage to log in with the private key.
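The audit below is an added example and not the post's own code. It checks a copy of sshd_config for the settings this post and the June 2020 post change (password and keyboard-interactive authentication off, public-key authentication on, and PermitRootLogin no, following the later post's rule that root never logs in over SSH), applying sshd's own first-value-wins rule so that a "no" added below an earlier "yes" is correctly reported as ineffective. It assumes only POSIX sh and awk; the file path is whatever you pass in, and the configs in the demo are constructed. Run it before service sshd restart, next to sshd -t for a syntax check, and compare with sshd -T on the live host, which prints the daemon's effective values.

```shell
#!/bin/sh
# Added example (not from the original posts): audit an sshd_config for the
# settings the posts change. sshd uses the FIRST active value it sees for a
# keyword, so a "PasswordAuthentication no" appended at the bottom is
# silently overridden by an earlier "PasswordAuthentication yes"; this audit
# reproduces that rule. Keywords are case-insensitive. Settings inside a
# Match block apply only to matching connections, so reading stops there.
# On a live host prefer the daemon's own view: sshd -T | grep -i passwordauth
set -eu

# effective_value FILE KEYWORD -> first active value, or "" if unset
effective_value() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }      # comment or blank line
        tolower($1) == "match"     { exit }      # global section ends here
        tolower($1) == kw          { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line on stdout, exit 1 if any
audit_sshd_config() {
    cfg=$1
    findings=0
    # keyword|required value|sshd default when the keyword is unset
    for rule in \
        'PasswordAuthentication|no|yes' \
        'PermitRootLogin|no|prohibit-password' \
        'PubkeyAuthentication|yes|yes' \
        'KbdInteractiveAuthentication|no|yes'
    do
        kw=${rule%%|*}; rest=${rule#*|}
        want=${rest%%|*}; default=${rest#*|}
        got=$(effective_value "$cfg" "$kw")
        # ChallengeResponseAuthentication is the pre-8.7 spelling; accept it.
        if [ "$kw" = KbdInteractiveAuthentication ] && [ -z "$got" ]; then
            got=$(effective_value "$cfg" ChallengeResponseAuthentication)
        fi
        [ -n "$got" ] || got="$default (unset, default)"
        case $got in
            "$want"|"$want "*) ;;
            *) echo "$kw: want '$want', effective '$got'"
               findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Demo on a constructed config with the classic mistake: the "no" at the
# bottom never takes effect because the earlier "yes" wins.
demo_cfg=$(mktemp)
printf '%s\n' 'PasswordAuthentication yes' \
              '# added later, too far down to matter:' \
              'PasswordAuthentication no' > "$demo_cfg"
audit_sshd_config "$demo_cfg" || echo "host still accepts passwords; fix and re-run"
```

The same check is worth running again after the restart through sshd -T, since that reports what the running daemon actually applies, including any included files.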


If you don't plan to use SFTP/SCP to transfer files, disable the SFTP subsystem by commenting out the line that starts with Subsystem sftp (put a # in front of it). Note that this only blocks the SFTP protocol: the scp of OpenSSH releases before 9.0 runs a remote scp command over a plain exec channel and is not affected, so anyone with a shell can still copy files that way.

Don't forget: set up port forwarding on your router to port 22.
Funny mistake: to test a login against the public IP you need to be outside your own network!
Link: How to secure your (SSH) server

Wednesday, December 26, 2018

Nginx on FreeBSD: 1 - Installation / Uninstall

Installation:
# pkg install nginx
To check which shell you are using (the redirect syntax further down depends on it):
# echo $SHELL

Enable the Nginx service
rc is the FreeBSD facility that controls the system's automatic boot processes. Scripts for every service available on the system are located in /usr/local/etc/rc.d (ports and packages) and /etc/rc.d (base system). Each script names the rc.conf variable that enables it in its rcvar variable:
# grep rcvar /usr/local/etc/rc.d/*


After Nginx has been installed, this command outputs a listing similar to this:
Output
/usr/local/etc/rc.d/cloudconfig:rcvar="cloudinit_enable"
/usr/local/etc/rc.d/cloudinitlocal:rcvar="cloudinit_enable"
/usr/local/etc/rc.d/nginx:rcvar=nginx_enable
/usr/local/etc/rc.d/rsyncd:rcvar=rsyncd_enable
The parameter you need to set for the nginx service is nginx_enable. The name of the script itself, the last component of the path before the colon, is also worth knowing, as that is the name FreeBSD uses to refer to the service (service nginx start).
To enable the nginx service you must add its rcvar to /etc/rc.conf, which holds the global system configuration read by the startup scripts. Open /etc/rc.conf with root privileges in your preferred editor; here, ee:
# sudo ee /etc/rc.conf
/etc/rc.conf
. . .
sshd_enable="YES"
nginx_enable="YES"

IPFW is a stateful firewall that ships with FreeBSD.

Directly below the nginx_enable line you just added, add the following lines (firewall_myservices lists the ports reachable from outside and firewall_allowservices="any" lets any source address reach them; the workstation ruleset drops every other inbound connection):
/etc/rc.conf
. . .
nginx_enable="YES"
firewall_enable="YES"
firewall_type="workstation"
firewall_myservices="22/tcp 80/tcp"
firewall_allowservices="any"
Starting the firewall for the first time from an SSH session can drop that session while the rules load, which would kill the start script halfway; run it under nohup with its output redirected (csh/tcsh syntax, the FreeBSD default shell):
# nohup service ipfw start >&/tmp/ipfw.log

Stop, start and restart the ipfw service.
# sudo service ipfw stop
# sudo service ipfw start
# sudo service ipfw restart

Start the Nginx service:
# service nginx start
Check it from the LAN:
http://192.168.10.114/
or, to see the public IP address the server is reachable on:
# curl -4 icanhazip.com

Setting up a server block using a domain name:

Stop Nginx:
# service nginx stop

Uninstall Nginx:
From a source install (removes the binary and the site data):
# rm -f -R /usr/local/nginx && rm -f /usr/local/sbin/nginx
# rm -rf /var/www
From ports:
# service nginx stop
# cd /usr/ports/www/nginx && make deinstall
(For a pkg install, remove the package with pkg delete instead.) Either way, stop it from starting at boot:
# sysrc nginx_enable=no
Check the listening ports afterwards:
# sockstat -4 -l
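The script below is an added example, not the post's own code: it cross-checks what is actually listening on the host (the sockstat -4 -l output from the post) against the ports opened in rc.conf's firewall_myservices. With firewall_type="workstation" anything outside firewall_myservices is blocked from outside, but a daemon listening unexpectedly is still worth knowing about, and a service listed in firewall_myservices with nothing behind it is a hole kept open for no reason. It assumes only POSIX sh, awk, sort and grep; the sockstat sample embedded in it is constructed, not captured from a real host, and on a real host you would feed it sockstat -4 -l > /tmp/listen.txt.

```shell
#!/bin/sh
# Added example (not from the original post): compare listening sockets
# (sockstat -4 -l output) with rc.conf's firewall_myservices.
# Usage: unexpected_listeners SOCKSTAT_OUTPUT_FILE "22/tcp 80/tcp"
#        dead_rules           SOCKSTAT_OUTPUT_FILE "22/tcp 80/tcp"
set -eu

# Print "port/proto" for every listening IPv4 socket, one per line, sorted.
# Loopback-only sockets are reported too: not reachable from outside, but
# still a service you may not have meant to run.
listening_services() {
    awk 'NR > 1 && $6 ~ /:[0-9]+$/ {
            proto = $5; sub(/4$/, "", proto)       # tcp4 -> tcp, udp4 -> udp
            n = split($6, a, ":"); print a[n] "/" proto
         }' "$1" | sort -u
}

# Listening services that firewall_myservices does not mention.
unexpected_listeners() {
    listening_services "$1" | while read -r svc; do
        case " $2 " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# firewall_myservices entries with nothing listening behind them.
dead_rules() {
    for svc in $2; do
        listening_services "$1" | grep -qx "$svc" || echo "$svc"
    done
}

# Constructed sample of `sockstat -4 -l` output (not from a real host).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
www      nginx      771   6  tcp4   *:80                  *:*
www      nginx      771   7  tcp4   *:443                 *:*
root     syslogd    455   7  udp4   *:514                 *:*
mysql    mysqld     820   20 tcp4   127.0.0.1:3306        *:*'

sample_file=$(mktemp)
printf '%s\n' "$SAMPLE" > "$sample_file"
echo "listening but not in firewall_myservices (22/tcp 80/tcp):"
unexpected_listeners "$sample_file" "22/tcp 80/tcp"
echo "firewall_myservices entries with no listener:"
dead_rules "$sample_file" "22/tcp 80/tcp 8080/tcp"
```

The two lists answer different questions: the first is what to shut down or consciously add to firewall_myservices (443/tcp for HTTPS, for instance), the second is what to remove from rc.conf so the firewall only opens what the host really serves.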




Thursday, December 20, 2018

Set up an SSH server with the key! freeBSD

As a basic mental model, you may consider the public key as the lock and the private key as its key.

"A word of caution – the root account should NEVER have SSH access. If somehow someone breaks into the SSH server they would have administrative access. Administrative access can always be obtained by using su and entering the root password – which should be different from the user’s password!"

FreeBSD has an SSH server and client out of the box, it just needs to be enabled.
You need ssh public/private key first, so let's make it.

Initial login with no key pair (default):
# ssh junayed@192.168.10.114 (my ssh server LAN IP)

links: https://man.openbsd.org/ssh-keygen.1,
Generating a new SSH key and adding it to the ssh-agent
Configuring sshd

Create a key pair on your desktop (preferred) or directly on the server (not as the root account):
# ssh-keygen -t rsa -b 4096 -C "y@ex.com"
# ssh-keygen -t ecdsa -b 521 -C "y@ex.com" -f ~/.ssh/freeBSD -N abc123

here,
[-C comment]
[-t dsa | ecdsa | ed25519 | rsa]  (ed25519 is the current recommendation; dsa is obsolete)
[-b bits]  4096 for rsa; for ecdsa only 256, 384 or 521 are valid (ssh-keygen rejects 4096), and ed25519 has a fixed size
[-f output_keyfile]
[-N new_passphrase]  given on the command line it ends up in shell history and in ps output; omit -N to be prompted instead

Sample server credentials,
port: 22
Server name: mg1149
key file: -f freeBSD, passphrase: -N xyz987

AUTHORIZED KEY:
An authorized key in SSH is a public key used for granting login access to users. The authentication mechanism is called public key authentication.
Authorized keys are configured separately for each user - usually in the .ssh/authorized_keys file in the user's home directory. However, the location of the keys can be configured in SSH server configuration files and is often changed to a root-owned location in more secure environments.

Typically provisioning an authorized key involves generating a key pair, installing the public key as an authorized key, and using the private key as an identity key.

The first command below adds your desktop's public key to the server's list of keys allowed to connect (authorized_keys).

Option 1: generate the pair on the server;
# cat id_rsa.pub >> ~/.ssh/authorized_keys
# rm id_rsa.pub
# cat ~/.ssh/id_rsa
Copy the content and paste it into a file on your desktop, e.g. ~/.ssh/freeBSD2, with mode 600; then delete the private key from the server, where it has no reason to stay. (Option 2 avoids moving a private key across the network at all.)
From your desktop, log in with this private key:
$ ssh -i ~/.ssh/freeBSD2 junayed@192.168.10.114 -p 22

Option 2: generate the pair on the desktop;
Use ssh-copy-id: create the lock/key on your desktop, then copy the lock (public key) to the server with
# ssh-copy-id -i ~/.ssh/mykey user@host
# ssh-copy-id -i ~/.ssh/freeBSD.pub junayed@192.168.10.114 /103.10....
ssh-copy-id appends the key to ~/.ssh/authorized_keys itself. Only if you copied the .pub file up some other way do you need to log in, authorize it by hand and delete the copy:
# cat id_rsa.pub >> ~/.ssh/authorized_keys
# rm id_rsa.pub

Adding your SSH key to the ssh-agent:
# eval $(ssh-agent -s)
# ssh-add ~/.ssh/freeBSD

Log in to the server with the private key:
# ssh -i ~/.ssh/freeBSD junayed@192.168.10.114 -p 22
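What ssh-copy-id and the cat >> authorized_keys step above actually have to get right, written out as an added example that is not the post's own code (it serves both this post's Option 1/2 and the "Upload the key to your server" steps of the June 2020 post): the key goes into the login user's ~/.ssh/authorized_keys, the directory is 0700 and the file 0600 so that sshd's StrictModes does not silently ignore it, a key already present is not appended a second time (a plain cat >> does that on every run), and the file is never replaced wholesale (scp onto authorized_keys does that, wiping other people's keys). It assumes only POSIX sh, awk and stat; the public key in the demo is a constructed placeholder, not a real key, and the home directory is a temporary one.

```shell
#!/bin/sh
# Added example (not from the original posts): install a public key into a
# user's authorized_keys the way ssh-copy-id does, idempotently and without
# clobbering keys that are already there. Usage:
#   install_authorized_key PUBKEY_FILE HOME_DIR
set -eu

# Octal mode of a path; GNU stat and BSD stat spell the option differently.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

install_authorized_key() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # A private key pasted by mistake would otherwise be appended verbatim.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file looks like a private key" >&2
        return 2
    fi
    key_line=$(head -n 1 "$pubkey_file")
    case $key_line in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: unrecognised key type in $pubkey_file" >&2; return 2 ;;
    esac

    # With StrictModes (the default) sshd ignores authorized_keys when the
    # directory or the file is writable by anyone but the owner.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Match on key type + base64 blob only, so a changed comment does not
    # produce a second copy of the same key.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')
    if awk -v id="$key_id" '($1 " " $2) == id {found=1} END {exit !found}' "$auth_file"; then
        echo "already authorized: ${key_id%% *} ..." >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# count_key "TYPE BLOB" AUTH_FILE -> number of entries carrying that key
count_key() {
    awk -v id="$1" '($1 " " $2) == id {n++} END {print n + 0}' "$2"
}

# Stand-alone demo on a throwaway home directory with a placeholder key.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyNotARealKey0000 rita@desktop'
demo_home=$(mktemp -d)
printf '%s\n' "$DEMO_KEY" > "$demo_home/desktop.pub"
install_authorized_key "$demo_home/desktop.pub" "$demo_home/user1"
install_authorized_key "$demo_home/desktop.pub" "$demo_home/user1"   # no-op the second time
echo "entries for the key: $(count_key "${DEMO_KEY% *}" "$demo_home/user1/.ssh/authorized_keys")"
```

Run it as the target user, or as root followed by chown of the .ssh directory to that user: ownership matters as much as the mode bits, because sshd checks that the path is owned by the user logging in (or root).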

Securing your SSH Server

Lastly:
If you don't plan to use SFTP/SCP to transfer files, disable the SFTP subsystem by commenting out the line that starts with Subsystem sftp. This blocks the SFTP protocol only: the scp of OpenSSH releases before 9.0 runs a remote scp command over an exec channel and keeps working for anyone who has a shell.

Don't forget: set up port forwarding on your router to port 22.

Funny mistake: to test a login against the public IP you need to be outside your own network!


SFTP freeBSD

SFTP runs inside the SSH connection, so on AWS it needs nothing beyond the port 22 rule the instance already has for SSH. Just log in and transfer:
# sftp -i "aws-domo.pem" ubuntu@ec2-13-55-197-77.ap-southeast-2.compute.amazonaws.com

Remote working directory (on the server):
sftp> pwd
Remote working directory: /tecmint/

Local working directory (on your machine):
sftp> lpwd

Upload a file:
sftp> put local.profile

However, if you don't plan to use SFTP/SCP to transfer files, disable the SFTP subsystem by commenting out the line that starts with Subsystem sftp at the bottom of the file (this stops the SFTP protocol; the scp of OpenSSH releases before 9.0 does not depend on it):
# ee /etc/ssh/sshd_config

Don't forget: set up port forwarding on your router to port 22.
Funny mistake: to test a login against the public IP you need to be outside your own network!


Friday, December 14, 2018

Log in to EC2 as the root user - freeBSD

1: Use SSH to connect to the EC2 FreeBSD instance as "ec2-user", with the key pair downloaded when the instance was created (the .pem file must be readable only by you, mode 600, or ssh refuses to use it).

# ssh -i "aws-domo.pem" ec2-user@x.amazonaws.com

No password is asked for; the key does the authenticating.

2: Run "su" to gain superuser privileges; it makes you the "root" user.

Enjoy!