1.10. Set Up Security

The Rigado Vesta Gateway ships with a “developer build”. This build is intended to ease development and is not intended for deployment into a production environment. There is no default password enabled on the Vesta developer build. You should consider adding a password or using password-less logins with SSH keys as you prototype to prevent unapproved access to the Gateway.

Warning

The Developer Build does not have a password set.

1.10.1. Changing the password

To change the password:

root@080030717-00055:~# passwd
Changing password for root
Enter the new password (minimum of 5 characters)
Please use a combination of upper and lower case letters and numbers.
New password:
Re-enter new password:
passwd: password changed.

1.10.2. SSH keys

Using a unique password is better than nothing, but SSH keys are a better solution.

Copy a new SSH key to the Gateway from your development computer. This process is similar to how git can use your SSH public key to identify you and permit access to git repositories.

To use SSH keys, you will need an SSH public/private key pair:

  1. Check if you already have one on your local machine:

    $ ls ~/.ssh
    config  id_rsa  id_rsa.pub  known_hosts
    
  2. The id_rsa.pub and id_rsa files are the public and private keys respectively. If you don’t have these, you can easily create them by running:

    $ ssh-keygen -t rsa -C "your.email@example.com" -b 4096
    
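  3. You can manually copy the id_rsa.pub contents into the /home/root/.ssh/authorized_keys file on the Vesta Gateway (this scp command replaces any existing authorized_keys file, and the /home/root/.ssh directory must already exist):

    $ scp ~/.ssh/id_rsa.pub root@RigadoGateway-081020317-00000.local:/home/root/.ssh/authorized_keys
    

    or you can use ssh-copy-id to install it automatically: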

    $ ssh-copy-id root@RigadoGateway-081020317-00000.local
    

As the output of that command suggests, you can log in to the Vesta and inspect the authorized_keys file.

Note that you can install multiple public keys here, which may be useful in case you accidentally delete your private key. (This is a good time to back up that private key somewhere very secure!)

If you use an SSH agent, add your new private key to it:

$ ssh-add ~/.ssh/id_rsa

This will allow you to log in to the Gateway without needing to enter the key’s passphrase.

1.10.3. Disabling password logins

To require that users log in with an SSH key, disable the ability to log in with a password as follows.

  1. Change the settings in /etc/ssh/sshd_config:

    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication no
    PermitEmptyPasswords no
    
  2. Reboot to allow the settings to take effect:

    root@080030717-00055:~# reboot
    
  3. If you’ve already added your private key to your SSH agent, remove it with:

    $ ssh-add -d ~/.ssh/id_rsa
    
  4. Test your changes by attempting to log in without an SSH key:

    $ ssh root@080030717-00055.local
    Permission denied (publickey).
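
Before the reboot in step 2, it is worth confirming that the edited sshd_config really disables password logins and that a public key is already installed, because a Gateway with passwords disabled and an empty authorized_keys file can no longer be reached over SSH. The script below is an added example, not part of Rigado's documentation; the function names and the preflight.sh file name are hypothetical, and it does not evaluate Match blocks or Include files.

```shell
#!/bin/sh
# Added example (not Rigado code): pre-reboot check for sections 1.10.2-1.10.3.
# Function names are hypothetical. Limitation: Match blocks and Include files
# in sshd_config are not evaluated.

# Print the effective value of a keyword. sshd uses the FIRST occurrence of a
# keyword, keywords are case-insensitive, and "Keyword=value" is accepted.
sshd_effective() {  # usage: sshd_effective <file> <keyword> <default>
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }            # commented-out settings do not count
        { sub(/=/, " ") }                    # normalise Keyword=value
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Count key lines (non-blank, non-comment) in an authorized_keys file.
count_keys() {  # usage: count_keys <authorized_keys>
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}

# Return 0 only when password logins are off AND a key is installed, so that
# the reboot in step 2 cannot lock you out of the Gateway.
preflight() {  # usage: preflight <sshd_config> <authorized_keys>
    rc=0
    # OpenSSH defaults: PasswordAuthentication yes, PermitEmptyPasswords no
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_effective "$1" PermitEmptyPasswords no)" = no ] ||
        { echo "FAIL: PermitEmptyPasswords is not 'no'"; rc=1; }
    [ "$(count_keys "$2")" -gt 0 ] ||
        { echo "FAIL: no public key in $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key-only login is configured"
    return "$rc"
}

# Run on the Gateway as:
#   sh preflight.sh /etc/ssh/sshd_config /home/root/.ssh/authorized_keys
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A commented-out `#PasswordAuthentication no` line leaves the default of `yes` in force, which is the case this check is most likely to catch.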