Logging into the CLI for the First Time

Lee Painter

Introduction

All JADAPTIVE Server products have a built-in CLI management shell that is accessible over SSH. We endeavor to make the product as configurable via the CLI as it would be through a web-based interface. This article explains what to do when you log into the CLI for the first time and recommends some configuration options to harden access to the CLI.

1. Logging In

Once you have installed the JADAPTIVE Server, you can log into the system via SSH and configure the built-in Administrators account. The default SSH port for the management CLI is 2222. Start a shell using your preferred SSH client, logging in as the user 'admin'.

ssh -p 2222 admin@x.x.x.x


You should be prompted to accept the server's host key:

The authenticity of host '[x.x.x.x]:2222 ([x.x.x.x]:2222)' can't be established.
ECDSA key fingerprint is SHA256:N2OIlRRNNBi5+fgA81MTwnDpqEQ+UPPCmdhDz7uHErI.
Are you sure you want to continue connecting (yes/no)?

Type 'yes' to continue. You will then be prompted for the admin's password:

Warning: Permanently added '[x.x.x.x]:2222' (ECDSA) to the list of known hosts.
password
Enter password for admin
Password:


The default password is admin. Once you have provided this password, you will be prompted to provide a new password. We recommend you use a strong password that includes uppercase and lowercase letters, numbers, and symbols.

password
Enter new password for admin
New Password:
Confirm Password:


The CLI management shell will now start.

==============================================
  _           _             _   _           
  (_) __ _  __| | __ _ _ __ | |_(_)_   _____
  | |/ _` |/ _` |/ _` | '_ \| __| \ \ / / _ \
  | | (_| | (_| | (_| | |_) | |_| |\ V /  __/
_/ |\__,_|\__,_|\__,_| .__/ \__|_| \_/ \___|
|__/                  |_|                    

Virtual SFTP
0.0.2-SNAPSHOT
==============================================

Type 'help' for a list of commands.
#


2. Generating a Private Key

Now that you have changed the default password for the admin account, we recommend that you generate a private key so you can use public key authentication for future logins. To generate a new key for admin, issue the ssh-keygen command in the shell:

# ssh-keygen


The system will then prompt you for a name, and a passphrase to encrypt the key.

Name: Admin Key
Passphrase: **********
Confirm Passphrase: **********


The key is then generated and printed out to the shell. You should copy and paste this into a file on your local machine. The key will not be saved anywhere else, so if you fail to do this you will lose access to the key and will have to generate a new one.

*** IMPORTANT ***
Your private has been created and has been printed below.
There is no other record of the private key on this server.
Therefore please copy this to a safe location or it will be lost.

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACFFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAG
CdrWy8zLwloDzZNrsyotAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIK0D
rEYxSL3bpz4drRUdt76CJ1ZsSdPAh0VrjyFtnnFUAAAAkNaWKUIn9vbaEJ/2jIhu
r1hfay/b1XQ7t5W624d7BbwNcaYPOsKK7s5UkI3R0qLxGCEYP2ocGtPpT7H+kzKM
OCzSTK2NBh941GKCfm+jKIW60aa17Ae4Pf6am6xkiA+ZXgYM5uDjZVyPlI04Vvdb
UeAS1BLJzrT01ULIIVKPzberjGqItN2hzgFL7B+sgy3/Jg==
-----END OPENSSH PRIVATE KEY-----

SHA256:0wvYB/w9v38vapxOC+6ZRDSU9VGSQoxHK/dRjfgshyc

xivip-mecup-mepeb-ralel-fobyr-zelyf-rusyz-zofah-fovub-gimoz-tixix

3. Uploading an Existing Key

If you have an existing key that you would rather use, then you should upload it using SFTP or SCP. Once uploaded, go back to the shell and use the import-key command. You can upload just the public key or the private key part (the private key will not be stored on the server so you should remove it after importing the key). 

import-key <filename>


The system will then prompt you for a name for this key.

Name: Admin Key

If the key is a private key and is protected by a passphrase, you will be prompted to enter the passphrase.

Passphrase: **********


Your key has now been imported. 

4. Hardening the SSH Server

We recommend that you turn off password authentication support and only allow users to log in using public-key authentication.

To disable password logins, edit the $HOME/conf/jadaptive.properties file and locate the directives below:

#sshd.permitPassword=true
#sshd.permitAdminPassword=true


To prevent all password logins, uncomment the following directive by removing the # at the beginning of the line, and then change the value to false.

sshd.permitPassword=false


If you just want to prevent the admin account from password login, then change the alternative setting:

sshd.permitAdminPassword=false


You will also notice a couple of other commented-out properties:

#sshd.port=2222
#sshd.externalAccess=true


Uncomment these to activate them. You can change the port as desired, and disable external access if this is required. If you disable external access, you will only be able to log in to the SSH server using the localhost interface on your server.

You will need to restart the server to make the configuration changes effective. 
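
The following is an added example, not part of the original article or JADAPTIVE's own tooling: a shell check that reads jadaptive.properties and reports which of the directives above are in effect. It assumes plain key=value lines and that a commented-out or missing directive keeps the default shown in its comment; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the effective SSH hardening settings in a
# jadaptive.properties file. Assumption: a directive that is commented out
# or absent keeps the default shown in its comment (true / 2222).

# effective_value FILE KEY DEFAULT: print the last uncommented value of KEY.
effective_value() {
    awk -F= -v key="$2" -v def="$3" '
        /^[ \t]*[#!]/ { next }                      # commented-out directive
        { k = $1; gsub(/[ \t\r]/, "", k) }          # key without padding
        NF > 1 && k == key { v = $0; sub(/^[^=]*=/, "", v)
                             gsub(/[ \t\r]/, "", v); seen = 1 }
        END { print (seen ? v : def) }
    ' "$1"
}

# audit_jadaptive FILE: print findings; return 1 if password login is possible.
audit_jadaptive() {
    f=$1; rc=0
    all=$(effective_value "$f" sshd.permitPassword true)
    admin=$(effective_value "$f" sshd.permitAdminPassword true)
    if [ "$all" = "false" ]; then
        echo "OK   password logins disabled for all accounts"
    elif [ "$admin" = "false" ]; then
        echo "WARN password logins still allowed for non-admin accounts"; rc=1
    else
        echo "WARN password logins allowed, including admin"; rc=1
    fi
    echo "INFO sshd.port=$(effective_value "$f" sshd.port 2222)"
    if [ "$(effective_value "$f" sshd.externalAccess true)" = "false" ]; then
        echo "INFO SSH reachable on localhost only"
    else
        echo "INFO SSH reachable from external interfaces"
    fi
    return $rc
}

# Constructed sample: only the admin directive has been uncommented.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#sshd.permitPassword=true
sshd.permitAdminPassword=false
#sshd.port=2222
#sshd.externalAccess=true
EOF
audit_jadaptive "$sample" || echo "hardening incomplete"
rm -f "$sample"
```

Run it against $HOME/conf/jadaptive.properties after editing; the file is only read at startup, so the report describes what takes effect after the next restart.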

You are now ready to administer your server securely.