doc/security.md

# Security

YunoHost has been developed to provide the best security without too much complication. Every protocol used in YunoHost are **encrypted**, only password's hash are stored and by default each user is able to access to his personal directory only.

Two things remain important to note:

* Installing additional apps can **increase significantly** the number of potential security flaws. Do not hesitate to get information about them **before using it**, and try to install only those which will suit your needs.

* The fact that YunoHost is a well-spread software increase chances to face an attack. If a flaw is discovered, it could potentially affect all the YunoHost instances at once. Keep your system **up-to-date** to remain safe.

*If you need some advises, do not hesitate to [ask us](/support).*

---

## Improve security

If your YunoHost server is used in a critical production environment, or if you want to improve its safety, you may want to follow those good practices.

**Attention:** *Following those instructions requires advanced knowledges in system administration.*

### SSH authentication via key

By default, the SSH authentication uses the administration password. Deactivation this kind of authentication and replacing it by a key mechanism is advised.

**On your client**:

```bash
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub <your_yunohost_server>
```

Type your admnistration password and your key will be copied on your server. 

**On your server**, edit the SSH configuration file, in order to deactivate the password authentication.

```bash
nano /etc/ssh/sshd_config

# Modify or add the following line
PasswordAuthentication no
```

Save and restart SSH daemon.

---

### Deactivate YunoHost API

YunoHost administration is accessible through an **HTTP API**, served on the 6787 port by default. It can be used to administrate a lot of things on your server, thus to break many things between malicious hands. The best thing to do, if you know how to use the [command-line interface](/moulinette), is to deactivate the `yunohost-api` service.

```bash
sudo service yunohost-api stop
```
Add security.md 2014-05-13 16:09:43 +02:00			`# Security`

			`YunoHost has been developed to provide the best security without too much complication. Every protocol used in YunoHost are encrypted, only password's hash are stored and by default each user is able to access to his personal directory only.`

			`Two things remain important to note:`

			`* Installing additional apps can increase significantly the number of potential security flaws. Do not hesitate to get information about them before using it, and try to install only those which will suit your needs.`

			`* The fact that YunoHost is a well-spread software increase chances to face an attack. If a flaw is discovered, it could potentially affect all the YunoHost instances at once. Keep your system up-to-date to remain safe.`

			`If you need some advises, do not hesitate to [ask us](/support).`

Update security.md 2014-06-04 21:41:04 +02:00			`---`
Add security.md 2014-05-13 16:09:43 +02:00
			`## Improve security`

			`If your YunoHost server is used in a critical production environment, or if you want to improve its safety, you may want to follow those good practices.`

Update security.md Relecture 2014-05-13 17:40:54 +02:00			`Attention: Following those instructions requires advanced knowledges in system administration.`
Add security.md 2014-05-13 16:09:43 +02:00
			`### SSH authentication via key`

			`By default, the SSH authentication uses the administration password. Deactivation this kind of authentication and replacing it by a key mechanism is advised.`

			`On your client:`

			```bash
			`ssh-keygen`
			`ssh-copy-id -i ~/.ssh/id_rsa.pub <your_yunohost_server>`
			```

			`Type your admnistration password and your key will be copied on your server.`

			`On your server, edit the SSH configuration file, in order to deactivate the password authentication.`

			```bash
			`nano /etc/ssh/sshd_config`

			`# Modify or add the following line`
			`PasswordAuthentication no`
			```

			`Save and restart SSH daemon.`

Update security.md 2014-06-04 21:41:04 +02:00			`---`

Add security.md 2014-05-13 16:09:43 +02:00			`### Deactivate YunoHost API`

			YunoHost administration is accessible through an HTTP API, served on the 6787 port by default. It can be used to administrate a lot of things on your server, thus to break many things between malicious hands. The best thing to do, if you know how to use the [command-line interface](/moulinette), is to deactivate the `yunohost-api` service.

			```bash
			`sudo service yunohost-api stop`
			```