doc/security.md
2014-05-13 16:09:43 +02:00

51 lines
2.1 KiB
Markdown

# Security
YunoHost has been developed to provide the best security without too much complication. Every protocol used in YunoHost are **encrypted**, only password's hash are stored and by default each user is able to access to his personal directory only.
Two things remain important to note:
* Installing additional apps can **increase significantly** the number of potential security flaws. Do not hesitate to get information about them **before using it**, and try to install only those which will suit your needs.
* The fact that YunoHost is a well-spread software increase chances to face an attack. If a flaw is discovered, it could potentially affect all the YunoHost instances at once. Keep your system **up-to-date** to remain safe.
*If you need some advises, do not hesitate to [ask us](/support).*
## Improve security
If your YunoHost server is used in a critical production environment, or if you want to improve its safety, you may want to follow those good practices.
**Attention :** *Following those instructions requires advanced knowledges in system administration.*
### SSH authentication via key
By default, the SSH authentication uses the administration password. Deactivation this kind of authentication and replacing it by a key mechanism is advised.
**On your client**:
```bash
ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub <your_yunohost_server>
```
Type your admnistration password and your key will be copied on your server.
**On your server**, edit the SSH configuration file, in order to deactivate the password authentication.
```bash
nano /etc/ssh/sshd_config
# Modify or add the following line
PasswordAuthentication no
```
Save and restart SSH daemon.
### Deactivate YunoHost API
YunoHost administration is accessible through an **HTTP API**, served on the 6787 port by default. It can be used to administrate a lot of things on your server, thus to break many things between malicious hands. The best thing to do, if you know how to use the [command-line interface](/moulinette), is to deactivate the `yunohost-api` service.
```bash
sudo service yunohost-api stop
```