5

I have a remote server for which I want to disable remote login using a password for root and other users. I have gone through a few articles on the Internet about how to do that and I have the following list of things to do/change:

  1. Create private key authentication using SSH keys for all users (I have already done this)

  2. Set the following settings in sshd_config:

    • set PermitRootLogin without-password

    • set ChallengeResponseAuthentication no

    • set PasswordAuthentication no

    • set UsePAM no

    • set AllowUsers root otheruser

  3. Restart ssh using sudo service ssh reload

However, I am not sure exactly which changes are to be made to the sshd_config file and I don't want to be locked out of my remote server.

  1. If I want to be able to login as root and other users using only SSH keys, what changes do I make?

  2. If I want to prevent remote root login at all, what changes do I make (and how much more secure is it compared to remote root login using SSH keys)?

  3. If I prevent remote root login at all by making changes to sshd_config file, how will I ever be able to login as ROOT if I want to in future?

Please answer these questions as explicitly as possible and pardon me for lack of trying things as I am completely horrified of the possibility of getting locked out of my own remote server.

mxdsp

2 Answers

4

set "UsePAM no" in sshd_config file

You don't want to turn off PAM.

  1. If I want to be able to login as root and otheruser using only SSH keys, what changes do I make?

To achieve this, these options are related:

PermitRootLogin without-password
ChallengeResponseAuthentication no
PasswordAuthentication no
AllowUsers root otheruser
PubkeyAuthentication yes     # missing in your list, but should be on by default

  2. If I want to prevent remote root login at all, what changes do I make (and how much more secure is it compared to remote root login using SSH keys)?

Set PermitRootLogin no and AllowUsers otheruser.

  3. If I prevent remote root login at all by making changes to sshd_config file, how will I ever be able to login as ROOT if I want to in future?

You will log in with your non-root user and use sudo to edit the configuration files and restart sshd.

Jakuje
  • Thanks for the answer. About the last point to use "sudo" for editing sshd_config, it asks for the sudo password for "otheruser" when trying to do that. So won't it be an issue if we disable the password for otheruser and try to do this? – user2850305 Mar 18 '17 at 11:14
  • It depends on how sudo is configured. You are disabling only password authentication in SSH, so it won't be any issue. – Jakuje Mar 18 '17 at 11:16
  • OK. I am also using Dreamweaver and it interacts with the remote server via SFTP using the "otheruser" password. I have implemented the 1st part of your answer (i.e. disabling remote login with password) and I can still transfer files to the server using the Dreamweaver connection. Is it expected behavior? (Because if it is, isn't it a security hole when someone tries to sftp with root?) – user2850305 Mar 18 '17 at 11:33
  • If you had the connection opened before restarting sshd service, then it is possible. – Jakuje Mar 18 '17 at 11:50
  • Yes, it was because the connection was opened before restarting ssh. Confirmed it. Is there any way to allow password login for "otheruser" and only SSH key authentication for root? (Dreamweaver doesn't allow SSH keys!) – user2850305 Mar 18 '17 at 12:01
  • Just remove the PasswordAuthentication no (or change it to yes). – Jakuje Mar 18 '17 at 12:02
  • I have done all the above, but still able to log in with username and password as well as key – Datadimension Jun 25 '23 at 11:52
0

I solved it using this answer: https://askubuntu.com/a/1440509/1713168

Inside the directory /etc/ssh/sshd_config.d/ there is only one .conf file (50-cloud-init.conf), but inside it contains the line: PasswordAuthentication yes

I changed the line to #PasswordAuthentication no

and I restarted ssh. Now it is working. I can only access it with the SSH key.
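
The following is an added example, not from either answer: two shell functions that check, before sshd is reloaded, whether anything still permits password login, which covers both the settings list in the first answer and the drop-in override in the second. `audit_effective` and `find_settings` are hypothetical names, the demo files and `sshd -T` excerpt are constructed, and the `Include` line at the top of sshd_config is assumed (Ubuntu's default layout).

```shell
#!/bin/sh
# Added example (not from the answers): check for leftover password login.
# Real use, as root, before reloading:  sshd -t && sshd -T | audit_effective

# Read `sshd -T`-style output on stdin ("keyword value", lowercase) and print
# every setting that still allows password-style login. Returns 1 if any do.
audit_effective() {
    awk '
        # Older releases print challengeresponseauthentication, newer ones
        # print kbdinteractiveauthentication for the same setting.
        $1 ~ /^(password|challengeresponse|kbdinteractive)authentication$/ &&
            $2 != "no" { print; bad = 1 }
        $1 == "pubkeyauthentication" && $2 != "yes" { print; bad = 1 }
        $1 == "permitrootlogin" &&
            $2 !~ /^(no|without-password|prohibit-password)$/ { print; bad = 1 }
        END { exit bad + 0 }
    '
}

# Print uncommented lines that set KEYWORD as file:line:text, drop-ins first.
# Assumption: sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf"
# (Ubuntu default layout). sshd keeps the first value it reads per keyword,
# so the first line printed is the one in effect (Match blocks are ignored).
find_settings() {
    keyword=$1
    etc=${2:-/etc/ssh}
    for f in "$etc"/sshd_config.d/*.conf "$etc/sshd_config"; do
        [ -f "$f" ] || continue
        grep -inE "^[[:space:]]*$keyword([[:space:]]|=)" "$f" /dev/null || true
    done
}

# Constructed demo: the layout from the second answer, in a temp directory.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/sshd_config.d"
echo 'PasswordAuthentication yes' > "$demo/sshd_config.d/50-cloud-init.conf"
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
    'PasswordAuthentication no' > "$demo/sshd_config"
find_settings PasswordAuthentication "$demo"

# Constructed `sshd -T` excerpt for that layout: the audit flags one line.
printf '%s\n' 'permitrootlogin without-password' 'pubkeyauthentication yes' \
    'passwordauthentication yes' 'kbdinteractiveauthentication no' |
    audit_effective || echo 'password login is still possible'
```

Keep an existing SSH session open while reloading, and confirm a new key-based login works before closing it.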