-   Linux - Security (
-   -   SSH - How can I only allow a key pair login for my user account not root account? (

shanekelly 01-25-2013 06:12 AM

SSH - How can I only allow a key pair login for my user account not root account?
Hi I'm new to linux so please be patient if it's a silly question! I'm toughening up my ssh security for working remotely. I've previously disabled root login and now login through a user account and su to root when needed. I've just set up a key pair for the user account which works fine. Is it now safe for me to change my ssh_config so that it will only allow key connection? Even though my root still requires a password through su from the user account? I'd like SSH to only accept a key pair authentication for the user account (not root) and carry on using a password for root when I su to that account. I'm worried about locking myself out! I'd be grateful for any help please? Thanks

EricTRA 01-25-2013 06:23 AM


First of all, I think you made a typo, fine tuning SSH on the server side is done in sshd_config not in ssh_config. Concerning your question, you will be safe using only key authentication for your user and prohibiting root to login through SSH. Once you're logged in the authentication for the su command is not handled by SSH but by PAM. So there's no problem at all in blocking root account at the SSH level at all.

Kind regards,


shanekelly 01-25-2013 08:34 AM

Thanks very much Eric, that makes sense and I've noted my mistake about the sshd_config.
One last thing please?
In sshd_config I have these 3 lines should I un-comment the first one starting RSA to only allow a key rather than password login using the user account mentioned before.
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

and change
PasswordAuthentication yes
PasswordAuthentication no

The key pair was created with the command ssh-keygen -t rsa

Many thanks


EricTRA 01-25-2013 08:48 AM


You can do that without any problem yes. But I think that by default RSA is checked automatically if you have a RSA key pair in your ~/.ssh directory. You can check easily which get used and are allowed by supplying the -v parameter to the ssh command. I assume you already copied over the public part of your key since you stated in the first post that you're able to connect without having to provide a password (key based authentication).

Kind regards,


shanekelly 01-25-2013 09:15 AM

Thanks again Eric.

All the best

Kind regards

EricTRA 01-25-2013 09:45 AM


No problem at all. Thanks for marking the thread solved. Have fun with Linux.

Kind regards,


All times are GMT -5. The time now is 12:37 AM.