[SOLVED] SSH - How can I only allow a key pair login for my user account not root account?
Hi, I'm new to Linux, so please be patient if it's a silly question! I'm toughening up my SSH security for working remotely. I've previously disabled root login and now log in through a user account and su to root when needed. I've just set up a key pair for the user account, which works fine. Is it now safe for me to change my ssh_config so that it will only allow key connections, even though my root still requires a password through su from the user account? I'd like SSH to only accept key pair authentication for the user account (not root) and carry on using a password for root when I su to that account. I'm worried about locking myself out! I'd be grateful for any help, please. Thanks
First of all, I think you made a typo: fine-tuning SSH on the server side is done in sshd_config, not in ssh_config. Concerning your question, you will be safe using only key authentication for your user and prohibiting root from logging in through SSH. Once you're logged in, the authentication for the su command is not handled by SSH but by PAM. So there's no problem at all in blocking the root account at the SSH level.
Thanks very much Eric, that makes sense and I've noted my mistake about the sshd_config.
One last thing please?
In sshd_config I have these 3 lines. Should I un-comment the first one, starting RSA, to only allow a key rather than password login using the user account mentioned before?

#RSAAuthentication yes

and change

PasswordAuthentication yes

to

PasswordAuthentication no

The key pair was created with the command ssh-keygen -t rsa
You can do that without any problem, yes. But I think that by default RSA is checked automatically if you have an RSA key pair in your ~/.ssh directory. You can easily check which ones get used and are allowed by supplying the -v parameter to the ssh command. I assume you already copied over the public part of your key, since you stated in the first post that you're able to connect without having to provide a password (key-based authentication).
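Before restarting sshd with the changes discussed above, it helps to check what sshd will actually read. The following is an added shell example, not code from this thread, that audits an sshd_config file for key-only user logins and a blocked root login, and shows the first-value-wins rule sshd applies to duplicate keywords. It assumes the OpenSSH keywords PasswordAuthentication, PubkeyAuthentication, PermitRootLogin and ChallengeResponseAuthentication; the two sample config files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for key-only user
# logins and no root login before restarting sshd.  Assumes OpenSSH keywords;
# on OpenSSH 7.4+ RSAAuthentication is gone and PubkeyAuthentication applies.
# Limitations: ignores Match blocks, Include files and the Key=Value form.

# First uncommented value of a keyword: sshd keeps the FIRST value it reads,
# so a later duplicate line never overrides an earlier one.
effective_value() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Returns 0 when the file enforces key-only logins and blocks root, else 1.
check_sshd_config() {
    cfg="$1"; rc=0
    pw=$(effective_value PasswordAuthentication "$cfg")
    pk=$(effective_value PubkeyAuthentication "$cfg")
    root=$(effective_value PermitRootLogin "$cfg")
    cr=$(effective_value ChallengeResponseAuthentication "$cfg")
    # OpenSSH defaults apply when a keyword is absent
    [ -z "$pw" ] && pw=yes
    [ -z "$pk" ] && pk=yes
    [ -z "$root" ] && root=prohibit-password
    [ -z "$cr" ] && cr=yes
    [ "$pw" = no ] || { echo "PasswordAuthentication is '$pw', want no"; rc=1; }
    [ "$pk" = yes ] || { echo "PubkeyAuthentication is '$pk', want yes"; rc=1; }
    [ "$root" = no ] || { echo "PermitRootLogin is '$root', want no"; rc=1; }
    # PAM can still prompt for a password via keyboard-interactive auth
    [ "$cr" = no ] || echo "note: ChallengeResponseAuthentication is '$cr'"
    return $rc
}

# Constructed sample configs: the poster's starting state and a hardened one.
write_before_config() {
    printf '%s\n' '#RSAAuthentication yes' 'PasswordAuthentication yes' \
        'PermitRootLogin no' > "$1"
}
write_after_config() {
    printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
        'PermitRootLogin no' 'ChallengeResponseAuthentication no' \
        '# ignored: sshd already took the first value above' \
        'PasswordAuthentication yes' > "$1"
}

# Demo: check both files; also run "sshd -t -f FILE" before a real restart,
# and keep an existing session open while testing the new login from another.
tmp=$(mktemp)
write_before_config "$tmp"; check_sshd_config "$tmp" || echo "before: not hardened"
write_after_config "$tmp";  check_sshd_config "$tmp" && echo "after: hardened"
rm -f "$tmp"
```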