Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
| Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
 |
GNU/Linux Basic Guide
This 255-page guide will provide you with the keys to understand the philosophy of free software, teach you how to use and handle it, and give you the tools required to move easily in the world of GNU/Linux. Many users and administrators will be taking their first steps with this GNU/Linux Basic guide and it will show you how to approach and solve the problems you encounter.
Click Here to receive this Complete Guide absolutely free. |
|
 |
01-25-2013, 06:12 AM
|
#1
|
|
LQ Newbie
Registered: Jun 2011
Posts: 9
Rep: 
|
SSH - How can I only allow a key pair login for my user account not root account?
Hi I'm new to linux so please be patient if it's a silly question! I'm toughening up my ssh security for working remotely. I've previously disabled root login and now login through a user account and su to root when needed. I've just set up a key pair for the user account which works fine. Is it now safe for me to change my ssh_config so that it will only allow key connection? Even though my root still requires a password through su from the user account? I'd like SSH to only accept a key pair authentication for the user account (not root) and carry on using a password for root when I su to that account. I'm worried about locking myself out! I'd be grateful for any help please? Thanks
|
|
|
|
|
01-25-2013, 06:23 AM
|
#2
|
|
Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 18 with Awesome WM
Posts: 6,796
|
Hello,
First of all, I think you made a typo, fine tuning SSH on the server side is done in sshd_config not in ssh_config. Concerning your question, you will be safe using only key authentication for your user and prohibiting root to login through SSH. Once you're logged in the authentication for the su command is not handled by SSH but by PAM. So there's no problem at all in blocking root account at the SSH level at all.
Kind regards,
Eric
|
|
|
1 members found this post helpful.
|
|
01-25-2013, 08:34 AM
|
#3
|
|
LQ Newbie
Registered: Jun 2011
Posts: 9
Original Poster
Rep:
|
Thanks very much Eric, that makes sense and I've noted my mistake about the sshd_config.
One last thing please?
In sshd_config I have these 3 lines should I un-comment the first one starting RSA to only allow a key rather than password login using the user account mentioned before.
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
and change
PasswordAuthentication yes
to
PasswordAuthentication no
The key pair was created with the command ssh-keygen -t rsa
Many thanks
-Shane
|
|
|
|
|
01-25-2013, 08:48 AM
|
#4
|
|
Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 18 with Awesome WM
Posts: 6,796
|
Hi,
You can do that without any problem yes. But I think that by default RSA is checked automatically if you have a RSA key pair in your ~/.ssh directory. You can check easily which get used and are allowed by supplying the -v parameter to the ssh command. I assume you already copied over the public part of your key since you stated in the first post that you're able to connect without having to provide a password (key based authentication).
Kind regards,
Eric
|
|
|
1 members found this post helpful.
|
|
01-25-2013, 09:15 AM
|
#5
|
|
LQ Newbie
Registered: Jun 2011
Posts: 9
Original Poster
Rep:
|
Thanks again Eric.
All the best
Kind regards
Shane
|
|
|
|
|
01-25-2013, 09:45 AM
|
#6
|
|
Guru
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 18 with Awesome WM
Posts: 6,796
|
Hi,
No problem at all. Thanks for marking the thread solved. Have fun with Linux.
Kind regards,
Eric
|
|
|
1 members found this post helpful.
|
| Thread Tools |
Search this Thread |
|
|
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
All times are GMT -5. The time now is 08:11 PM.
|
|
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
|
 Latest Threads
LQ News
|
|
