LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 01-25-2013, 06:12 AM   #1
shanekelly
LQ Newbie
 
Registered: Jun 2011
Posts: 11

Rep: Reputation: Disabled
Unhappy SSH - How can I only allow a key pair login for my user account not root account?


Hi I'm new to linux so please be patient if it's a silly question! I'm toughening up my ssh security for working remotely. I've previously disabled root login and now login through a user account and su to root when needed. I've just set up a key pair for the user account which works fine. Is it now safe for me to change my ssh_config so that it will only allow key connection? Even though my root still requires a password through su from the user account? I'd like SSH to only accept a key pair authentication for the user account (not root) and carry on using a password for root when I su to that account. I'm worried about locking myself out! I'd be grateful for any help please? Thanks
 
Old 01-25-2013, 06:23 AM   #2
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 18 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290
Hello,

First of all, I think you made a typo, fine tuning SSH on the server side is done in sshd_config not in ssh_config. Concerning your question, you will be safe using only key authentication for your user and prohibiting root to login through SSH. Once you're logged in the authentication for the su command is not handled by SSH but by PAM. So there's no problem at all in blocking root account at the SSH level at all.

Kind regards,

Eric
 
1 members found this post helpful.
Old 01-25-2013, 08:34 AM   #3
shanekelly
LQ Newbie
 
Registered: Jun 2011
Posts: 11

Original Poster
Rep: Reputation: Disabled
Thanks very much Eric, that makes sense and I've noted my mistake about the sshd_config.
One last thing please?
In sshd_config I have these 3 lines should I un-comment the first one starting RSA to only allow a key rather than password login using the user account mentioned before.
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys


and change
PasswordAuthentication yes
to
PasswordAuthentication no

The key pair was created with the command ssh-keygen -t rsa

Many thanks

-Shane
 
Old 01-25-2013, 08:48 AM   #4
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 18 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290
Hi,

You can do that without any problem yes. But I think that by default RSA is checked automatically if you have a RSA key pair in your ~/.ssh directory. You can check easily which get used and are allowed by supplying the -v parameter to the ssh command. I assume you already copied over the public part of your key since you stated in the first post that you're able to connect without having to provide a password (key based authentication).

Kind regards,

Eric
 
1 members found this post helpful.
Old 01-25-2013, 09:15 AM   #5
shanekelly
LQ Newbie
 
Registered: Jun 2011
Posts: 11

Original Poster
Rep: Reputation: Disabled
Thanks again Eric.

All the best

Kind regards
Shane
 
Old 01-25-2013, 09:45 AM   #6
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 18 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290Reputation: 1290
Hi,

No problem at all. Thanks for marking the thread solved. Have fun with Linux.

Kind regards,

Eric
 
1 members found this post helpful.
  


Reply

Tags
ssh, ssh access using key, ssh remote, ssh sshd root


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
cannot login via ssh on a single, non root account - telnet ok paziulek Red Hat 18 06-19-2013 03:28 AM
I got a root account only but no user account hitmen Linux - Newbie 2 08-27-2012 02:38 AM
[SOLVED] Need user account which can connect by ssh but not login locally nor run shell taylorkh Linux - General 11 07-05-2011 07:49 AM
root account or user account arodlinux Suse/Novell 3 12-23-2008 08:59 PM
is it legitimate and allowed and can be done to make another user account set uid and gid to null 0 to make another root account with different name and possibly not damage the debian system creating and using that new account BenJoBoy Linux - Newbie 12 01-29-2006 10:02 AM


All times are GMT -5. The time now is 08:23 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration