LinuxQuestions.org


ttpp 07-13-2019 01:34 AM

Ssh key pair - supposed to prevent root access
 
I created a key pair with ssh-keygen. I changed the sshd_config files to "password authentication: no" and "permit root login: no".

I thought that if someone had physical access to my computer, that they would not be able to log in to root thru the shell with just the password. But when I do "sudo -s", I am able to enter the password and get root access.

I know that "permit root login" refers to remotely accessing my shell from another computer.

Q1-What is the purpose of creating a key-pair thru shell?

Q2-In my sshd_config file I see the "private" key file is red "X'd" out and I can not open that file to see my own private key (I don't need to). If someone were to get access to my computer, such as if it were stolen, my guess would be that a good hacker could figure out a way to open that file and see the private key. Or maybe there is another way to see my private key with access to my computer. Do either of these possibilities make any sense? In other words, how secure is that red X file in my /ssh?

Thanks.

wpeckham 07-13-2019 04:48 AM

When you have local access to the machine you are not using ssh or sshd for access and ssh controls do not pertain.

You cannot totally remove root access without breaking the system, but ...

You CAN limit or disable sudo access to root. Your study terms are sudo, sudoers, and visudo.

Note that if root has a password then other tools (including su) support root access or execution. Note also that if root lacks a password things (in terms of security) get MUCH worse.

ehartman 07-13-2019 05:18 AM

Quote:

Originally Posted by ttpp (Post 6014546)
I know that "permit root login" refers to remotely accessing my shell from another computer.

Q1-What is the purpose of creating a key-pair thru shell?

With the setting "PermitRootLogin prohibit-password" it will prevent REMOTE users (through ssh) from logging in with the root password, but will allow them to do so by using the public key OF root (which must be on their system already). As all this is for ssh access to your machine (which is what the ssh daemon is for), neither setting will change anything on LOCAL login.

ehartman 07-13-2019 05:23 AM

Quote:

Originally Posted by ttpp (Post 6014546)
In other words, how secure is that red X file in my /ssh?

For anyone who can become root (or use sudo without a password) NOTHING is secure in your system. The protection of the private key is only against normal users that do not know the root password and do not have sudo rights TO root.
ALL private keys are non-readable by "not the user that owns them" (in this case root).
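
The point above rests on file permissions, so here is a check for them, as an added example that is not part of any post in this thread. The function names are hypothetical and the key files are constructed header-only stand-ins; point `loose_private_keys` at a directory such as `~/.ssh` or `/etc/ssh` (the latter as root).

```shell
#!/bin/sh
# Added example, not from the thread: list private key files under a
# directory that group or other can read, write or execute.

# Treat a file as a private key when its first line is a PEM-style header
# such as "-----BEGIN RSA PRIVATE KEY-----".
is_private_key() {  # usage: is_private_key FILE
    head -n 1 "$1" 2>/dev/null |
        grep -Eq '^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----'
}

loose_private_keys() {  # usage: loose_private_keys DIR
    # Any group/other permission bit set counts as "loose".
    find "$1" -type f \( -perm -040 -o -perm -020 -o -perm -010 \
                      -o -perm -004 -o -perm -002 -o -perm -001 \) -print |
    while IFS= read -r f; do
        if is_private_key "$f"; then echo "$f"; fi
    done
}

# Constructed demo: header-only stand-ins, no real key material.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed)' > "$demo/id_rsa"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed)' > "$demo/id_copy"
printf '%s\n' 'ssh-rsa AAAA(constructed) user@host' > "$demo/id_rsa.pub"
chmod 600 "$demo/id_rsa"
chmod 644 "$demo/id_copy" "$demo/id_rsa.pub"
loose_private_keys "$demo"
rm -rf "$demo"
```

A world-readable public key is expected and is not reported; only files that start with a private-key header are.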

ttpp 07-13-2019 07:02 AM

Quote:

Originally Posted by wpeckham (Post 6014565)
When you have local access to the machine you are not using ssh or sshd for access and ssh controls do not pertain.

You cannot totally remove root access without breaking the system, but ...

You CAN limit or disable sudo access to root. Your study terms are sudo, sudoers, and visudo.

Note that if root has a password then other tools (including su) support root access or execution. Note also that if root lacks a password things (in terms of security) get MUCH worse.

Thanks. Root has a password. I was hoping that I could require root to have a password "AND" private key for escalation to root. Possible?

ttpp 07-13-2019 07:05 AM

Quote:

Originally Posted by ehartman (Post 6014573)
For anyone who can become root (or use sudo without a password) NOTHING is secure in your system. The protection of the private key is only against normal users that do not know the root password and do not have sudo rights TO root.
ALL private keys are non-readable by "not the user that owns them" (in this case root).

Thanks. In other words, that red-X file can only be opened in shell by a root user, yes?

ttpp 07-13-2019 07:08 AM

Quote:

Originally Posted by ehartman (Post 6014572)
With the setting "PermitRootLogin prohibit-password" it will prevent REMOTE users (through ssh) from logging in with the root password, but will allow them to do so by using the public key OF root (which must be on their system already). As all this is for ssh access to your machine (which is what the ssh daemon is for), neither setting will change anything on LOCAL login.

Thanks. It seems that if I have set "Permit root login" to "no", then there's no point in creating a key pair; I'm assuming this means that login can not happen with a password or key.

michaelk 07-13-2019 07:53 AM

The keys in /etc/ssh are the host keys used to identify the computer itself. This is the key that is stored in your known_hosts file on your client computer. If the host key is stolen then an attacker can perform man in the middle attacks. Host keys are different from the user key pair you generated. As stated only root can open the host key files.

ssh has multiple ways to authenticate a client. Password authentication is the most basic and allows anyone who scans the internet and finds your computer to try to brute force their way in using a dictionary word type attack. Using a strong password and fail2ban are methods to help secure your system. Using a key pair only will prevent password brute force break-in attempts.

PermitRootLogin no will prevent root login via ssh by any method.

Allowing root login and disabling password authentication is possible. Allowing root to log in via ssh is not recommended, but since password authentication is turned off your system is fairly secured. I hope you really really trust whomever is accessing your system via root.
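
The combinations of `PermitRootLogin` and `PasswordAuthentication` described in the post above, as an added example that is not part of the thread: a small reader for an sshd_config-style file. The function names and the sample file are constructed for illustration, and the fallback values assume upstream OpenSSH defaults (`prohibit-password` and `yes`), which a distribution build may change.

```shell
#!/bin/sh
# Added example, not from the thread: what do PermitRootLogin and
# PasswordAuthentication in an sshd_config-style file mean for root over ssh?

# Print the first global value of KEYWORD, or DEFAULT if it is not set.
# sshd uses the first value it obtains and keywords are case-insensitive.
# Everything after a Match line is conditional, so it is skipped here.
sshd_first_value() {  # usage: sshd_first_value FILE KEYWORD DEFAULT
    awk -F'[ \t=]+' -v want="$2" -v dflt="$3" '
        { sub(/^[ \t]+/, "") }                  # trim leading blanks
        /^#/ || /^$/ { next }                   # comments and empty lines
        tolower($1) == "match" { in_match = 1; next }
        !in_match && tolower($1) == tolower(want) {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print dflt }
    ' "$1"
}

root_ssh_summary() {  # usage: root_ssh_summary FILE
    # Assumed defaults: upstream OpenSSH (prohibit-password / yes).
    prl=$(sshd_first_value "$1" PermitRootLogin prohibit-password)
    pwa=$(sshd_first_value "$1" PasswordAuthentication yes)
    case "$prl" in
        no)  echo "root: blocked over ssh by any method" ;;
        prohibit-password|without-password)
             echo "root: keys accepted, password refused" ;;
        forced-commands-only)
             echo "root: keys accepted for forced commands only" ;;
        yes) if [ "$pwa" = no ]; then
                 echo "root: allowed, password authentication off"
             else
                 echo "root: allowed, password guessing possible"
             fi ;;
        *)   echo "root: unrecognised PermitRootLogin value '$prl'" ;;
    esac
}

# Constructed sample mirroring the original poster's two settings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server's configuration
PasswordAuthentication no
PermitRootLogin no
EOF
root_ssh_summary "$sample"
rm -f "$sample"
```

This reads one file only and does not follow `Include` or evaluate `Match` blocks; on a live host, `sshd -T` (run as root) prints the configuration the daemon actually uses.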

ttpp 07-13-2019 09:05 AM

Quote:

Originally Posted by michaelk (Post 6014617)
The keys in /etc/ssh are the host keys used to identify the computer itself. This is the key that is stored in your known_hosts file on your client computer. If the host key is stolen then an attacker can perform man in the middle attacks. Host keys are different from the user key pair you generated. As stated only root can open the host key files.

ssh has multiple ways to authenticate a client. Password authentication is the most basic and allows anyone who scans the internet and finds your computer to try to brute force their way in using a dictionary word type attack. Using a strong password and fail2ban are methods to help secure your system. Using a key pair only will prevent password brute force break-in attempts.

PermitRootLogin no will prevent root login via ssh by any method.

Allowing root login and disabling password authentication is possible. Allowing root to log in via ssh is not recommended, but since password authentication is turned off your system is fairly secured. I hope you really really trust whomever is accessing your system via root.

Thanks. I see 4 different types of "host" key files in ssh. The key-pair generated - is that stored on my computer in a directory? I know it was stored on the home/user where I removed it from, but is it also stored in a directory somewhere else? I originally saved it to a blank file I created in my home directory.

No one has root access but me.

Is it possible to create new host files if I were concerned that someone may have read them while I was in root and online (yes, don't ever do that)? Thus, if I wanted to take away any chance of MITM attacks "due to" someone having read my host files on my computer in the past, creating new host files would seem to do this.

michaelk 07-13-2019 12:22 PM

No, the key pair you generated is stored wherever you put it. Generally the private key is saved to your user's ~/.ssh directory, but that is not a hard requirement.

Yes, you can create new host keys. If you do, you should see a host key error with a big warning of possible man-in-the-middle attacks, and it will prevent you from logging in until you delete the existing key from your known_hosts file.

ttpp 07-14-2019 12:07 PM

Quote:

Originally Posted by michaelk (Post 6014672)
No, the key pair you generated is stored wherever you put it. Generally the private key is saved to your user's ~/.ssh directory, but that is not a hard requirement.

Yes, you can create new host keys. If you do, you should see a host key error with a big warning of possible man-in-the-middle attacks, and it will prevent you from logging in until you delete the existing key from your known_hosts file.

Thanks. I'm trying to open, in terminal, the file "ssh_host_dsa_key" using "sudo xdg-open ssh_host_dsa_key" and keep getting "Unable to detect the URI-scheme of "ssh_host_dsa_key""

My guess is that it needs a file extension.....?

Thx.

michaelk 07-14-2019 06:20 PM

ssh keys "appear" as ASCII text.

ttpp 07-14-2019 07:55 PM

Quote:

Originally Posted by michaelk (Post 6015071)
ssh keys "appear" as ASCII text.

Thanks. I tried "sudo xdg-open ssh_host_dsa_key.text" - didn't work, same error message. If I need to open it in something like 'nano', I'm not sure what to do once I get in there. "sudo nano /etc/ssh/sshd_config" opened nano and I can scroll down to the file, but don't know how to open it to read using "sudo xdg-open ssh_host_dsa_key.text" or any other way.

scasey 07-14-2019 08:14 PM

Quote:

Originally Posted by ttpp (Post 6015085)
Thanks. I tried "sudo xdg-open ssh_host_dsa_key.text" - didn't work, same error message. If I need to open it in something like 'nano', I'm not sure what to do once I get in there. "sudo nano /etc/ssh/sshd_config" opened nano and I can scroll down to the file, but don't know how to open it to read using "sudo xdg-open ssh_host_dsa_key.text" or any other way.

The message is because xdg-open doesn't know what "preferred application for files of that type" is. If I use it to open a text file, it just opens in the browser.

nano is as good as any, or your favorite graphical text editor, but why do you want to edit the key file? If you make any changes to it, it will become invalid. There's nothing in either the private or public keys that's user adjustable/changeable.

Use cat or more or less to see what's in it, if you want, but it's just going to look like gibberish to you. Do not open it in an editor.
Code:

# more .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
[several lines snipped]
7RVkI+7OR849BGvlt2gqWunNRY6nhyJ1MEfZHAIUldIxWKfC2SSbvNArnZhfT+q3
0P9NzdYAG1SyygBfCHt8tAelluXTucoMVr92InUCgYAkC2nHQWEmZz/zuZwz0o3I
[several more lines snipped]
-----END RSA PRIVATE KEY-----

(snippage, of course, is 'cause I don't want to post a real private key)

ttpp 07-14-2019 11:58 PM

Quote:

Originally Posted by scasey (Post 6015088)
The message is because xdg-open doesn't know what "preferred application for files of that type" is. If I use it to open a text file, it just opens in the browser.

nano is as good as any, or your favorite graphical text editor, but why do you want to edit the key file? If you make any changes to it, it will become invalid. There's nothing in either the private or public keys that's user adjustable/changeable.

Use cat or more or less to see what's in it, if you want, but it's just going to look like gibberish to you. Do not open it in an editor.
Code:

# more .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
[several lines snipped]
7RVkI+7OR849BGvlt2gqWunNRY6nhyJ1MEfZHAIUldIxWKfC2SSbvNArnZhfT+q3
0P9NzdYAG1SyygBfCHt8tAelluXTucoMVr92InUCgYAkC2nHQWEmZz/zuZwz0o3I
[several more lines snipped]
-----END RSA PRIVATE KEY-----

(snippage, of course, is 'cause I don't want to post a real private key)

Thanks. I don't want to edit it. I wanted to look at it as I thought someone said that it contained IP addresses, so I am curious to see what the file looks like.

"sudo more .ssh/host_rsa_key" or "sudo more .ssh/host_rsa" ----- I'll try them.

Tried it in terminal, didn't work.


All times are GMT -5.