Ssh key pair - supposed to prevent root access
I created a key pair with ssh-keygen. I changed the sshd_config files to "password authentication: no" and "permit root login: no".
I thought that if someone had physical access to my computer, that they would not be able to log in to root thru the shell with just the password. But when I do "sudo -s", I am able to enter the password and get root access. I know that "permit root login" refers to remotely accessing my shell from another computer. Q1-What is the purpose of creating a key-pair thru shell? Q2-In my sshd_config file I see the "private" key file is red "X'd" out and I can not open that file to see my own private key (I don't need to). If someone were to get access to my computer, such as if it were stolen, my guess would be that a good hacker could figure out a way to open that file and see the private key. Or maybe there is another way to see my private key with access to my computer. Do either of these possibilities make any sense? In other words, how secure is that red X file in my /ssh? Thanks. |
When you have local access to the machine you are not using ssh or sshd for access and ssh controls do not pertain.
You cannot totally remove root access without breaking the system, but ... You CAN limit or disable sudo access to root. Your study terms are sudo, sudoers, and visudo. Note that if root has a password then other tools (including su ) support root access or execution. Note also that if root lacks a password things (in terms of security) get MUCH worse. |
Quote:
|
Quote:
ALL private keys are non-readable by "not the user that owns them" (in this case root). |
Quote:
|
Quote:
|
Quote:
|
The keys in /etc/ssh are the host keys used to identify the computer itself. This is the key that is stored in your known_hosts file on your client computer. If the host key is stolen then an attacker can perform man in the middle attacks. Host keys are different from the user key pair you generated. As stated only root can open the host key files.
ssh has multiple ways to authenticate a client. Password authentication is the most basic and allows for anyone to scans the internet and finds your computer to try to brute force there way in using a dictionary word type attack. Using a strong password and fail2ban are methods to help secure your system. Using a key pair only will prevent password brute force break in attempts. PermitRootLogin no will prevent root login via ssh by any method. Allowing root login and disabling password authentication is possible. Allowing root to login via ssh is not recommend but since password authentication is turned off your system is fairly secured. I hope you really really trust whomever is accessing your system via root. |
Quote:
No one has root access but me. Is it possible to create new host files if I were concerned that someone may have read them while I was in root and online (yes, don't ever do that)? Thus, if I wanted to take away any chance of MITM attacks "due to" someone having read my host files on my computer in the past, creating new host files would seem to do this. |
No, the key pair you generated is stored where ever you put it. Generally the private key is saved to your users ~/.ssh directory but not a hard requirement.
Yes, you can create new host keys. If you do you should see a host key error with a big warning of possible man in the middle attacks and prevent you from logging in until you delete the existing key from your known_hosts file. |
Quote:
My guess is that it needs a file extension.....? Thx. |
ssh keys "appear" as ASCII text.
|
Quote:
|
Quote:
nano is as good as any, or your favorite graphical text editor, but why do you want to edit the key file? If you make any changes to it, it will become invalid. There's nothing in either the private or public keys that's user adjustable/changeable. Use cat or more or less to see what's in it, if you want, but it's just going to look like gibberish to you. Do not open it in an editor. Code:
# more .ssh/id_rsa |
Quote:
"sudo more .ssh/host_rsa_key" or "sudo more .ssh/host_rsa" ----- I'll try them. Tried it in terminal, didn't work. |
All times are GMT -5. The time now is 10:56 PM. |