pmam Veteran
Joined: 30 Dec 2013 Posts: 1145
Posted: Tue Feb 20, 2018 9:03 am Post subject: SSH connection with public key does not persist?
I established ssh with a public key and afterward changed to 'PermitRootLogin no'.
BTW: I chose 'passphrase blank', so I can connect to the server without a password. Please inform me if it is safe enough or whether a password is needed here.
All the above worked ok, but after reboot I was asked to enter a password (which was denied),
and I needed to repeat this command to establish the public key again (by changing to 'PermitRootLogin yes'):
Code: ssh-copy-id root@server_IP
Then it works again. Please advise how I can establish a persistent ssh connection?
_________________
“You can take our property, our sweet homes, even our clothes...
But don't touch the streets, Ah, That's NO, NO, NO!
The streets are our @world's compilable kernel ...”
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Tue Feb 20, 2018 10:06 am
pmam,
You need the other option to PermitRootLogin. It's the default actually.
A passwordless key is OK at the server end. It can't tell.
If someone were to steal your private key, they would have ssh access to wherever you use that key.
How good is your physical key security?
Safe depends on your level of paranoia.
I would set PermitRootLogin No, use keys with strong pass phrases to log in as a user and use when I needed to be root.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Tue Feb 20, 2018 1:19 pm Post subject: Re: SSH connection with public key does not persist?
pmam wrote:
> I established ssh with a public key and afterward changed to 'PermitRootLogin no'.
> Code: ssh-copy-id root@server_IP

If you set PermitRootLogin no, then you don't need to copy any key to root@server_IP, because that key is never used.
To do what you are trying to do, you should either:
* use the root account, but with PermitRootLogin yes
* use a user account with PermitRootLogin no, then connect to it with ssh user@server_IP and su once you have logged in.
So it means you should copy a valid key to user@server_IP and not root@server_IP.
pmam Veteran
Joined: 30 Dec 2013 Posts: 1145
Posted: Tue Feb 20, 2018 4:31 pm
Quote:
> If you set PermitRootLogin no, then you don't need to copy any key to root@server_IP, because that key is never used.

I see my stupid mistake... Now I choose:
Quote:
> * use a user account with PermitRootLogin no, then connect to it with ssh user@server_IP and su once you have logged in.

So I copied a valid key that way:
Code: ssh-copy-id user@server_IP
And it is working even after reboot... BTW: I do not know why my first way with ssh-copy-id root@server_IP worked, but not after reboot...
I'm not familiar with sudo - I see that in other Linux distributions it is more common - however I followed https://wiki.gentoo.org/wiki/Sudo
and installed app-admin/sudo, but did not figure out how to add a user to sudo.
Do I need to add a user to /etc/sudoers? What is the exact command for adding a user with root permissions?
Or, as I see in other distributions, do I need to create a sudo group and add the user to this group?
Quote:
> How good is your physical key security?

Please explain what 'physical key security' means? If it refers to my root password,
I need to make it more complicated... Need to find a good generator.
Or if it refers to the key generator - I used this command: ssh-keygen
Thanks
P.Kosunen Guru
Joined: 21 Nov 2005 Posts: 309 Location: Finland
Posted: Tue Feb 20, 2018 4:53 pm
pmam wrote:
> I'm not familiar with sudo - I see that in other Linux distributions it is more common - however I followed https://wiki.gentoo.org/wiki/Sudo
> and installed app-admin/sudo, but did not figure out how to add a user to sudo.

Code:
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL
You can uncomment that %wheel line in /etc/sudoers, then users in the wheel group can sudo.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Tue Feb 20, 2018 4:53 pm
pmam,
Your ssh key password is never sent over the network, not even encrypted.
The public part of your key is put on the remote systems you want to connect to.
You keep the private part err ... private. Ideally with a good pass phrase.
Anyone who has both the private part of the key and the pass phrase can connect to the remote servers as if they were you.
When the pass phrase is blank, they only need the private part of the key. This can only be guarded by keeping it in a secure location.
Out and about on your laptop is not secure. It must be somewhere you won't lose it and it's unlikely to be stolen.
The PermitRootLogin option in /etc/sshd_config can take at least three values that I know of.
=yes, allows keys and passwords.
=no, all root logins are denied.
=prohibit-password, only key based logins are permitted.
On Gentoo, only members of the wheel group are permitted to become root, so add your normal user to the wheel group.
Use the visudo command to edit /etc/sudoers to your taste. visudo is a wrapper around ${EDITOR} that does syntax checking.
You probably want
Code:
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Wed Feb 21, 2018 2:54 am
As a minor point, you do not need sudo su - to become root. If you have the right group membership to satisfy PAM, then /bin/su -, run from a user shell, will prompt for root's password and, once that password is given, provide a root shell. In this mode, you need to give root's password, which need not be (and should not be) the same as the user's normal password. This post is independent of whether the user shell is from ssh via password, ssh via key, or local console.
I strongly discourage using PermitRootLogin yes. In limited cases, PermitRootLogin prohibit-password is acceptable. The safest choice is PermitRootLogin no, then requiring /bin/su - from the user account afterward. You can further protect the system by setting PasswordAuthentication no in the sshd configuration, so that no users are permitted to use password authentication. Everyone must authenticate by key (which may or may not itself be password-protected).
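An added audit helper (not code from the thread or from OpenSSH) that checks an sshd_config for the two settings discussed above, PermitRootLogin and PasswordAuthentication, and shows the rule that trips people up here: sshd uses the first value it reads for a keyword, so a commented "# PermitRootLogin yes" line is not a setting and a duplicate later in the file is ignored. The function names, the "Keyword value" syntax assumption and the sample config are all constructed for this example.

```shell
#!/bin/sh
# Audit an sshd_config's global section for the hardened settings recommended
# in the thread. sshd applies the FIRST value it sees for a keyword; later
# duplicates are ignored, and "# Keyword value" lines are comments, not settings.
# Assumes the "Keyword value" syntax (the "Keyword=value" form is not parsed).

sshd_opt() {
    # $1 = config file, $2 = keyword (case-insensitive); prints the effective value
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }            # skip blank lines and comments
        tolower($1) == "match" { exit }            # global section ends at first Match block
        tolower($1) == key     { print $2; exit }  # first occurrence wins
    ' "$1"
}

audit_sshd() {
    # Prints one finding per option; returns 0 only when both are hardened
    # (PermitRootLogin no, PasswordAuthentication no), 1 otherwise.
    cfg=$1
    rc=0
    prl=$(sshd_opt "$cfg" PermitRootLogin)
    pwa=$(sshd_opt "$cfg" PasswordAuthentication)
    # OpenSSH defaults when a keyword is absent: prohibit-password / yes
    : "${prl:=prohibit-password}" "${pwa:=yes}"
    case "$prl" in
        no)  echo "PermitRootLogin=$prl (ok: root must su from a user shell)" ;;
        prohibit-password|without-password)
             echo "PermitRootLogin=$prl (key-only root login; 'no' is safer)"; rc=1 ;;
        *)   echo "PermitRootLogin=$prl (weak: root password login over ssh)"; rc=1 ;;
    esac
    case "$pwa" in
        no)  echo "PasswordAuthentication=$pwa (ok: keys only)" ;;
        *)   echo "PasswordAuthentication=$pwa (weak: password login for every user)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample config (not a real server's): the commented-out line and
# the duplicate at the end are both ignored, so the effective values are no/no.
sample=$(mktemp)
printf '%s\n' '# PermitRootLogin yes' 'PermitRootLogin no' \
    'PasswordAuthentication no' 'PermitRootLogin yes' > "$sample"
audit_sshd "$sample"
rm -f "$sample"
```

Run it against a copy of the real file (e.g. /etc/ssh/sshd_config) to see which value sshd will actually use; a non-zero exit means at least one of the two options is not at the hardened setting.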