SSH connection with public key does not persist?

pmam · Veteran Joined: 30 Dec 2013 Posts: 1145

I established ssh with public key and afterword changed to 'PermitRootLogin no'.
BTW: I choose 'passphrase blank', so I can connect to server without password - Please inform if it is safe enough or needed here password?
All the above worked ok but after reboot, I was asked to enter password (that denied),
and need to repeat on this command to establish public key again (by changing 'PermitRootLogin yes':

NeddySeagoon · Posted: Tue Feb 20, 2018 10:06 am Post subject:

pmam,

You need the other option to PermitRootLogin. Its the default actually.

A passwordless key is OK at the server end. It can't tell.
If someone were to steal your private key, they would have ssh access to wherever you use that key.
How good is your physical key security?

Safe depends oh your level of paranoia.
I would set PermitRootLogin No, use keys with strong pass phrases to log in as a user and use

krinn · Watchman Joined: 02 May 2003 Posts: 7470

pmam · Veteran Joined: 30 Dec 2013 Posts: 1145

P.Kosunen · Guru Joined: 21 Nov 2005 Posts: 309 Location: Finland

NeddySeagoon · Posted: Tue Feb 20, 2018 4:53 pm Post subject:

pmam,

Your ssh key password is never sent over the network, not even encrypted.
The public part of your key is put on the remote systems you want to connect to.

You keep the private part err ... private. Ideally with a good pass phrase.
Anyone who has both the private part of the key and pass phrase can connect to the remote servers as if they were you.
When the pass phrase is blank, they only need the private part of the key. This can only be guarded by keeping it in a secure location,
Out and about on your laptop is not secure. It must be somewhere you won't lose it and its unlikely to be stolen.

The PermitRootLogin option in /etc/sshd_config can take an least three values that I know of.
=yes, allows keys and passwords.
=no, all root logins are denied.
=prohibit-password only key based logins are permitted.

On Gentoo, only members of the wheel group are permitted to become root, add your normal user to the wheel group.
Use the visudo command to edit /etc/sudoers to your taste. visudo is a wrapper around ${EDITOR} that does syntax checking.

You probably want

Hu · Moderator Joined: 06 Mar 2007 Posts: 21631

As a minor point, you do not need sudo su - to become root. If you have the right group membership to satisfy PAM, then /bin/su -, run from a user shell, will prompt for root's password and, once that password is given, provide a root shell. In this mode, you need to give root's password, which need not be (and should not be) the same as the user's normal password. This post is independent of whether the user shell is from ssh via password, ssh via key, or local console.

I strongly discourage using PermitRootLogin yes. In limited cases, PermitRootLogin prohibit-password is acceptable. The safest choice is PermitRootLogin no, then requiring /bin/su - from the user account afterward. You can further protect the system by setting PasswordAuthentication no in the sshd configuration, so that no users are permitted to use password authentication. Everyone must authenticate by key (which may or may not itself be password-protected).