Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
SSH connection with public key does not persist?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
pmam
Veteran
Veteran


Joined: 30 Dec 2013
Posts: 1145

PostPosted: Tue Feb 20, 2018 9:03 am    Post subject: SSH connection with public key does not persist? Reply with quote

I established ssh with public key and afterword changed to 'PermitRootLogin no'.
BTW: I choose 'passphrase blank', so I can connect to server without password - Please inform if it is safe enough or needed here password?
All the above worked ok but after reboot, I was asked to enter password (that denied),
and need to repeat on this command to establish public key again (by changing 'PermitRootLogin yes':
Code:
ssh-copy-id root@server_IP

Then it works again. Please advise how can establish persist ssh connection?
_________________
“You can take our property, our sweet homes, even our cloths...
But don't touch the streets, Ah, That's NO, NO, NO!
The streets are our @world's compilable kernel ...”
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42576
Location: 56N 3W

PostPosted: Tue Feb 20, 2018 10:06 am    Post subject: Reply with quote

pmam,

You need the other option to PermitRootLogin. Its the default actually.

A passwordless key is OK at the server end. It can't tell.
If someone were to steal your private key, they would have ssh access to wherever you use that key.
How good is your physical key security?

Safe depends oh your level of paranoia.
I would set PermitRootLogin No, use keys with strong pass phrases to log in as a user and use
Code:
sudo su -
when I needed to be root.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 6967

PostPosted: Tue Feb 20, 2018 1:19 pm    Post subject: Re: SSH connection with public key does not persist? Reply with quote

pmam wrote:
I established ssh with public key and afterword changed to 'PermitRootLogin no'.
Code:
ssh-copy-id root@server_IP


If you set PermitRootLogin no, then you don't need to copy any key to root@server_IP, because that key is never use.

To do what you try to do, you should either:
* use root account, but with PermitRootLogin yes
* use a user account with PermitRootLogin no, then you connect to it with ssh user@server_IP and su when you have login.
so it mean you should copy a valid key to use to user@server_IP and not root@server_IP
Back to top
View user's profile Send private message
pmam
Veteran
Veteran


Joined: 30 Dec 2013
Posts: 1145

PostPosted: Tue Feb 20, 2018 4:31 pm    Post subject: Reply with quote

Quote:
If you set PermitRootLogin no, then you don't need to copy any key to root@server_IP, because that key is never use.

I see my stupid mistake... Now I choose:
Quote:
* use a user account with PermitRootLogin no, then you connect to it with ssh user@server_IP and su when you have login.

So I copied valid key that way:
Code:
ssh-copy-id user@server_IP

And it is working even after reboot... BTW: Do not know why my first way with ssh-copy-id root@server_IP worked, but not after reboot...

I'm not familiar with sudo - see that in other linux's dist it is more common - however I followed https://wiki.gentoo.org/wiki/Sudo
and installed app-admin/sudo, but did not figure out how to add user to sudo.
Need to add a user to /etc/sudoers? What is the exact command for adding user with root permissions?
Or I see in other dist that need to create sudo group and add user to this group?

Quote:
How good is your physical key security?

Please explain what 'physical key security' does mean? If it refers to my root password -
I need to make it more complicated... Need to find a good generator
Or if it refers to the key generator - I used this command: ssh-keygen

Thanks
_________________
“You can take our property, our sweet homes, even our cloths...
But don't touch the streets, Ah, That's NO, NO, NO!
The streets are our @world's compilable kernel ...”
Back to top
View user's profile Send private message
P.Kosunen
Guru
Guru


Joined: 21 Nov 2005
Posts: 309
Location: Finland

PostPosted: Tue Feb 20, 2018 4:53 pm    Post subject: Reply with quote

pmam wrote:
I'm not familiar with sudo - see that in other linux's dist it is more common - however I followed https://wiki.gentoo.org/wiki/Sudo
and installed app-admin/sudo, but did not figure out how to add user to sudo.

Code:
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL


You can uncomment that %wheel line from /etc/sudoers, then users in wheel group can sudo.


Last edited by P.Kosunen on Tue Feb 20, 2018 4:53 pm; edited 1 time in total
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42576
Location: 56N 3W

PostPosted: Tue Feb 20, 2018 4:53 pm    Post subject: Reply with quote

pmam,

Your ssh key password is never sent over the network, not even encrypted.
The public part of your key is put on the remote systems you want to connect to.

You keep the private part err ... private. Ideally with a good pass phrase.
Anyone who has both the private part of the key and pass phrase can connect to the remote servers as if they were you.
When the pass phrase is blank, they only need the private part of the key. This can only be guarded by keeping it in a secure location,
Out and about on your laptop is not secure. It must be somewhere you won't lose it and its unlikely to be stolen.

The PermitRootLogin option in /etc/sshd_config can take an least three values that I know of.
=yes, allows keys and passwords.
=no, all root logins are denied.
=prohibit-password only key based logins are permitted.

On Gentoo, only members of the wheel group are permitted to become root, add your normal user to the wheel group.
Use the visudo command to edit /etc/sudoers to your taste. visudo is a wrapper around ${EDITOR} that does syntax checking.

You probably want
Code:
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL

_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13498

PostPosted: Wed Feb 21, 2018 2:54 am    Post subject: Reply with quote

As a minor point, you do not need sudo su - to become root. If you have the right group membership to satisfy PAM, then /bin/su -, run from a user shell, will prompt for root's password and, once that password is given, provide a root shell. In this mode, you need to give root's password, which need not be (and should not be) the same as the user's normal password. This post is independent of whether the user shell is from ssh via password, ssh via key, or local console.

I strongly discourage using PermitRootLogin yes. In limited cases, PermitRootLogin prohibit-password is acceptable. The safest choice is PermitRootLogin no, then requiring /bin/su - from the user account afterward. You can further protect the system by setting PasswordAuthentication no in the sshd configuration, so that no users are permitted to use password authentication. Everyone must authenticate by key (which may or may not itself be password-protected).
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum