New user question: How do I change from password to SSH login?

I’ve been running Mail-in-a-Box on a DO droplet for approx. 1 year. When I initially set it up, I wasn’t sure how to set up and install the ssh function, so I went with password. Up till now I have mostly accessed MIAB for updates from the DO console from either a Windows machine at work or a Windows machine at home. Tonight I tried to switch over to password by following the instructions at DO on how to add ssh keys. I created a key with PuTTY, added the key to my DO account, and following “add to existing droplet” I got the results indicated in the tutorial.

Number of key(s) added: 1

Now try logging in to the machine, with: “ssh ‘username@203.0.113.0’”
and check to make sure that only the key(s) you wanted were added.

When I go back to PuTTY to log in with the ssh key I get the following

Server refused our key

my next step was to see which keys were there, so I ran

ls -al ~/.ssh

I get

total 24
drwx------ 2 root root 4096 Nov 20 21:06 .
drwx------ 8 root root 4096 Nov 27 2019 ..
-rw------- 1 root root 400 Nov 20 21:06 authorized_keys
-rw------- 1 root root 1679 Nov 12 2019 id_rsa_miab
-rw-r--r-- 1 root root 400 Nov 12 2019 id_rsa_miab.pub
-rw-r--r-- 1 root root 222 Nov 20 21:06 known_hosts

I’m not sure where to go from here. Did I add the keys wrong? Did they not get added at all?

Any help would be greatly appreciated.

I ran

nano ~/.ssh/authorized_keys

and saw that I have a key in the directory, but I can’t find one on my machine that matches it. Can I just use nano and add a new key by copy/pasting the public key into the server?
I followed the link at https://docs.fuga.cloud/how-to-add-extra-ssh-key-pairs-to-an-instance and it showed me how to add the extra key line using nano. Added the extra line, closed out that session, verified I had the right private key saved, and tried to access using ssh and… it worked. So I figured it out.

I’m going to leave this up in case someone else has the same problem.

Are you using a user other than root to log into the server?

Please check the output of the following on your server matches the configuration output printed below:

grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no

The root user should not be used to log in using ssh.

1 Like

Then how do I perform maintenance? Everything I’ve seen here has said ssh is better than password, and I’ve been using root and password for the last year. So what is the alternative?

1 Like

The problem with logging in as root is that if your password or ssh key pair are compromised, then someone will gain root level access to your server, and will then be able to do whatever they want.

You need to create a separate user for logging in.

Running the below command will create a new user called username, but replace username with a different one (e.g., crusemm, or whatever works for you).

root@servername:~# adduser username

The command will ask numerous questions, but the most important one is the password. The password will not be used for logging in through ssh, because that login option will be disabled in a later step.

The password will be used to perform maintenance functions on the server, but protects from attackers gaining root access to the server because they have limited ability to brute-force from the server’s command line. It is recommended to use a password of at least 16 characters with upper-case, lower-case, numbers, and at least one symbol, but high entropy is less of a requirement because the server will not allow brute-forcing as a viable option for discovering a password.

Linux manages permissions through users and groups. This access is for reading, writing, and executing files and directories on the server.

Your username should be a member of the sudo group and the adm group:

root@servername:~# adduser username sudo
root@servername:~# adduser username adm

The most important of the two is sudo. Users in this group make use of the sudo command, which will execute commands after it with root level privileges.

Add your public key to the username profile:

root@servername:~# mkdir /home/username/.ssh
root@servername:~# nano /home/username/.ssh/authorized_keys

Set permissions so that sshd will allow username to log in:

root@servername:~# chown -R username:username /home/username/
root@servername:~# chmod 750 /home/username/
root@servername:~# chmod 600 /home/username/.ssh/authorized_keys

(Note, it has been a long time since I used PuTTY, so maybe some things have changed.)

From your PuTTY window, click the upper left-hand corner and select ‘New session…’ from the drop-down menu. Log in using the same key used before but use username for logging in instead of root.

Please confirm if you are able to log in with username and we can go through editing sshd_config by seeing the following command prompt, home directory, and creating the test file:

username@servername:~$ ll
total 24K
drwxr-x--- 3 username username 4.0K Nov 21 15:53 ./
drwxr-xr-x 4 root   root   4.0K Nov 21 15:51 ../
-rw-r--r-- 1 username username  220 Nov 21 15:51 .bash_logout
-rw-r--r-- 1 username username 3.7K Nov 21 15:51 .bashrc
-rw-r--r-- 1 username username  807 Nov 21 15:51 .profile
drwxr-xr-x 2 username username 4.0K Nov 21 15:53 .ssh/
username@servername:~$ sudo touch test
[sudo] password for username:
username@servername:~$ ll test
-rw-r--r-- 1 root root 0 Nov 21 15:50 test
username@servername:~$ sudo rm test

Otherwise, please post any issues you are having with completing the above instructions.

1 Like
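The key mismatch in the first post (a line in authorized_keys that matched nothing on the client) and the mkdir/nano/chown/chmod steps in the answer above are the two places a key login usually goes wrong. The following is an added shell example, not code from the thread or from Mail-in-a-Box: it installs a public key into a user's authorized_keys without duplicating it, tells you whether a given key is already there (ignoring the trailing comment), and checks the modes that sshd's StrictModes requires on the home directory, ~/.ssh and authorized_keys. The public key and the home path used in the demo are constructed placeholders; the chown only runs when the script is executed as root and the named user exists.

```shell
#!/bin/sh
# Added example (not from the thread): install a public key for a login user
# without duplicating it, and check the permissions sshd's StrictModes expects.
# Assumes standard ls -ld output; the key used in main() is constructed, not real.

# Reduce a public-key line to "<type> <base64>" so the comment at the end
# (user@laptop etc.) does not affect matching.
key_id() {
    printf '%s\n' "$1" | awk '{print $1, $2}'
}

# Return 0 if the key (ignoring its comment) is already in the file.
key_in_authorized() {
    file=$1; want=$(key_id "$2")
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        [ "$(key_id "$line")" = "$want" ] && return 0
    done < "$file"
    return 1
}

# Create ~/.ssh and authorized_keys with the modes sshd accepts, append the key
# only if it is missing, and hand ownership to the user when running as root.
install_pubkey() {
    home=$1; user=$2; pubkey=$3
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! key_in_authorized "$home/.ssh/authorized_keys" "$pubkey"; then
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    fi
    # chown needs root and an existing account (created earlier with adduser)
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:$user" "$home/.ssh"
    fi
}

# Return 1 if a path is group- or world-writable, the condition that makes
# sshd refuse to read authorized_keys.
not_group_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# 0 when the home directory, ~/.ssh and authorized_keys would all pass StrictModes.
check_key_perms() {
    home=$1
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        not_group_world_writable "$p" || { echo "bad mode on $p"; return 1; }
    done
    return 0
}

main() {
    tmp=$(mktemp -d)
    mkdir -m 750 "$tmp/home"            # same mode the answer above sets on /home/username
    # constructed example key, not a real one
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal0000000000 user@laptop'
    install_pubkey "$tmp/home" username "$key"
    install_pubkey "$tmp/home" username "$key"   # second run must not add a duplicate
    echo "key lines in authorized_keys: $(grep -c . "$tmp/home/.ssh/authorized_keys")"
    check_key_perms "$tmp/home" && echo "permissions OK"
    rm -rf "$tmp"
}

main
```

Run it as root with the real home directory after adduser, then test the new login from a second PuTTY session before closing the one you are in. If check_key_perms reports a bad mode, that is the usual cause of "Server refused our key" when the key itself is correct; sshd records the exact reason (bad ownership or modes, or no matching key) in /var/log/auth.log on Ubuntu.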

Followed instructions and created a new user, applied permissions, setup ssh access.
I know how to remove the root login via ssh. But what are the implications if I do that? At that point how do I get back root access in the future? Can I just do it the same way I removed it?

The root user will not be able to log in via SSH … there is no effect on the console login though, which is good.

This is the entire point of using a sudoer. The user who is given sudo permissions can do all tasks that root can do - they just need to authenticate. Oftentimes I simply switch to the root user with sudo.

Thanks so much to all of you for all of your help. I have taken your advice and made all of the suggested changes. Have a nice day and enjoy the Holidays (if it applies to you)

When you have to enter a lot of commands that require root privilege, you can elevate the session to root with the command sudo -i.

In the file /etc/ssh/sshd_config, set PermitRootLogin no and restart the ssh service with sudo service sshd restart.

1 Like
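sshd uses the first uncommented value it finds for a keyword, so appending PermitRootLogin no to the end of sshd_config changes nothing if an earlier line already sets it to yes. The following added shell example, not from the thread or from Mail-in-a-Box, reads the effective value the way sshd does and audits the two settings this thread is about, PermitRootLogin and PasswordAuthentication. The sample sshd_config it writes is constructed to show exactly that override trap.

```shell
#!/bin/sh
# Added example (not from the thread): read sshd_config the way sshd does,
# where the FIRST uncommented value of a keyword wins, and audit the two
# settings discussed above. The sample config written below is constructed.

# Print the value sshd will use for a keyword (case-insensitive, "Key value"
# or "Key=value"). Lines after the first Match block are skipped because they
# apply only to the matched users or hosts. Prints nothing if the keyword is
# unset, meaning sshd's compiled-in default applies.
effective_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { gsub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Return the number of settings that differ from the hardened value (0 = pass).
audit_sshd_config() {
    conf=$1; findings=0
    for pair in PermitRootLogin:no PasswordAuthentication:no; do
        key=${pair%%:*}; want=${pair#*:}
        have=$(effective_sshd_option "$conf" "$key")
        if [ "$have" != "$want" ]; then
            echo "finding: $key is '${have:-unset, sshd default applies}', expected '$want'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: the "PermitRootLogin no" appended at the end is
# silently overridden by the earlier "PermitRootLogin yes".
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's file
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication = no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
}

main() {
    conf=$(mktemp)
    write_sample_config "$conf"
    echo "effective PermitRootLogin: $(effective_sshd_option "$conf" PermitRootLogin)"
    audit_sshd_config "$conf" || echo "fix the findings, then run: sudo sshd -t && sudo service sshd restart"
    rm -f "$conf"
}

main
```

Point it at /etc/ssh/sshd_config after editing. Run sudo sshd -t before the restart: it exits non-zero on a syntax error, and restarting on a broken file can lock you out. On Ubuntu releases whose sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, a drop-in file there is read first and therefore wins, so audit those files as well. Keep the root session open until a login plus sudo with the new user has been confirmed.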
