SSH key working fine, but after logout from root and back for root again it ask for pass

February 2, 2017 2.1k views
Linux Commands Security Debian
87cd3dbc7d416da248a0fd48f0f26f2d4bd300ba
By:
marcosmendes

I have a ssh key working fine, i can login as root user without password. So, i created a new user, when i log in it and be back for root again, root ask for password, but i don't know because i'm using ssh key for login as root.

i try edit config /etc/ssh/sshd_config and updated the following line:

PermitRootLogin yes

to

PermitRootLogin without-password

but no success, i continue being ask for root password. Can someone help me out on this problem?

Log In to Comment
2 Answers
jtittle1 February 2, 2017
Accepted Answer

@marcosmendes

Setting PermitRootLogin to without-password means that the root user must login using a public key. If you're trying to run su root to become root from different users account, you will get prompted for a password.

You'd be better off creating a new user, setting up their environment, and adding them as a sudo user. Of course, you're still going to be prompted to authenticate when you run sudo as well. If you weren't then anyone that was able to login to that account would have free range to run root level commands without any secondary authentication.

Setting up a Sudo User

I'll use myuser as the username of the new user in this example, so wherever you see myuser, you would simply substitute in the username of your choice.

1). Create a Home + .ssh Directories

mkdir -p /home/myuser/.ssh

2). Create a New User + Assign the Home Directory

useradd -d /home/myuser myuser

3). Create the authorized_keys File

touch /home/myuser/.ssh/authorized_keys

4). Setup Correct Permissions

chown -R myuser:myuser /home/myuser \
&& chmod 700 /home/myuser/.ssh \
&& chmod 644 /home/myuser/.ssh/authorized_keys

5). Add Public Key to authorized_keys

You'd simply paste in your public key, then hit CTRL+X and hit enter to save.

nano /home/myuser/.ssh/authorized_keys

6). Add a Password for myuser

passwd myuser

With the above setup, you can now SSH in using:

ssh myuser@DROPLETIP -i /path/to/local/private_key

If you setup a passphrase on the key itself, you'd enter it in and once logged in, you start off with just basic permissions. You can't run root level commands until you prefix those commands with sudo.

If you try to run a root command, it'll fail -- i.e.

apt-get upgrade

You would need to use:

sudo apt-get upgrade

and when prompted, enter in the password for myuser -- the command will then execute.

SSH Keys exist to get in you -- after that, passwords do come in to play, especially when you're using either su or sudo.

The point is to not have to login as root at all -- you should login as the sudo user and escalate using the sudo prefix on each command from.

Reply
  • marcosmendes February 2, 2017

    Thank you so much @jtittle.
    Your answer was very clear, i understand now, thanks for help me to figure out

  • jamieson February 3, 2017

    This is exactly the right answer. (It's exactly how Userify does it, too.) You can shorten this up a bit. do useradd -m myuser first, and then mkdir /home/myuser/.ssh, write the authorized_keys file (as root, no need to touch). Great explanation @jtittle.

    I'd add one thing - after you have your account set up, test it by logging in with myuser and then sudo passwd -l root. That will lock the user account and prevent login (while not logging you out, because you're logging in as myuser and ensuring you can access sudo.)

    Then, as @jtittle pointed out, the goal is to get to not ever using root again, and not ever using passwords again.

    • jtittle1 February 3, 2017

      @jamieson - Thanks much, appreciate it!

      If this wasn't a mini-guide, I'd of suggested writing the file directly, though I wanted to show a more in-depth overview of what could be done before going the shorter route.

      As for locking the root account, definitely a welcome suggestion! If my original reply could be edited, I'd throw that in there too as once sudo is properly setup, there's really no need for root in the majority of situations. It's more an initial need and shouldn't be relied upon indefinitely.

      Ultimately, if there's one less person using root as the primary means of managing their server, I've done at least one good deed :-).

      • jamieson February 3, 2017

        Ultimately, if there's one less person using root as the primary means of managing their server, I've done at least one good deed :-)

        Well said :)

idkjs April 29, 2018

I would add/edit to this awesome post by noting that the steps above will lose your prompt settings and that you could do the exact same thing using useradd rather than adduser. See https://askubuntu.com/questions/345974/what-is-the-difference-between-adduser-and-useradd

So the steps without running into the blank prompt would look like this.

1) Create user using adduser assigning to home directory. you will be prompted to create a password so you dont need the passwd myuser step above.

adduser --home /home/myuser myuser

2) Create home/myuser/.ssh directory

mkdir /home/myuser/.ssh

3) Create the authorized_keys File

touch /home/myuser/.ssh/authorized_keys

4). Setup Correct Permissions

chown -R myuser:myuser /home/myuser \
&& chmod 700 /home/myuser/.ssh \
&& chmod 644 /home/myuser/.ssh/authorized_keys

5). Add Public Key to authorized_keys

You'd simply paste in your public key, then hit CTRL+X and hit enter to save.

nano /home/myuser/.ssh/authorized_keys

With the above setup, you can now SSH in using:

ssh myuser@DROPLETIP -i /path/to/local/private_key and when you log in you will a proper colorized prompt rather as set in default root configs, if you want it.

Great post! Thanks for sharing.

Reply
Have another answer? Share your knowledge.

Related Questions