I have deployed my public key on to authorized keys.
All was fine till a couple of hours ago, when Logging in via SSH with RSA PK Auth
started prompting for a sudo password.
I checked Auth.log , and it says
Public Key Accepted.
One weird thing I noticed was, There were Millions of entries that logged
Opened a session for root
Immediately after It said
Public key accepted
Probably because it prompted me for a sudo password?
There are also millions of entries logging
Maximum login attempts reached for root @ port 472 from an IP I dont recognise
which were all blocked thanks to the firewall.
Also weird is, Once I do login,
When I run
ps -aux | grep ssh
I get a long list of root logins on the SSH process
I kill them, and they create a new one.
Why?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Accepted Answer
I Found the culprit!
It was a process called
hugepages
and it was doing
dev-hugepages.mount
on startup.
systemctl list-unit-files | grep hu
Gave it out
dev-hugepages.mount | static
sigpwr-container-shutdown.service | static
This, was running a shell script , to disable thp (Transparent huge page) on startup.
Like so:
sudo hugeadm --thp-never
This was one of the tweaks to memalloc for the Redis server on the VPS
** Solution : **
remove the shell script it ran from under
\etc\init.d
reboot droplet
thanks for pointing me to this :
That being said, it’s hard to tell what’s going on. It looks like something is being executed after login (authentication) and it’s attempting to run something that would require root or sudo, thus you’re being prompted to authenticate before whatever command is running tries to execute.
If you’re logged in as root and using sudo, i.e.
sudo [command]
… then you shouldn’t be prompted for a password as you’re already running as root, thus there’s no higher escalation.
If you’re logged in a as a non-root user and prefixing commands with sudo, then you’ll be asked to confirm that users password before the command executes – that’s by design. Without prompting for the users password, you’re effectively running as root and that defeats the purpose of a sudo user.
…
Public Key authentication has nothing to do with anything other than initial authentication between your computer and the server (or between two servers). If you’re being prompted at initial login, that’s because you’ve most likely put a passphrase on your key (which is ideal), but that’s as far as that goes.
…
As for the failed logins, seeing failures is normal as the IP of your Droplet is public and most likely belonged to a user before you had it. It’s common to see attempts to break in, and what this boils down to is security and properly securing your server.
Ideally, you should:
1). Create a sudo user;
2). Setup SSH keys for that user (with a passphrase on the key);
3). Set a password for the sudo user that differs from your passphrass;
4). Confirm that you’re able to login as the sudo user using the key.
5). Confirm that you’re able to run sudo [command] as the user, and it works;
6). Lock the root account so that it can’t be used to login.
When you run:
ssh user@hostname
… it’s not asking for a sudo password, it’s asking for the password associated with your private key. When you created your public/private key pair, you must have set a passphrase on it (which is good), so you’d need to enter in that passphrase to login.
The above applies if you’re using PuTTy on Windows or similar. On a Mac, you’d specify the path to your key using -i, i.e.
ssh user@hostname -i /path/to/privatekey
If it’s not asking for a key file, then it’s asking for the password of the user. If the user doesn’t have a password, then you won’t be able to login as that user and would need to login as root to change the users password using:
passwd username
Where username is the user you’re trying to login with.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.