Author Topic: ssh disable root login  (Read 8732 times)

0 Members and 1 Guest are viewing this topic.

Offline
***
ssh disable root login
« on: June 12, 2019, 08:39:37 PM »
I am a little confused about this whole root login no-no business.

If ssh config is set to NO for allowrootlogin then how do we login?

I created a su but the new su does not have root access if I try to see the root directory.

Right now, I login to shell using putty.  I use the root user and private key generated from putty.  And that works fine.  But everyone is saying using root is not a good idea.  So what do I do?

When I try using putty with a new su and the private key, it says server refused our key, please type in password.  So I type in the password and I am in.  But with no root access.


Offline
**
Re: ssh disable root login
« Reply #1 on: June 12, 2019, 09:04:55 PM »
the private was created with the root user and cant be used by another user.
If you want to use another user, follow the steps below:

1. useradd username
2. passwd username
3. usermod -aG wheel username

Please replace username with the name of the user you want to create

You can now use sudo to perform all administrative task

For example - sudo [COMMAND]

Offline
***
Re: ssh disable root login
« Reply #2 on: June 13, 2019, 03:15:12 PM »
Not true.  Private key was created without any user name input.  A matching private and public key is all that is needed.

Apparently, private key login is only used for root login.

Offline
***
Re: ssh disable root login
« Reply #3 on: June 13, 2019, 03:43:34 PM »
Okay, figured it out.

1. create new directory .ssh in /home/somenewuser/
2. create new file authorized_keys in /home/.ssh/ directory
3. paste new public key in /home/.ssh/authorized_keys file

Now login is possible with shell.   HOWEVER.....login to filezilla will only give you access to public_html

Offline
**
Re: ssh disable root login
« Reply #4 on: June 13, 2019, 07:29:01 PM »
Not true.  Private key was created without any user name input.  A matching private and public key is all that is needed.

Apparently, private key login is only used for root login.

Ok That fine.

However, please try to open the private key and you see the user writen as root@hostname.

This i can be seen more on amazon server.

Nevertheless its fine you have figured it out

Offline
***
Re: ssh disable root login
« Reply #5 on: June 13, 2019, 10:33:05 PM »
private key has no mention of root, ask anyone.

Offline
**
Re: ssh disable root login
« Reply #6 on: June 14, 2019, 09:43:24 AM »
I may be misunderstanding the question...if so forgive me.

The object of the exercise as far as my limited knowledge of web servers goes is this...

1. having ssh logins for users, in general, is a terrible idea for most web servers. That means, no user should be given ssh login ability unless you are prepared to spend a good deal of time making sure you are both capable and willing to really lock down the web server.

2. If the ssh login is just for a single user, or small group who you have excellent control over, then it's by far one of the most secure forms of communication between yourself and your server!

So the above two scenarios at first glance seem to completely contradict each other, however, that is not exactly a good illustration of the problem. The problem is that one of the most secure forms of communication (ssh) is potentially the most catastrophic to the server should it get hacked! Some of the issues are:

- users being able to see files that dont belong to them
- users potentially running dangerous commands
- ssh can still be brute forced

Whilst all of the above are not beyond fixing, i dont allow any SSH access to my webservers for anyone else but myself. If clients have use of filemanager, or even cms such as wordpress, i dont see any good reason why they need ssh/sftp access (or alternatively, ftp/ftps for that matter).

Now, in terms of root user access from terminal...

the reason we are told to disable "root user" ssh or shell access is

1.  just in case the root account gets hacked! Such a scenario would be catastrophic to your web server!
2.  so you cant stuff your system so easily when playing around on a live production system!

So the recommended alternative is to create a sudoer user...which has rights similar to root for most things, however, does not have access to high-level directories that can be used to completely destroy the server either intentionally or unintentionally.

sudoer should not be able to edit/write to root owned directories unless group permissions have been assigned that allow such access!

short and curly...create a sudoer administrator user and provide access to ssh for that user. Usually one then disables direct access to ssh by root.

Should you be in command shell via programs such as putty for example, then in order to gain root access, you then elevate your sudo user to temporarily gain root access using a few different methods...

1. sudo
2. sudo -i
3. su
4 sudo -s

I also am able on one of my systems change an existing user to root by typing "su root"

I also do not see any great advantage in using private key files either. Sure it makes brute forcing the server account directly almost impossible, if someone gets access to your keyfiles on your desktop pc (because home computers have such great reputations for getting viruses and trojans etc)....

Finally, i think there is some misconception about the "Control Panel" root user access, and normal shell/command prompt access. Disabling the root user shell access doesnt mean the control panel is going to stop functioning!

this is my understanding of the why and how.



« Last Edit: June 14, 2019, 10:03:20 AM by adamjedgar »

Offline
**
Re: ssh disable root login
« Reply #7 on: June 14, 2019, 09:07:07 PM »
I may be misunderstanding the question...if so forgive me.

The object of the exercise as far as my limited knowledge of web servers goes is this...

1. having ssh logins for users, in general, is a terrible idea for most web servers. That means, no user should be given ssh login ability unless you are prepared to spend a good deal of time making sure you are both capable and willing to really lock down the web server.

2. If the ssh login is just for a single user, or small group who you have excellent control over, then it's by far one of the most secure forms of communication between yourself and your server!

So the above two scenarios at first glance seem to completely contradict each other, however, that is not exactly a good illustration of the problem. The problem is that one of the most secure forms of communication (ssh) is potentially the most catastrophic to the server should it get hacked! Some of the issues are:

- users being able to see files that dont belong to them
- users potentially running dangerous commands
- ssh can still be brute forced

Whilst all of the above are not beyond fixing, i dont allow any SSH access to my webservers for anyone else but myself. If clients have use of filemanager, or even cms such as wordpress, i dont see any good reason why they need ssh/sftp access (or alternatively, ftp/ftps for that matter).

Now, in terms of root user access from terminal...

the reason we are told to disable "root user" ssh or shell access is

1.  just in case the root account gets hacked! Such a scenario would be catastrophic to your web server!
2.  so you cant stuff your system so easily when playing around on a live production system!

So the recommended alternative is to create a sudoer user...which has rights similar to root for most things, however, does not have access to high-level directories that can be used to completely destroy the server either intentionally or unintentionally.

sudoer should not be able to edit/write to root owned directories unless group permissions have been assigned that allow such access!

short and curly...create a sudoer administrator user and provide access to ssh for that user. Usually one then disables direct access to ssh by root.

Should you be in command shell via programs such as putty for example, then in order to gain root access, you then elevate your sudo user to temporarily gain root access using a few different methods...

1. sudo
2. sudo -i
3. su
4 sudo -s

I also am able on one of my systems change an existing user to root by typing "su root"

I also do not see any great advantage in using private key files either. Sure it makes brute forcing the server account directly almost impossible, if someone gets access to your keyfiles on your desktop pc (because home computers have such great reputations for getting viruses and trojans etc)....

Finally, i think there is some misconception about the "Control Panel" root user access, and normal shell/command prompt access. Disabling the root user shell access doesnt mean the control panel is going to stop functioning!

this is my understanding of the why and how.

I think your analysis make sense.

He didnt understand what i meant by the keys were created by the root user.I never said all private keys are created by the root user.

Nothwithstanding this, using the root user on the terminal makes working easier but also dangerous as root is the top most admin on the system.A compromise means whole system is compromised.

Also note, same way passowrds can be stolen, private keys can also be stolen