Authentication via PEM file without root user
- March 16, 2017
- M M Arif
A year or so ago i wrote how to create PEM file and login to your server with it to take advantage of disabling password based logins.
Today i am taking it a step further and disabling root user to login at all. For this we need to create new user. Also i hope you have your root password somewhere safe. It will be used only for doing root stuff after login to the server when needed. This user we add will have basic privileges. Because i want to make sure we have another step for going to the root user for any commands to be run.
From the link above, please follow till step 4. Skip the command ssh-copy-id in step 3. We will copy it later after creating new user. Also that’s it from that post.
1- Now login to your server(CentOS) and type:
If you are on Ubuntu server, passwd command is not required as adduser will ask for password.
Now lets copy the public key to this new user account.
2- Switch/open to the tab(terminal) on your local machine and run:
ssh-copy-id -i trb.pub TRB@188.8.131.52
Change the key name and ip address to yours. Enter password for the user created above.
3- Login to the server with new user account. Hope you make it so far and all is good.
ssh -i trb.pub TRB@184.108.40.206
4- Switch to root by su and enter the root password. Open sshd_config for editing:
5- Change these lines(these lines exists in sshd_config):
PasswordAuthentication yes PermitRootLogin yes
PasswordAuthentication no PermitRootLogin no
6- If you prefer to change the port which i do, can do so. After that restart sshd.
systemctl restart sshd
If you did change the port, then login command will need to know the port too. e.g port 2151. Try it in another terminal window/tab. If you login with it, then you configured things properly.
ssh -p 2151 -i trb.pub TRB@220.127.116.11
I know you have that itch feeling to test with different port or user or root user. Go ahead and try it.
Summary : we created PEM file, a new user, disabled root login, password based logins and port(if you did).