Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

debuser
Post subject: SSH disable password login for root (only allow public key authentication)  |  Posted: Mon Jul 12, 2010 3:50 pm


SSH disable password login for root (only allow public key authentication)

SSH (Secure SHell) is a system that allows secure remote login to Linux/*BSD servers or VPS servers; traffic between the ssh client and server is encrypted, as are the username and password used to log in.
In certain scenarios, root password login only or global password login should be restricted to increase the security level of the intended VPS server. This is done in tandem with SSH Key authentication (see https://vpsie.com/ssh-key-authentication-linux-vps-server/) to avoid losing access.

In order for the root user to be able to log in, first of all make sure it's listed in AllowedUsers if this directive is being used in the ssh server configuration file /etc/ssh/sshd_config.

SSH: Disable password login for root user only


Second, change PermitRootLogin from yes/no to "without-password":
Code:
#PermitRootLogin yes
PermitRootLogin without-password

Quote:
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument
must be ``yes'', ``without-password'', ``forced-commands-only'',
or ``no''. The default is ``no''. Note that if
ChallengeResponseAuthentication is ``yes'', the root user may be
allowed in with its password even if PermitRootLogin is set to
``without-password''.

If this option is set to ``without-password'', password
authentication is disabled for root.

If this option is set to ``forced-commands-only'', root login
with public key authentication will be allowed, but only if the
command option has been specified (which may be useful for taking
remote backups even if root login is normally not allowed). All
other authentication methods are disabled for root.

If this option is set to ``no'', root is not allowed to log in.

Disable password authentication for all users in SSH


Another option is to disable password authentication for ssh globally, for all users.
Code:
...
PasswordAuthentication no
...

Quote:
PasswordAuthentication
Specifies whether password authentication is allowed. The default is “yes”.

Restart the ssh daemon and try again (leave one terminal up as backup).
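
The following shell check is an added example, not part of the original post: it reads an sshd_config and reports whether root can still be offered a password, including the ChallengeResponseAuthentication caveat from the quoted man page. The function names and both sample configurations are constructed for illustration, and the defaults it falls back on are assumptions noted in the comments.

```sh
#!/bin/sh
# Added example: audit the global sshd_config section for ways root could
# still authenticate with a password.

# effective KEYWORD DEFAULT  (config on stdin)
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Parsing stops at the first Match block.
effective() {
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/                  { next }   # commented-out directive
        tolower($1) == "match"      { exit }   # end of the global section
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    '
}

# audit_root_password_login  (config on stdin)
# Returns 0 when no password path is left for root, 1 otherwise.
# Defaults are assumptions: the first two follow the man page text quoted
# in the post, the third follows upstream OpenSSH sshd_config(5).
audit_root_password_login() {
    cfg=$(cat)
    root=$(printf '%s\n' "$cfg" | effective PermitRootLogin no)
    pass=$(printf '%s\n' "$cfg" | effective PasswordAuthentication yes)
    chal=$(printf '%s\n' "$cfg" | effective ChallengeResponseAuthentication yes)
    rc=0
    case "$root" in
        no|forced-commands-only) echo "OK: PermitRootLogin $root"; return 0 ;;
    esac
    if [ "$root" = yes ] && [ "$pass" = yes ]; then
        echo "FAIL: PermitRootLogin yes and PasswordAuthentication yes"; rc=1
    fi
    if [ "$chal" = yes ]; then
        echo "FAIL: ChallengeResponseAuthentication yes can still prompt root for a password"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: no password path for root (PermitRootLogin $root)"; fi
    return "$rc"
}

# Constructed sample: the setting from the post, challenge-response left at its default.
SAMPLE_WEAK='#PermitRootLogin yes
PermitRootLogin without-password'
# Constructed sample: the same setting with both password paths closed.
SAMPLE_HARD='PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no'

printf '%s\n' "$SAMPLE_WEAK" | audit_root_password_login || true
printf '%s\n' "$SAMPLE_HARD" | audit_root_password_login
```

On a live host, the output of `sshd -T` (run as root) can be piped into `audit_root_password_login` in place of the samples.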





prabu
Post subject: Re: SSH disable password authentication for root (only allow public key authentication)  |  Posted: Tue Feb 08, 2011 2:25 am

It is a nice sharing.............

