The Geek Diary

Allow root ssh login with public key authentication only

by admin

The Basics

An SSH server can authenticate a connecting client in several ways. Password-based authentication is the most popular method because it is the easiest, but it is not very secure. Passwords are exchanged using secure mechanisms; however, for ease of use they are generally not complex or long, which lets an attacker break them with brute-force or dictionary attacks. In such scenarios, SSH keys provide a secure and reliable means of authenticating clients.

The SSH server uses a public key cryptography scheme to authenticate users. In this scheme, a pair of keys, a public key and a private key, is generated for authentication. As the name suggests, the private key is kept secret by the client, because its compromise can lead to someone logging in to the server without any additional authentication.

The public key corresponding to the client’s private key is not kept secret and is copied to the systems the user logs in to. The private key is used to decrypt the message encrypted using the associated public key of the client. Using the key pair, we can also enable password-less authentication. The trusted public key of the client is stored in a special file named authorized_keys in the home directory of the user account.

When a client attempts to authenticate to the SSH server using keys, the server issues a challenge using the client’s public key stored on the server. On successfully decrypting the challenge using the client’s private key, the user gets access to the shell of the server.

Configure public key only authentication for ssh

1. As root, edit the sshd daemon configuration file (/etc/ssh/sshd_config).

2. Modify the PermitRootLogin and the PubkeyAuthentication parameters to have the following values:

PermitRootLogin without-password
PubkeyAuthentication yes

Setting the PermitRootLogin directive to without-password, as shown above, allows only key-based ssh login to the root account.

3. Verify that the syntax of the sshd_config configuration file is correct before restarting the sshd daemon.

# sshd -t

The above command should return nothing. This means the configuration file is syntactically correct and you can restart the sshd daemon without any issue.

4. Restart the sshd daemon:

# service sshd restart

or

# systemctl restart sshd
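
sshd uses the first value it reads for a keyword, so a PermitRootLogin line appended below an existing one has no effect even though sshd -t passes. The script below is an added example, not part of the original article; the function names effective and root_key_only and the sample file are made up here, and it reads only the global section of one file (no Include, no Match).

```shell
#!/bin/sh
# Added example (not from the original article): check which value sshd will
# actually use for the two directives set in step 2.
# sshd keeps the FIRST value it reads for a keyword, so an earlier
# "PermitRootLogin yes" silently wins over a line appended further down.
# Assumptions of this sketch: Include files are not followed, and parsing
# stops at the first Match block, so only the global section is checked.

# effective KEYWORD FILE -> prints the first global value of KEYWORD
effective() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        { sub(/=/, " ") }                    # accept "Keyword=value" as well
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == want { print $2; exit }   # keywords are case-insensitive
    ' "$2"
}

# root_key_only FILE -> exit status 0 only if root is limited to keys
root_key_only() {
    prl=$(effective PermitRootLogin "$1")
    pka=$(effective PubkeyAuthentication "$1")
    case "$prl" in
        # prohibit-password is the newer name (OpenSSH 7.0+) for without-password
        without-password|prohibit-password) ;;
        *) echo "PermitRootLogin is '${prl:-unset}'" >&2; return 1 ;;
    esac
    # PubkeyAuthentication defaults to yes when it is not set at all
    [ "${pka:-yes}" = "yes" ] || { echo "PubkeyAuthentication is '$pka'" >&2; return 1; }
}

# Constructed sample: the new line was appended below an existing "yes"
demo=$(mktemp)
printf '%s\n' '# constructed sample sshd_config' \
    'PermitRootLogin yes' 'PubkeyAuthentication yes' \
    'PermitRootLogin without-password' > "$demo"
root_key_only "$demo" || echo "root is NOT key-only in $demo"
rm -f "$demo"
```

On a live host, sshd -T prints the effective configuration after Include and Match processing, which covers the cases this sketch skips.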

© 2023 · The Geek Diary
