How to deny root SSH login + require SSH key for user?
If you want to disallow password logins then just set PasswordAuthentication no in the sshd_config on the server.
I don't recall exactly, but I think at least no root login is the default.
Attempting to log in as any user on the system who does not have your public key in their ~/.ssh/authorized_keys will ask for the password, whether or not a password is set or a shell is available, if password login has not been disabled.
I think what you want is simply:
PasswordAuthentication no
PermitRootLogin no
This will disallow any root login, either with ssh key or password, and will require users to log in with a valid key, as included by having the public key in that user's ~/.ssh/authorized_keys file.
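A way to check a finished sshd_config against the advice in this answer before reloading sshd, added here as an example that is not part of the original answer. It parses the global section of the file with sshd's own first-occurrence-wins rule (an appended hardening line is silently ignored if an earlier line already sets the keyword), stops at the first Match block, fills in the OpenSSH 7.0+ defaults from sshd_config(5), and flags the lockout case the question is worried about: an AllowUsers line that omits the account you intend to keep using. The sample configs and the user names alice and bob are constructed for the demonstration.

```python
"""Audit the global section of an sshd_config for the settings recommended in
the answer above (PermitRootLogin no, PasswordAuthentication no, keys allowed).

Added example, not from the original question or answer. Keyword defaults follow
the sshd_config(5) manual for OpenSSH 7.0 and later; the sample configs below are
constructed for this demonstration.
"""
import re
from typing import Optional

# sshd_config(5) defaults (OpenSSH 7.0+). Older releases defaulted
# PermitRootLogin to "yes", which is why the value should always be set explicitly.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
_LINE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")


def parse_global_section(text: str) -> dict:
    """Return the effective global keyword values (lowercase keys).

    sshd honours the FIRST value it sees for each keyword, so a hardening line
    appended to the end of the file is silently ignored if an earlier line
    already sets that keyword. Parsing stops at the first Match block, whose
    settings apply only to matching connections.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


def audit(text: str, admin_user: Optional[str] = None) -> list:
    """Return findings as strings; an empty list means the config matches the advice.

    admin_user is the non-root account you intend to keep using (with sudo);
    if AllowUsers is present and omits it, that is a lockout in waiting.
    Patterns such as user@host are not expanded here; the check is literal.
    """
    cfg = parse_global_section(text)

    def get(key: str) -> str:
        return cfg.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if get("permitrootlogin") != "no":
        findings.append(f"PermitRootLogin is '{get('permitrootlogin')}', expected 'no'")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no': password logins still accepted")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled: key logins would fail too")
    allow = cfg.get("allowusers")
    if allow is not None:
        users = allow.split()
        if "root" in users:
            findings.append("AllowUsers lists root")
        if admin_user and admin_user not in users:
            findings.append(f"AllowUsers omits {admin_user!r}: you would lock yourself out")
    return findings


# Constructed sample: matches the answer; the Match block does not weaken the global rule.
SAMPLE_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice
Match User git
    PasswordAuthentication yes
"""

# Constructed sample: the appended "PermitRootLogin no" loses to the earlier "yes".
SAMPLE_SHADOWED = """\
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, text in (("hardened", SAMPLE_HARDENED), ("shadowed", SAMPLE_SHADOWED)):
        print(name, audit(text, admin_user="alice") or ["ok"])
```

On the real host, pair this with sshd's own checks: `sshd -t -f /path/to/sshd_config` validates the syntax, and `sshd -T` prints the effective configuration so you can confirm which of two conflicting lines actually won. Keep an existing session open while reloading sshd and open a second session to confirm key login still works before closing the first.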
Sanam Patel, updated on September 18, 2022
Comments
- Sanam Patel (over 1 year): After reading this similar question I'm unclear how to require SSH keys for user, while denying SSH access to root (key or password). I'll use sudo after logging in as a user if I need to be root. I know how to require SSH keys:
PermitRootLogin without-password
I know how to disable user 'root' from logging in:
PermitRootLogin no
I know how to whitelist a user:
AllowUsers user
I don't know how to put this all together (or if it's even necessary? - SSH key may be good enough). I would normally solve an answer like this through trial and error, but I'm afraid I'll lock myself out of this server...
- Sanam Patel (over 10 years): I think what's confusing me is that if I do this, then try to SSH in as root, I am asked for a password. I'm not expecting to see this since no root password was set and root can't log in? Is it normal for the server to ask for root's password even when root login is not possible?
- Sanam Patel (over 10 years): Thanks, I understand this now after the edit. Looks like PasswordAuthentication no breaks scp from another server to this machine, so I may skip that line. I could probably copy my private key to the originating server so it would work again with the target server but I'd rather not.
- dobey (over 10 years): Use ssh -A to forward the agent, only when you need to access other resources from the remote machine, with your private key.