On a few of my test servers, I am logging in with the root user by SSH key exchange. In moving some of my servers public, I wanted to be able to login with a secondary user account with an SSH key and disable SSH login entirely for the root user. This took me longer than expected, but a google search on the subject shows quite a few people have the same struggles. I am performing this on Ubuntu Server 12.04 LTS.
Below is how to, create a new user, add to sudo group, generate RSA public/private pair, and disable root login:
I like the adduser as it create the home directory and requests the password immediately.
Add the user to sudoers
Copy the root entry, just replacing “root” with “username_here”
Now you will need to give your user full ownership of its home directory and subdirectories, this is important otherwise you’ll be unable to generate the RSA key pair.
sudo chown -R username_here /home/username_here
Next, we need to allow this user to login via SSH:
You will need to add a line “AllowUsers username_here”.
You will also need to change the value of “PermitRootLogin” to no.
Now we need to logout or exit the ssh session. Then login with your new user. Then run this command and follow the prompts. A password is not required:
Next, you will need to identify your local machines’ id_rsa.pub key. If you don’t have an RSA key pair yet, you’ll need to generate one. Windows instructions here, Mac or Linux instructions here. You need to copy the contents of the id.rsa.pub file and add it to the following file on your server:
Issue a “reload ssh” for good measure, logout and then try to login as root. You should see permission denied. Then try to login as your new user, you should be automatically logged in without a password prompt. Since you are a member of sudoers you can run “su” and enter the root credentials to run all commands during your session as root.
This accomplishes several things for us on the security end of things:
- You are no longer logging in as root. With or without a key, it is not recommended
- Root cannot login to SSH session, sorry brute force hackers
- If someone does happen to acquire your private id_rsa file, they still cannot have full root access to your server without the root sudo credential