This is a small trick that SysAdmins do on servers, but you can take advantage of it in you home Linux machines.
The following small tutorial will demonstrate how you can disable the SSH logins for the unwanted users. It will work in Debian, Fedora, Ubuntu, Arch, openSUSE and pretty much all machines.
Why GNOME
You may ask why I am using the “GNOME Box” on title since that tip works everywhere and is SSL specific rather Desktop matter. Since all Distros and DE are using pretty much the same things (Linux, X, GCC, OpenSSL, Systemd -with Ubuntu & some other exceptions-, GNU Tools, etc), it makes no difference if I say Linux or Gnome. In my very personal opinion GNOME is an OS, no matter the distro is running on. All distros today are really good, and people tend to refer the DE they are using rather the distro name.
Simply as someone says “How to do *whatever* in Ubuntu”, I am using GNOME ;)
Virtual Network
I am using a Rawhide as a server in a Oracle Virtual Box, and Fedora 18 as client. This is exactly the same as any physical network, in intranet (home network) or web. The only difference is that in this case the connection is virtual. Whatever applies in Virtual Connection, applies -almost the same- for physical.
WHATS
For this tutorial you can think Rawhide as you home computer/server and Fedora 18 as your laptop/another machine. So your home computer is also the remote/server box. I will show you how you can
1. Login to your server without asking for password
2. Block all logins, but yours.
This is a strongly recommended if you are running an SSH Server.
Use Cases
The most common use is for students that are on class, and they want to access they’re home computer, for managing Torrents Downloads or whatever else. You can find many other real world examples ;)
Steps
I’ll be a little more explainable than have to be, since there are people that are starting from zero.
1. Set up an SSH Server
2. Create SSH Directories on Remote
3. Generate Private and Public Keys on Local
4. Upload Public Key on Remote
5. Test it!
6. Disable Password Logins in Server
1. Set up a SSH Server
First we need to run an SSH server on our home/remote machine.
I think all distros ship SSH by default but if not you can try to install it.
$ sudo yum/apt-get install openssh-server
Then we need to start it
$ sudo server sshd start -OR- systemctrl start sshd.service
If you reboot your machine, sshd won’t auto start. Depending your distro you can auto start it by:
$ sudo systemctl enable sshd.service -OR- chkconfig sshd on
On Systemd boxes you can check if the service is enable by
$ systemctl list-unit-files --type=service | grep -i sshd
On SysV systems you can try, but I am not sure if it will display it.
$ chkconfig --list | grep -i sshd
By now you have a running SSH server. Test it. In you local machine.
$ ssh [your_remote_username]@[the_remote_machine_ip]
2. Create SSH Dir on Remote
Now you need to create the SSH directory, if doesn’t exist, to upload a new public key.This directory is used to authenticate key-based authentication when using SSH. On remote machine:
$ mkdir ~/.ssh $ chown [your_username]:[your_username] ~/.ssh $ chmod 700 ~/.ssh
3. Generate Private and Public Keys in Local
In your local machine you now have to generate a Private Key. If you already have a key you can use this.
$ ssh-keygen -t rsa
Set the filename to be
[your home directory]/.ssh/foo_rsa
If you choose to enter a password, the you will have to provide this password to use the key, that I guess you don’t want to.This will create your public (foo_rsa.pub) and private (foo_rsa) keys. By now you have the SSH keys in your local machine.
4. Upload Public Key in Remote
Next step is to copy our public key from our local machine to the remote. We will use Secure Copy tool for this. In local type:
$ scp ~/.ssh/foo_rsa.pub [server_username]@[your_server_ip]:~/.ssh/authorized_keys
5. Test it!
We are almost done. Just give a try. If all good, you have to login without be asked for a password. In local:
$ ssh [username]@[server_address] -i [your_home_directory]/.ssh/foo_rsa
If bash complains about Bad Authentication just change the permissions to the key
$ chmod 600 ~/.ssh/foo_rsa
To save some time instead of importing the key every time (you need that if you try from another pc), lets make it permanent. In you local:
$ gedit ~/.ssh/config
Insert:
Host [your_server_address] IdentityFile ~/.ssh/foo_rsa
And try again to login:
$ ssh [username]@[server_address]
If everything is okay so far, lets disable the passwords authentication from server.
6. Disable Password Logins in Server
Also maybe your provider isn’t so friendly and won’t fix it for you. So you will lose everything ;)
In remote machine edit:
$ sudo vi /etc/ssh/sshd_config
Un-comment PasswordAuthentication and set the value to no. It should look something like:
... # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no ...
Done! Just restart the SSH service in remote
$ sudo service sshd restart
If you try now to login as another user, you will get a message that public key was denied. So none that hasn’t your public key can’t login to your machine. Just be sure to backup it somewhere you will never lose it. Maybe in your email, so you can always have it with you and access your server/home machine from anywhere.
If you need root access you can make the above procedure for root as well, but not really recommended. Instead you can add your user to the sudoers file.
Add User to Sudoers
In your remote server:
$ visudo -f /etc/sudoers
and add
... ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL [your_username] ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ...
It is important to edit this file with visudo command to ensure there will be no mistakes (ie just a typo). If you do, you might be lock out from the machine.
This is a nice trick mostly useful for web-servers, but not only. Securing like this your home-server is also a good idea. There are many more things you can mention, but the above will do the job. If I have missed something critical please someone correct me :)
SysVinit to Systemd Cheatsheet
A quick reference for translating SysV commands to Systemd