I am new to Linux and I have a problem right now.

I built an RPi server with the Ubuntu Server LTS 24 OS.

I am trying to protect my server with SSH key-only authentication.

I made a keypair on my laptop (Ubuntu 24 OS), shared the public key with my server, and set the sshd_conf file like this.

```
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
```

It seems to be working for my laptop because it doesn't request a password.

So I tried to access the server from my PC (Ubuntu 24 OS), which doesn't have the private key of my laptop, to check that the server does not allow access with a password.

But it allows my PC to access my server, requesting the password.

I tried again to access my server as root from my PC through SSH and it didn't allow me.

So I understood that SSH key-only authentication is working only for root but not for other users.

Why is that?

I appreciate all the help you can provide me!

1 Answer

Assuming you have the regular sshd server installation on Ubuntu, the SSH authorization happens only for the user you shared your public key with. You can find the public key in:
/root/.ssh/authorized_keys for root
/home/<username>/.ssh/authorized_keys for other users

There are several ways you can authorize the same public key for a new user.

1- Enable PasswordAuthentication temporarily

You can temporarily change to PasswordAuthentication yes in the sshd_conf file.

```
ssh-copy-id <your-new-user>@<your-server-ip>
```

You will be prompted for the password. After the process is done, you can change back to PasswordAuthentication no.

2- Since you have access to the shell of your server, you can manually add your public key

On your laptop

  • cat ~/.ssh/id_rsa.pub and copy the public key to the clipboard

After connecting to your server as root, run these on your server.
Replace <username> with any other user created on your server.

```
# su <username>

$ mkdir -p ~/.ssh/
$ touch ~/.ssh/authorized_keys
$ chown -R $USER:$USER ~/.ssh/
$ chmod 700 ~/.ssh/
$ chmod 600 ~/.ssh/authorized_keys
```

Open the authorized_keys file in the nano editor

```
$ nano ~/.ssh/authorized_keys
```

Paste the public-key from clipboard by pressing CTRL+SHIFT+V
Then press CTRL+X
Then press Y
Then press ENTER


Also, the sshd server configuration includes files in:

Include /etc/ssh/sshd_config.d/*.conf

I would recommend you to check if there is any file in there.

aliefee
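The answer's last suggestion, checking the files pulled in by `Include /etc/ssh/sshd_config.d/*.conf`, matters because sshd uses the first value it obtains for each keyword and the `Include` line sits above `PasswordAuthentication no`. The script below is an added example, not part of the original answer: it walks a config in read order and reports where a keyword is first set. The function names `find_first` and `make_sample` and the drop-in `50-sample.conf` are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): find which file sets an sshd
# keyword first. sshd keeps the first value it reads for each keyword and
# expands Include in place, so a drop-in pulled in at the top of sshd_config
# wins over a line further down.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# find_first KEYWORD FILE [BASEDIR] -> prints "FILE:LINE: directive"; status 0 on a hit.
# The body is a subshell so each level of recursion keeps its own variables.
# Assumption: relative Include paths resolve against the top-level file's directory.
find_first() (
    want=$(lower "$1"); file=$2; base=${3:-$(dirname "$2")}; n=0
    [ -r "$file" ] || exit 1
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- ${line%%#*}; set +f      # split into words, comments dropped
        [ $# -gt 0 ] || continue
        key=$(lower "$1")
        case $key in
            match) exit 1 ;;    # simplification: conditional blocks are not evaluated
            include)
                shift
                for pat in "$@"; do
                    case $pat in /*) ;; *) pat=$base/$pat ;; esac
                    for f in $pat; do           # unquoted: glob expands in sorted order
                        find_first "$want" "$f" "$base" && exit 0
                    done
                done ;;
            "$want") printf '%s:%d: %s\n' "$file" "$n" "$*"; exit 0 ;;
        esac
    done <"$file"
    exit 1
)

# Constructed sample tree (file names and contents are made up for this demo).
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf 'PasswordAuthentication yes\n' >"$1/sshd_config.d/50-sample.conf"
    printf '%s\n' '# main file' 'Include sshd_config.d/*.conf' \
        'PubkeyAuthentication yes' 'PasswordAuthentication no' 'UsePAM no' \
        >"$1/sshd_config"
}

demo=$(mktemp -d)
make_sample "$demo"
find_first PasswordAuthentication "$demo/sshd_config"   # hit is in the drop-in
find_first UsePAM "$demo/sshd_config"                   # hit is in the main file
rm -rf "$demo"
```

On the server, `find_first PasswordAuthentication /etc/ssh/sshd_config` does the same walk over the real files; `sshd -T`, run as root, prints the effective configuration as sshd itself computes it and is the authoritative check.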