6

After reading this similar question, I'm unclear how to require SSH keys for a user, while denying SSH access to root (key or password). I'll use sudo after logging in as a user if I need to be root.

I know how to require SSH keys:

PermitRootLogin without-password

I know how to disable user 'root' from logging in:

PermitRootLogin no

I know how to whitelist a user:

AllowUsers user

I don't know how to put this all together (or if it's even necessary? - SSH key may be good enough). I would normally solve an answer like this through trial and error, but I'm afraid I'll lock myself out of this server...

Tom Brossman
  • 13,297

1 Answer

7

If you want to disallow password logins, then just set PasswordAuthentication no in the sshd_config on the server.

I don't recall exactly, but I think at least no root login is the default.

Attempting to log in as any user on the system who does not have your public key in their ~/.ssh/authorized_keys will ask for the password, whether or not a password is set or a shell is available, if password login has not been disabled.

I think what you want is simply:

PasswordAuthentication no
PermitRootLogin no

This will disallow any root login, either with SSH key or password, and will require users to log in with a valid key, as included by having the public key in that user's ~/.ssh/authorized_keys file.

dobey
  • 41,650
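
For the lock-out worry in the question, a candidate config can be checked before sshd ever reads it. The script below is an added example, not part of the question or the answer above; the function names `effective_value` and `audit_sshd_config` are hypothetical, and it assumes a single file with no Include directives, reading only the global section before any Match block.

```shell
#!/bin/sh
# Added example: static check of an sshd_config-style file (not sshd itself).
# Assumptions: Include files are not followed, and only the global section
# before the first Match block is read.

# Print the global value of keyword $2 in file $1, or "unset" if absent.
# sshd uses the first value it obtains for a keyword, and keywords are
# case-insensitive, so the first match wins here too.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); found = 0 }
        /^[ \t]*(#|$)/ { next }              # comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/); if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + 1); gsub(/^[ \t=]+|[ \t]+$/, "", val)
            if (key == "match") exit         # per-user overrides start here
            if (key == want) { print val; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 only if the file sets the two directives from the answer above.
# "unset" fails on purpose: sshd would then fall back to its built-in default.
audit_sshd_config() {
    rc=0
    for pair in PasswordAuthentication:no PermitRootLogin:no; do
        key=${pair%%:*}; expected=${pair#*:}
        actual=$(effective_value "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "ok    $key $actual"
        else
            echo "FAIL  $key is '$actual', expected '$expected'"; rc=1
        fi
    done
    return "$rc"
}

# Demo on a constructed candidate config (sample data, not from a real host).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'PasswordAuthentication no' \
    'permitrootlogin no' 'PermitRootLogin without-password' > "$sample"
audit_sshd_config "$sample"
rm -f "$sample"
```

On the server itself, `sshd -t` checks the real file for syntax errors and `sshd -T` prints the settings sshd will actually use, including Include and Match handling. Keep an existing session open while reloading and confirm a key login from a second terminal before closing it.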