How do I ensure password auth is completely disabled?
I find it somewhat surprising in this day and age that password authentication as root is even an option, never mind the default…
So I created an SSH key, added it, and tried to use this instead. Curiously, it still asks me to enter a password when I create a node… why not just use my key? Argh
Using the API, I can start using the default ubuntu18.10 image without a password but it still uses a default one anyway.
6 Replies
In /etc/ssh/sshd_config:
PasswordAuthentication no
Then systemctl restart sshd.
I'd recommend doing it while logged in, and making sure (from another window) that you can log in using your ssh key. Just to be safe.
You still want root to have a password, and password-based login enabled for interactive (console, not sshd) login. This way if something goes wrong, you can connect using Lish and log in (Lish is essentially your server's console in a browser).
@latteisnotcoffee I have a StackScript that I use to disable the root account's password and password authentication.
The StackScript takes a list of GitHub usernames as a parameter and creates user accounts for each of those named users. The users have sudo access and their GitHub-registered SSH keys are added to the authorized_keys files.
You still have to provide a root password to provision the Linode disk, but the StackScript will nullify it (passwd -d).
@latteisnotcoffee I have another StackScript that allows you to provide UserData to the Linode. This StackScript takes a single userdata parameter which should be the Base64 encoded userdata. The userdata contents can be optionally multi-part mime'd and gzip'd before being base64'd.
The UserData you would want to provide is:
#cloud-config
disable_root: 1
ssh_pwauth: 0
https://www.linode.com/stackscripts/view/392559
I also have a Linode UserData Terraform example project which demonstrates this (see init.tpl).
Update: see below. It seems this needs more userdata or a secondary account configured.
@kmansoft doesn't really work when you're dealing with a lot of servers - I'd rather not have a root password at all, as I'd never use LISH, instead I'd tear down the server and redeploy it using Puppet… if it's down it's probably my code that's caused it and I can revert that.
@Marques That's what I'm after, cheers. I was on that road myself but not quite there yet… doing it with Puppet could have worked but I was still worried about someone getting in between it booting and me running the Puppet modules…
I do wonder why Linode insists on doing this the 'old' way so we need workarounds here.
It looks like my Cloud-Config suggestion doesn't work entirely. You may need to experiment with other Cloud-Config options to get this behavior.
For example, to deploy this with the Linode CLI (pip install linode-cli):
# leading space keeps this out of your bash history, depending on your bashrc/profile
LINODE_USERNAME=marques
ROOT_PASS=$(openssl rand -base64 48)
linode-cli linodes create \
--authorized_users $LINODE_USERNAME \
--root_pass=$ROOT_PASS \
--stackscript_id 392559 \
--stackscript_data '{"userdata":"I2Nsb3VkLWNvbmZpZwpkaXNhYmxlX3Jvb3Q6IDEKc3NoX3B3YXV0aDogMAo="}'
The userdata parameter here was created by running base64 on the userdata above.
Once the machine is up, you can ssh in using linode-cli ssh (this feature is not merged in yet, but super useful):
linode-cli ssh root@linode13635732
PasswordAuthentication is not enabled over SSH:
root@li496-148:~# grep -e PasswordAuthentication /etc/ssh/sshd_config | grep -v '#'
PasswordAuthentication no
But grep '^root:\$' /etc/shadow 1>/dev/null && echo root has a password
(the $ must be escaped so grep treats it as the start of the hash field rather than an end-of-line anchor) shows that the root password was not deleted.
I think cloud-config saved me from locking myself out. It appears to have detected that there were no other user accounts with SSH authentication. But, I may be reading too much into this log message.
$ tail -n 3 /var/log/cloud-init-output.log
Cloud-init v. 0.7.6 running 'modules:final' at Wed, 17 Apr 2019 17:10:11 +0000. Up 48.71 seconds.
ci-info: no authorized ssh keys fingerprints found for user debian.
Cloud-init v. 0.7.6 finished at Wed, 17 Apr 2019 17:10:11 +0000. Datasource DataSourceNoCloudNet [seed=/var/lib/cloud/seed/nocloud-net][dsmode=net]. Up 48.85 seconds
I found this URL useful for providing Cloud-Init examples:
https://github.com/number5/cloud-init/blob/master/doc/examples/cloud-config.txt
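A small audit helper for the two checks discussed above (an added example, not code from this thread, the StackScript, or Linode). sshd honours the first non-comment PasswordAuthentication directive it finds, so a grep that merely filters out comment lines can show a later, overridden value; and a shadow check should distinguish a locked, a deleted, and a still-set root password. The function names and the sample config/shadow files are constructed for the demo.

```shell
#!/bin/sh
# Audit helpers (added example, not from the thread). They read plain files,
# so they can be pointed at copies of /etc/ssh/sshd_config and /etc/shadow.

# Print the effective PasswordAuthentication value from an sshd_config.
# sshd honours the FIRST non-comment occurrence of a keyword, matched
# case-insensitively; if the keyword is absent the built-in default is "yes".
# Directives inside a "Match" block are conditional and are skipped here.
sshd_password_auth() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blanks
        tolower($1) == "match" { in_match = 1; next }   # start of Match block
        in_match { next }
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Classify the root password field of a shadow file:
#   locked  - starts with "!" or "*" (passwd -l / usermod -L)
#   empty   - no hash at all (what "passwd -d root" leaves behind)
#   set     - a hash is present, so a password login is still possible
#   missing - no root entry at all
root_password_state() {
    awk -F: '
        $1 == "root" {
            found = 1
            if ($2 == "") print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else print "set"
            exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Constructed sample files: a config that the thread's grep would misread
# (it prints both directives) and a shadow entry with a fake hash.
demo() {
    cfg=$(mktemp) && shadow=$(mktemp)
    printf '%s\n' '# PasswordAuthentication no' 'PasswordAuthentication yes' \
        'Match User backup' '    PasswordAuthentication no' > "$cfg"
    printf '%s\n' 'root:$6$saltsalt$FAKEHASHFORDEMO:18000:0:99999:7:::' > "$shadow"
    echo "sshd PasswordAuthentication: $(sshd_password_auth "$cfg")"   # yes
    echo "root password state: $(root_password_state "$shadow")"      # set
    rm -f "$cfg" "$shadow"
}

demo
```

The parser does not follow Include directives; on a live host, sshd -T prints the effective configuration exactly as sshd computes it, Include files and all.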
Hi,
cloud-init is now officially supported by some Linode images in specific regions. You can simply disable the password in the cloud-init config file.
https://www.linode.com/docs/guides/configure-and-secure-servers-with-cloud-init/#harden-ssh