Linux – Using ssh key pair authentication and disabling ssh password authentication – what happens if private key lost

linuxsshssh-keysUbuntu

I'm configuring my first server on Linode and going through their set up tutorials.

In their Securing Your Server tutorial, it recommends using ssh key pair authentication and disabling password authentication.

My question is if I disable password authentication – what if I lose my private key? How will I ever be able to log back into my server again?

Best Answer

My question is if I disable password authentication - what if I lose my private key? How will I ever be able to log back into my server again?

That's why you should always have some form of Out-of-Band management for your server. For a physical server, that would be something like Dell's DRAC card or HP's iLO card. For your Linode, that's what LISH is for. Using these OOB solutions, you can sign into the actual console of your server using your username and password. These also come in handy when networking breaks on your server and you're not able to access it.

But honestly, just don't lose your key. Protect it with a passphrase and back it up somewhere safe. Heck, print it out and stash it in your safe. They're relatively small files, and there's no excuse for not taking good care of it.

Update: Regarding LISH security: use different credentials/keys for LISH. That's all there is to it - credentials which, if compromised, would not grant access to your server.

In regards to someone finding out that Linode is your provider, well that information is available to anyone, and is just a simple whois command away.

Related Solutions

Ssh – How to add private key to SSH

So, when connecting to host remotehost, you want to use the key contained in upperstorey?

You need to tell ssh to use it explicitly. The easiest way of doing so is adding the following block to your ~/.ssh/config:

Host remotehost
    IdentityFile ~/.ssh/upperstorey

This tells ssh to use that key when connecting to that host. Add any aliases to the Host line (i.e. remotehost, remotehost.remotedomain.com, etc)

Ssh – Configure Ubuntu to allow ssh login via pulic/private key and sudo without password

You're really talking about two different things. Configuring SSH to do key based authentication only is part of the sshd config, and sudo (passwordless or no) is handled by pam. What you should really be doing is this:

Configure SSHD to Only Allow SSH Key Authentication

Edit your /etc/ssh/sshd_config to modify and/or add as necessary the following

PubkeyAuthentication yes
PasswordAuthentication no

Then restart the sshd service.

Configuring sudo

You'll want to pick your sudo group and modify the sudoers file, using the visudo command and add something like this.

%wheel   ALL=(ALL)       ALL

That will allow everyone in the wheel group to execute any command as any user. Note that they will need to enter a password to do this. By default most distributions have them enter their own password, but sometimes sudo is configured to have them enter the target password.

Alternatively, you can configure sudo to not ask for a password at all. I don't recommend this except in the case of automated actions carried out by service accounts. In that situation you can specify only the service account can execute only a specific command. However, you're more than capable of removing the sudo password requirement by changing the above line to something like:

%wheel  ALL=(ALL)  NOPASSWD: ALL