Need help to secure my ssh

Really? - I thought it had none, so one cannot log in to it? - One never stops learning.

Especially if it had none, everyone could authenticate as root.
You need to lock the password of the root account.

man passwd:

-l, --lock
           Lock the password of the named account. This option disables a password by changing it to a
           value which matches no possible encrypted value (it adds a '!' at the beginning of the
           password).
           Users with a locked password are not allowed to change their password.

Linux belongs to the family of Unix-like OSes.
Tell me, what happens if you use su on its own in the shell?
It switches user to root if no other is specified and executes its login shell.

In other words "it substitutes the current user" or "it sets a new user".
This "discussion" is pointless and over now.

I now did some more reading. Actually it doesn't create a password but locks the password: It puts an exclamation mark into the shadow file. Since the exclamation mark is followed by the hash of the password before it was locked and there is no character behind the exclamation mark in this case, the password is empty. Due to the lock you are unable to use the login command to log into the account. I read on another forum that there was a password set by default, but that seems to be a misconception.

It is locked by default.

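The shadow-file states discussed in the posts above (empty field, `!` lock with or without a hash behind it), as an added example that is not part of the original thread. The function names and sample entries are constructed, and the check assumes modern `$`-prefixed hash formats.

```shell
#!/bin/sh
# Added example: classify the password field (2nd field) of /etc/shadow lines.
# Function names and the sample entries below are constructed for illustration.
# Assumes hashes use the modern "$id$salt$hash" format (they start with '$').

shadow_state() {   # $1 = one shadow line; prints the state of its password field
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')     echo "EMPTY" ;;             # no password needed to authenticate
        '!$'*)  echo "LOCKED_HASH_KEPT" ;;  # passwd -l put '!' in front of a hash
        '!'*)   echo "LOCKED_NO_HASH" ;;    # locked, nothing usable behind the '!'
        '*')    echo "NO_VALID_HASH" ;;     # matches no password (system accounts)
        *)      echo "PASSWORD_SET" ;;
    esac
}

audit_shadow() {   # reads shadow lines on stdin, prints "user state" per line
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "${line%%:*}" "$(shadow_state "$line")"
    done
}

# Constructed sample; on a real system: sudo cat /etc/shadow | audit_shadow
audit_shadow <<'EOF'
root:!:19000:0:99999:7:::
brandon:$6$constructedsalt$constructedhash:19000:0:99999:7:::
olduser:!$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
```

Any account reported as `EMPTY` is the case to fix first, since it authenticates without a password.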

(All of this is after I configured the root account and logged in as root.)
I don't see any users other than root in the visudo file,

but when I run "deluser brandon sudo & adduser brandon sudo", this spits out information that I was added to or removed from the sudoers.

Also, after "deluser brandon sudo", when I cat "/etc/group", brandon is still labeled an admin under group 4 but not labeled a sudoer under group 27. Is this a problem?


visudo is a program to edit the file /etc/sudoers.

That's normal.

The user can remain in group adm but has to be removed from admin.
adm - can view log files
admin - has root privileges

http://ubuntuforums.org/showthread.php?t=1318346


OK, so it's good then, because I'm listed next to "adm:x:4:syslog , brandon".
There is no "admin" group.

It seems this group is not used by default but can be created according to: https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1604-lts-server-part-1-basics

So basically, you should be fine.

new problem guys =) =| =\ =/ =(

So yesterday I had just about everything done, i.e. I had root set up, my standard user had to su into root to do anything privileged, I set up private key to public key SSH and it was working. Then I disabled password login to SSH so I could only log in via the priv/pub key. I was going to set up f2b today, but when I logged in today it prompted me for my password again, which I thought was strange (note: yes, I restarted the SSH server; the setup was working yesterday). Then all I got was "Access-Your-Private-Data.desktop README.txt" in my home/brandon dir, so I opened the README and it states:
"THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA.
From the graphical desktop, click on:
"Access Your Private Data"
or
From the command line, run:
ecryptfs-mount-private"

So I did the whole ecryptfs-mount-private and it asks for a passphrase.

However, it will not accept my user's login, root login, the SSH passphrase, or the SSH key itself as a login. How do I fix this? Can I fix this? What happened?

Side note: the only thing I can think of to make this happen was when I ran "chmod 700 .ssh" on my .ssh folder before I powered off the server, but even that was before I restarted the SSH server; however, I had not restarted the server itself after that until I ran into this problem.

Were you prompted for your server user password or the SSH key password when trying to connect?
You can use ssh -i <path to identity file> or add -vvv to see the real errors; maybe pastebin them here.

When logging on via SSH I was prompted for my user password.

Did you set up a passphrase for your SSH key?
Did you tell ssh to use your key (identity) file?

@edit:

Which user executed that command, or was it root?

Sounds like it's asking for the encryption passphrase. Did you encrypt your home directory?

So I set up a passphrase on my SSH key in PuTTY but never in Linux.

Yes, I had the key working yesterday,

and I ran the command under my user name (the only user on the system), not root.

That's what all the Ubuntu forums say, but here's the thing: I think I did encrypt my home during the install, but I was never given a key during the install (I would have written it down). I followed one of the guides to set a key this morning and I set one, but it did not help.

I'm not sure but you may have to log in to the machine first before you can ssh in.

I tried that a few hours ago, nothing. I even restarted SSH via the physical machine as well.

I'm contemplating reinstalling Ubuntu. I only have 2 days' worth of work in this OS; I could be back to where I was last night in an hour or 2 (I'll try to see if I can fix the issue for the next 24 hours before I do that though).

OK, so you enabled the encryption of your /home/yourusername directory when you installed Ubuntu; it uses luks to do that.

When you log in on the physical machine, your user's password is used to unlock the encrypted /home/yourusername filesystem and mount it automatically so you can access your data.
But when you just start the machine (restart etc.) it is not yet mounted;

BUT now comes the problem: your public key to log in with SSH is in your /home/yourusername/.ssh/authorized_keys file, which can NOT be accessed as it's still encrypted and NOT mounted.

To ssh into a system with home directory encryption you must move the configuration and keys for SSH into a folder that is readily available even with the home directory encrypted, locked, and not mounted.

But after you move the authorized_keys file out of /home/yourusername/ to e.g. /usr/ssh, giving it read access only for your user, you will still have to manually mount your encrypted home folder every time you SSH into the machine after it has restarted.


Home folder encryption like that, as well as even full disk encryption, is so far only usable if you have physical or at least IPMI access to the system.

P.s. as I do not get IPMI access to my dedicated root server, I can not implement full disk encryption =(
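A check for the situation described in the post above, as an added example that is not part of the original thread: it resolves sshd's `AuthorizedKeysFile` setting for a user and reports whether each key file sits inside the home directory, where it is unreadable until the encrypted home is mounted. The function name, the sample configs and the `/usr/ssh/%u/authorized_keys` layout are constructed; only the `%h` and `%u` tokens are expanded and `Match` blocks are ignored.

```shell
#!/bin/sh
# Added example: does sshd look for this user's keys inside the home directory?
# resolve_keyfiles is a hypothetical helper; sample configs are constructed.

resolve_keyfiles() {   # $1 = sshd_config path, $2 = user, $3 = home directory
    # The first AuthorizedKeysFile line wins; fall back to sshd's default.
    paths=$(awk 'tolower($1)=="authorizedkeysfile" {$1=""; print; exit}' "$1")
    [ -n "$paths" ] || paths=".ssh/authorized_keys .ssh/authorized_keys2"
    for p in $paths; do
        # Expand the %h (home) and %u (user) tokens.
        p=$(printf '%s' "$p" | sed -e "s|%h|$3|g" -e "s|%u|$2|g")
        # Paths that are not absolute are taken relative to the home directory.
        case "$p" in /*) ;; *) p="$3/$p" ;; esac
        case "$p" in
            "$3"/*) echo "INSIDE_HOME $p" ;;   # unreadable while home is locked
            *)      echo "OUTSIDE_HOME $p" ;;  # readable before home is mounted
        esac
    done
}

# Constructed configs: the stock commented-out default, and a relocated key file.
demo=$(mktemp -d)
cat > "$demo/default.conf" <<'EOF'
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
EOF
cat > "$demo/moved.conf" <<'EOF'
AuthorizedKeysFile /usr/ssh/%u/authorized_keys
EOF
resolve_keyfiles "$demo/default.conf" brandon /home/brandon
resolve_keyfiles "$demo/moved.conf" brandon /home/brandon
rm -rf "$demo"
```

On a server, point it at `/etc/ssh/sshd_config`; any `INSIDE_HOME` result means key login can only succeed once the home directory has been mounted.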

But even if I log on to the physical machine, my home folder is still not mounted.