Security Sysadmin Google Authenticator

seriously test unknown stuff on test vps servers first

If you can't access SSH, you need to hope your web host has out of band console/kvm access. Otherwise, you won't be able to SSH in anymore. Copy and paste below for lost SSH key access is basically the same for some web host providers which have out of band console access detailed below:

Before you look into ssh key only (+disable password authentication), make sure your web host is setup with features that allow you to regain access to your server if you ever loose your ssh key's private key and that you know how to use those features to regain access.

If you don't know how to use those features, setup a test instance/VPS with that web host and test it out. If you're with web host with hourly billed VPSes like Linode, DigitalOcean, and Vultr then it is relatively cheap to test out for a few hours on a test VPS.

Here's a example text you can use to ask your web host to be sure

There's numerous how to use ssh key login guides online, but not many go beyond that to explain what to do if you loose your ssh private key and are unable to use password logins. And that can come down to your web host and what measures they have in place i.e. out of band console access etc and recovery ISO/cds available.

And some relevant guides with different web hosts about setting up SSH key authentication and also about recovery as well general need to know info.

DigitalOcean

Has out of band console access

• How To Use SSH Keys with DigitalOcean Droplets | DigitalOcean
• How To Recover from File System Corruption Using Fsck and a Recovery ISO | DigitalOcean. Just the part about using Console but not the Fsck and file system recovery steps Don't need to do that just to get ssh access when you loose normal ssh access to your server i.e. loose ssh private key for ssh public key authentication.

Linode

Has out of band console access called Lish

• Use Public Key Authentication with SSH
• Using the Linode Shell (Lish)

Vultr

Has out of band console access

• How Do I Generate SSH Keys? - Vultr.com
• Access Single User Mode (Reset Root Password) - Vultr.com
• Using Finnix Rescue CD to Rescue, Repair, or Backup Your Linux System - Vultr.com

OVH

• Installation of OVH SSH key — OVH Documentation 0.0.1 documentation
• SSH key for Public Cloud — OVH Documentation 0.0.1 documentation
• Creating SSH keys- OVH
• Replacing your lost SSH key pair - OVH
• Become root and select a password - OVH

RamNode

• How do I add an SSH key to my VPS? - Knowledgebase - RamNode

Others

• Finnix Recovery CD - Mammoth Cloud

 

problem is not all servers/vps have out of band console/vnc/kvm console access so if their TFA setups don't work for whatever reason, they won't be able to gain access. For example, if server time/clock is out of whack, 2FA/TFA will not work. Security is nice but sometimes you need to weigh up which is worse - compromised access to server versus total loss of access to server

 

Centmin Mod isn't fully supported for regular sudo users it expects full root user for centmin.sh menu etc. So things could break with normal sudo users you created in 123.08stable. In 123.09beta01 there is post install sudo user support somewhat experimental but not for initial installs.

Centmin Mod 123.09beta01 and higher have a tools/addsudousers.sh script created to properly setup sudo users for elevation to root user. You can add a new sudo user i.e. george via below commands

Code (Text):

cd /usr/local/src/centminmod/tools
./addsudousers.sh george

But again it's still experimental as Centmin Mod expects full root user

if you don't use addsudousers.sh to create your sudo users, then centmin menu and some path/programs and command shortcuts/aliases will break as Centmin Mod installs some software where regular sudo created users don't have permissions to look for them unlike if you create them via addsudousers.sh