Sysadmin protect root user over ssh

nice link

ssh keys are nice but there are times you still need a password i.e. if you use a VPS and get locked out and need to use the web host provider's ipmi or out of band consoles with providers like digitalocean, ramnode, vultr

for most folks 6 things are enough

1. long and strong root user passwords i.e. use Strong Password Generator
2. change sshd port from default 22 via centmin.sh menu option 16 which prompts for default port number first = 22 then your desired new sshd port number - this menu option auto reconfigures CSF Firewall's port whitelisting for sshd too
3. if you web host provider's client/server admin login area has 2 step authentication enable and use it
4. any web host provider email address you use to reset passwords needs to also have strong email login password and 2 step authentication enabled
5. never use unprotected wifi - whether it be public or private (at home) wifi - use a VPN
6. never send server login or sensitive info over unencrypted emails.. use sendinc.com to send private encrypted emails for server logins

 

Before you look into ssh key only (+disable password authentication), make sure your web host is setup with features that allow you to regain access to your server if you ever loose your ssh key's private key and that you know how to use those features to regain access.

If you don't know how to use those features, setup a test instance/VPS with that web host and test it out. If you're with web host with hourly billed VPSes like Linode, DigitalOcean, and Vultr then it is relatively cheap to test out for a few hours on a test VPS. I wrote an article at https://blog.centminmod.com/2020/11...er-being-locked-out-by-iptables-csf-firewall/

Here's a example text you can use to ask your web host to be sure

There's numerous how to use ssh key login guides online, but not many go beyond that to explain what to do if you loose your ssh private key and are unable to use password logins. And that can come down to your web host and what measures they have in place i.e. out of band console access etc and recovery ISO/cds available.

And some relevant guides with different web hosts about setting up SSH key authentication and also about recovery as well general need to know info.

DigitalOcean

Has out of band console access

• How To Use SSH Keys with DigitalOcean Droplets | DigitalOcean
• How To Recover from File System Corruption Using Fsck and a Recovery ISO | DigitalOcean. Just the part about using Console but not the Fsck and file system recovery steps Don't need to do that just to get ssh access when you loose normal ssh access to your server i.e. loose ssh private key for ssh public key authentication.

Linode

Has out of band console access called Lish

• Use Public Key Authentication with SSH
• Using the Linode Shell (Lish)

Vultr

Has out of band console access

• How Do I Generate SSH Keys? - Vultr.com
• Access Single User Mode (Reset Root Password) - Vultr.com
• Using Finnix Rescue CD to Rescue, Repair, or Backup Your Linux System - Vultr.com

OVH

• Installation of OVH SSH key — OVH Documentation 0.0.1 documentation
• SSH key for Public Cloud — OVH Documentation 0.0.1 documentation
• Creating SSH keys- OVH
• Replacing your lost SSH key pair - OVH
• Become root and select a password - OVH

RamNode

• How do I add an SSH key to my VPS? - Knowledgebase - RamNode

Others

• Finnix Recovery CD - Mammoth Cloud

 

Safer to use sendinc as it ensures both ends (sender & receiver) are secure as you may send via Gmail/HTTPS but the receiver end Email client might not be as secure. Compromised Gmail account would also make it's stored email text insecure/readable.