
Sysadmin SoYouStart server lost SSH access ?

Discussion in 'System Administration' started by Colin, Apr 26, 2017.

  1. Colin

    Colin Premium Member

    I've not tested this. I'm making a guess.

    I built a SoYou server using an ssh key on the install. Thus no root password was issued and, crucially, nor did I remember to set one and make a note of it. My fault.

    All was fine... on a routine update, I lost ssh access. This was Monday. The server is a backup node so actually, I just rebuilt it. While figuring out the how something else I wondered on how it happened, I think I sussed it.

    The centmin sshd_config template seems to have authorized_keys specified. The new build on soyou (cent7) creates an authorized_keys2 file. QED on the restart of sshd, the authorized_keys2 isn't going to be checked. I don't tend to change my ports, instead I add CSF to block everything except via ssh bastions/jumps, hence I didn't change the sshd config initially.

    It might be something else, I'm making 2+1 equal 4 here. I didn't have the root pw so the box was as good as dead. I didn't have the time to ask soyou to reset the root, if it's something they can even do.

    Feel free to delete if the above is just a distraction/non issue.
     
  2. eva2000

    eva2000 Administrator Staff Member

    SoYou ? = SoYouStart ?

    hmm authorized_keys2
    Code (Text):
    ls -lah /root/.ssh/
    total 8.0K
    drwx------.  2 root root 4.0K Apr  4 07:26 .
    dr-xr-x---. 12 root root 4.0K Apr 26 04:01 ..
    -rw-r--r--.  1 root root    0 Apr  4 07:26 authorized_keys2
    


    interesting need to look into this

    edit: hmm https://serverfault.com/questions/1...-between-authorized-keys-and-authorized-keys2

    you should put them in authorized_keys regardless of what CentOS 7 creates out of the box: HowTos/Network/SecuringSSH - CentOS Wiki

    From /etc/ssh/sshd_config
    Code (Text):
    grep _keys /etc/ssh/sshd_config
    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    AuthorizedKeysFile      .ssh/authorized_keys
     
    Last edited: Apr 27, 2017
  3. Colin

    Agree with the conclusion and thinking more it feels likely this was the cause.

    The dog ate my homework sir, no I was being lazy :D Ironically if I'd gone for a non-ssh key setup, the issued password, I'd have gotten it right with the ssh-copy-id dance.

    I didn't think to actually check to see if it was authorized_keys or keys2 when I built the server the first time around. Login, send the installer on its way while I brew a coffee.

    A bit like when I started using rails, I began to forget how to do complex sql... so some aspects of admin are blurring behind menu numbers. :D All for the greater good of course :)
     
  4. eva2000

    normally ssh-copy-id would have populated the public key in the right authorized_keys file :)
     
  5. Colin

    Totally agree. SoYouStart might not be unique, but for all the others I've used, they all put the key in the authorized_keys file.

    Anyway, this might be a thing then. Certainly baked into my mind to double check now.
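
A pre-restart check for the mismatch discussed in this thread, added here as an example (it is not from the posters or from Centmin Mod): it reads the `AuthorizedKeysFile` setting from an sshd_config and confirms that at least one file sshd will consult actually holds a key. The function names, the fixture and the sample key are constructed for illustration, and `Match` blocks are ignored.

```shell
#!/bin/sh
# Added example: will the key still be read after sshd restarts?

# Print the key-file patterns from the global section of an sshd_config.
# Simplification: stops at the first Match block; on a live host
# `sshd -T` reports the authoritative value.
keys_patterns() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "authorizedkeysfile" {
             for (i = 2; i <= NF; i++) print $i
             found = 1; exit
         }
         END { if (!found) print ".ssh/authorized_keys\n.ssh/authorized_keys2" }' "$1"
}

# Count key lines (non-blank, non-comment) in a file; prints 0 if unreadable.
count_keys() {
    if [ -r "$1" ]; then grep -cEv '^[[:space:]]*(#|$)' "$1" || true; else echo 0; fi
}

# check_lockout <sshd_config> <user> <home>: returns 1 when none of the
# files sshd will read holds a key for that user.
check_lockout() {
    cfg=$1; user=$2; home=$3; total=0
    for pat in $(keys_patterns "$cfg"); do
        f=$(printf '%s' "$pat" | sed -e "s|%h|$home|g" -e "s|%u|$user|g")
        case $f in /*) ;; *) f="$home/$f" ;; esac   # relative paths are under the home dir
        n=$(count_keys "$f")
        echo "sshd reads: $f ($n key(s))"
        total=$((total + n))
    done
    [ "$total" -gt 0 ] && return 0
    echo "LOCKOUT RISK: no key for $user in any file sshd reads"
    for alt in authorized_keys authorized_keys2; do
        n=$(count_keys "$home/.ssh/$alt")
        if [ "$n" -gt 0 ]; then echo "  $n key(s) unread in $home/.ssh/$alt"; fi
    done
    return 1
}

# Constructed fixture: template-style config plus a key only in authorized_keys2.
make_fixture() {
    mkdir -p "$1/root/.ssh"
    echo 'AuthorizedKeysFile      .ssh/authorized_keys' > "$1/sshd_config"
    echo 'ssh-ed25519 AAAAC3-constructed-sample colin@laptop' > "$1/root/.ssh/authorized_keys2"
}

tmp=$(mktemp -d); make_fixture "$tmp"
check_lockout "$tmp/sshd_config" root "$tmp/root" || echo "fix before restarting sshd"
rm -rf "$tmp"
```

On a real server, point `check_lockout` at the config that is about to be installed and at the account's real home directory, and keep the existing SSH session open until a second login succeeds.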