(almost) complete guide to configure (ovh) debian/ubuntu (vps) server to conect with private key and disable root ssh access

this article assumes ideal situation and predicts no problems. i also assume that you know what it is all about, but if not – don’t try it. for troubleshooting use your google-fu (in most cases „man ssh” is good startpoint)

step-by-step todo:

  • add new remote user
  • configure user
  • generate certificate
  • install certificate
  • remove ability to remote ssh root login 

adding new server user with sudo perms:

1. login as root

~ $ ssh root@server.ovh

2. be sure that sudo is installed

root ~ # apt-get update && apt-get install sudo

3. add new shell user with adduser – do not foregot about STRONG password

root ~ # adduser USERNAME
root ~ # adduser USERNAME
Adding user `USERNAME' ...
Adding new group `USERNAME' (1000) ...
Adding new user `USERNAME' (1000) with group `USERNAME' ...
Creating home directory `/home/USERNAME' ...
Copying files from `/etcgenerate key for our user/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for USERNAME
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y

4. add user to sudoers by usermod command

root ~ # usermod -aG sudo USERNAME

5. test it

root ~ # su - USERNAME
USERNAME@vps:~$ sudo whoami
[sudo] password for USERNAME:
USERNAME@vps:~$ exit

at this point we got new shell user with sudo access, now we should enable login via ssh and block root ssh login
by default ssh service disallow plain password login, so

ssh USERNAME@servar.ovh

will asks for password, but will deny access for user.

7. we have two posibilities: enable plain password autorisation and generate key for our user. i will discribe both 🙂

7a. enable plain password autorization

all we have to do is to edit as root /etc/ssh/sshd_config

root ~ # nano /etc/ssh/sshd_config

find, uncoment and set to yes (or just add it) „PasswordAuthentication”

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes

save file and restart ssh

root ~ # service ssh restart && exit

at this point you should be able to connect to your server by ssh, let’s try it out

ssh USERNAME@server.ovh
USERNAME@server.ovh's password:
/some server info here/
USERNAME@server.ovh ~$

try if sudo works

USERNAME@server.ovh ~$ sudo -i
[sudo] password for USERNAME:
root ~ #

great we are done here

7b. generate key for our user

at this moment we are working on client’s side on our account (one we will use for ssh login in future)

i. create ~/.ssh folder with propper rights (700)

USERNAME@localhost ~$ mkdir ~/.ssh
USERNAME@localhost ~$ chmod 700 ~/.ssh

ii. generate rsa keys. remember few rules : if someone will stole your cert he will be able to autorise himself as you, so if that happend you have to chane keys EVERYWERE. to „buy some time” it’s wise to add passphrase and choose strong one. if cert will be stolen unautorised person will have to crack this password before. it’s also worth of mention that by default key is 2048 bit, but you can increase this to 4096 bits with -b flag.

USERNAME@localhost ~$ ssh-keygen -t rsa -b 4096

or just

USERNAME@localhost ~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/USERNAME/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/USERNAME/.ssh/id_rsa.
Your public key has been saved in /home/USERNAME/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:R2d2//zDuPypxDudSF1rPIsiaInd/qpa1aQbJSQB3k USERNAME@localhost
The key's randomart image is:
+----------[RSA 2048]-----------+
|             .  .              |
|             |\_|\             |
|             | a_a\            |
|             | | "]            |
|         ____| '-\___          |
|        /.----.___.-'\         |
|       //        _    \        |
|      //   .-. (~v~) /|        |
|     |'|  /\:  .--  / \        |
|    // |-/  \_/____/\/~|       |
|   |/  \ |  []_|_|_] \ |       |
|   | \  | \ |___   _\ ]_}      |
|   | |  '-' /   '.'  |         |
|   | |     /    /|:  |         |
|   | |     |   / |:  /\        |
|   | |     /  /  |  /  \       |
|   | |    |  /  /  |    \      |
|   \ |    |/\/  |/|/\    \     |
|    \|\ |\|  |  | / /\/\__\    |
|     \ \| | /   | |__          |
|          / |   |____)         |
|          |_/                  |

congrats, you have your own cert, now it’s time to transfer it to the host. (batman is extremely rare phenomenon)

iii. basicly all you have to do is to add your public key into ~/.ssh/authorized_keys file. we will do that using ssh-copy-id command from client machine

USERNAME@localhost ~$ ssh-copy-id USERNAME@server.ovh
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@server.ovh's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'USERNAME@server.ovh'"
and check to make sure that only the key(s) you wanted were added.

we are done here, but …

if server’s ssh works on nos standard port (22) ssh-copy-id will fail, so there is alternative method.

first of all you have to copy public cert to server’s machine

scp /home/USERNAME/.ssh/id_rsa.pub USERNAME@server.ovh:/home/USERNAME/
USERNAME@server.ovh's password:
id_rsa.pub 100% 405 0.4KB/s 00:00

now login to server

ssh USERNAME@server.ovh

(backup your current authorized_hosts) and put key at the end of the file

cd ~
cp .ssh/authorized_keys authorized_keys_Backup
cat id_rsa.pub >> .ssh/authorized_keys

and that’s it.

disable root ssh access:

1. login to the server (as your user)

ssh USERNAME@server.ovh

2. edit (as root) /etc/ssh/sshd_config

USERNAME@server.ovh ~$ sudo nano /etc/ssh/sshd_config

3. find and set to no (or put the lines into file)

# Authentication:
PermitRootLogin no
DenyUsers root

3a. you can create blacklist to deny access for any other user typing it’s name on the DenyUsers list like

DenyUsers root joker bane face2 poisonivy

3b. additional option is to create whitelist for allowed users

AllowUsers USERNAME wanebruce pennyalf gcpd_jim barbarag kanekate caincassandra

4. save file and restart ssh

sudo service ssh restart

from this moment you can’t login with root user and you can login with USERNAME (using keys/password) and sudo anything 🙂