Preventing Password and Root Logins (2:52) with Jay McGavren
There are two more steps we should take to secure our server. First, since we want all our users to use SSH keys, we should prevent *any* user from logging in using a password. Second, it's still possible for someone to log in as the `root` account (which has full control of the system) if they can guess the password, so it's best to disable logging in as `root` completely.
- On the server, open the SSH daemon configuration in an editor:
  `sudo nano /etc/ssh/sshd_config`
  and modify or add the following settings:
  `PermitRootLogin no`
  `PasswordAuthentication no`
- Then restart the SSH service so the changes are picked up:
  `sudo service ssh restart`
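As an added example (not part of the Treehouse course), a POSIX shell script that applies the two settings above to an `sshd_config` file idempotently and verifies the result. The sample config fragment and the `demo` function are constructed for this example; note that sshd uses the *first* value it reads for a directive, so an existing line is replaced in place rather than a new one appended after it.

```shell
#!/bin/sh
# Set KEY to VALUE in an sshd_config FILE. Replaces any existing line for KEY
# (including a commented-out one such as "#PermitRootLogin prohibit-password"),
# otherwise appends "KEY VALUE". Replacing in place matters because sshd uses
# the first value it reads for a directive; an appended duplicate is ignored.
set_sshd_directive() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[#[:space:]]*${key}([[:space:]]|$)" "$file"; then
        # sed -i differs between GNU and BSD, so write to a temp file instead.
        sed -E "s/^[#[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Returns 0 when the first uncommented occurrence of KEY in FILE has VALUE
# (the same "first match wins" rule sshd applies; keys are case-insensitive).
# On a live server, `sudo sshd -T | grep -i KEY` shows the effective value.
sshd_directive_is() {
    file=$1 key=$2 value=$3
    actual=$(awk -v k="$key" 'tolower($1)==tolower(k) && !f {v=$2; f=1} END {print v}' "$file")
    [ "$actual" = "$value" ]
}

# The two changes made in the video: no root login, no password login.
harden_sshd_config() {
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" PasswordAuthentication no
}

# For a real server: `sshd -t` refuses a broken config, so a typo cannot
# take the daemon down on restart and lock you out. Not run by demo().
validate_and_restart() {
    sudo sshd -t -f "$1" && sudo service ssh restart
}

# Demonstration on a constructed config fragment in a temp file, never on
# /etc/ssh/sshd_config. Returns 0 when both directives end up set to "no".
demo() {
    tmp=$(mktemp)
    printf '%s\n' '# constructed sample fragment' 'Port 22' \
        '#PermitRootLogin prohibit-password' 'PubkeyAuthentication yes' > "$tmp"
    harden_sshd_config "$tmp"
    if sshd_directive_is "$tmp" PermitRootLogin no &&
       sshd_directive_is "$tmp" PasswordAuthentication no; then s=0; else s=1; fi
    rm -f "$tmp"
    return $s
}
```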
0:00 There are two more issues we need to address before we're done.
0:03 The first is that even though we've set up an SSH key for our deployment user, a password can still be used to log into that account.
0:11 The second is that people can still log in as the system administrative account, also known as root.
0:16 We're going to fix both those issues to make our system a little more secure.
0:20 Now that we have sudo access set up for our deploy account, we can just use that instead of our developer account.
0:26 So we're going to use sudo to run the nano command.
0:32 And we're going to use that to edit the file in the `etc` directory, `ssh` subdirectory, and the file is named `sshd_config`.
0:45 Okay, so that'll bring the file up in our editor, and the setting we're looking for here is the PermitRootLogin setting.
0:53 Right here, it's set to prohibit-password so that you can't log in as root using a password.
0:58 It might be set to yes on your system, which would allow root to log in using a password, which is even worse.
1:03 But we actually want to change this setting, whatever it's currently set to, to no, so that you can't log in as root on the system at all.
1:12 Then below that line, we're going to add a new line with a new setting.
1:16 It's called PasswordAuthentication, with a capital P and a capital A.
1:26 And we're going to say no, PasswordAuthentication is not allowed on this system.
1:31 This will make it so that only users with SSH keys are allowed to log in to the system.
1:37 So let's hit Ctrl + O to write the file out.
1:40 Hit Enter to accept the default, and press Ctrl + X to exit.
1:46 Then we need to restart the SSH service to ensure that our changes get picked up.
1:49 So we're going to run sudo service ssh restart.
1:57 Now let's exit out of the server.
2:01 And let's check that our changes worked.
2:02 First, we're going to try logging in using our developer account.
2:05 So ssh jay@hostcom.
2:13 And you'll notice that it didn't even ask me for a password; it just checked whether I had a public key associated with my account.
2:19 And since I didn't, it simply denied me.
2:22 Now let's try logging back in as the deploy user, which does have a private key.
2:26 So ssh deploy@hostcom.
2:31 And you'll notice we get in immediately.
2:34 So we've set it up so that the root account is disabled.
2:37 We've also ensured that only users that have SSH keys set up can access the system.
2:42 So now you have a separate deployment account with full control over your server, ready for use whenever you need to deploy your app.
2:49 You've taken an important step in keeping your app secure.