Bummer! This is just a preview. You need to be signed in with a Pro account to view the entire video.

Preview

Start a free Basic trial
to watch this video

Sign up for Treehouse

Preventing Password and Root Logins

2:52 with Jay McGavren

There are two more steps we should take to secure our server. First, since we want all our users to use SSH keys, we should prevent *any* user from logging in using a password. Second, it's still possible for someone to log in as the `root` account (which has full control of the system) if they can guess the password, so it's best to disable logging in as `root` completely.

  • On the server: sudo nano /etc/ssh/sshd_config and modify or add the following settings:
    • PermitRootLogin: no
    • PasswordAuthentication: no
  • sudo service ssh restart
  • 0:00

    There's two more issues we need to address before we're done.

  • 0:03

    The first is that even though we've set up an ssh key for

  • 0:06

    our deployment user a password can still be used to log into that account.

  • 0:11

    The second is that people can still log in as the system administrative account

  • 0:15

    also known as root.

  • 0:16

    We're going to fix both those issues to make our system a little more secure.

  • 0:20

    Now that we have sudo access set up for

  • 0:22

    our deployed count,we can just use that instead of our developer account.

  • 0:26

    So we're going to use sudo to run the nano command.

  • 0:32

    And we're going to use that to edit the file in the etc directory,

  • 0:37

    ssh sub directory and the file is named sshd_config.

  • 0:45

    Okay so that'll bring the file up in our editor, and the setting we're looking for

  • 0:50

    here is the PermitRootLogin setting.

  • 0:53

    Right here, it's set to prohibit-password so

  • 0:55

    that you can't log in as root using a password.

  • 0:58

    It might be set to yes on your system which would allow root to login

  • 1:01

    using a password which is even worse.

  • 1:03

    But we actually want to change this setting whatever it's currently set to

  • 1:07

    to no.

  • 1:08

    So that you can't log in as root on the system at all.

  • 1:12

    Then below that line.

  • 1:13

    We're going to add a new line with a new setting.

  • 1:16

    It's called PasswordAuthentication, With a capital P and a capital A.

  • 1:26

    And we're going to say no,

  • 1:27

    PasswordAuthentication is not allowed on this system.

  • 1:31

    This will make it so

  • 1:32

    that only users with SSH keys are allowed to log in at the system.

  • 1:37

    So let's hit Ctrl + O to write the file out.

  • 1:40

    Hit Enter and accept the default and press Ctrl + X to exit.

  • 1:46

    Then we need to restart the SSH service to ensure that our changes get picked up.

  • 1:49

    So we're going to run sudo service ssh restart.

  • 1:57

    Now let's exit out of the server.

  • 2:01

    And let's check that our changes worked.

  • 2:02

    First, we're going to try logging in using our developer account.

  • 2:05

    So ssh jay@hostcom.

  • 2:13

    And you'll notice that it didn't even ask me for a password,

  • 2:16

    it just checks whether I had a public key associated with my account.

  • 2:19

    And since I didn't, it simply denied me.

  • 2:22

    Now let's try logging back in and start deploy user which does have a private key.

  • 2:26

    So ssh deploy@hostcom.

  • 2:31

    And you'll notice we get in immediately.

  • 2:34

    So we've set it up, so that the root account is disabled.

  • 2:37

    We've also ensured that only uses that have ssh keys setup can access the system.

  • 2:42

    So now you have a separate deployment account with full control over your server

  • 2:46

    ready for use whenever you need to deploy your app.

  • 2:49

    You've taken an important step in keeping your app secure.

You need to sign up for Treehouse in order to download course files.

Sign up