How to Set Up SSH Keys on Ubuntu 22.04.
By default Ubuntu SSH root login is disabled and root password has not been set. However, many system administrators prefer to work as root to avoid having to use “sudo” for almost every command and enter passwords over and over again.
To allow root login over SSH we first need to set the root password by opening a terminal and switch to root.
$ sudo -i
Next set a new password for root (since you are logged in as root no need to add user root to the passwd command).
# passwd
Enter new password twice and confirm.
Make sure you enter a strong password and that you also store this password somewhere safe. Keepass is a great open source tool that can help you generate and store passwords.
Since we will later disable direct root access with a password, it is important to create an additional user who will still have password access to the system.
Basically it doesn’t matter what you call this user but in this case we are going to create a user “chief”. Make sure you have generated a strong password for this new user as well and saved it in a safe place for later use such as Keepass.
# useradd -m chief
The “-m” option will automatically create a home directory “/home/chief”.
To activate the user and be able to log in with it, we need to add a password.
# passwd chief
Enter new password twice and confirm.
Note that for security reasons, this user is not going to be added to the “sudo” group and therefore cannot obtain any root privileges. As such it is not possible to become root with the sudo commands “sudo -i” or “sudo su -” either. However, we can still switch to root with the command “su root” if you have at least the root password.
The original SSH configuration file includes a lot of comments and samples which are not really required and makes it hard to read.
We prefer simple and clean configuration files containing only the required settings and parameters.
You want to keep a copy of the original file in case something goes wrong or you want to check this file at a later stage.
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config_orig
Use the “grep” command to strip the original file removing all the unnecessary lines.
# grep -v -E "^#|^;" /etc/ssh/sshd_config_orig | grep . > /etc/ssh/sshd_config
Edit the SSH configuration file to allow root login.
# vi /etc/ssh/sshd_config
And make the necessary changes.
Port 222 PermitRootLogin yes PasswordAuthentication yes MaxAuthTries 3 ChallengeResponseAuthentication no UsePAM yes X11Forwarding yes PrintMotd no AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server
In our case we added “Port 222” (can be another port if required or multiple ports by adding a new line with i.e. “Port 722”), “PermitRootLogin yes” and “PasswordAuthentication yes”. We also want to limit the number of attempts to log in to 3 with the option “MaxAuthTries 3”.
Adjust your firewall to accept (and forward) traffic on port 222 (or another port you configured and your ssh server is listening on).
Finally restart SSH to activate the new settings.
# systemctl restart sshd
You should now be able to log in with both “root” and “chief” via ssh from another server on the configured port of course and with the corresponding correct password.
Logging in with “root” may be convenient, but it’s not really secure, even if you have a strong password. Moreover, strong passwords are also often difficult to remember, which largely negates the convenience.
To overcome this, we are going to disable root access with password and replace it with key-pair authentication.
On the server you want to login with, we will now first create a new key pair. As of Ubuntu 22.04, the RSA and DSA algorithms are no longer supported by default for security reasons, so therefore we will use the ED25519 public-key signature system.
# ssh-keygen -t ed25519
You are given the option to specify a location where the keys will be stored, but you can just use the default here and hence press enter. You are also given the possibility of securing the key with a password or rather a passphrase. If you are going to use the ssh connection to automate processes such as backup or network tunneling it is better not to specify a password. In other cases it is recommended, especially for opening terminals on a desktop environment where multiple users can have access.
To copy the public key to the server we want to log into, we are going to use the ssh-copy-id tool that is part of the openssh package.
# ssh-copy-id -p 222 root@www.xxx.yyy.zzz
Of course, you need to replace the “www.xxx.yyy.zzz” with the ip address of the server you want to log into. If you are running ssh on the default port 22, you can leave out the “-p 222” option. if you are running ssh on a different port, this should obviously replace the 222.
If you cannot log in with root and a password for example if you have created a new key pair for an existing server you will have to copy the public key manually to the server. View the public key file on the server keys were created using the “cat” command.
# cat ~/.ssh/id_ed25519.pub
Copy the key and go to the server you want to log into and open the “authorized_keys” file to paste the key in.
# vi ~/.ssh/authorized_keys
You should now be able to log in as root from the server where the keys were created without a password (but with passphrase for the key if set).
Now that we have the “key pair” set up it is time to disable root access with a password. To do this we need to edit the sshd_config file again.
# vi /etc/ssh/sshd_config
By changing “PermitRootLogin” from “yes” to “prohibit-password” it is no longer possible to log in with “root” using a password, but other methods, such as key-pair authentication are still possible. This change will only block password access for root and not for other users so that it is still possible to login to the system if the keys were to be compromised in some way. We can however limit the number of users by adding “AllowUsers root chief” which in this will only allow root and chief to log in.
Port 222 PermitRootLogin prohibit-password PasswordAuthentication yes MaxAuthTries 3 AllowUsers root chief ChallengeResponseAuthentication no UsePAM yes X11Forwarding yes PrintMotd no AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server
You can check the configuration for errors by running a quick test.
# sshd -t
If the configuration is correct, this command will not give a result.
For the changes to take effect, it is necessary to restart SSH.
# systemctl restart sshd
If you want to recheck the current settings, you can do so with a simple command “sshd -T” to display full settings of sshd. You can add the “sort” command to list the settings in alphabetical order.
# sshd -T | sort
So from now on direct root access via SSH is only possible with key authentication. You can still gain root access with a password but then you must first login with another user (added to the AllowUsers in sshd_config file) and you will need both passwords which makes intrusion extremely difficult especially in combination with “intrusion detection” systems such as Fail2ban or CrowdSec about which more in a next post.