
How to Set Up SSH Keys on Ubuntu 22.04.

By default, Ubuntu disables SSH root login and has no root password set. However, many system administrators prefer to work as root to avoid having to prefix almost every command with “sudo” and enter their password over and over again.

To allow root login over SSH, we first need to set the root password. Open a terminal and switch to root.

$ sudo -i

Next, set a new password for root (since you are now logged in as root, there is no need to pass the user name “root” to the passwd command).

# passwd

Enter the new password twice to confirm it.

Make sure you enter a strong password and store it somewhere safe. KeePass is a great open source tool that can help you generate and store passwords.

Since we will later disable direct root access with a password, it is important to create an additional user who will still have password access to the system.

It doesn’t really matter what you call this user; in this case we are going to create a user “chief”. Make sure you have generated a strong password for this new user as well and saved it in a safe place, such as KeePass, for later use.

# useradd -m chief

The “-m” option will automatically create a home directory “/home/chief”.

To activate the user and be able to log in with it, we need to add a password.

# passwd chief

Enter the new password twice to confirm it.

Note that for security reasons, this user is not added to the “sudo” group and therefore cannot obtain root privileges through sudo; “sudo -i” and “sudo su -” will not work for it. It is still possible to switch to root with “su root”, but only if you know the root password.

The original SSH configuration file includes a lot of comments and samples which are not really required and make it hard to read.

We prefer simple and clean configuration files containing only the required settings and parameters.

Keep a copy of the original file in case something goes wrong or you want to refer back to it at a later stage.

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config_orig

Use “grep” to strip the comment and blank lines from the original file, writing only the active settings to the new one.

# grep -v -E "^#|^;" /etc/ssh/sshd_config_orig | grep . > /etc/ssh/sshd_config

Edit the SSH configuration file to allow root login.

# vi /etc/ssh/sshd_config

And make the necessary changes.

Port 222
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 3
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

In our case we added “Port 222” (this can be another port if required, or multiple ports by adding a new line such as “Port 722”), “PermitRootLogin yes” and “PasswordAuthentication yes”. We also want to limit the number of login attempts to 3 with the option “MaxAuthTries 3”.

Adjust your firewall to accept (and forward) traffic on port 222 (or another port you configured and your ssh server is listening on).

Finally restart SSH to activate the new settings.

# systemctl restart sshd

You should now be able to log in as both “root” and “chief” via ssh from another machine, on the configured port and with the corresponding password.

Logging in with “root” may be convenient, but it’s not really secure, even if you have a strong password. Moreover, strong passwords are also often difficult to remember, which largely negates the convenience.

To address this, we are going to disable root access with a password and replace it with key-pair authentication.

On the machine you want to log in from, we will now first create a new key pair. As of Ubuntu 22.04, the RSA and DSA algorithms are no longer supported by default for security reasons, so we will use the ED25519 public-key signature system.

# ssh-keygen -t ed25519

You are given the option to specify a location where the keys will be stored; you can accept the default by pressing Enter. You are also offered the possibility of securing the key with a password, or rather a passphrase. If you are going to use the SSH connection to automate processes such as backups or network tunneling, it is better not to set one. In other cases it is recommended, especially for opening terminals on a desktop environment where multiple users have access.

To copy the public key to the server we want to log into, we are going to use the ssh-copy-id tool that is part of the openssh package.

# ssh-copy-id -p 222 root@www.xxx.yyy.zzz

Of course, you need to replace “www.xxx.yyy.zzz” with the IP address of the server you want to log into. If you are running ssh on the default port 22, you can leave out the “-p 222” option; if you are running it on a different port, that port replaces 222.

If you cannot log in as root with a password, for example because you have created a new key pair for an existing server, you will have to copy the public key to the server manually. View the public key file on the machine where the keys were created using the “cat” command.

# cat ~/.ssh/id_ed25519.pub

Copy the key, go to the server you want to log into, and open the “authorized_keys” file to paste the key in.

# vi ~/.ssh/authorized_keys

You should now be able to log in as root from the server where the keys were created without a password (but with passphrase for the key if set).
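For the manual copy above, the following is an added example (not part of the original post) that installs a public key line into authorized_keys the way ssh-copy-id does: it creates ~/.ssh with the permissions sshd’s default StrictModes requires and refuses to add the same key twice. It assumes POSIX sh; the home directory is a parameter so it can be tried on a scratch directory, and the key in the usage is a constructed placeholder, not a real key.

```shell
# add_authorized_key HOME_DIR PUBKEY_LINE
# sshd (StrictModes yes, the default) ignores authorized_keys when ~/.ssh or
# the file is group/world writable, so the permissions are set explicitly.
# The key is appended only if it is not already present (idempotent).
add_authorized_key() {
    home=$1; pubkey=$2
    case $pubkey in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "not a public key line: $pubkey" >&2; return 2 ;;
    esac
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    if grep -qxF "$pubkey" "$home/.ssh/authorized_keys"; then
        return 0   # already installed, nothing to do
    fi
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# count_keys HOME_DIR: number of key lines currently in authorized_keys.
count_keys() {
    grep -c -E '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys" 2>/dev/null || true
}

# Usage with a constructed (not real) ed25519 public key, on a scratch HOME:
# add_authorized_key /tmp/scratch-home 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyAAAAAAAAAAAAAAAAAA chief@laptop'
```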

Now that we have the “key pair” set up it is time to disable root access with a password. To do this we need to edit the sshd_config file again.

# vi /etc/ssh/sshd_config

By changing “PermitRootLogin” from “yes” to “prohibit-password” it is no longer possible to log in as “root” using a password, but other methods, such as key-pair authentication, are still possible. This change only blocks password access for root and not for other users, so that it is still possible to log in to the system if the keys were to be compromised in some way. We can however limit the set of users by adding “AllowUsers root chief”, which in this case will only allow root and chief to log in.

Port 222
PermitRootLogin prohibit-password
PasswordAuthentication yes
MaxAuthTries 3
AllowUsers root chief
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server

You can check the configuration for errors by running a quick test.

# sshd -t

If the configuration is correct, this command produces no output.

For the changes to take effect, it is necessary to restart SSH.

# systemctl restart sshd

If you want to recheck the current settings, you can do so with “sshd -T”, which displays the full effective configuration of sshd. Pipe it through “sort” to list the settings in alphabetical order.

# sshd -T | sort
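The configuration steps above, collected into an added example (not code from the original post): it strips the original file as described, sets the final directives on a copy, and checks the lockout-relevant settings before you run “sshd -t” and restart. It assumes POSIX sh with grep -E and awk; every path is a parameter so it can be run on a scratch copy rather than /etc/ssh/sshd_config, and sample_config is a constructed stand-in for the real file.

```shell
# strip_config SRC DST: drop comment (#, ;) and blank lines, as in the post.
strip_config() {
    grep -v -E '^#|^;' "$1" | grep . > "$2"
}
# set_directive FILE KEY VALUE: remove any existing KEY lines and append one,
# so the file ends up with exactly one, unambiguous setting for KEY.
set_directive() {
    grep -v -E '^[[:space:]]*'"$2"'([[:space:]]|$)' "$1" > "$1.tmp" || true
    printf '%s %s\n' "$2" "$3" >> "$1.tmp"
    mv "$1.tmp" "$1"
}
# get_directive FILE KEY: print KEY's value (first match), empty if unset.
get_directive() {
    awk -v k="$2" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}
# harden FILE: the final state from the post: root only with a key,
# logins limited to root and chief. Does not restart sshd.
harden() {
    set_directive "$1" Port 222
    set_directive "$1" PermitRootLogin prohibit-password
    set_directive "$1" PasswordAuthentication yes
    set_directive "$1" MaxAuthTries 3
    set_directive "$1" AllowUsers "root chief"
}
# check_config FILE: 0 only if the lockout-relevant settings are in place.
# Gate "sshd -t && systemctl restart sshd" on this; restarting sshd on a
# broken file is how you lose your own access to the machine.
check_config() {
    [ "$(get_directive "$1" PermitRootLogin)" = prohibit-password ] || return 1
    [ "$(get_directive "$1" MaxAuthTries)" = 3 ] || return 1
    [ -n "$(get_directive "$1" AllowUsers)" ] || return 1
}
# sample_config DST: a constructed stand-in for /etc/ssh/sshd_config.
sample_config() {
    cat > "$1" <<'EOF'
# This is the sshd server system-wide configuration file.
#Port 22
PermitRootLogin yes

PasswordAuthentication yes
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}
```

On a real host, run it against a copy (strip_config, harden, check_config), then “sshd -t -f” on that copy, and only then move it into place and restart sshd from a session you keep open until a second login succeeds.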

So from now on, direct root access via SSH is only possible with key authentication. You can still gain root access with a password, but then you must first log in as another user (listed in AllowUsers in the sshd_config file) and you will need both passwords, which makes intrusion extremely difficult, especially in combination with “intrusion detection” systems such as Fail2ban or CrowdSec, about which more in a future post.
