Security Archives • Page 12 of 14 • Linux Tips

Prevent SSH Root Login

Today’s article will tell you how, and why you’d want to, disable root login via SSH. It’s actually a brief article and approachable by even a beginner with SSH. If you have SSH enabled, then you may want to make sure to do this.

In some cases, like Ubuntu, the root account is disabled by default. That’s generally a good thing. In that case, this article may be important to you if you’ve enabled root login. This article may also be of interest for those who have changed the port SSH uses. Even if logging in as root is already disabled, it won’t hurt to disable it via SSH. Even if the port has been changed, disabling SSH root login won’t hurt.

So, why would you want to disable root login for SSH? Well, it’s a known account – meaning ‘root’ is pretty standard across the distros. An attacker already has half the information – the name of the account. It’s also an account that has the keys to the kingdom. If you have control of the root account, you have complete control of the system. This is fine if it’s your system and you with the root account, it’s less appreciated when it’s someone else that has control of your devices.

This article is actually pretty easy and is a step I suggest everyone take. What it does is it prevents root login via SSH entirely. It’s a simple step to make your computer more secure by preventing SSH root login. You can still login with other accounts and use sudo, so it’s really not limiting your ability to control the system.

Prevent SSH Root Login:

Like many other articles on this site, this one needs an open terminal. You can open your terminal with your keyboard – just press CTRL + ALT + T and your default terminal should open.

Once you have your terminal open, enter the following command:

sudo nano /etc/ssh/sshd_config

1	sudo nano /etc/ssh/sshd_config

Once that’s open, you’re looking for #PermitRootLogin no. When you find that line, you simply want to remove the # symbol. The end result should look like this:

PermitRootLogin no

1	PermitRootLogin no

In some default configurations, you may see #PermitRootLogin prohibit-password instead. If you uncomment that line, you could still login as root – you just can’t login with a password and would have to use a key like in this article about SSH keys.

In that case, when the line doesn’t exist or is changed, you can just add the line yourself. It won’t hurt anything and will still work. So, just find a blank section in the config file, add a new blank line, and then add the PermitRootLogin no like above.

Once you’re done, you need to save the file. As we’re using nano, you do that by pressing CTRL + X, then Y, and then ENTER. That should save the file with the correct name.

Finally, you will want to reload SSH. That’s easy enough, you reload SSH with the following command:

sudo systemctl reload sshd

1	sudo systemctl reload sshd

That’s it, that’s all you need to do! Once you’ve done that, and you can test it yourself. You shouldn’t be able to login to SSH with the root account, which is a pretty solid security idea. If you can’t login as root, nobody else should be able to login as root.

By the way, if you decide you want to undo this – just go back into the config file and add a # at the start of the line, save it, and restart the sshd daemon.

Closure:

That’s it. Thanks for reading yet another article! This one is pretty quick and easy, plus it will help you increase your server’s security. There really aren’t many reasons to have SSH root login enabled, and disabling it completely removes that attack vector.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

How To: Change Your Password In The Terminal

It’s considered good form to change your password once in a while. This may not be something important for you, but others may appreciate it. It may be corporate policy or regulations that make you need to change your password, or you could just be more security minded than many others. No matter what, this article tells you how.

The tool we’re using in today’s exercise is called ‘passwd‘, which is a tool to help make and manage passwords. It’s a bit complicated, but it uses something called hashing and stores a hash instead of a plain-text password.

When you login, your password is checked against the hash that was created when the password was created. This prevents people from easily reading your stored password, stored of course because there must be something to check against.

If one remembers way back to the start of this project, my goal is to put my notes online. This article is in my notes, which is why this is such a simple article. Indeed, this article should be pretty straightforward and easy to understand. I’d definitely call it a beginner-friendly article.

Change Your Password:

Like most always, you need to open your terminal. You can do so with your keyboard – just press CTRL + ALT + T and your default terminal should open.

Once you have your terminal open, the command you’re looking for is:

passwd

passwd

If you already have a password, you’ll need to type your current password and then you’ll type the new password twice. When you logout or next need to use your password, your new password will be required. You don’t need ‘sudo’ for this, as the password you’re changing belongs to you.

Seeing as this is short, I’ll toss in another use of passwd. If you want to change the password for a different user, you just use this command:

sudo passwd <user_name>

1	sudo passwd <user_name>

Change the obvious to the obvious, specifically the username. This command does require ‘sudo’, because you’re changing a password that doesn’t belong to the current user.

There’s more that can be done with passwd, but those things are beyond the scope of this article. I’d expect to see some more passwd uses covered in the future, but you can get a head start by typing man passwd into your terminal and learning about the other options.

Closure:

That’s it, really. I told you that this one would be short and easy! Sure enough, it’s pretty easy. Many of my notes are regarding people who are new to Linux, but it’s still nice to get more of them online. I dare say we’re coming along nicely.

Guest Article: What Are SSH Keys?

The following article is a guest-written article from Andy Brooks (aka captain-sensible) about SSH keys. So, let’s put our hands together for a guest author and appreciate that I got a break from writing articles! Thanks, Andy!

There are a few articles about SSH already:

Install SSH to Remotely Control Your Linux Computers
Enable x11 Forwarding With SSH (Remotely Use GUI Applications)
How To: Change The Port SSH Uses

What Are SSH Keys?

Recently, I created an account for the AUR (Arch user repository) with a view to taking over an maintaining an Aurphan AUR package. On the registration form, which included the usual user name etc, was a text box asking for my SSH public key? You might wonder what is that, why do the AUR want it, and how are they going to use it?

Well the AUR would hold my public key and that would be associated with my user account. What I would want to do with the AUR for a package would be update the PKGBUILD file and get those changes published on AUR repository. So basically that would require getting access to the server of the AUR by logging in and then pushing up my changes to it.

So how are SSH keys involved in that process ? Well on my PC in my home folder there is a directory called .ssh inside are two text files called id_rsa id_rsa.pub. The information held inside the id_rsa.pub, the AUR has a copy of.

If and when I access AUR to make changes, to any package on the repo, there is an exchange of information over my terminal that I am using as a communication channel via ssh. The server sends a challenge, which is to see if my private key matches up with the public key which the AUR server is holding a copy of.

A couple of points are the process involves encryption and the only key that should be “given out” to anybody is the public key. The private key should be, well kept private and out of peoples hands. Putting it simply, ssh-keys are a way of securely giving users access to remote servers. Secure Shell was created in 1995 by Tatu Ylönen a Finnish national following a password-sniffing attack at his university.

Now for registration for accounts such as with the AUR, there are really only two things you need to do.

1) create as a “once off” a pair of private & public keyserver-options.
2) Give the details of the public key to the AUR server.

Creating SSH Keys:

Lets start with item 1):

ssh-keygen is a utility of openSSH so you need to install that, then from a terminal simply issue the command (as a normal user not sudo): ssh-keygen

To keep things simple, you can accept the defaults by hitting return button.

At the end you should see something like in the adjacent image.

ssh keygen — Yours should look pretty similar to this!

Note: At this point, you can generate a password/passphrase. Doing so can increase the level of security, but the choice is yours to make.

Now lets look at 2):

From your terminal, check you are in your home folder, or cd to it eg ($ cd ~ )
Then change directory into the .ssh directory with cd .ssh
Then get contents via cat
cat : [andrew@darkstar:~/.ssh]$ cat id_rsa.pub

You should get something like : ssh-rsa AAAAB3NzaC1yc2EAAAAD… There will be something like 569 chars in all.

From the terminal you can just copy starting from the ssh-rsa ….. to the end; then you can just paste that into a text box asking for your public key.

A quick warning the two keys generated are a matched pair. Once you submit your public key, don’t just repeat the default way of generating keys otherwise the keys will be overwritten and then you will be rejected from getting access to where you last put your public keys.

Also to see the .ssh directory in your home folder, you may need to click view hidden files and dirs.

Closure:

And there you have it, a guest-authored article about SSH keys! I’m very grateful for the help. If you’re interested in writing an article, you can do that. The easiest way for you is to use the Contribute Your Article link at the top of any page. The easiest way for me is if you just register and ask to be made an author. Either is awesome and even if you’re an author I will still need to edit and schedule posts.

Create A New User With SUDO Privileges In Ubuntu

It’s not unusual to want to create a new user with sudo privileges and it’s actually really easy. This will be just a quick article that explains how. It’s not exactly a complex operation.

This article doesn’t cover other distros! It has only been tested in a couple of Ubuntu derivatives and not all distros come with ‘adduser’. It should probably work if you install ‘adduser’ where available, but that’s entirely untested by me. Give it a shot and let me know in a comment if it works out for you.

You may want a multi-user environment, you may want different logs for different users, you may want some customization with one user, you might want to test things with a separate user, etc… There are tons of reasons for wanting a different account and wanting a new user with sudo privileges.

I shouldn’t need to mention this, but sudo stands for ‘superuser do’. Users that belong to the sudo group are pretty much omnipotent. They can access anything, change anything, and do anything they please. You’ll use sudo to do things like install software or edit system files.

Anyhow, I’ll explain how to create a new user with sudo privileges in this article. It’s a pretty easy task and you shouldn’t have much trouble with this one.

Create New User With SUDO Privileges:

This article requires an open terminal, like many other articles on this site. If you don’t know how to open the terminal, you can do so with your keyboard – just press CTRL + ALT + T and your default terminal should open.

The tool we’ll be starting with is called ‘adduser‘, and the name tells you what it does. With your terminal now open, you start by entering the following to add a new user:

sudo adduser <new_user_name>

1	sudo adduser <new_user_name>

Once you’ve done that, you’ll be asked to type the new user’s password twice, and then you can fill in some additional information for that user. Those steps aren’t necessary, but you will want to add a password for the user – and definitely so because it’s an account that has access to sudo.

Now that you have created a new user, you’ll need to modify that user. The newly created user doesn’t come with sudo access by default, you need to grant it. The tool we’ll be using for this is ‘usermod‘ and the command to make the new account a new user with sudo privileges is:

sudo usermod -aG sudo <new_user_name>

1	sudo usermod -aG sudo <new_user_name>

At this point, you should be able to login and use the newly minted user account. Indeed, you should have a new user account and that new account should have sudo privileges.

CLOSURE:

See? I told you that this wouldn’t be a long or difficult article. If you want a new account and you want that account to have sudo privileges, it’s just a couple of easy commands away. This is yet another article in what’s turning out to be quite a long list of articles.

Strip Password From A Password-Protected PDF

One company likes to send me a password-protected PDF every month, and it can be a pain typing in the password every time. Fortunately, we don’t have to! To completely remove the password from password-protected PDFs, keep reading!

Now, there are times when removing the password from a password-protected PDF is against corporate policy or may be a violation of regulations. I suppose a good rule might be, “Don’t tamper with the password protection unless the PDF belongs to you.”

That said, it’s actually pretty easy to remove the passwords from password-protected PDFs. It’s easy and I’ll show you how! This won’t even have to be a very long article!

Remove Password From A Password-Protected PDF:

Like oh so many of my articles, this one starts with the terminal open. If you don’t know how to do that, it’s easy. Just use your keyboard and press CTRL + ALT + T and your default terminal emulator will open.

The tool we’ll be using is called ‘qpdf‘ and it describes itself as:

PDF transformation software

Once you have that open, one of the following should help you install qpfd:

Debian/Ubuntu:

sudo apt install qpdf

1	sudo apt install qpdf

Arch/Manjaro:

sudo pacman -S qpdf

1	sudo pacman -S qpdf

RHEL/Fedora:

sudo dnf install qpdf

1	sudo dnf install qpdf

Any of those should get you to the point where qpdf is installed, and there shouldn’t be (m)any dependencies. Using it is just as easy as installing it.

qpdf --password='PASSWORD' --decrypt original.pdf new_file.pdf

1	qpdf --password='PASSWORD' --decrypt original.pdf new_file.pdf

Obviously, you change “PASSWORD” to the password that’s used in the password-protected PDF to the actual password. You also use the name (and path) of the PDF and a new name for the new PDF that has no password. That will, of course, remove the password and you can delete the original after verifying that it worked.

BONUS:

You can actually use qpdf to make a password-protected PDF. It’s also easy and the command would look like this:

qpdf --encrypt PASSWORD PASSWORD 256 -- original.pdf new_file.pdf

1	qpdf --encrypt PASSWORD PASSWORD 256 -- original.pdf new_file.pdf

In this case, the PASSWORD is your new password and it must be typed twice. The 256 is the key-length used to encrypt the PDF. To get more information like that, just run:

qpdf --help

1	qpdf --help

In there, you’ll see that qpdf is really quite a potent application. It can do so much more than just stripping the password from a password-protected PDF. So, give that help file a scan and see what other features it has!

CLOSURE:

See? I told you that this article wouldn’t take all that long. Best part? It’s another in what’s a growing list of articles and it’s something you can actually use when you get a password-protected PDF. Again, if you’re gainfully employed or in a regulated occupation you may not want to remove the password protection.