# SSH connection with public key does not persist?

## pmam

I established ssh with a public key and afterward changed to 'PermitRootLogin no'.

BTW: I chose 'passphrase blank', so I can connect to the server without a password. Please inform me whether it is safe enough or whether a password is needed here?

All the above worked OK, but after reboot I was asked to enter a password (which was denied),

and I needed to repeat this command to establish the public key again (after changing to 'PermitRootLogin yes'):

```
ssh-copy-id root@server_IP
```

Then it works again. Please advise how I can establish a persistent ssh connection?

----------

## NeddySeagoon

pmam,

You need the other option to PermitRootLogin. It's the default, actually.

A passwordless key is OK at the server end. It can't tell.

If someone were to steal your private key, they would have ssh access to wherever you use that key.

How good is your physical key security?

Safe depends on your level of paranoia.

I would set PermitRootLogin No, use keys with strong pass phrases to log in as a user and use 

```
sudo su - 
```

when I needed to be root.

----------

## krinn

 *pmam wrote:*   

> I established ssh with public key and afterword changed to 'PermitRootLogin no'. 
> 
> ```
> ssh-copy-id root@server_IP
> ```
> ...

 

If you set PermitRootLogin no, then you don't need to copy any key to root@server_IP, because that key is never used.

To do what you are trying to do, you should either:

* use the root account, but with PermitRootLogin yes

* use a user account with PermitRootLogin no, then connect to it with ssh user@server_IP and su once you have logged in.

So it means you should copy a valid key to user@server_IP and not to root@server_IP.

----------

## pmam

 *Quote:*   

> If you set PermitRootLogin no, then you don't need to copy any key to root@server_IP, because that key is never use. 

 

I see my stupid mistake... Now I choose:

 *Quote:*   

> * use a user account with PermitRootLogin no, then you connect to it with ssh user@server_IP and su when you have login. 

 

So I copied valid key that way:

```
ssh-copy-id user@server_IP
```

And it is working even after reboot... BTW: I do not know why my first way with ssh-copy-id root@server_IP worked, but not after reboot...

I'm not familiar with sudo; I see that in other Linux distributions it is more common. However, I followed https://wiki.gentoo.org/wiki/Sudo

and installed app-admin/sudo, but did not figure out how to add a user to sudo.

Do I need to add a user to /etc/sudoers? What is the exact command for adding a user with root permissions?

Or, as I see in other distributions, do I need to create a sudo group and add the user to this group?

 *Quote:*   

> How good is your physical key security? 

 

Please explain what 'physical key security' means? If it refers to my root password,

I need to make it more complicated... I need to find a good generator.

Or if it refers to the key generator, I used this command: ssh-keygen

Thanks

----------

## P.Kosunen

 *pmam wrote:*   

> I'm not familiar with sudo - see that in other linux's dist  it is more common - however I followed https://wiki.gentoo.org/wiki/Sudo
> 
> and installed app-admin/sudo, but did not figure out how to add user to sudo.

 

```
## Uncomment to allow members of group wheel to execute any command

# %wheel ALL=(ALL) ALL
```

You can uncomment that %wheel line in /etc/sudoers; then users in the wheel group can sudo.

Last edited by P.Kosunen on Tue Feb 20, 2018 4:53 pm; edited 1 time in total

----------

## NeddySeagoon

pmam,

Your ssh key password is never sent over the network, not even encrypted.

The public part of your key is put on the remote systems you want to connect to.

You keep the private part err ... private. Ideally with a good pass phrase.

Anyone who has both the private part of the key and pass phrase can connect to the remote servers as if they were you.

When the pass phrase is blank, they only need the private part of the key. This can only be guarded by keeping it in a secure location.

Out and about on your laptop is not secure. It must be somewhere you won't lose it and it's unlikely to be stolen.

The PermitRootLogin option in /etc/sshd_config can take at least three values that I know of.

=yes, allows keys and passwords.

=no,  all root logins are denied.

=prohibit-password only key based logins are permitted.

On Gentoo, only members of the wheel group are permitted to become root; add your normal user to the wheel group.

Use the visudo command to edit /etc/sudoers to your taste. visudo is a wrapper around ${EDITOR} that does syntax checking.

You probably want 

```
## Uncomment to allow members of group wheel to execute any command

%wheel ALL=(ALL) ALL
```

----------

## Hu

As a minor point, you do not need sudo su - to become root.  If you have the right group membership to satisfy PAM, then /bin/su -, run from a user shell, will prompt for root's password and, once that password is given, provide a root shell.  In this mode, you need to give root's password, which need not be (and should not be) the same as the user's normal password.  This post is independent of whether the user shell is from ssh via password, ssh via key, or local console.

I strongly discourage using PermitRootLogin yes.  In limited cases, PermitRootLogin prohibit-password is acceptable.  The safest choice is PermitRootLogin no, then requiring /bin/su - from the user account afterward.  You can further protect the system by setting PasswordAuthentication no in the sshd configuration, so that no users are permitted to use password authentication.  Everyone must authenticate by key (which may or may not itself be password-protected).

----------
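An added example covering the sshd_config side of NeddySeagoon's PermitRootLogin summary and Hu's PasswordAuthentication recommendation; it is editor-written and not code from the thread. sshd applies the first occurrence of a keyword and ignores later duplicates, keywords are case-insensitive, and anything after a `Match` line is conditional, so a quick `grep` can mislead. The function below reproduces those rules for the global section and audits the two settings the thread turns on. The default of `prohibit-password` for PermitRootLogin that NeddySeagoon refers to applies to OpenSSH 7.0 and later; the older spelling `without-password` is still accepted. The config fragments in the demo are constructed for illustration.

```shell
#!/bin/sh
# Editor-added example, not from the thread. Reads an sshd_config the way
# sshd does for global options: first match wins, keywords are
# case-insensitive, '#' lines are comments, and a 'Match' line ends the
# global section, so we stop there.

# sshd_effective FILE KEYWORD DEFAULT -> prints the effective value, lowercased
sshd_effective() {
  awk -v key="$2" -v def="$3" '
    BEGIN { key = tolower(key) }
    $1 ~ /^#/ || NF == 0 { next }                       # comments and blank lines
    tolower($1) == "match" { exit }                      # rest of file is conditional
    tolower($1) == key { print tolower($2); found = 1; exit }
    END { if (!found) print def }                        # sshd built-in default
  ' "$1"
}

# audit_sshd FILE -> 0 when root cannot log in with a password and password
# authentication is off for everyone (so every login needs a key)
audit_sshd() {
  prl=$(sshd_effective "$1" PermitRootLogin prohibit-password)   # OpenSSH >= 7.0 default
  pwa=$(sshd_effective "$1" PasswordAuthentication yes)          # sshd default
  rc=0
  case "$prl" in
    no|prohibit-password|without-password) ;;   # without-password: older spelling
    *) echo "PermitRootLogin is '$prl': root can log in with a password" >&2; rc=1 ;;
  esac
  if [ "$pwa" != no ]; then
    echo "PasswordAuthentication is '$pwa': a stolen or guessed password is enough to log in" >&2
    rc=1
  fi
  return $rc
}

# Demo on two constructed configs: the state pmam started from, and the
# state the thread recommends (note the ignored duplicate and the Match block).
d=$(mktemp -d)
printf 'PermitRootLogin yes\n# PasswordAuthentication no\n' > "$d/weak"
printf 'PasswordAuthentication no\nPermitRootLogin no\nPermitRootLogin yes\nMatch User backup\n  PasswordAuthentication yes\n' > "$d/hardened"
for f in weak hardened; do
  if audit_sshd "$d/$f"; then echo "$f: ok"; else echo "$f: needs work"; fi
done
rm -rf "$d"
```

Before restarting sshd after an edit, `sshd -t` checks the syntax and `sshd -T` prints the configuration as sshd actually parses it, which is the authoritative answer when a key login unexpectedly falls back to a password. The matching check for the sudoers half of the thread is `visudo -c`, which validates /etc/sudoers (or a given file with `-f`) without opening an editor.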

