Hey there,
I am currently trying to establish an ssh connection between two of my PCs. Both are running Manjaro 5.14.10-1 with openssh installed. My goal is to execute bash commands via ssh on the other machine without it asking me for a (root) password.
I created the Key Pair using:
ssh-keygen -t ed25519 -f ~/.ssh/my-file.ppk
And tried copying the public key to the other machine using:
Same happens when trying to just login via ssh to root@ip_of_machine.
I am sure I am using the correct password because it works when I use it for su on the other machine. My caps lock is off and I am certain I didn't misspell it like 50 times xD.
I don’t really know how to troubleshoot this problem.
Hoping for smarter people than me.
Look at the following settings in /etc/ssh/sshd_config.
#PermitRootLogin prohibit-password
PermitRootLogin no
Disclaimer: You should never ever allow a root login over ssh, passwordless or otherwise. Never. Log in as a regular user and use su - or sudo.
Hey thanks for your answer. I am currently not able to check whether this will solve my problem but it sounds like the cause.
Just another quick question: After enabling this option it will still ask for the root password, so that others will need the password and my machines can use the generated private and public key, won’t it?
If you want passwordless root logins, then you have to enable PermitRootLogin prohibit-password and set PermitRootLogin to yes. Also make sure that the following line in /etc/pam.d/sshd is commented out.
auth requisite pam_securetty.so
It may say required in your version, but the line needs to be commented out in order to allow remote root logins.
For passwordless remote logins for unprivileged users via authentication keys, you have to set that up separately. See…
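The two answers above both come down to "which value of PermitRootLogin does sshd actually use, and is pam_securetty still active". The script below is an added example, not code posted in this thread: it reads an sshd_config and a /etc/pam.d/sshd and reports the effective values. The point it demonstrates is that sshd keeps the FIRST uncommented value it sees for a keyword (not the last, as in most config files) and that anything below a Match line is conditional, so a plain grep for PermitRootLogin is easy to misread. The helper names and the sample files are my own.

```shell
#!/bin/sh
# Added example (not from the thread): report the settings sshd will really use.
# Limitation: Include directives (OpenSSH 8.4+) are not followed; when you have root
# on the box, `sshd -T` is the authoritative source and prints the merged result.

# effective_setting <config-file> <keyword> [<default>]
# Prints the first uncommented value of <keyword> that appears before any Match
# block, or <default> when the keyword is never set. Keywords are matched
# case-insensitively and the "Keyword=value" spelling is accepted, as in sshd.
effective_setting() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    default=${3:-}
    value=$(awk -v key="$key" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^[[:space:]]*#/ { next }               # skip comments
        NF == 0 { next }                        # skip blank lines
        index($1, "=") { sub(/=/, " ") }        # "Keyword=value" -> "Keyword value"
        tolower($1) == "match" { exit }         # everything below is conditional
        tolower($1) == key { print $2; exit }   # sshd keeps the FIRST value it reads
    ' "$file")
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$default"
    fi
}

# pam_securetty_active <pam-file>
# Succeeds (0) when an uncommented "auth ... pam_securetty.so" line is present,
# i.e. PAM will reject root logins that do not come from a tty listed in
# /etc/securetty, which is what blocks remote root even with PermitRootLogin yes.
pam_securetty_active() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^[:space:]]+[[:space:]]+pam_securetty\.so' "$1"
}

# ssh_access_report <sshd_config> <pam.d/sshd>
# Prints the values that decide whether a root login over ssh can succeed.
# The defaults passed here are OpenSSH's compiled-in defaults.
ssh_access_report() {
    cfg=$1
    pam=$2
    printf 'PermitRootLogin=%s\n'        "$(effective_setting "$cfg" PermitRootLogin prohibit-password)"
    printf 'PasswordAuthentication=%s\n' "$(effective_setting "$cfg" PasswordAuthentication yes)"
    printf 'PubkeyAuthentication=%s\n'   "$(effective_setting "$cfg" PubkeyAuthentication yes)"
    if pam_securetty_active "$pam"; then
        printf 'pam_securetty=active (remote root logins rejected by PAM)\n'
    else
        printf 'pam_securetty=commented out or absent\n'
    fi
    return 0
}

# When run on a real host, report on the live files (read-only, no root needed
# if the files are world-readable, which they normally are).
if [ -r /etc/ssh/sshd_config ] && [ -r /etc/pam.d/sshd ]; then
    ssh_access_report /etc/ssh/sshd_config /etc/pam.d/sshd
fi
```

Read the output together: with PermitRootLogin=no nothing else matters for root; with prohibit-password (the default when the line is commented out) root can only authenticate with a key, never with a password, which is exactly what the original poster wants; and pam_securetty=active will still reject root regardless of the sshd setting. Where you do have root, cross-check with `sudo sshd -T | grep -i -e permitrootlogin -e passwordauthentication`.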
I have modified the guide to use a default Manjaro instance instead of the VPS example.
Copy the public keyfile to a non-root user with sudo privileges on the device.
Then connect as that user and copy the keyfile to the root location.
Security advice: Do not ever enable password login for the root user.
The ONLY possible exception is if it is something on your LAN, inaccessible from the internet. Even then, it is not advisable due to the possible vulnerability.
Also remember that repeatedly trying to log in with a password (brute-force password guessing) will block the user in question, and you do not want your root user locked out.
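The two copy steps in the post above (key to the sudo user, then into root's location) are where most "Permission denied (publickey)" problems are actually made: the wrong file gets copied, the key is appended several times, or the directory permissions are loose enough that sshd's StrictModes silently ignores the file. The script below is an added example, not code from the thread, to be run on the target machine as the account that should accept the key. File names, paths and the key material in its self-test are hypothetical/constructed.

```shell
#!/bin/sh
# Added example (not from the thread): install one public key into an account's
# authorized_keys on the target machine, first for the sudo user, then for root.
#
#   ./install-key.sh ~/my-file.ppk.pub                  # as the sudo user, for itself
#   sudo ./install-key.sh ~/my-file.ppk.pub /root/.ssh  # then for root
#
# Handled here:
#  - copying the private key (my-file.ppk) instead of the public one (my-file.ppk.pub);
#  - appending the same key on every run;
#  - permissions: with StrictModes (the default) sshd ignores authorized_keys when
#    the directory or the file is writable by anyone but the owner.

# is_public_key <file>
# Succeeds only for a file holding exactly one "<type> <base64> [comment]" line
# with a recognised OpenSSH key type. A private key is multi-line and starts
# with "-----BEGIN", so it fails both checks.
is_public_key() {
    [ "$(grep -c '' "$1")" -eq 1 ] || return 1
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$' "$1"
}

# install_authorized_key <pubkey-file> [<ssh-dir>]
# Appends the key to <ssh-dir>/authorized_keys (default: $HOME/.ssh) unless the
# same key type + blob is already present; leaves the directory 0700 and the file
# 0600. Returns 1 without touching anything if <pubkey-file> is not a public key.
install_authorized_key() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    ak=$dir/authorized_keys

    if ! is_public_key "$pub"; then
        echo "refusing: $pub is not a single OpenSSH public-key line" >&2
        return 1
    fi

    umask 077                        # anything created below is owner-only from the start
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    touch "$ak" || return 1
    chmod 600 "$ak" || return 1

    # Identify the key by type + blob only, so the same key with a different
    # comment still counts as present. (Lines with an options prefix such as
    # restrict,command=... are simply never matched, which only means a re-append.)
    blob=$(awk '{ print $1 " " $2 }' "$pub")
    if awk '{ print $1 " " $2 }' "$ak" | grep -Fxq -- "$blob"; then
        echo "already present in $ak, nothing to do" >&2
        return 0
    fi
    # $(cat) strips the trailing newline and printf puts exactly one back, so the
    # file stays one key per line even if the .pub file lacked a final newline.
    printf '%s\n' "$(cat "$pub")" >> "$ak"
    echo "installed key into $ak" >&2
}

if [ "$#" -ge 1 ]; then
    install_authorized_key "$@"
else
    # No arguments: self-demonstration in a scratch directory with a constructed,
    # non-functional key blob, so the script can be tried without touching ~/.ssh.
    demo=$(mktemp -d)
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyBlobForDemoOnly0123456789abcdefghij me@pc1' > "$demo/demo.pub"
    install_authorized_key "$demo/demo.pub" "$demo/ssh"
    install_authorized_key "$demo/demo.pub" "$demo/ssh"   # second run is a no-op
    ls -la "$demo/ssh"
    rm -rf "$demo"
fi
```

When root's home is the target, run it through sudo as shown; the file then belongs to root and sshd accepts it. If a login still fails afterwards, `ssh -v root@ip_of_machine` on the client shows which key it offered and whether the server even tried publickey, and `journalctl -u sshd` on the target shows why it was refused.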
If you use an ssh-agent, you could unlock a key manually (please be sure to use a good passphrase for this key). The key is kept secure in memory by the agent.
Then after that you will not be asked for a password to start a script on pc1 that logs into pc2 and performs some task (as root). But this is only permitted after you log in and unlock the key on pc1.
Do NOT (never!) create a key without a passphrase!
If the task on pc2 can be done without being root, then this is the best way to go. The permission system of Linux has a lot of possibilities.
It may be possible to create a separate user which is only allowed to execute a special script as “admin” with sudo.
It is also possible to restrict the ssh-account of such a user, so it is only possible to execute a certain script.
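The restricted account the answer above describes (a dedicated user whose key may only trigger one script, and whose sudo rule covers only that script) is built from three pieces: a sudoers line with no arguments allowed, an authorized_keys entry with `restrict,command="..."`, and the forced-command gate that sshd runs instead of whatever the client asked for. The gate below is an added example, not code from the thread or from Manjaro; the account name, script paths and the key comment are hypothetical. What it demonstrates is that the client's request arrives in `$SSH_ORIGINAL_COMMAND` and must be matched exactly against an allow-list, never handed to a shell.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command gate for a dedicated task
# account on pc2. All names are hypothetical.
#
# On pc2:
#   1. useradd -m -s /bin/sh taskuser
#   2. /etc/sudoers.d/taskuser (the trailing "" forbids ANY arguments):
#        taskuser ALL=(root) NOPASSWD: /usr/local/sbin/backup-task ""
#   3. ~taskuser/.ssh/authorized_keys, one line, options before the key:
#        restrict,command="/usr/local/bin/ssh-task-gate" ssh-ed25519 AAAA... pc1-backup
#      "restrict" turns off port/agent/X11 forwarding and pty allocation; "command="
#      makes sshd run this gate whatever the client requested and puts the client's
#      request in $SSH_ORIGINAL_COMMAND.
#   4. Install this file as /usr/local/bin/ssh-task-gate, mode 0755, owned by root.
# On pc1 (unlock the key once with ssh-add, then from any script):
#        ssh -i ~/.ssh/my-file.ppk taskuser@pc2 backup

# Never trust the PATH a remote client might influence; use a fixed one.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# gate <requested-command>
# Maps an allowed request word to the exact command line to run and prints it.
# Anything else, including "backup; id" or "backup && rm -rf /", falls through
# to the default branch and is rejected (return 1). The request is only ever
# compared, never evaluated, so shell metacharacters in it are inert.
gate() {
    case "$1" in
        backup) printf '%s\n' 'sudo -n /usr/local/sbin/backup-task' ;;   # the one root task
        status) printf '%s\n' 'cat /var/lib/backup-task/last-run' ;;      # read-only, no sudo
        *)      return 1 ;;
    esac
}

# run_gate
# Called by sshd via command="...": resolve the request and exec the fixed
# command line. `sudo -n` fails immediately instead of hanging on a password
# prompt if the sudoers rule is missing, which is the failure mode you want.
run_gate() {
    req=${SSH_ORIGINAL_COMMAND:-}
    from=${SSH_CONNECTION%% *}
    if cmd=$(gate "$req"); then
        command -v logger >/dev/null 2>&1 && logger -t ssh-task-gate "allowed '$req' from $from"
        # $cmd is our own fixed string from gate(), not client input, so word
        # splitting here is intentional and safe.
        exec $cmd
    fi
    command -v logger >/dev/null 2>&1 && logger -t ssh-task-gate "denied '$req' from $from"
    echo "denied: '$req'" >&2
    exit 1
}

# sshd sets SSH_ORIGINAL_COMMAND only when it is executing a forced command, so this
# file can be sourced or tested without triggering anything. An interactive login
# attempt arrives with no command and therefore gets nothing but a closed session.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    run_gate
fi
```

Because the sudoers rule names one absolute path with `""` for arguments, even a bug in the gate cannot turn into "run anything as root": the worst case is running backup-task at an unexpected time. If pc1 itself is compromised, the attacker gets exactly that and nothing else, which is the whole point of not giving pc1 root's key.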