Allowing us remote SSH access

If you are our client because we are managing, maintaining, or otherwise accessing your server without physically being in the same room with it, this section is for you.

In order to allow us to remotely access your server via ssh, you first need to make sure your sshd allows logins with public keys. Check and/or edit your /etc/ssh/sshd_config file. You need to make sure it has the following entries:

PubkeyAuthentication   yes
This may be commented out. Since the default is "yes", this is fine. The point is that it cannot be "no".

AuthorizedKeysFile     .ssh/authorized_keys
Some older systems used the name ".ssh/authorized_keys2" instead. If yours is one of them (i.e. if this line already exists and has the other filename), that's fine; you just need to adjust the filename when installing the key (below).

AllowUsers
If this line exists and is un-commented in your sshd_config file, you should make sure that the userid you wish us to log in as is listed.

In addition, if the userid you wish us to log into is "root", you will need to check this line as well:

PermitRootLogin        without-password
Note that you could also have "yes" here, although it's not as secure. The difference is that "without-password" means that root is allowed to log in, but only if they use an authentication method other than "password". This way if somebody happens to find out what your root password is, they can't use it to ssh into your machine.

You should type "man sshd_config" to read more about this option. We know the phrase "without-password" can be a bit misleading.

If you had to change the /etc/ssh/sshd_config file, you will need to restart sshd. This is usually done with a command like this...

# /etc/init.d/sshd restart
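
The sshd_config checks described above, written as a script. This is an added example, not part of the original page; the function names are hypothetical, the sample config is constructed, and "prohibit-password" is the name newer OpenSSH releases use for "without-password". It reads only the global section (it stops at the first Match block) and does not handle negated AllowUsers patterns.

```shell
# get_opt FILE KEYWORD: print each value of KEYWORD from the global section
# (before any Match block); commented-out lines never match.
get_opt() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# check_key_login FILE USER: return 0 if the config permits key login as USER.
check_key_login() {
    cfg=$1 user=$2 rc=0
    v=$(get_opt "$cfg" PubkeyAuthentication | head -n 1)
    [ "${v:-yes}" = yes ] || { echo "FAIL: PubkeyAuthentication $v"; rc=1; }
    v=$(get_opt "$cfg" AuthorizedKeysFile | head -n 1)
    echo "INFO: key file is ${v:-the sshd default}"
    allow=$(get_opt "$cfg" AllowUsers)   # repeated AllowUsers lines accumulate
    if [ -n "$allow" ]; then
        listed=no
        set -f                           # stop * in patterns globbing filenames
        for pat in $allow; do
            # USER@HOST entries: compare the USER part only
            case $user in ${pat%%@*}) listed=yes ;; esac
        done
        set +f
        [ "$listed" = yes ] || { echo "FAIL: $user not in AllowUsers"; rc=1; }
    fi
    if [ "$user" = root ]; then
        v=$(get_opt "$cfg" PermitRootLogin | head -n 1)
        case ${v:-unset} in
            without-password|prohibit-password) ;;   # key-only root login
            yes)   echo "WARN: PermitRootLogin yes also accepts the root password" ;;
            unset) echo "WARN: PermitRootLogin unset; default depends on sshd version" ;;
            *)     echo "FAIL: PermitRootLogin $v"; rc=1 ;;
        esac
    fi
    return $rc
}

# Constructed sample config, not taken from any real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys
AllowUsers alice admin@192.0.2.*
PermitRootLogin        without-password
EOF
check_key_login "$sample" admin && echo "admin: key login permitted"
check_key_login "$sample" root  || echo "root: refused by AllowUsers"
rm -f "$sample"
```

On a live host, "sshd -T" prints the effective configuration, including defaults that are not written in the file.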

Adding our ssh public key

After checking the configuration of sshd, you will need to add our current ssh public key to the ".ssh/authorized_keys" file within the home directory of the user you wish us to access. This example shows how to set it up. Note that if your system uses the name ".ssh/authorized_keys2" in the AuthorizedKeysFile line (see above) you should substitute that filename below.

# cd ~userid
Substitute the userid as which you wish us to log in.
# mkdir -p -m 700 .ssh
# cd .ssh
# wget http://www.eastbournecomputerservices.ltd.uk/client/ecs-pubkey.txt
The file should transfer. If you don't have wget on the system but you do have curl, you can replace "wget" with "curl -O" and accomplish the same thing.
# cat ecs-pubkey.txt >> authorized_keys
# chmod 600 authorized_keys
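# chown uid:gid . authorized_keys
Substitute the userid and that user's login group ID as which you wish us to log in. The "." also gives that user ownership of the .ssh directory itself, which root owns if the mkdir above created it.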