Transcript from the "Security Settings" Lesson
>> Jem Young: As long as everybody can log in with their ssh key, with their new user tester, whatever you wanna call that. Let's go and add a password for root, that's generally always a good idea. So can I switch to root?
>> Jem Young: No, I can't. Because you can't just switch back to roots from your current user cuz it doesn't have a password yet.
[00:00:22] So the way we're gonna solve that is we're gonna log out. Exit. Then I'm gonna log in as root for now.
>> Jem Young: And I'm just gonna use the password. Make sure that's right, yes. The password command.
>> Jem Young: Oops, did I misspell that? Pass, you know they took out the word, the or, but not the pass part.
[00:00:49] All right, let's type it again. I am just off today, I apologize. Password, and I'm just gonna make it something simple for now.
>> Jem Young: So we just ran the password command and we added a password for the root user. By default it's blank, but ironically, in the configuration by default, it says no blank passwords.
[00:01:10] Which is why you can't switch to root user.
>> Jem Young: Yeah, it's tricky. That's the pros and cons of setting something up with DigitalOcean or Amazon, is they have secure defaults. But you have to know what those are ahead of time, lest you get yourself into a corner. Now if you wanna start this fresh, like you have a home machine, you could do whatever you want.
[00:01:31] You'd say blank passwords are fine, doesn't matter. But for now, it's probably a good idea to always have a root password of some sort. So let's go ahead and exit. And let's log back in as our test user. I just wanna make sure I can switch the root just in case I need to.
>> Jem Young: Did it work? Did I put the wrong password? Maybe I did. All right, no, we're good.
>> Jem Young: But in general you shouldn't do things as root. Why is that, from the first one? Someone remind me. Anybody?
>> Speaker 2: You can do bad things without sudo.
>> Jem Young: Yes, yeah, you can do bad things without sudo.
[00:02:09] Sudo is just a way of saying, are you sure? Are you really sure? But if root, it won't tell you. You can say rm-rf/ delete your whole directory, it will not give you a warning. I think it might now, probably won't. You could disable your firewall, you can do also sorts of nasty things and you just won't know because you're not paying attention.
[00:02:25] So you always wanna keep sudo cuz it's just a quick safety check. And I'm just gonna exit, and I'll be back to my test user shell.
>> Jem Young: All right, now let's disable root login. How do we do that? Someone remind me.
>> Speaker 3: Mash profiles, batch config.
>> Jem Young: Batch config, no.
>> Speaker 3: SSH.
>> Jem Young: Yes.
>> Speaker 2: SSHD.
>> Jem Young: Yes, so as a refresher, because I honestly don't remember. So sudo vi /etc/sshd/config.
>> Jem Young: Make you a little bigger.
>> Jem Young: If you just woke up, we are back on the slides from the first course, cuz it has all the instructions already.
[00:03:13] Cuz you'll be like, I don't see these in the slides. This is the first course, there's a link. So sudo vi I, edit your sshd_config.
>> Jem Young: Except for you. If you have not been able to log in as your test user, do not disable root login yet. You will be locked out of your server.
>> Jem Young: And by default, DigitalOcean, if you use SSH key, password authentication is no. But just double check to make sure that's set to no. All right, so I'm going to edit in mine, sudo/etc/sshd [INAUDIBLE].
>> Jem Young: That's without sshd.
>> Jem Young: So the,
>> Jem Young: And we're disabling the permit. So, lazy way, permits, RootLogin, gonna say no.
>> Jem Young: And oops, say password login, currency passwords, no. And PasswordAuthentication is set to no as well.
>> Jem Young: All right? Good to go.
>> Jem Young: Actually show you this line. The great thing about a lot of Linux defaults is it's pretty well commented. You can go through this file and you can see different ways of configuring SSHD.
[00:04:55] Remember earlier how we said the authorized key files can be anything? Well we can just comment this line, cuz this is the default. We can comment this and change it to authorize users. We can change it to whatever we want. But we keep it as a default. But in the future, if you ever wanna just move where your public keys are, just change this line.
[00:05:10] Nothing to it. It's not that scary. And I'm just gonna write quit, so sudo service, sshd, restart. It's gonna restart the daemon, so we pick up the new config.
>> Jem Young: All right.
>> Jem Young: Everybody with me? Now, if you want, you can test to make sure you did things correctly.
[00:05:40] You can try to log in as root. It'll say permission denied (publickey). I know, not the most useful error. But it works. Now if you run into errors with ssh, which at some point in the future you probably will. Let's run this with the v command for verbose.
>> Jem Young: [INAUDIBLE], and it tells you everything that's happening with that handshake. [SOUND] And it tells you all the files it's running through, all the keys it's trying to pick up, things like that. So /v is pretty useful. In the future, if you have an issue with SSH, I'm gonna say, run SSH with verbose and tell me what's happening.
[00:06:22] And you could usually figure out pretty quickly about what the issue is.
>> Jem Young: And let's log back in.
>> Jem Young: All right. Everybody with me? No one confused? We're all happy.
>> Speaker 2: So it shouldn't still be asking you for a password if you have enabled the sshd?
>> Jem Young: No, it should not.
>> Speaker 2: It is. Do you have sense of what might be going on?
>> Jem Young: Did you put password on your SSH key?
>> Speaker 2: Yes.
>> Jem Young: Okay, that's what it's asking for.
>> Speaker 2: Really?
>> Jem Young: Yeah, so that's actually a pretty good authentication step if you had a big secure server, is you can put a password on top of your SSH key.
[00:06:57] That way, in case someone steals that, they still have to put in a password to decrypt it. That's smart. We didn't do it cuz I'm lazy and I hate typing passwords every time. But you're much better at security than I am. Shame on me, shame on me.
>> Jem Young: Oops, all right.
[00:07:16] And we disabled root login, we disabled password login, excellent.