Does changing user's password prevent SSH key login?

Support for security such as Firewalls and securing linux
Post Reply
dhinged
Posts: 18
Joined: 2014/05/24 16:50:31

Does changing user's password prevent SSH key login?

Post by dhinged » 2014/08/07 19:42:17

I took over a server from a previous development team, and I changed their passwords, but then I noticed they had SSH keys that allowed them to login without typing their password. Does changing their password prevent them from logging in through their key or do I need to remove that as well?

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Does changing user's password prevent SSH key login?

Post by TrevorH » 2014/08/07 19:47:09

You can login via ssh using either password or public/private key. You would need to remove their $USER/.ssh/authorized_keys file and also their USER/.ssh/authorized_keys2 file.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

gerald_clark
Posts: 10642
Joined: 2005/08/05 15:19:54
Location: Northern Illinois, USA

Re: Does changing user's password prevent SSH key login?

Post by gerald_clark » 2014/08/07 19:55:35

In addition, you will need to remove their key records from every user's .ssh/authorized_keys files or they will be able to ssh someuser@your server and gain access.

dhinged
Posts: 18
Joined: 2014/05/24 16:50:31

Re: Does changing user's password prevent SSH key login?

Post by dhinged » 2014/08/08 00:48:29

I know they can log in via SSH using password or keys. That's not what I asked. I asked if changing their password prevents them from logging in through keys, since I didn't discover they had keys until after I changed their passwords, and because that seemed to halt their activity, I assumed it prevented them from logging in through keys, but I haven't seen definite evidence either way and I couldn't find anything online that said so.

It sounds like you think changing their password would not prevent them from using keys, but it's really scary to think that there could be an alternate way to log in even after changing their password.

I did disallow them in the SSH config, so maybe that's why the activity stopped, so I'm assuming it wouldn't matter if I'd left their keys there if their user was disallowed in SSH config. Am I incorrect here?

User avatar
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Does changing user's password prevent SSH key login?

Post by TrevorH » 2014/08/08 01:00:09

What I meant when I said "You can login via ssh using either password or public/private key" is that you can use either method. If you disable one then the other is stiill available to you - so if you remove their keys and don't change their passwords (and password logins are still allowed) then they can login using passwords. If you change their password then they can still login with keys. You have to disable both to stop logins.

How exactly did you disallow them in sshd_config?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

dhinged
Posts: 18
Joined: 2014/05/24 16:50:31

Re: Does changing user's password prevent SSH key login?

Post by dhinged » 2014/08/09 14:10:26

They're not on the AllowUsers list in /etc/ssh/sshd_config

erickj
Posts: 4
Joined: 2014/08/22 01:42:53

Re: Does changing user's password prevent SSH key login?

Post by erickj » 2014/08/22 06:17:52

Re: disallowing them access from the box, trevorh is right, you need to remove the authorized keys file for the users if both PW and key based ssh login is allowed.

You may just want to remove the user accounts from the box entirely, unless that would wreck file perms or something. You can also assign them a nologin shell with

Code: Select all

usermod -s /sbin/nologin username
Re: removing them from allowusers, that's probably not the most robust way to do this. AllowUsers will only work that way as long as other users are specified, but if you ever remove that line from the ssh config then the old removed users will be allowed to login again.

You could add the users to the denyusers ssh config, but your best off just removing the keys and assigning nologin shells.

See here for more on allow/denyusers
http://www.openbsd.org/cgi-bin/man.cgi/ ... d%5fconfig

Post Reply