7

I'm configuring my first server on Linode and going through their setup tutorials.

In their Securing Your Server tutorial, it recommends using ssh key pair authentication and disabling password authentication.

My question is if I disable password authentication - what if I lose my private key? How will I ever be able to log back into my server again?

Adam Johns

2 Answers

16

My question is if I disable password authentication - what if I lose my private key? How will I ever be able to log back into my server again?

That's why you should always have some form of Out-of-Band management for your server. For a physical server, that would be something like Dell's DRAC card or HP's iLO card. For your Linode, that's what LISH is for. Using these OOB solutions, you can sign into the actual console of your server using your username and password. These also come in handy when networking breaks on your server and you're not able to access it.

But honestly, just don't lose your key. Protect it with a passphrase and back it up somewhere safe. Heck, print it out and stash it in your safe. They're relatively small files, and there's no excuse for not taking good care of it.

Update: Regarding LISH security: use different credentials/keys for LISH. That's all there is to it - credentials which, if compromised, would not grant access to your server.

In regards to someone finding out that Linode is your provider, well that information is available to anyone, and is just a simple whois command away.

EEAA
  • I guess the "excuse for not taking good care of it" is exactly that you can still get in with LISH or Out-of-Band management. If you have a Linode, you can set the box's root password to be the same as your Linode password. Then there is no reason to disable password authentication, as anyone who knows your Linode password can already do bad stuff to your server anyways. – Atsby May 11 '15 at 10:22
  • @Atsby - The reason would be that it may well be easier to dictionary attack the box than the Linode system. And if they succeed, you've just given them your Linode password too. Remember, if you reuse passwords, then _all_ those systems are as secure as the _weakest_ one. – xorsyst May 11 '15 at 11:42
  • @Atsby Well if someone does that, they deserve to get compromised. Different systems, different credentials, always. – EEAA May 11 '15 at 12:12
  • @Atsby, out-of-band management can (needs to) have its own security constraints in place. In some cases that can mean needing to physically visit a data center, or at least connect to a separately-keyed VPN. If Linode doesn't do rate-limiting to prevent LISH and kin from attack, they're not doing their jobs effectively. (Of course, rate-limiting opens the door to DoS attacks, but there are countermeasures against that as well; needing to pick good balances is part of why it's better to have security in the hands of folks who have the time and care to do it right). – Charles Duffy May 11 '15 at 14:01
  • @xorsyst I would think everyone understands that, if you have a password that can be found by a dictionary attack, that's your problem right there -- no need to look deeper at the security properties of the system. – Atsby May 11 '15 at 19:17
  • @Atsby, there are all sorts of ways that the system might be exploited and your password recovered, dictionary attack was just an example. The point is, by using the same password you've almost certainly reduced the security of your Linode password. – xorsyst May 12 '15 at 08:34
  • @xorsyst The protocol I was trying to suggest is (1) re-image the box (i.e., start fresh) (2) set root password to Linode password (3) install public key and (4) routinely use public key crypto to log in. That is, the root password login option would only be used in exceptional circumstances (private key lost) and passwords could be changed as security measure after such a circumstance. This saves having to remember an additional password and there is no risk of password being recovered *if you don't use it to log in*. – Atsby May 12 '15 at 09:12
  • So after investigating Lish, I'm still not sure about this whole process. If someone can login to my server from Lish using my username and password even after I have disabled password authentication on regular ssh logins, how have I gained any security by using ssh key pair authentication on regular logins? On second thought, I have gained a small level of security as an attacker would now also need to know that Linode was my VPS service. – Adam Johns May 12 '15 at 12:31
  • @AdamJohns Please see my edit. – EEAA May 12 '15 at 13:05
2

You'd be locked out, same as if you forgot the root password.

What you should do is back up your key on external media, and put it somewhere safe. With a passphrase inside a box at the bank if you're the paranoid type.

There's various intentional backdoors of course, like Digitalocean's VNC. And/or any managed backup service where you can push files to the machine (simply push an sshd config where password logins are allowed) like Idera.

Arthur Kay
  • Just as an aside, this is exactly why my VPS has Idera. My SSH connection is extra-secure in that it outright requires that you're on a private, certificate-driven VPN. So if the VPN config goes bad, it's a total lockout. Unless I can use the management console to push a backup of the previous one. – Arthur Kay May 11 '15 at 15:59
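Both answers come down to the same pre-flight checks: make sure a key can actually log in before you turn passwords off, and keep a passphrase-protected backup of the private key. The script below is an added example (not code from either answer or from Linode) that performs those checks offline; the sshd_config, the authorized_keys line and the two header-only private key files are constructed samples, and `lockout_preflight` is a hypothetical helper name.

```python
import base64
import struct

# Constructed sshd_config (not a real host); the duplicate line and Match block fool a naive grep.
SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes   # ignored: sshd keeps the FIRST value it sees
Match User backup
    PasswordAuthentication yes
"""
AUTHORIZED_KEYS = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey user@laptop\n"  # constructed
# Constructed private key files, header only (no key material): cipher "none" vs "aes256-ctr".
KEY_NO_PASSPHRASE = "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ==\n-----END OPENSSH PRIVATE KEY-----\n"
KEY_WITH_PASSPHRASE = "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0\n-----END OPENSSH PRIVATE KEY-----\n"

def parse_sshd_config(text):
    # Global section: keywords case-insensitive, FIRST occurrence wins, stop at the first Match.
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (line.replace("=", " ").split(None, 1) + [""])[:2]
        if key.lower() == "match":
            break
        effective.setdefault(key.lower(), value)
    return effective

def private_key_is_encrypted(pem):
    # Body: magic "openssh-key-v1\0", then length-prefixed cipher name ("none" = no passphrase).
    blob = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an OpenSSH private key")
    (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
    return blob[len(magic) + 4:len(magic) + 4 + n] != b"none"

def lockout_preflight(config, authorized_keys, backup_key_pem):
    # Findings to clear before disabling password logins, or you lock yourself out.
    cfg, findings = parse_sshd_config(config), []
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is off; keys cannot log in")
    if not [l for l in authorized_keys.splitlines() if l.strip() and not l.startswith("#")]:
        findings.append("authorized_keys is empty; no key can log in")
    if cfg.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication is still effectively yes")
    if not private_key_is_encrypted(backup_key_pem):
        findings.append("backup private key has no passphrase")
    return findings
```

Run the checks against the real files (`/etc/ssh/sshd_config`, `~/.ssh/authorized_keys`, the backup copy of the key) from a second, still-open session, and only then restart sshd.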