I am changing different parameters like RSAAuthentication, PubkeyAuthentication and PasswordAuthentication (sudo vim /etc/ssh/sshd_config) to disable ssh password authentication to force ssh login via public key only.

The experiments are adversely affecting many users, as they suddenly find "Connection refused" while trying to ssh to the server. I want to avoid these experiments. Is there any workaround to enable public key authentication without touching system files like /etc/ssh/sshd_config?

user1766169
user3565150

1 Answer

Sure. Set up an alternative configuration file, and run sshd on another port while you are experimenting:

cp sshd_config sshd_config_working
/usr/sbin/sshd -p 2222 -f sshd_config_working

Now you can connect with:

ssh -p 2222 user@localhost

And you can make as many changes as you want until you get it working as desired. At that point, copy your _working config back to the main config file and restart sshd.

Alternatively, stop mucking about on a production server and set up a virtual machine or container for testing, where you can modify the sshd configuration as much as you want without affecting anybody.

larsks
  • Thank you for your valuable response. Yes, I discussed with my system admin about the alternative you mentioned. But I will discuss opening port 2222 and copying the config file there next week. In the meantime I searched on opening ports other than 22 and found this link; I would like to know your comments: https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/ – user3565150 Feb 06 '15 at 15:09
  • And one more question, larsks: what I understood is that after I change the port from 22 to 2222, only I have to connect to the server with "ssh -p 2222 user@localhost", while others' login command remains unchanged (ssh user@localhost). I hope I am right. – user3565150 Feb 06 '15 at 15:12
  • Your second comment is correct (you will use an alternate port to connect to your "experimental" sshd, and normal users will not be affected). The article you linked to has nothing to do with using an alternate port for experimenting with configs; it is addressing the practice of using an alternate port as a security measure and hence is not relevant to what you are doing. – larsks Feb 06 '15 at 15:39
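
The check below is an added example, not part of the original answer: before the _working config is copied back, it uses sshd's test modes (`-t` and `-T`) to confirm that the candidate file parses and that key-only login is really in effect. The function names and the sample output are constructed for illustration, and the keyboard-interactive check goes beyond the three options named in the question, because PAM can still prompt for a password through that method.

```shell
#!/bin/sh
# Added example: gate a candidate sshd_config before it replaces the live one.

# Read `sshd -T` style output (lowercase "keyword value" lines) on stdin.
# Return 0 only if public-key login is on and every password path is off.
keyonly_effective() {
    awk '
        $1 == "pubkeyauthentication"            { pubkey = $2 }
        $1 == "passwordauthentication"          { passwd = $2 }
        $1 == "kbdinteractiveauthentication"    { kbd = $2 }
        $1 == "challengeresponseauthentication" { kbd = $2 }  # older keyword
        END {
            bad = 0
            if (pubkey != "yes") { print "FAIL: pubkeyauthentication=" pubkey; bad++ }
            if (passwd != "no")  { print "FAIL: passwordauthentication=" passwd; bad++ }
            if (kbd != "no")     { print "FAIL: keyboard-interactive=" kbd; bad++ }
            exit (bad > 0)
        }'
}

# Validate a candidate file with the real daemon binary (run as root).
# Assumes sshd lives at /usr/sbin/sshd, the path used in the answer.
check_candidate() {
    cfg=$1
    /usr/sbin/sshd -t -f "$cfg" || return 1           # syntax and key sanity
    /usr/sbin/sshd -T -f "$cfg" | keyonly_effective    # effective settings
}

# Constructed samples of `sshd -T` output, not captured from a real host.
SAMPLE_GOOD='port 2222
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

SAMPLE_LEAKY='port 2222
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes'

# Demonstration on the constructed samples; on a server you would instead run
#   check_candidate /path/to/sshd_config_working && echo "safe to promote"
printf '%s\n' "$SAMPLE_GOOD"  | keyonly_effective && echo "good sample: accepted"
printf '%s\n' "$SAMPLE_LEAKY" | keyonly_effective || echo "leaky sample: rejected"
```

Keeping an existing session open while the main sshd is restarted with the promoted file gives a way back in if the new settings lock out new logins.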