How to: setup SSCS account with SSH public-key authentication
On Linux servers, it is recommended to use public-key authentication rather than password authentication for SSH. This is especially true when port 22 (SSH) will be open to off-campus access through the UCI border firewall.
One-stop script to create the sscs account
You can simply copy and paste the code below to download a script that we've set up for this purpose and execute it with sudo:
curl -O -L https://sites.socsci.uci.edu/~jnilsson/sscs/setup-sscs-account.sh
chmod +x ./setup-sscs-account.sh
sudo ./setup-sscs-account.sh
Or if you prefer to run commands yourself, these are the equivalent commands:
SSCS_HOME=/home/sscs
sudo useradd -c "Computing Services" -m -d $SSCS_HOME -s /bin/bash sscs
echo "sscs ALL=(ALL) ALL" | sudo tee /etc/sudoers.d/sscs > /dev/null
sudo mkdir -p $SSCS_HOME/.ssh
sudo chmod 700 $SSCS_HOME/.ssh
sudo touch $SSCS_HOME/.ssh/authorized_keys
sudo chmod 600 $SSCS_HOME/.ssh/authorized_keys
sudo chown -R sscs:sscs $SSCS_HOME/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPWfC91AllbEn9VYT9a0838A/55rWtrSY/dm48fedc38 jnilsson@storgy.local" | sudo tee -a $SSCS_HOME/.ssh/authorized_keys
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDoygQr0UQLtpguLWJYiEBZWXUFEkUXVacE6sBZtn/6Z jnilsson@devjpn" | sudo tee -a $SSCS_HOME/.ssh/authorized_keys
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKH3jg7avVgdyx1jltUp9nJ02DOE9XH3hfcGBQI6KrVs sscs@gunship" | sudo tee -a $SSCS_HOME/.ssh/authorized_keys
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqAc8VSY9DFEzzumkn1d2S1ytpYOWHSJkbOWN1HjFQR sscs@crateria" | sudo tee -a $SSCS_HOME/.ssh/authorized_keys
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC4u9RrufB93/AS2lsBVet4+U5rizO8noDKTSHhcLmli justip6@Zaire" | sudo tee -a $SSCS_HOME/.ssh/authorized_keys
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIErG9uQN2VUNqIjNowRw1J18T8dORd2HhJi3zl9Vs7+t justip6@zeon.ss2k.uci.edu" | sudo tee -a $SSCS_HOME/.ssh/authorized_keys
If you don't want the home directory to be /home/sscs, you can easily set your own SSCS_HOME variable to whatever location you choose and then copy/paste the rest of the commands. Or if you download the setup-sscs-account.sh script and you want to change the location of the sscs account home directory, modify the script accordingly before executing it.
How to: Disable SSH Password Authentication
Disabling password authentication is generally as simple as setting the option PasswordAuthentication no in the /etc/ssh/sshd_config file and then restarting the sshd service.
However, we've discovered that some Linux distributions add another configuration file, /etc/ssh/sshd_config.d/50-cloud-init.conf, which contains PasswordAuthentication yes to force password authentication to be enabled.
Therefore, the easiest way to universally disable password authentication is to create a new file in /etc/ssh/sshd_config.d/ that sorts lexicographically before any other files that might be created there (sshd uses the first value it obtains for each option), such as 00-disable-password-auth.conf:
PasswordAuthentication no
After setting the PasswordAuthentication option to no, you must reload the sshd daemon to get this setting to take effect:
- on Debian/Ubuntu:
systemctl reload ssh
- on RHEL/Rocky:
systemctl reload sshd
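The override order described above can be checked before reloading. The following is an added example, not part of the original page or its setup script: it reports which file supplies the first PasswordAuthentication value, run here against a constructed config tree in a temporary directory. The function names are hypothetical; it assumes sshd_config includes sshd_config.d/*.conf at its top (the Debian/Ubuntu default) and it ignores Match blocks.

```shell
#!/bin/sh
# Added example: find the file that supplies the effective
# PasswordAuthentication value. Assumption: sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf"; Match blocks are ignored.

# Print "<value> <file>" for the first file that sets the option.
effective_password_auth() {
    root=$1
    # Globs expand in sorted order, like sshd's lexical Include processing.
    for f in "$root"/sshd_config.d/*.conf "$root"/sshd_config; do
        [ -f "$f" ] || continue
        # Keywords are case-insensitive; commented-out lines never match $1.
        val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$f")
        if [ -n "$val" ]; then
            rel=${f#"$root"/}
            echo "$val $rel"
            return 0
        fi
    done
    echo "yes built-in-default"   # OpenSSH default when no file sets it
}

# Build a constructed config tree mirroring the situation described above.
make_sample_tree() {
    mkdir -p "$1/sshd_config.d"
    printf 'Include /etc/ssh/sshd_config.d/*.conf\nPasswordAuthentication no\n' > "$1/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
}

demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "before: $(effective_password_auth "$demo_root")"   # cloud-init file wins
printf 'PasswordAuthentication no\n' > "$demo_root/sshd_config.d/00-disable-password-auth.conf"
echo "after:  $(effective_password_auth "$demo_root")"   # 00- file wins
rm -rf "$demo_root"
```

On a live host, `sudo sshd -T | grep -i passwordauthentication` prints the value sshd itself resolved and is the authoritative check.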