SSH block root, allow me!

Okay, I know this has been discussed before, however, this is kind of unsecure.

So basically, I would like to ‘expose’ my server to the Internet. I think I’ll only expose the SSH and the SFTP, and not the Samba protocol, because IMHO, I think SFTP is more secure (?) than Samba. Note that this is my opinion, so your results may vary.

So, I have set ownership to me, made a new SFTP entry, made sure I could connect via SFTP (Cyberduck on Mac). However, SSH access with my admin account fails with my password not getting recognized??? No, it says Permission Denied or whatever. But I can log in just fine with the root account.

So, I would like the root account off the SSH config file and my account on the SSH config. If I expose to the web and some crackpot idiot finds out my password, he won’t do permanent damage because he won’t have root access and I can just switch passwords. Far more convenient than changing root passwords, making sure servers don’t get hacked…arrgh.

How can I add myself to SSH and disable root login? Thanks!

EDIT!!! SFTP does not work with Cyberduck saying
EOF while reading packet.

@anon90940919 I’m afraid I don’t have much to add security-wise except that I don’t believe the Samba protocol can be routed anyway.

On the Cyberduck not working issue I’m puzzled, as when I prepared the Secure File Transport Protocol (SFTP) doc section I used Cyberduck in its preparation, i.e. in the OSX client section and as an example of a client program to use on OSX and MS Windows.

If you could provide the steps required to reproduce those Cyberduck errors wise to the setup / intended function indicated in the referenced doc then an issue could be opened with the same to address it.

Maybe there are some hints in that doc.

As for your custom requirements I would suggest that you search for openssh-server config on CentOS 7+ and try to take into account the edits that Rockstor makes to the /etc/ssh/sshd_config file. Note however that there is a potential gotcha in that Rockstor currently does a little norty and edits a line just above where it states its config starts.

The AllowUsers root line may be what you are after however, but note that if you manually edit the file it could well fall out of sync or be auto edited if relevant changes are made in the WebUI.

Hope that helps some.

Is your user present in File sharing > SFTP?

As for root, you can set PermitRootLogin=No, which would deny root access via SSH, or PermitRootLogin=without-password, which would then only allow root to log in to SSH with private/public key based auth.

Not sure if Rockstor would overwrite that config though.
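
The two directives named in the replies above, AllowUsers and PermitRootLogin, interact: disabling root login while AllowUsers still lists only root leaves nobody able to log in. The following is an added example, not code from any poster or from Rockstor, that audits a config file for that case; the file contents and the user name admin are constructed, and only the global section of the file is read.

```shell
# Added example; sample files and the user name "admin" are constructed.
# Emit "keyword args" for the global section (stops at the first Match block).
global_directives() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            sub(/^[ \t]+/, "")
            match($0, /^[A-Za-z0-9]+/)
            kw = tolower(substr($0, 1, RLENGTH)); rest = substr($0, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", rest)      # accept "Key value" and "Key=value"
            if (kw == "match") exit
            print kw, rest
        }' "$1"
}

# sshd keeps the first PermitRootLogin it reads; print it, or "unset".
root_login() {
    global_directives "$1" | awk '
        $1 == "permitrootlogin" && !f { v = tolower($2); f = 1 }
        END { print (f ? v : "unset") }'
}

# AllowUsers lines accumulate. Status 0 if none exist or USER is listed by name
# (user@host compared on the user part; wildcards and negation not evaluated).
user_allowed() {
    global_directives "$1" | awk -v u="$2" '
        $1 == "allowusers" { seen = 1
            for (i = 2; i <= NF; i++) { p = $i; sub(/@.*/, "", p); if (p == u) ok = 1 } }
        END { exit (seen && !ok) }'
}

# One-line verdict; LOCKOUT means USER is not listed and root is refused too.
audit() {
    r=$(root_login "$1")
    if user_allowed "$1" "$2"; then echo "user=allowed root=$r"
    elif [ "$r" = "no" ]; then echo "user=denied root=$r LOCKOUT"
    else echo "user=denied root=$r"; fi
}

# Constructed samples: AllowUsers root as in the thread, a naive edit, a consistent edit.
write_samples() {
    printf 'PermitRootLogin yes\nAllowUsers root\n' > "$1/before.conf"
    printf 'PermitRootLogin=No\nAllowUsers root\n' > "$1/naive.conf"
    printf 'PermitRootLogin no\nAllowUsers admin\n' > "$1/fixed.conf"
}

d=$(mktemp -d); write_samples "$d"
for f in before naive fixed; do echo "$f: $(audit "$d/$f.conf" admin)"; done
rm -rf "$d"
```

On a live host, `sshd -t` validates an edited file and `sshd -T` prints the effective settings; keep an existing session open until a fresh login with the new account succeeds.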