Server security: a pair of public & private keys vs password

Hi Craig,

It is me again. I can see your face saying - Oh now it is him again :joy:

I have a question with regards to securing servers.
I played with DigitalOcean today. Created the cheapest droplet and secured the server with a pair of private & public keys. I was able to log in to the server with a root password so all good.

Then I created 2 extra users: superuser pawel and non-superuser magento user, and then the problems started. I can’t log in to the server using the newly created users’ credentials. The private key is only for the root user.

I can’t find any article about it. There are a few, but about using the same pair of keys for two or more servers. Guys are saying that there are added risks of using the same pair on two or more remote hosts, but I’m after something else.

Is it possible then to secure a server with a pair of keys and somehow grant access to 3 users (root, pawel, magento)?

Probably it is an obvious question for some of you but please let me know or just send a link where I could read about it.
Thank you.

Pawel

So, something you can do with servers is fine-tune the SSH login requirements to do all sorts of things. With DigitalOcean, you can choose between a Key or Password method upon creation. If you choose Key, then the server will automatically be configured to reject Password logins.

However, I believe you can fine-tune the settings to mix and match between which user gets to log in via Password and which has to use a Key. But you might want to fact-check that somewhere like https://unix.stackexchange.com/.

Keys and Passwords have their own Pros and Cons. You have to go with something that suits the way you work. Whenever you increase security, you’re also reducing convenience:

High Security/Low Convenience <<<< vs >>>> Low Security/High Convenience

This reminds me of something I recently said to someone:

When you leave and enter your home everyday, you have to lock and unlock your doors. This is a form of inconvenience due to security, but for some reason people don’t moan about this - Me (July '19)

If you decide to enforce keys, then I would definitely set up unique keys for each user. You can’t take risks in my line of work. The whole point of creating a non-root user is to compartmentalise, but if they use the same Key or Password then you might as well use root for everything. (Note: Never use root for everything)

The cool thing about assigning yourself a Key is that you can set up that key to work on multiple servers. My only issue is, if you’re ever away from your PC/Laptop/Phone where you store your Key but you desperately need to log in using another device, then you’re screwed. However, if you can remember a complex password then you’ll never run into that problem.

Also, bear in mind that a Key is stored on a device, so that device then needs to ensure that it’s secured.

There’s no right or wrong answer as to which method you should choose, just go with what’s right for you and your setup.

Yes, I know I kinda digressed from the question and not sure I even answered it.

Edit: Fixed link

Hello Craig,

Thank you very much for your time.
It explains quite a lot.

I keep all my sensitive data in a password manager. I can’t remember my 80-character pass with a combination of lower, upper case and special characters. I could keep the key in the password manager too but sometimes I think it is just overprotecting. The password manager is protected with a crazy long pass and you need to have a USB to access it, then to use the private key I need a pass.

Anyway I need to play with the keys. At present I can’t set up different pairs of keys for different users securing access to one server. I leave it for now but will definitely research it in the future.

A… the link you sent me “unix.stackoverflow.com” doesn’t work.

Regards,
Pawel