
RimuHosting SSH access

Per the setup email, RimuHosting will add its public key to the /root/.ssh/authorized_keys file.

This permits us to log into your server.  We would do this in order to help out with a support ticket that you submit, or to investigate in the event of a problem, e.g. high load on your server, your server being out of memory, or after a report of an exploit coming from your server.

We have an SSH access page to see if that access is working.

You can check on the server to see if our key is present by running the following commands.




[ ! -d /root/.ssh ] && echo 'no /root/.ssh directory.  mkdir /root/.ssh'
[ -d /root/.ssh ] && [ ! -f /root/.ssh/authorized_keys ] && echo 'no /root/.ssh/authorized_keys file.'
[ -f /root/.ssh/authorized_keys ] && ! grep -qai 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBufK3VvFDfjRAswyZibINSWLILZ4sTGuW8ffF5tmMRouGbA55SbUqjOeDQgBfUs0HRp5K34Qnw608DEhZw' /root/.ssh/authorized_keys && ! grep -qai 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYJNLDw+9V54mo3EBU1ZpOh8/FZ18DlknVS2Z0t+qI22Fiws1syRxHtby0C7K4gT5pibtqaSpNssCzPcF/IfiRAEBpI6mDWgJTEhaJk/rA+zUmtQmJyAcieSkvop8NFAktOlA7mVn2IZbq2iUNV+v91ZBO1Mv2A3Hqcf8K4uZF76LgvtQWkGWFVoz//E/Sr7EXE9WRzNXnY8u4gEMFPD8oAxMv57DLDYv7SSQe9Ao5ntlDPimYt8ihQBxkHdJYafaz9+3WZgqeFic0cWuKEn6DA+jRgoRUE2MGaPp15YpLZ1iBGIR/hsWywol8pqEXGopbUbkCxR4mA1fsDjOxF/Fn' /root/.ssh/authorized_keys && echo "/root/.ssh/authorized_keys exists but does not contain the rimuhosting key"
if [ -f /root/.ssh/authorized_keys ] ; then if [ $(find /root/.ssh/authorized_keys -perm /o+rw,g+r | wc -l) -gt 0 ] ; then echo "/root/.ssh/authorized_keys permissions are too open"; fi; fi
if [ -d /root/.ssh ] ; then if [ $(find /root/.ssh -type d -perm /o+rw,g+w | wc -l) -gt 0 ] ; then echo "/root/.ssh directory should not be other or group writable"; fi; fi
echo "sshd settings.  Check PermitRootLogin is not 'no'.  That the Port is 22 or matches RimuHosting's records.  And that AllowUsers (if set) includes root."
grep -E '^PermitRootLogin|^Port|^AllowUsers|^ *AuthorizedKeysFile' /etc/ssh/sshd_config
[ -e /etc/hosts.allow ] && [ $(cat /etc/hosts.allow | grep -Ev '^$|#' | wc -l) -gt 0 ] && echo "Contents of /etc/hosts.allow:" && cat /etc/hosts.allow | grep -Ev '^$|#'
[ -e /etc/hosts.deny ] && [ $(cat /etc/hosts.deny | grep -Ev '^$|#' | wc -l) -gt 0 ] && echo "Contents of /etc/hosts.deny:" && cat /etc/hosts.deny | grep -Ev '^$|#'
owners="$(find /root /root/.ssh /root/.ssh/authorized_keys -maxdepth 0 | xargs ls -ld  | awk '{print $3}' | grep -v root | sort | uniq)"; [ ! -z "$owners" ] && echo "following files must be owned by root user not '$owners': /root /root/.ssh /root/.ssh/authorized_keys"


To add our key:


df -h 2>&1 | grep -qai 'No such' && mount -o rw,remount / && mount -t proc proc /proc
[ ! -d  /proc/$$ ] && mount -o rw,remount / && mount -t proc proc /proc
[ ! -d /root ]  && mkdir /root
[ ! -d /root/.ssh ] && mkdir /root/.ssh
[ ! -f /root/.ssh/authorized_keys ] && touch /root/.ssh/authorized_keys
if ! grep -qai '^ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYJNLDw+9V54mo3EBU1ZpOh8/FZ18DlknVS2Z0t+qI22Fiws1syRxHtby0C7K4gT5pibtqaSpNssCzPcF/IfiRAEBpI6mDWgJTEhaJk/rA+zUmtQmJyAcieSkvop8NFAktOlA7mVn2IZbq2iUNV+v91ZBO1Mv2A3Hqcf8K4uZF76LgvtQWkGWFVoz//E/Sr7EXE9WRzNXnY8u4gEMFPD8oAxMv57DLDYv7SSQe9Ao5ntlDPimYt8ihQBxkHdJYafaz9+3WZgqeFic0cWuKEn6DA+jRgoRUE2MGaPp15YpLZ1iBGIR/hsWywol8pqEXGopbUbkCxR4mA1fsDjOxF/Fn' /root/.ssh/authorized_keys ; then
  echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYJNLDw+9V54mo3EBU1ZpOh8/FZ18DlknVS2Z0t+qI22Fiws1syRxHtby0C7K4gT5pibtqaSpNssCzPcF/IfiRAEBpI6mDWgJTEhaJk/rA+zUmtQmJyAcieSkvop8NFAktOlA7mVn2IZbq2iUNV+v91ZBO1Mv2A3Hqcf8K4uZF76LgvtQWkGWFVoz//E/Sr7EXE9WRzNXnY8u4gEMFPD8oAxMv57DLDYv7SSQe9Ao5ntlDPimYt8ihQBxkHdJYafaz9+3WZgqeFic0cWuKEn6DA+jRgoRUE2MGaPp15YpLZ1iBGIR/hsWywol8pqEXGopbUbkCxR4mA1fsDjOxF/Fn rimuhosting" >> /root/.ssh/authorized_keys
fi
chmod og= /root/.ssh/authorized_keys
chmod og= /root/.ssh
for i in /root /root/.ssh /root/.ssh/authorized_keys; do [ -e $i ] && chown root $i; done
sed --in-place -e 's/^PermitRootLogin.*no.*$/PermitRootLogin without-password/g' /etc/ssh/sshd_config
if ps aux | grep '[s]sh' ; then
[ -f /etc/init.d/sshd ] && /etc/init.d/sshd restart
[ -f /etc/init.d/ssh ] && /etc/init.d/ssh restart
fi

If you do not want us to have root ssh access to your server you can remove our public key from /root/.ssh/authorized_keys.  This may hinder our ability to help you.

IP address whitelist

If you are restricting ssh access via firewall rules or through an ssh whitelist, please make sure to allow, at a minimum, the sources below:

rimuhosting.com (174.136.11.74)
staff.rimuhosting.com (65.99.223.183)

Check also that you are not blocking our connections via /etc/hosts.allow.

Non-root logins only

You may prefer to restrict logins to your server to non-root users. There are a number of pretty good reasons to do that. If you need us to connect in this way, just open a support ticket describing how you want us to work. Do be aware that many of the tools we use to help you require root access; we recommend you enable sudo login to allow that flexibility.

PermitRootLogin no?

Some customers modify their /etc/ssh/sshd_config file to set PermitRootLogin no.  This disables root logins via ssh.  Instead, those customers log in as other users and then 'su' or 'sudo' if they need root privileges.

Rather than setting PermitRootLogin no, we advise using PermitRootLogin without-password.  That option permits root logins only when public/private key authentication is used, which means we can still log in to your server.  Regular interactive/password logins are disabled for root.

Check how it's set by running

grep PermitRootLogin /etc/ssh/sshd_config

Change it to use 'without-password' by running

sed --in-place -e 's/^PermitRootLogin.*no$/PermitRootLogin without-password/g' /etc/ssh/sshd_config

Run /etc/init.d/sshd restart after making the sshd_config file change.

Custom SSH Port?

Have you set a custom SSH Port in /etc/ssh/sshd_config?  Then remember to mention that when you submit a support ticket with us or via our SSH access page.

A custom SSH Port is actually a pretty reasonable idea, since most brute force ssh attacks only try the default (22) port.

Do a quick check to see what port you are using with

grep Port /etc/ssh/sshd_config

Reminder: brute force ssh attacks are very common.  Please ensure _all_ user accounts you create (including, and especially, root) have good, strong, non-dictionary passwords.

Run /etc/init.d/sshd restart after making the sshd_config file change.

AllowUsers changed

Have you set an AllowUsers line so that only certain users can log in?  Then make sure that includes root. Check for this line and how it reads with

grep AllowUsers /etc/ssh/sshd_config

You may have set ssh to restrict logins from particular IPs. If you do that, please whitelist us as well: at least add 174.136.11.74 (rimuhosting.com) and 65.99.223.183 (staff.rimuhosting.com). We may also use 49.50.247.78 (office.rimuhosting.com).
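The plain greps in the three sections above also match commented-out lines and other keywords (grep Port matches GatewayPorts too), and they do not show which PermitRootLogin line sshd actually uses. The following is an added example, not RimuHosting's own script; the function names are made up for illustration and it assumes the settings live in the main sshd_config file.

```shell
#!/bin/sh
# Added example. Reads only the global section of one sshd_config file:
# Include files and Match blocks are not followed (assumption: the settings
# of interest live in the main file).

# Print every value of keyword $2 in file $1, one per line. Keywords are
# case-insensitive, comment lines are skipped, parsing stops at the first Match.
sshd_values() {
  awk -v want="$2" '
    BEGIN { want = tolower(want) }
    /^[ \t]*(#|$)/ { next }
    { line = $0
      sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
      key = tolower(line); sub(/[ \t=].*/, "", key)
      if (key == "match") exit
      if (key == want && sub(/^[^ \t=]+[ \t=]+/, "", line)) print line }
  ' "$1"
}

# Print one line per finding; print nothing when none of the three settings
# stands in the way of a root key login on port 22.
root_key_login_findings() {
  cfg="${1:-/etc/ssh/sshd_config}"
  # sshd keeps the first PermitRootLogin it reads. without-password and its
  # newer spelling prohibit-password both allow key logins, so only flag these:
  prl=$(sshd_values "$cfg" PermitRootLogin | head -n 1 | tr 'A-Z' 'a-z')
  case "$prl" in
    no) echo "PermitRootLogin is no: root cannot log in over ssh" ;;
    forced-commands-only) echo "PermitRootLogin forced-commands-only: key needs command=" ;;
  esac
  # AllowUsers entries are USER or USER@HOST patterns with * and ? wildcards.
  allow=$(sshd_values "$cfg" AllowUsers)
  if [ -n "$allow" ]; then
    ok=no
    set -f                        # stop * in an entry expanding to file names
    for entry in $allow; do
      case root in ${entry%%@*}) ok=yes ;; esac
    done
    set +f
    [ "$ok" = yes ] || echo "AllowUsers is set and does not include root"
  fi
  ports=$(sshd_values "$cfg" Port | tr '\n' ' ')
  [ -z "$ports" ] || [ "$ports" = "22 " ] || echo "Custom Port in use: ${ports% }"
  return 0
}
```

On a live server, sshd -T prints the effective configuration that sshd itself computes, which also covers Include files.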

Removed our key from /root/.ssh/authorized_keys?

If so, add the following to /root/.ssh/authorized_keys:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYJNLDw+9V54mo3EBU1ZpOh8/FZ18DlknVS2Z0t+qI22Fiws1syRxHtby0C7K4gT5pibtqaSpNssCzPcF/IfiRAEBpI6mDWgJTEhaJk/rA+zUmtQmJyAcieSkvop8NFAktOlA7mVn2IZbq2iUNV+v91ZBO1Mv2A3Hqcf8K4uZF76LgvtQWkGWFVoz//E/Sr7EXE9WRzNXnY8u4gEMFPD8oAxMv57DLDYv7SSQe9Ao5ntlDPimYt8ihQBxkHdJYafaz9+3WZgqeFic0cWuKEn6DA+jRgoRUE2MGaPp15YpLZ1iBGIR/hsWywol8pqEXGopbUbkCxR4mA1fsDjOxF/Fn rimuhosting

This is the 'master' RimuHosting public key.  If individual staff members need to log in to your server (e.g. as a result of a request for help in a support ticket) then they will use this key to add their own public keys.  These keys will have the staff member's RimuHosting email address as the key comment.  RimuHosting staff will only add their keys on an 'as needed' basis.  We keep an audit log of all staff who add their keys to your server.
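Because keys get added to root's authorized_keys over time, it is worth being able to list what is in the file and to test for one specific key by exact match. The following is an added example, not RimuHosting's tooling; the function names are made up for illustration, and the key comment is a free-text label that anyone writing the file can set, so it identifies nothing on its own.

```shell
#!/bin/sh
# Added example. An authorized_keys entry is: [options] keytype base64 [comment]
# Options may contain quoted spaces, so the key type is located by looking for
# a known type name followed by a field that starts with AAAA.

# Print: line number, key type, "options" or "-", comment (tab separated).
list_authorized_keys() {
  awk '
    /^[ \t]*(#|$)/ { next }
    { t = 0
      for (i = 1; i < NF; i++)
        if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-|sk-)/ && $(i+1) ~ /^AAAA/) { t = i; break }
      if (!t) { printf "%d\tUNPARSED\n", NR; next }
      comment = ""
      for (j = t + 2; j <= NF; j++) comment = comment (j > t + 2 ? " " : "") $j
      printf "%d\t%s\t%s\t%s\n", NR, $t, (t > 1 ? "options" : "-"), (comment == "" ? "(no comment)" : comment)
    }' "${1:-/root/.ssh/authorized_keys}"
}

# Exit 0 if file $1 holds a key whose base64 field equals $2 exactly.
# The comparison is case-sensitive and also finds entries that carry options.
has_key() {
  awk -v blob="$2" '
    /^[ \t]*#/ { next }
    { for (i = 2; i <= NF; i++)
        if ($i == blob && $(i-1) ~ /^(ssh-|ecdsa-|sk-)/) found = 1 }
    END { exit !found }' "$1"
}
```

Pass has_key the long base64 field of the key shown above as its second argument; ssh-keygen -lf /root/.ssh/authorized_keys prints fingerprints for comparing keys without reading the full text.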

Still not working?

See if there are any error messages in the security logs (likely /var/log/auth.log or /var/log/secure).

Check that the permissions on /root/.ssh folder and subfiles are set to 700. SSH requires that only the user have access permission to the associated files, otherwise it will reject access. To make sure this is correct, make sure you are the root user and run chmod -R 700 /root/.ssh

If you continue to have problems, let us know what steps you have taken and we will try to help.