my Linux server. I no longer need his services, and would like to make sure that
he no longer has access to my server, “just in case”. Is it enough to simply
change the passwords to all the accounts he had access to, such as “root”?
Surprisingly, the answer is a resounding no. Change all the passwords
you like, but your sysadmin may have left a way in. And it turns out to be a
legitimate way in.
Become a Patron of Ask Leo! and go ad-free!
Because of the nature of the work, it’s often the case that we give our
system administrators an exceptional level of access to our systems. It’s
not uncommon for system administrators to need “root” (or total, unrestricted)
access to your server in order to do their job.
Obviously if you’ve parted on less than amicable terms, you should make sure
to scan your system for things like rootkits, additional accounts and other
less than honorable “gifts” your former admin may have left behind.
Regardless of how you parted, there’s also a legitimate technique for logging in that bypasses password authentication: SSH public key authentication. If your admin
used it, and he or you didn’t remove it, he may still have access no matter
what the passwords are set to.
This technique uses public key cryptography to create a matching public and private key pair. The public key is installed on the server, and then possession of the
private key is enough to log in.
It’s considered more secure than password authentication, because
only trusted individuals can install the key on the server, and the matching
private key is required to match in order to login. If you don’t have
the matching private key, you can’t use this technique to login.
Thus to remove someone’s access from a server, one must not only change
account passwords, but also remove that user’s public keys that may have been installed
as well … or disable public key authentication completely.
To disable public key authentication completely, on the server you’ll need to modify
the file /etc/ssh/sshd_config. Look for the line that says “#PubkeyAuthentication yes” (with, or without the leading “#”), and change it to “PubkeyAuthentication no”. Or simply add a line
saying “PubkeyAuthentication no”. Now restart the sshd service. I’m being intentionally
slightly vague here, because in reality someone that’s already familiar with ssh should be
making these changes. A mistake could lock everyone out of your server.
If you want to keep using public key authentication, which is understandable since
it’s quite handy, you’ll need to remove your former admin’s public key from all
the accounts that it might have been placed in. To gain access, public keys are placed
in the file “authorized_keys” in a subdirectory “.ssh” in each account’s home
directory. For example all the public keys listed in “/root/.ssh/authorized_keys”
represent possible “root” logins. Similarly, public keys in “/home/admin/.ssh/authorized_keys”
represent possible logins as “admin”.
The solution is simple … locate all authorized_keys files, and remove from them
the public keys you do not recognize, or those that you do recognize as no longer
being appropriate. Each is on a single line within the file, and legitimate ones
will almost certainly have an identifying comment at the end.
1 thought on “I've fired my sysadmin, is changing passwords enough?”
This is GREAT stuff, Leo. These days, security is not just for banks and big corporations: my server has been compromised on more than one occasion, even with what-I-thought-was-careful security. Your recent articles on this subject have been eye-openers, and gives people just a taste as to what’s involved. Kudos.