I do the process in less than five minutes. If I can log in via the SSH key, I don't have to worry about the password authentication, nor do I care about it as it is being disabled.
The entire time I have fallbacks:
- root login is still enabled until the final step
- initial root login session is still connected
- I have tested user login with key and sudo command functionality
I see no problems doing it all at once, especially since it's done very quickly and the final test will verify everything and nothing is locked down until that is completed.
I'm glad you can. I was making the suggestion for others who want to attempt this and find it an easier process to troubleshoot. It's a minuscule change, since this process is unchanged with the exception of disabling root sooner. It's literally one extra step, and not a big one.
I agree, I just don't think the password is an issue if you are not locking things down until you verify the SSH key. The password auth is a moot point, especially when keeping the original session open (which will persist even if you've locked yourself out, as long as you don't disconnect).
I guess it's just a separation of concerns.
This way, if users have problems, they are isolated to what they're working on. For example, if there's an issue disabling root, it can be caught early before moving on to key setup. Users aren't left wondering what went wrong.
IMHO, due to the separation of concerns, having a continuous login isn't necessary. Once sudo is set up, root login is disabled, and SSH with password login is still working, then it's safe to open a new session and the user is able to make changes that require root access as they need. At this point, the rest of the instructions are only related to the pub/priv key auth. We are confident sudo is set up correctly with an admin account. Any problems from this point forward will be related to key setup alone. The key to managing the setup in discrete pieces lies in disabling root sooner.
IMHO, this is only helpful at step 1. However, once the admin account is set up, the user can connect/reconnect and execute commands as if logged in as root. At some point sshd -T needs to be run to test the configuration. A typo will easily ruin your day. In one case, you run into it sooner and can assume it's not a problem with key setup. In the other case, it could be a problem with either admin user setup or key setup.