Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

I've fired my sysadmin, is changing passwords enough?

Question: I’ve been working with a system administrator for some time on my Linux server. I no longer need his services, and would like to make sure that he no longer has access to my server, “just in case”. Is it enough to simply change the passwords to all the accounts he had access to, such as “root”?

Surprisingly, the answer is a resounding no. Change all the passwords you like, but your sysadmin may have left a way in. And it turns out to be a legitimate way in.

Become a Patron of Ask Leo! and go ad-free!

Because of the nature of the work, it’s often the case that we give our system administrators an exceptional level of access to our systems. It’s not uncommon for system administrators to need “root” (or total, unrestricted) access to your server in order to do their job.

Obviously if you’ve parted on less than amicable terms, you should make sure to scan your system for things like rootkits, additional accounts and other less than honorable “gifts” your former admin may have left behind.

Regardless of how you parted, there’s also a legitimate technique for logging in that bypasses password authentication: SSH public key authentication. If your admin used it, and he or you didn’t remove it, he may still have access no matter what the passwords are set to.

This technique uses public key cryptography to create a matching public and private key pair. The public key is installed on the server, and then possession of the private key is enough to log in. It’s considered more secure than password authentication, because only trusted individuals can install the key on the server, and the matching private key is required to match in order to login. If you don’t have the matching private key, you can’t use this technique to login.

Thus to remove someone’s access from a server, one must not only change account passwords, but also remove that user’s public keys that may have been installed as well … or disable public key authentication completely.

To disable public key authentication completely, on the server you’ll need to modify the file /etc/ssh/sshd_config. Look for the line that says “#PubkeyAuthentication yes” (with, or without the leading “#”), and change it to “PubkeyAuthentication no”. Or simply add a line saying “PubkeyAuthentication no”. Now restart the sshd service. I’m being intentionally slightly vague here, because in reality someone that’s already familiar with ssh should be making these changes. A mistake could lock everyone out of your server.

If you want to keep using public key authentication, which is understandable since it’s quite handy, you’ll need to remove your former admin’s public key from all the accounts that it might have been placed in. To gain access, public keys are placed in the file “authorized_keys” in a subdirectory “.ssh” in each account’s home directory. For example all the public keys listed in  /root/.ssh/authorized_keys” represent possible “root” logins. Similarly, public keys in “/home/admin/.ssh/authorized_keys” represent possible logins as “admin”.

The solution is simple … locate all authorized_keys files, and remove from them the public keys you do not recognize, or those that you do recognize as no longer being appropriate. Each is on a single line within the file, and legitimate ones will almost certainly have an identifying comment at the end.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

1 thought on “I've fired my sysadmin, is changing passwords enough?”

  1. This is GREAT stuff, Leo. These days, security is not just for banks and big corporations: my server has been compromised on more than one occasion, even with what-I-thought-was-careful security. Your recent articles on this subject have been eye-openers, and gives people just a taste as to what’s involved. Kudos.

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.