So I have been successful at disambiguating the hundreds of conflicting and incomplete stories about how to connect to a user account by SSH on a Centos 7 server.
Meaning I can log in without a password, and I am asked to verify my owner’s password on the certificate.
However, I cannot find an explanation about how to login by SSH as the ROOT user that does not focus on the sshd_config settings that refer to PermitRootLogin yes or without-password or password-prohibited.
Based on my experience so far, the sshd_config settings will straighten out after the correct public keys are registered as host_keys in a valid location known to the AuthorizedKeysFile value setting in sshd_config.
There are a number of problems to avoid:
1. Centos 7 (current) encrypts the user folders preventing the SSH tools from reading the contents of the critical /user/.ssh folder. This requires the admin to create a folder for each user in /etc/ssh to hold the public_keys/authorized_keys for each user outside of the context of the user’s folder.
2. Centos 7 has limited the host_keys type values to ssh_host_rsa_key and ssh_host_rsa_ed25519_key, again in the sshd_config.
The only solution for managing the public keys of remote users so that the server can verify them that seems robust is referred to by the HostBasedAuthentication flag in sshd_config. But the actual solutions, described at https://www.ssh.com/ssh/host-key, and https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication, seem to be overkill for any modest group of servers.
However, trying to re-utilize the method for creating private/public key pairs using ssh-keygen and ssh-copy-id’ing them to /etc/ssh/%u/authorized_keys folders proves to be extremely difficult when you want the rsa content to include the fully qualified name of the root@server_id. And trying to fake one from another user is unworkable.
So I’ve worked it to the point that I could set the sshd_config back to allowing password-based SSH logins for the root@server-id to login from the client machine. But there is no local user and .ssh folder for that root@server-id user to use. So the rest of the normal ‘create an ssh login’ for a new user workflow cannot be completed.
So if anyone knows how this is actually accomplished, taking into account that just setting some flags in the sshd_config file isn’t enough, I’d appreciate your advice.
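As an added example, not part of the question or of any answer: a small shell script that resolves where sshd will look for a user's keys under a given AuthorizedKeysFile setting (the /etc/ssh/%u/authorized_keys form from the post) and reports which PermitRootLogin policy the file sets. It assumes the "keyword value" form of sshd_config and only the %u, %h and %% tokens; the config fragment, user name and home directory are constructed.

```shell
#!/bin/sh
# Constructed sample sshd_config (not the poster's file): keys kept under
# /etc/ssh/<user>/ as the post describes, root limited to key authentication.
CONF="${TMPDIR:-/tmp}/sshd_config.sample.$$"
cat > "$CONF" <<'EOF'
# constructed sample
PermitRootLogin without-password
AuthorizedKeysFile /etc/ssh/%u/authorized_keys .ssh/authorized_keys
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
EOF

# Print the value of a keyword; sshd keeps the first match, case-insensitively.
sshd_option() {  # $1=config file, $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Expand %u, %h and %% in each AuthorizedKeysFile entry (sshd accepts several,
# separated by whitespace); a relative entry is taken from the home directory.
authorized_keys_paths() {  # $1=config file, $2=user, $3=home directory
    sshd_option "$1" AuthorizedKeysFile | awk -v u="$2" -v h="$3" '{
        for (f = 1; f <= NF; f++) {
            p = $f; out = ""
            while ((i = index(p, "%")) > 0) {
                out = out substr(p, 1, i - 1); t = substr(p, i + 1, 1)
                if (t == "u") out = out u; else if (t == "h") out = out h
                else if (t == "%") out = out "%"; else out = out "%" t
                p = substr(p, i + 2)
            }
            out = out p
            if (substr(out, 1, 1) != "/") out = h "/" out
            print out
        }
    }'
}

# Classify the PermitRootLogin setting; without-password is the older spelling
# of prohibit-password, and an absent keyword leaves sshd's built-in default.
root_login_policy() {  # $1=config file
    v=$(sshd_option "$1" PermitRootLogin)
    case "$v" in
        "")                                  echo "unset";;
        without-password|prohibit-password)  echo "keys-only";;
        yes)                                 echo "password-or-keys";;
        no)                                  echo "disabled";;
        *)                                   echo "other:$v";;
    esac
}

authorized_keys_paths "$CONF" root /root
root_login_policy "$CONF"
```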