by protomyth 2109 days ago
Well, if you use certificates, you can immediately ban anyone trying to do password authentication.

True, but having supported an SFTP server for other B2B clients to upload data, SSH keys are black magic to too many people. I can't count the hours I've spent trying to explain them, how to generate them and why you should never "show anyone your privates", just your publics.
It would be more obvious if the private key files were named “id_ed25519.private”.

Why not make it “identity.ed25519.private.sshkey” and default to “20200916{,T224400Z}.ed25519.{private,public}.sshkey”?

Put in a feature request to the OpenSSH guys. Theo can probably tell you why it's not a good idea, or why it is a good idea.
Just an obvious protip to test that your cert works before banning password auths. I, uh, found out the hard way.
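The "test, then ban" advice in the comment above, and the key-only setup suggested at the top of the thread, as an added example that is not code from the thread or from the OpenSSH project: a small POSIX sh helper that rewrites an sshd_config so only public-key authentication is accepted, plus a check that inspects the result the way sshd would read it. Input and output paths are parameters rather than the real /etc/ssh/sshd_config, and the sample config in the usage below is constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: force key-only authentication in an
# sshd_config and verify the result before the running daemon is reloaded.
# Assumes POSIX sh with awk; IN and OUT are parameters so this can be exercised
# on a scratch copy rather than /etc/ssh/sshd_config itself.

# harden_sshd_config IN OUT: write OUT = IN with password-style authentication
# switched off and public-key authentication on. sshd uses the *first* value it
# sees for a keyword, so the new settings are prepended and any earlier
# top-level (unindented, possibly commented-out) copies are dropped. Indented
# lines are left alone so a later Match block can still override per user/host.
harden_sshd_config() {
    in="$1"; out="$2"
    {
        printf '%s\n' \
            'PubkeyAuthentication yes' \
            'PasswordAuthentication no' \
            'KbdInteractiveAuthentication no' \
            'ChallengeResponseAuthentication no'
        awk 'tolower($0) ~ /^(#[ \t]*)?(passwordauthentication|pubkeyauthentication|kbdinteractiveauthentication|challengeresponseauthentication)[ \t]/ { next }
             { print }' "$in"
    } > "$out"
}

# effective_value FILE KEY: print the global value sshd would use for KEY in the
# usual "Keyword value" form (first uncommented occurrence wins; stop at the
# first Match block, whose settings are conditional).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# password_auth_disabled FILE: succeed only if FILE leaves no password path open
# and key authentication is actually enabled.
password_auth_disabled() {
    [ "$(effective_value "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(effective_value "$1" KbdInteractiveAuthentication)" = "no" ] &&
    [ "$(effective_value "$1" PubkeyAuthentication)" = "yes" ]
}
```

On the real host the order matters: keep the current session open, run `sshd -t -f /path/to/new_config` so sshd itself validates the file, then from a second terminal prove the key works with `ssh -o BatchMode=yes -o PasswordAuthentication=no user@host true` (BatchMode suppresses any password prompt, so a broken key shows up as a failure instead of a silent fallback). Only after that succeeds install the new file and reload sshd.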
I never had an issue with authentication. My issue was a typo in sudoers (I allowed a user to view syslog, IIRC, and had a semicolon instead of a colon) that prevented me from using sudo, as only my primary user was allowed to log in via SSH. Fortunately cloud VPS still has VNC login, and I actually had a root password. Now I use a root shell to edit sudoers, so I can test it before dropping root.
You should use "visudo", which opens the file in the default editor, then validates it before saving.
But make sure to change the default editor to something sane first. (* ducks *)

:q!dammitwtf

+1 to that!

I like nano, and I'm not ashamed to admit it.

If you edit outside of visudo, you can run visudo -cf <filename>.

example:
visudo -cf /etc/sudoers
visudo -cf /etc/sudoers.d/extra

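The lockout story and the visudo -cf tip above, as an added example that is not code from the thread or from the sudo project: a POSIX sh helper that only installs a sudoers drop-in after visudo has parsed it, so a typo never reaches the live file. It assumes visudo(8) is on the PATH; the two sudoers lines are constructed for this example, modelled on the colon-versus-semicolon typo described above, and "logreader" is a hypothetical user.

```shell
#!/bin/sh
# Added example, not code from the thread: validate a sudoers drop-in with
# visudo before it is installed, so a typo cannot lock you out of sudo.
# Assumes sudo's visudo(8) is on the PATH. The two snippets below are
# constructed for this example ("logreader" is a hypothetical user).

# A colon separates a second host/command pair for the same user ...
SUDOERS_FIXED='logreader ALL = (root) /usr/bin/tail /var/log/syslog : ALL = (root) /usr/bin/less /var/log/syslog'
# ... a semicolon is a syntax error, and sudo refuses to run at all once a
# file like this is live.
SUDOERS_BROKEN='logreader ALL = (root) /usr/bin/tail /var/log/syslog ; ALL = (root) /usr/bin/less /var/log/syslog'

# sudoers_ok FILE: exit 0 if visudo parses FILE as a valid sudoers file.
# -c checks without editing; -f names the file to check instead of /etc/sudoers.
sudoers_ok() {
    visudo -cf "$1"
}

# install_sudoers_dropin SRC NAME [DIR]: validate SRC, then copy it to DIR/NAME
# with mode 0440 (run this as root so the copy is owned by root, as sudo
# requires). Installs nothing and returns 1 when visudo rejects SRC or when
# NAME is one sudo would silently skip (contains '.' or ends in '~').
install_sudoers_dropin() {
    src="$1"; name="$2"; dir="${3:-/etc/sudoers.d}"
    case "$name" in
        *.*|*~)
            echo "refusing '$name': sudo skips drop-ins containing '.' or ending in '~'" >&2
            return 1 ;;
    esac
    if ! sudoers_ok "$src"; then
        echo "refusing to install $src: visudo rejected it" >&2
        return 1
    fi
    install -m 0440 "$src" "$dir/$name"
}
```

Typical use is to write the rule to a scratch file, then `install_sudoers_dropin /tmp/logreader logreader`, keeping a root shell open in another terminal until `sudo -l -U logreader` shows the expected entry. Using a drop-in rather than editing /etc/sudoers also limits the blast radius: a rejected file never gets installed, and the main file is untouched.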
Yeah, cannot say I've never done that.

Test then Ban.