-
configuring key-only ssh access
The "/etc/rc/rc.sshd" script only has a single function (sshd_build) that removes the existing ListenAddress & AddressFamily entries, irrespective of what their current values are. It then adds new entries for these two right after the "Port" line. This script is called during the boot process, before many services (including the sshd daemon) are even started. So even if going with the "Include" directive method, there shouldn't be a need to restart the daemon. At the very least, this is what is currently working for me and seemed like the simpler approach for my use case scenario.
-
configuring key-only ssh access
Thanks for pointing this out, otherwise I probably would not have noticed. Since I've already upgraded, I'm not sure if this is something that started with unRAID v7.0.0 or if I just completely overlooked what the /etc/rc.d/rc.sshd script does. This appears to be the script that copies the files from /boot/config/ssh/* into /etc/ssh/* (minus sub-directories).

Line 51 in "/etc/rc.d/rc.sshd" has the following:

    cp -n $SSH_BOOT/* $SSH_ETC 2>/dev/null

With the "-n" parameter, the cp command will not overwrite any existing files. I had to work around this by adding the following lines to /boot/config/go:

    # ensure that the custom sshd_config file is copied to /etc/ssh
    cp /boot/config/ssh/sshd_config /etc/ssh/sshd_config

So this is what my /boot/config/go file looks like:

    #!/bin/bash
    # ensure that the custom sshd_config file is copied to /etc/ssh
    cp /boot/config/ssh/sshd_config /etc/ssh/sshd_config
    # Start the Management Utility
    /usr/local/sbin/emhttp

I restarted my unRAID server and looks to be working as expected:

    ❯ ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password [email protected]
    [email protected]: Permission denied (publickey,keyboard-interactive).
    ❯ ssh [email protected]
    Last login: Thu Jan 16 18:28:43 2025 from 192.168.1.149
    root@alexandria:~#
-
configuring key-only ssh access
There were two main things that I had to do to make this work across reboots:

1. The path "/root/.ssh" is a symlink to "/boot/config/ssh/root/" -- so, any keys added to /root/.ssh/authorized_keys should persist across reboots.
2. Copying "/etc/ssh/sshd_config" to "/boot/config/ssh/sshd_config" and only editing the copy in "/boot/config/ssh/sshd_config". This way, changes to the sshd_config file should be persistent across reboots as well.

In my particular case, the actual changes I made to "/boot/config/ssh/sshd_config" were the 3 lines below (which already exist in the file; I just uncommented/changed where needed):

    PermitRootLogin prohibit-password
    PubkeyAuthentication yes
    PasswordAuthentication no

Once the changes to "/boot/config/ssh/sshd_config" have been made, you should be able to just restart the SSH daemon via "/etc/rc.d/rc.sshd restart". There's a section in that script that copies the contents over from /boot/config/ssh/* over to /etc/ssh/* (minus directories). Search for "sshd_start" in the script to see the actual section that does this.

This has worked for me & I've been using this setup for quite some time.
Fafson
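The posts above rely on two things holding after every boot: the three sshd_config directives being in effect, and the live /etc/ssh/sshd_config matching the persistent copy despite "cp -n". The script below is an added example, not code from the posts or from unRAID, that checks both; the function names are hypothetical, the two paths are the ones named in the posts, and the parser assumes plain "Keyword value" lines and does not follow Include files.

```shell
#!/bin/sh
# Added example (not from the forum posts): audit an sshd_config for key-only access.

# Print the effective global value of a keyword. sshd keeps the FIRST value it
# reads for a keyword and matches keywords case-insensitively. Assumptions:
# "Keyword value" syntax only, Include files are not followed, and parsing
# stops at the first Match block because later lines are conditional.
sshd_effective() {  # usage: sshd_effective <file> <keyword>
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }
        key == want { print tolower($2); exit }
    ' "$1"
}

# Succeed only if passwords are refused and public keys are accepted.
# Fallbacks for absent keywords are the upstream OpenSSH defaults.
sshd_key_only() {  # usage: sshd_key_only <file>
    pw=$(sshd_effective "$1" PasswordAuthentication)
    pk=$(sshd_effective "$1" PubkeyAuthentication)
    rl=$(sshd_effective "$1" PermitRootLogin)
    [ "${pw:-yes}" = no ] && [ "${pk:-yes}" = yes ] &&
        case "${rl:-prohibit-password}" in
            prohibit-password|without-password|forced-commands-only|no) true ;;
            *) false ;;
        esac
}

# Check both copies, then compare them. A mismatch is the symptom of "cp -n"
# skipping a file that already exists in the destination.
sshd_audit() {  # usage: sshd_audit <boot_copy> <live_copy>
    rc=0
    sshd_key_only "$1" || { echo "WARN: $1 is not key-only"; rc=1; }
    sshd_key_only "$2" || { echo "WARN: $2 is not key-only"; rc=1; }
    cmp -s "$1" "$2"   || { echo "WARN: $2 differs from $1"; rc=1; }
    return "$rc"
}

# Paths are the ones named in the posts; nothing runs if they are absent.
if [ -f /boot/config/ssh/sshd_config ] && [ -f /etc/ssh/sshd_config ]; then
    sshd_audit /boot/config/ssh/sshd_config /etc/ssh/sshd_config &&
        echo "OK: key-only and in sync"
fi
```

On a live system, "sshd -T" prints the configuration the daemon would actually use, which also resolves Include files that this parser skips.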