August 2, 20223 yr I know I had this working on <6.9 but I built a new UnRaid box recently, installed 6.10, and I think it broke. In my /boot/config/go file I have: mkdir -p /root/.ssh cp /boot/custom/ssh/* /root/.ssh chmod 700 /root/.ssh chmod 600 /root/.ssh/* echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config echo "PasswordAuthentication no" >> /etc/ssh/sshd_config /etc/rc.d/rc.sshd restart Which should take my authorized keys file in /boot/custom/ssh/, move it to the right place, set the correct permissions, disable password login, and restart the ssh daemon. It does correctly allow me to login with a key but I can also still login with my password which I do not want. In past versions of UnRaid I know this configuration worked so I'm confused as to what I'm doing wrong this time around. I also tried uncommenting the: PermitRootLogin prohibit-password Line and restarting ssh but it didn't help. Any assistance would be greatly appreciated. Thank you!
August 4, 20223 yr Community Expert With 6.9+ you don't need those command in the go file, remove everything, you just need to generate keys and copy them to /boot/config/ssh/root. https://forums.unraid.net/topic/51160-passwordless-ssh-login/?do=findComment&comment=1086269
August 15, 20223 yr Author Sorry I missed this reply, unfortunately it doesn't solve my problem. It may make it so I can login with my keys (I already have that working) but it does nothing to prevent passwords when logging in. As in I can still `ssh root@MYIP` and get a password prompt that takes my password and logs me in. I want to completely prevent that. Make SSH key-ONLY. It's very odd to me that I've edited the `/etc/ssh/sshd_config` file and told it to not allow PasswordAuthentication and yet SSH still works without a key.
August 15, 20223 yr Author So I just found this thread and removing/commenting out `PermitRootLogin yes` does prevent password login. SSH will still prompt for the password (odd, I've never seen this before when I've setup a server to be key-only) but it will not accept the correct root password. I guess this is better than nothing but it's frustrating that I had this working perfectly before upgrading and now sshd doesn't appear to respect the config I give it (notably `PubkeyAuthentication yes` and `PasswordAuthentication no`).
August 15, 20223 yr 44 minutes ago, joshstrange said: SSH will still prompt for the password (odd, I've never seen this before when I've setup a server to be key-only) but it will not accept the correct root password. That's actually more secure, because it doesn't tip the attacker off with the knowledge that no password will ever be accepted.
November 20, 20223 yr For me, it worked copying over the sshd_config from /etc/ssh/sshd_config to /boot/config/ssh/sshd_config then uncommenting and setting to "no" the below two entries (PasswordAuthentication and PermitEmptyPasswords) + adding the entry to disable ChallengeResponseAuthentication. # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no Then a restart and I was no longer able to login with password. Please note that it is important to generate and test the key based login up front as otherwise, you will lose the capability to login via ssh. For remote client Mac users: You can create a config file in your /Users/<user_name>/.ssh folder like below to be able to use "ssh tower" to access ssh from your remote client Mac instead of typing the server address. Of course "tower" could be replaced with your shortcut / server name: 1.) Go to /Users/<user_name>/.ssh, then touch config nano config Then paste into this file: Host tower Hostname xxx.yyy.zzz user root IdentityFile ~/.ssh/ed25519 Notes: Replace host name with your IP address. The IdentityFile should point to the location of your private key. You can add multiple configs to the config file like, Host name1 Hostname aaa.bbb.ccc.ddd user uname1 IdentityFile ~/.ssh/file1 Host name2 Hostname aaa.bbb.ccc.eee user uname2 IdentityFile ~/.ssh/file2 Edited November 20, 20223 yr by rob_robot
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.