joshstrange Posted August 2, 2022

I know I had this working on <6.9 but I built a new UnRaid box recently, installed 6.10, and I think it broke. In my /boot/config/go file I have:

```
mkdir -p /root/.ssh
cp /boot/custom/ssh/* /root/.ssh
chmod 700 /root/.ssh
chmod 600 /root/.ssh/*
echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
/etc/rc.d/rc.sshd restart
```

Which should take my authorized keys file in /boot/custom/ssh/, move it to the right place, set the correct permissions, disable password login, and restart the ssh daemon. It does correctly allow me to log in with a key but I can also still log in with my password, which I do not want. In past versions of UnRaid I know this configuration worked so I'm confused as to what I'm doing wrong this time around. I also tried uncommenting the:

```
PermitRootLogin prohibit-password
```

line and restarting ssh but it didn't help. Any assistance would be greatly appreciated. Thank you!

JorgeB Posted August 4, 2022

With 6.9+ you don't need those commands in the go file; remove everything, you just need to generate keys and copy them to /boot/config/ssh/root.

https://forums.unraid.net/topic/51160-passwordless-ssh-login/?do=findComment&comment=1086269

joshstrange Posted August 15, 2022

Sorry I missed this reply, unfortunately it doesn't solve my problem. It may make it so I can log in with my keys (I already have that working) but it does nothing to prevent passwords when logging in. As in I can still `ssh root@MYIP` and get a password prompt that takes my password and logs me in. I want to completely prevent that. Make SSH key-ONLY.

It's very odd to me that I've edited the `/etc/ssh/sshd_config` file and told it to not allow PasswordAuthentication and yet SSH still works without a key.

joshstrange Posted August 15, 2022

So I just found this thread and removing/commenting out `PermitRootLogin yes` does prevent password login. SSH will still prompt for the password (odd, I've never seen this before when I've set up a server to be key-only) but it will not accept the correct root password.

I guess this is better than nothing but it's frustrating that I had this working perfectly before upgrading and now sshd doesn't appear to respect the config I give it (notably `PubkeyAuthentication yes` and `PasswordAuthentication no`).

JonathanM Posted August 15, 2022

> 44 minutes ago, joshstrange said:
> SSH will still prompt for the password (odd, I've never seen this before when I've set up a server to be key-only) but it will not accept the correct root password.

That's actually more secure, because it doesn't tip the attacker off with the knowledge that no password will ever be accepted.

rob_robot Posted November 20, 2022

For me, it worked copying over the sshd_config from /etc/ssh/sshd_config to /boot/config/ssh/sshd_config then uncommenting and setting to "no" the below two entries (PasswordAuthentication and PermitEmptyPasswords) + adding the entry to disable ChallengeResponseAuthentication.

```
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
```

Then a restart and I was no longer able to log in with password. Please note that it is important to generate and test the key based login up front as otherwise, you will lose the capability to log in via ssh.

For remote client Mac users: You can create a config file in your /Users/<user_name>/.ssh folder like below to be able to use "ssh tower" to access ssh from your remote client Mac instead of typing the server address. Of course "tower" could be replaced with your shortcut / server name:

1.) Go to /Users/<user_name>/.ssh, then

```
touch config
nano config
```

Then paste into this file:

```
Host tower
    Hostname xxx.yyy.zzz
    user root
    IdentityFile ~/.ssh/ed25519
```

Notes: Replace host name with your IP address. The IdentityFile should point to the location of your private key.

You can add multiple configs to the config file like,

```
Host name1
    Hostname aaa.bbb.ccc.ddd
    user uname1
    IdentityFile ~/.ssh/file1

Host name2
    Hostname aaa.bbb.ccc.eee
    user uname2
    IdentityFile ~/.ssh/file2
```

Edited November 20, 2022 by rob_robot

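Added example (not part of any post in this thread): a shell function that reads the effective configuration printed by `sshd -T` and reports any setting that still permits a password-style login, covering the three entries rob_robot lists plus PubkeyAuthentication. The function and sample names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads "keyword value" lines as printed
# by `sshd -T` and reports settings that still allow a password-style login.
# On the server (as root): sshd -T | audit_sshd_effective

audit_sshd_effective() {   # hypothetical helper name
    awk '
        BEGIN {
            # Keywords that must be "no" for key-only login. The last two are
            # the newer and older name of one setting; which of them sshd -T
            # prints depends on the OpenSSH version.
            must_no[++n] = "passwordauthentication"
            must_no[++n] = "permitemptypasswords"
            must_no[++n] = "kbdinteractiveauthentication"
            must_no[++n] = "challengeresponseauthentication"
        }
        { got[tolower($1)] = tolower($2) }
        END {
            if (!("passwordauthentication" in got)) {
                print "FAIL passwordauthentication not-reported"; rc = 1
            }
            for (i = 1; i <= n; i++) {
                k = must_no[i]
                if ((k in got) && got[k] != "no") { print "FAIL " k " " got[k]; rc = 1 }
            }
            if (got["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication " got["pubkeyauthentication"]; rc = 1
            }
            exit rc + 0
        }
    '
}

# Constructed sample: PasswordAuthentication is off, keyboard-interactive is not.
sample_partial() {
    printf '%s\n' 'permitrootlogin yes' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication yes' \
        'permitemptypasswords no'
}

# Constructed sample: every password-style method is off, keys are on.
sample_key_only() {
    printf '%s\n' 'pubkeyauthentication yes' 'passwordauthentication no' \
        'kbdinteractiveauthentication no' 'permitemptypasswords no'
}

sample_partial | audit_sshd_effective || echo "password-style login still possible"
sample_key_only | audit_sshd_effective && echo "key-only"
```

`sshd -T` reads the configuration file rather than the running daemon, so run it once the file under /etc/ssh is in its final state.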