July 17, 2014

I'm on v6b6 but I don't think this is a v6 issue. I set up SSH for autologin for root using the RSA key generated on my mac and authorizedKeys on the server, and it's working fine-- instant connection. I have a dyndns url passed through port 22 on my dd-wrt router to the unRAID server. With the server open to the interwebs, my logs show that I am getting hammered with SSH login attempts. Now that private key logins are working I'd like to disable password logins and I have followed several online procedures to do that, but none have worked to disable password logins.

I edited the /boot/config/ssh/ssh_config file I think appropriately, with the relevant sections below. I note that this file is propagated appropriately to /etc/ssh/ on boot.

# RhostsRSAAuthentication yes
# RSAAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
# HostbasedAuthentication no

I *thought* that the "PasswordAuthentication no" was the relevant line. However, when I try to log in with a bogus userid, SSH doggedly asks for my password:

x-caliber:~ dennis$ ssh joe@****.us.to
joe@****.us.to's password:
Permission denied, please try again.
joe@****.us.to's password:
Permission denied, please try again.
joe@****.us.to's password:
Permission denied (publickey,password,keyboard-interactive).

I'd really like to lock the server down and it seems like I have followed the guidelines for ssh_config to disable passwords, an approach that is widely recommended. Can anyone see what I should do instead, or have any other advice to reduce the likelihood of a password breakin?

TIA
Dennis
July 17, 2014

I can't help with the specific issue, but you could open a different port on the router and then forward that to port 22 in unRAID. There will be far fewer people trying to connect. The port should be higher than 1024, ideally higher than 10000, and you should ensure that it isn't a known port used by other services.

Sent from a mobile device, sorry for any typos.
July 17, 2014

Found this googling around, don't know if it's relevant, but it looks like it may be.

5.1 These entries must be set to yes:
RSAAuthentication yes
PubkeyAuthentication yes
July 17, 2014

Quote: "Can anyone see what I should do instead, or have any other advice to reduce the likelihood of a password breakin?"

The PasswordAuthentication parameter doesn't prevent SSH from asking for a password, it just means SSH will never use passwords as a means to authenticate a login.

When you run SSH on the standard port 22, you'll have to accept that script kiddies will hit your server if it's open to the Internet. Your best bet is to do as sureguy states and move SSH to a non-standard port. If this is not an option, then you can look at using scripts such as DenyHosts or Fail2Ban, which monitor the syslog for failed attempts and add entries into hosts.deny to prevent repeated connection attempts.

Shameless plug; feel free to try my denyhosts plugin. There's an x64 version which is compatible with v6 unRAID. Also an SSH plugin which is an extension to the default SSH in v6, allowing changes to parameters such as PasswordAuthentication from within the unRAID webgui. See sig for details.

Regards,
overbyrn
July 20, 2014 (Author)

Quote: "Found this googling around, don't know if it's relevant, but it looks like it may be.
5.1 These entries must be set to yes:
RSAAuthentication yes
PubkeyAuthentication yes"

Thanks; I found your source for this and this additional info seems relevant:

9.1 The following settings should be set to no:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

They also suggest temporarily changing the name of your rsa key to prove that it won't login. It's working now, Thanks
July 20, 2014 (Author)

Quote: "The PasswordAuthentication parameter doesn't prevent SSH from asking for a password, it just means SSH will never use passwords as a means to authenticate a login."

Thanks! That was not clear to me, and I suspect I had it right at some point and didn't understand the expected behavior. I'll look into your plugin too, though I've been trying not to put too many plugins in until the beta stabilizes.

Dennis
July 21, 2014

Quote: "Thanks; I found your source for this and this additional info seems relevant:
9.1 The following settings should be set to no:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
They also suggest temporarily changing the name of your rsa key to prove that it won't login. It's working now, Thanks"

Heh. I didn't quote that part, because you already had it set that way in the snippet you posted. Did you have to do any other modifications? Perhaps you could write up a quick guide in the wiki since the procedures are fresh in your mind?
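The settings the thread settles on (PubkeyAuthentication yes; PasswordAuthentication, ChallengeResponseAuthentication and UsePAM no) are read by the SSH daemon from sshd_config, not from ssh_config (the client file named in the first post). A common reason an edit "doesn't take" is that sshd honours the first uncommented occurrence of a keyword and ignores later duplicates, so a stock "PasswordAuthentication yes" higher up in the file silently wins. The script below is an added example, not code from the thread or from unRAID: it audits an sshd_config text for those four settings, applying OpenSSH's compiled-in defaults when a keyword is absent (the defaults and the choice to stop at the first Match block are assumptions noted in the comments), and runs itself on a constructed copy of the snippet from the first post.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenSSH sshd_config for the
# password-login settings discussed above. sshd uses the FIRST uncommented
# occurrence of a keyword, so "PasswordAuthentication no" placed below an
# earlier "PasswordAuthentication yes" is ignored; this audit models that.

# sshd_get FILE KEYWORD DEFAULT -> effective (lower-cased) value of KEYWORD
sshd_get() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }         # skip comments and blank lines
        tolower($1) == "match"  { exit }          # assumption: audit global settings only, stop at Match blocks
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }   # first occurrence wins
        END { if (!found) print def }             # keyword absent: compiled-in default applies
    ' "$1"
}

# sshd_audit FILE -> prints one line per check, returns the number of failures
sshd_audit() {
    cfg=$1
    fails=0
    # keyword / required value / OpenSSH compiled-in default when absent (assumed defaults)
    for spec in "PubkeyAuthentication yes yes" \
                "PasswordAuthentication no yes" \
                "ChallengeResponseAuthentication no yes" \
                "UsePAM no no"
    do
        set -- $spec                                  # $1=keyword $2=wanted $3=default
        actual=$(sshd_get "$cfg" "$1" "$3")
        if [ "$actual" = "$2" ]; then
            echo "OK   $1 = $actual"
        else
            echo "FAIL $1 = $actual (want $2)"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Stand-alone demo on a constructed copy of the snippet posted in the thread.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# RhostsRSAAuthentication yes
# RSAAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
# HostbasedAuthentication no
EOF
sshd_audit "$tmp" || echo "$? setting(s) need attention"
rm -f "$tmp"
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config`, then reload or restart sshd. To confirm from the client side that password methods are gone, `ssh -o PreferredAuthentications=none -o BatchMode=yes joe@host` makes no real authentication attempt and exits with the server's offered methods; a hardened server answers `Permission denied (publickey).` rather than the `(publickey,password,keyboard-interactive)` seen in the first post.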
This topic is now archived and is closed to further replies.