
Can't disable SSH passwords after private key login setup


I'm on v6b6 but I don't think this is a v6 issue.

 

I set up SSH for autologin for root using the RSA key generated on my mac and authorizedKeys on the server, and it's working fine-- instant connection. I have a dyndns url passed through port 22 on my dd-wrt router to the unRAID server.

 

With the server open to the interwebs, my logs show that I am getting hammered with SSH login attempts.  Now that private key logins are working I'd like to disable password logins and I have followed several online procedures to do that, but none have worked to disable password logins.  I edited the /boot/config/ssh/ssh_config file I think appropriately, with the relevant sections below.  I note that this file is propagated appropriately to /etc/ssh/ on boot.

 

#   RhostsRSAAuthentication yes
#   RSAAuthentication yes
    ChallengeResponseAuthentication no
    PasswordAuthentication no
    UsePAM no
#   HostbasedAuthentication no

 

I *thought* that the "PasswordAuthentication no" was the relevant line.

 

However, when I try to login with a bogus userid, SSH doggedly asks for my password:

 

x-caliber:~ dennis$ ssh joe@****.us.to
joe@****.us.to's password: 
Permission denied, please try again.
joe@****.us.to's password: 
Permission denied, please try again.
joe@****.us.to's password: 
Permission denied (publickey,password,keyboard-interactive).

 

I'd really like to lock the server down and it seems like I have followed the guidelines for ssh_config to disable passwords, an approach that is widely recommended.

 

Can anyone see what I should do instead, or have any other advice to reduce the likelihood of a password break-in?

 

TIA

 

Dennis

I can't help with the specific issue, but you could open a different port on the router and then forward that to port 22 in unraid. There will be far fewer people trying to connect. The port should be higher than 1024, ideally higher than 10000, and you should ensure that it isn't a known port used by other services.

 

Sent from a mobile device, sorry for any typos.

 

 

Found this googling around, don't know if it's relevant, but it looks like it may be.

5.1 These entries must be set to yes:
RSAAuthentication yes
PubkeyAuthentication yes

Can anyone see what I should do instead, or have any other advice to reduce the likelihood of a password break-in?

 

The PasswordAuthentication parameter doesn't prevent SSH from asking for a password, it just means SSH will never use passwords as a means to authenticate a login.

 

When you run SSH on the standard port 22, you'll have to accept that script kiddies will hit your server if it's open to the Internet. Your best bet is to do as sureguy states and move SSH to a non-standard port. If this is not an option, then you can look at using scripts such as DenyHosts or Fail2Ban, which monitor the syslog for failed attempts and add entries into hosts.deny to prevent repeated connection attempts.

 

Shameless plug; feel free to try my denyhosts plugin.  There's an x64 version which is compatible with v6 unRAID.  Also an SSH plugin which is an extension to the default SSH in v6, allowing changes to parameters such as PasswordAuthentication from within the unRAID webgui.  See sig for details.

 

Regards,

overbyrn

 

  • Author

Found this googling around, don't know if it's relevant, but it looks like it may be.

5.1 These entries must be set to yes:
RSAAuthentication yes
PubkeyAuthentication yes

 

Thanks;  I found your source for this and this additional info seems relevant:

9.1 The following settings should be set to no:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

 

They also suggest temporarily changing the name of your rsa key to prove that it won't login.

 

It's working now, Thanks

  • Author

The PasswordAuthentication parameter doesn't prevent SSH from asking for a password, it just means SSH will never use passwords as a means to authenticate a login.

 

 

Thanks!  That was not clear to me, and I suspect I had it right at some point and didn't understand the expected behavior.

 

I'll look into your plugin too, though I've been trying not to put too many plugins in until the beta stabilizes.

 

Dennis

 

Thanks;  I found your source for this and this additional info seems relevant:

9.1 The following settings should be set to no:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

 

They also suggest temporarily changing the name of your rsa key to prove that it won't login.

 

It's working now, Thanks

Heh. I didn't quote that part, because you already had it set that way in the snippet you posted. Did you have to do any other modifications?

 

Perhaps you could write up a quick guide in the wiki since the procedures are fresh in your mind?
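
A check for the situation in this thread, added here as an example and not written by any poster: it reads the method list in the client's final "Permission denied (...)" line and compares it with the PasswordAuthentication value in the edited config text. The function names are hypothetical, and the second denial line is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the method list from the client's final "Permission denied (...)" line:
# these are the authentication methods the server still accepts.
offered_methods() {
    printf '%s\n' "$1" | sed -n 's/^Permission denied (\([^)]*\)).*$/\1/p'
}

# Succeed if password or keyboard-interactive logins are still offered.
password_exposed() {
    case ",$(offered_methods "$1")," in
        *,password,*|*,keyboard-interactive,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read sshd_config-style text on stdin and print the value in effect for a
# keyword: names are case-insensitive, comments are skipped, first match wins.
# Match blocks and "key=value" syntax are not handled.
effective_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }'
}

# Compare what the edited file says with what the server actually offers.
audit() {
    methods=$(offered_methods "$2")
    cfg=$(printf '%s\n' "$1" | effective_value PasswordAuthentication)
    if [ -z "$methods" ]; then echo "UNKNOWN"      # line not recognised
    elif ! password_exposed "$2"; then echo "OK"   # key-only server
    elif [ "$cfg" = "no" ]; then echo "MISMATCH"   # file says no, server disagrees
    else echo "EXPOSED"                            # passwords enabled in file
    fi
}

# Settings and first denial line as quoted in the thread; the second denial
# line is constructed to show a key-only server.
SAMPLE_CONFIG='#   RSAAuthentication yes
    ChallengeResponseAuthentication no
    PasswordAuthentication no
    UsePAM no'
SAMPLE_BEFORE='Permission denied (publickey,password,keyboard-interactive).'
SAMPLE_AFTER='Permission denied (publickey).'

audit "$SAMPLE_CONFIG" "$SAMPLE_BEFORE"
audit "$SAMPLE_CONFIG" "$SAMPLE_AFTER"
```

On a live server, `sshd -T` (run as root) prints the daemon's effective settings, read from sshd_config, and its output can be piped into `effective_value passwordauthentication`. A MISMATCH result means the running daemon is not using the values in the file that was edited.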

Archived

This topic is now archived and is closed to further replies.
