digitalformula Posted July 26, 2018

Hi all,

In follow up to a post the other day, I made a bunch of changes to the sshd configuration that I lost when the system rebooted. That's OK - I know why.

I ended up making the changes I need via the /boot/config/go script and thought they may be useful for anyone else that wants to secure sshd like I have.

- no password auth allowed
- public key auth enabled
- root user .ssh directory created
- root user authorized_keys file created
- correct permissions on the root user's authorized_keys file

If there's a better/approved way to make startup changes like this, I'm definitely interested in knowing.

```bash
#!/bin/bash

#Setup sshd configuration
mkdir -p /root/.ssh
touch /root/.ssh/authorized_keys
echo "<your_public_key_here>" | tee -a /root/.ssh/authorized_keys
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
sed -i -- 's/#.*PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
sed -i -- 's/#.*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
/etc/rc.d/rc.sshd restart

#Setup drivers for hardware transcoding in Plex
modprobe i915
chmod -R 777 /dev/dri

# Start the Management Utility
/usr/local/sbin/emhttp &
```

ken-ji Posted July 26, 2018

You're making it really hard on yourself.

```bash
sed -i -- 's/#.*PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
sed -i -- 's/#.*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
/etc/rc.d/rc.sshd restart
```

No need for these lines, you can either install the @docgyver ssh plugin (not using it so not sure about the authorized keys installation) or alternatively - just modify config/ssh/sshd_config on the flash drive

digitalformula Posted July 26, 2018 (edited)

> 5 hours ago, ken-ji said:
>
> You're making it really hard on yourself.
>
> ```bash
> sed -i -- 's/#.*PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config
> sed -i -- 's/#.*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
> /etc/rc.d/rc.sshd restart
> ```
>
> No need for these lines, you can either install the @docgyver ssh plugin (not using it so not sure about the authorized keys installation) or alternatively - just modify config/ssh/sshd_config on the flash drive

I actually looked for a default version of sshd_config but couldn't find one. It's why I ended up doing it this way. Should there be an sshd_config in /boot/config/ssh? Mine only has host keys.

Edit: In any case, it's a good learning experience (I'm very familiar with Linux, but very new to unRAID).

Edit: The plugin referenced above essentially does what the script changes above do (but with more options, obviously).

Edited July 26, 2018 by digitalformula

ken-ji Posted July 26, 2018

I kinda forgot, but you copy /etc/ssh/sshd_config to /boot/config/ssh and edit that copy.

When ssh is re/started, the files from /boot/config/ssh are copied to /etc/ssh and permissions are reset.

The aforementioned plugin does allow a few other common options to be set and gives you a UI to restart the SSH daemon.
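
The copy-and-edit approach from the last post, as an added example that is not code from any poster in this thread or from unRAID: it hardens a copy of sshd_config rather than the live file, and also handles directives that are already uncommented or overridden in a Match block. The function names are hypothetical, the sample config is constructed, and awk and mktemp are assumed to be available.

```shell
#!/bin/bash
# Added example; function names are hypothetical. sample_config is constructed input.

# set_directive FILE KEY VALUE: make "KEY VALUE" the only setting of KEY in FILE.
# sshd keeps the first value it reads for a keyword, so old KEY lines (commented,
# active, or inside a Match block) are dropped and one global line is written
# ahead of the first Match block, or at the end if there is none.
set_directive() {
    local file=$1 key=$2 value=$3 tmp rc
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # ignore indent and comment marker
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(key)) next
            if (!done && tolower($1) == "match") { print key " " value; done = 1 }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# harden_sshd_config SRC DST: copy SRC to DST and enforce key-only logins in DST.
# On the setup in this thread: SRC=/etc/ssh/sshd_config, DST=/boot/config/ssh/sshd_config
harden_sshd_config() {
    cp -- "$1" "$2" || return 1
    set_directive "$2" PasswordAuthentication no &&
        set_directive "$2" PubkeyAuthentication yes
}

# effective_value FILE KEY: the first active global value, i.e. what sshd applies.
effective_value() {
    awk -v key="$2" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Constructed sample: commented default, active "yes", and a Match override.
sample_config() {
    printf '%s\n' 'Port 22' '#PubkeyAuthentication yes' \
        'PasswordAuthentication yes' '#PasswordAuthentication yes' \
        'Match User backup' '    PasswordAuthentication yes'
}
```

Checking the edited copy with `sshd -t -f <file>` before restarting the daemon, and keeping an existing session open until a key-based login works, avoids locking yourself out.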