Disable Password Auth and Root Login via SSH

akrael · 20 November 2022 18:31

Hi there,

What id like to do is disable password authentication and root login via ssh.
I am using the X86_64 Version of DietPi v8.11.2 and OpenSSH as SSH Server.

What i did so far was creating SSH Keypairs and getting them to work with all my clients.

I already edited /etc/ssh/sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin no

However, my dietpi/openssh server seems to ignore these changes (of course i reloaded the config and restarted the service) as i am still able to login as root via SSH and can still use passwords for login.

I am doing this, because in some scenarios it might be helpful to me to access my server from external via SFTP, or probably SSH even right into it. I plan on doing that by implementing remote.it (which i can also install using dietpi-software) as i already used it in similar scenarios to reduce the attack surface.

Any help is appreciated …

Thanks!

PS: and can somebody probably explain to me why some tools offer a conversion to putty format (e.g. winscp) and my server rejects those keys once converted?

Jappe · 20 November 2022 20:26

I’m just guessing, because I use dropbear and not OpenSSH, but I think you need to change /etc/ssh/sshd_config.d/dietpi.conf
The config is stored in there, because when an update of the software happens, the default config file get’s overridden and your changes would be lost, but not with the custom files in *.d/ folders.

akrael · 20 November 2022 22:33

Yep - thats exactly what i did wrong… Thank you! Its now working!

Minsky · 6 March 2023 21:57

Hi, I am trying to disable password login after having established a working private/public key connection.Up to now it does not work. I tried to SOFTWARE_DISABLE_SSH_PASSWORD_LOGINS=1 in /boot/dietpi.txt with no effect. I’am using the default dropbear ssh-server on a fresh Bullseye installation. The above mentioned /etc/ssh/ folder does not exist. Should I create “/etc/ssh/sshd_config.d/dietpi.conf”
with
PasswordAuthentication no
to get this working ?

Joulinar · 6 March 2023 22:18

The value themselves did no trigger anything. It will take into account on next SSH server installation. However you could run following to get it done as well

/boot/dietpi/func/dietpi-set_software disable_ssh_password_logins root

See following GitHub post Q: Best way to disable root login via SSH · Issue #6088 · MichaIng/DietPi · GitHub

Minsky · 7 March 2023 08:29

Thanks for that. I even tried that and modified the “dietpi-set_software” file, again with no effect. Actively triggering the command might make a difference here, and yes it worked : -)

What about dietpi-user ? I would prefer to deactivate password login for dietpi as well.

/boot/dietpi/func/dietpi-set_software disable_ssh_password_logins dietpi    (?)

Joulinar · 7 March 2023 09:48

The feature themself applies for root user only. Do you like to disable SSH password login generally or just for specific users?

Minsky · 7 March 2023 10:01

Disabling password login for dietpi would be ok for now.

Update: I found out and edited /etc/default/dropbear …EXTRA_ARGS=“-s”

Restarted dropbear. Now the option “password” during login is gone and publickey is the default.

Fine! That’s what I aimed for.

Thanks for help

system · 1 February 2024 08:39

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.