What I'd like to do is disable password authentication and root login via SSH.
I am using the x86_64 version of DietPi v8.11.2 and OpenSSH as SSH server.
What I did so far was creating SSH key pairs and getting them to work with all my clients.
I already edited /etc/ssh/sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin no
However, my DietPi/OpenSSH server seems to ignore these changes (of course I reloaded the config and restarted the service), as I am still able to log in as root via SSH and can still use passwords for login.
I am doing this because in some scenarios it might be helpful to me to access my server from outside via SFTP, or probably even SSH right into it. I plan on doing that by implementing remote.it (which I can also install using dietpi-software), as I already used it in similar scenarios to reduce the attack surface.
Any help is appreciated …
Thanks!
PS: And can somebody probably explain to me why some tools offer a conversion to PuTTY format (e.g. WinSCP) and my server rejects those keys once converted?
I’m just guessing, because I use dropbear and not OpenSSH, but I think you need to change /etc/ssh/sshd_config.d/dietpi.conf
The config is stored in there because, when an update of the software happens, the default config file gets overridden and your changes would be lost, but not with the custom files in *.d/ folders.
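Why edits to /etc/ssh/sshd_config can appear to be ignored, as an added example that is not part of the original posts: sshd keeps the first value it obtains for each keyword, so a drop-in that is included before the main file's own settings takes precedence. The sketch assumes the Debian layout, where sshd_config begins with an Include of sshd_config.d/*.conf; the file contents and the helper names flatten_config, effective_value and make_demo are constructed for illustration.

```shell
#!/bin/sh
# Emulates how sshd resolves a global keyword: files are read top to bottom,
# Include lines are expanded in place, and the FIRST value found wins.
# Simplifications: no Match blocks, no "Keyword=value" syntax, absolute
# Include paths only.

# flatten_config MAIN: print MAIN with each Include replaced by the files it names.
flatten_config() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            [Ii]nclude\ *)
                # Unquoted on purpose: the shell expands the glob in sorted order.
                for f in ${line#* }; do
                    if [ -f "$f" ]; then cat "$f"; fi
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# effective_value KEYWORD MAIN: print the value sshd would end up using.
effective_value() {
    flatten_config "$2" | awk -v kw="$1" '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        tolower($1) == tolower(kw) { print $2; exit }  # first match wins
    '
}

# make_demo: build a constructed config tree in a temp dir and print its path.
# The file contents are sample values for illustration, not DietPi's real files.
make_demo() {
    dir=$(mktemp -d)
    mkdir "$dir/sshd_config.d"
    printf 'PasswordAuthentication yes\nPermitRootLogin yes\n' \
        > "$dir/sshd_config.d/dietpi.conf"
    printf 'Include %s/sshd_config.d/*.conf\n%s\n%s\n%s\n' "$dir" \
        'PasswordAuthentication no' 'UsePAM no' 'PermitRootLogin no' \
        > "$dir/sshd_config"
    printf '%s\n' "$dir"
}

demo=$(make_demo)
for kw in PasswordAuthentication PermitRootLogin UsePAM; do
    printf '%-24s %s\n' "$kw" "$(effective_value "$kw" "$demo/sshd_config")"
done
rm -rf "$demo"
```

On a real system, running `sshd -T` as root prints the configuration the server actually resolved, which is the authoritative check after any change.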
Hi, I am trying to disable password login after having established a working private/public key connection. Up to now it does not work. I tried SOFTWARE_DISABLE_SSH_PASSWORD_LOGINS=1 in /boot/dietpi.txt with no effect. I’m using the default Dropbear SSH server on a fresh Bullseye installation. The above-mentioned /etc/ssh/ folder does not exist. Should I create “/etc/ssh/sshd_config.d/dietpi.conf”
with
PasswordAuthentication no
to get this working?
The value itself did not trigger anything. It will be taken into account on the next SSH server installation. However, you could run the following to get it done as well
Thanks for that. I even tried that and modified the “dietpi-set_software” file, again with no effect. Actively triggering the command might make a difference here, and yes, it worked :-)
What about dietpi-user? I would prefer to deactivate password login for dietpi as well.