ssh settings in jessie

Postby fsmithred » Tue Oct 21, 2014 3:03 pm

I know I discussed this last time I made changes, but it's buried in a long thread. This will be easier to find later.

New setting in jessie for PermitRootLogin is "without-password" which doesn't mean what you think it means. Root can only log in with auth keys. Also changed was PasswordAuthentication, which is now set to "no". Actually, I can't remember if that was the default debian setting or if it came from live-config, which does change it to "no" in /lib/live/config/1160-openssh-server.

For the installer, this code should work:
Code:
# Allow users to login to ssh with passwords if desired.
# Allow root login only with auth keys.
# or do nothing.
if [[ $ssh_pass = "yes" ]] ; then
   # Keep a backup (sshd_config~), then turn password logins on.
   sed -i~ 's/PasswordAuthentication no/PasswordAuthentication yes/' /target/etc/ssh/sshd_config
   sed -i 's/PermitRootLogin yes/PermitRootLogin without-password/' /target/etc/ssh/sshd_config
elif [[ $ssh_pass = "no" ]] ; then
   # Keep a backup (sshd_config~), then turn password logins off.
   sed -i~ 's/PasswordAuthentication yes/PasswordAuthentication no/' /target/etc/ssh/sshd_config
   sed -i 's/PermitRootLogin yes/PermitRootLogin without-password/' /target/etc/ssh/sshd_config
elif [[ -n "$ssh_pass" ]] ; then
   echo "WARNING: ssh_pass value not recognized. No changes were made to /etc/ssh/sshd_config"
fi

Here's the config file entry:
Code:
# SSH Settings
# The default setup in debian has password authentication turned off,
# and root can only log in with authentication keys.
# If ssh_pass="yes", then PasswordAuthentication will be set to "yes"
# If ssh_pass="no", then PasswordAuthentication will be set to "no"
# In either of the above cases, if PermitRootLogin was set to "yes",
# it will be changed to "without-password" (meaning with auth keys only)
# If ssh_pass is null or set to anything other than "yes" or "no", then
# /etc/ssh/sshd_config will not be altered.


For refractasnapshot, I'm thinking maybe we need 1161-openssh-server to reverse that change, along with an option in refractasnapshot to insert that file or not. dzz, does that make sense or do you have a better suggestion? The script would just need to check for the state file and run one sed command.
Posts: 2089
Joined: Wed Mar 09, 2011 9:13 pm

Re: ssh settings in jessie

Postby fsmithred » Wed Dec 24, 2014 3:32 pm

live/config/1160-openssh-server disables password authentication in ssh with this line.
Code:
sed -i -e 's|#\(PasswordAuthentication\) yes|\1 no|' /etc/ssh/sshd_config

In refractasnapshot 9.1.3, if ssh_pass is set to "yes", then 1161-openssh-server re-enables password authentication with the same line. I just reversed "yes" and "no".
Code:
sed -i -e 's|#\(PasswordAuthentication\) no|\1 yes|' /etc/ssh/sshd_config

I noticed an inconsistency - some snapshots allowed ssh login with passwords and some did not. The difference is in sshd_config. The default line is
Code:
#PasswordAuthentication yes
If you remove the comment mark, 1160-openssh-server does not change the line.

I tried the following, and it works whether or not the line starts with #.
Code:
sed -i -e 's|.*PasswordAuthentication.*no|#PasswordAuthentication yes|' /etc/ssh/sshd_config

And there probably needs to be a similar line that does the opposite, so that if the user chooses ssh_pass=no in refractasnapshot.conf, that's what they'll get, regardless of which way they have it set in their installation.

Edit/Update: ssh-keygen works in 1160-openssh-server now. Instead of 1161-openssh-server, it makes sense to edit the rsync copy of sshd_config in $work_dir.
Posts: 2089
Joined: Wed Mar 09, 2011 9:13 pm
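
The inconsistency described in the post above (a pattern that only matches the commented default line) can be avoided by matching the directive whether or not it is commented and writing an explicit, active value in either direction. This is an added example, not code from the thread or from refractasnapshot; the function names and the sample config are made up for illustration, and GNU sed is assumed.

```shell
#!/bin/sh
# Added example; function names and the sample file are constructed.
# Directive line: optional "#", keyword, then exactly yes or no. Prose
# comments that merely mention the keyword do not match.
pat='^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]+(yes|no)[[:space:]]*$'

# set_password_auth FILE yes|no : make the directive explicit and active.
# Assumes FILE has no Match blocks carrying their own PasswordAuthentication.
set_password_auth() {
    file=$1 want=$2
    case $want in
        yes|no) ;;
        *) echo "WARNING: ssh_pass value not recognized: $want" >&2; return 2 ;;
    esac
    if grep -Eq "$pat" "$file"; then
        sed -i~ -E "s/$pat/PasswordAuthentication $want/" "$file"
    else
        # Directive absent: add it as the first line of the file.
        tmp=$(mktemp) &&
            { printf 'PasswordAuthentication %s\n' "$want"; cat "$file"; } >"$tmp" &&
            cat "$tmp" >"$file" && rm -f "$tmp"
    fi
}

# Value sshd would use: first active line wins, built-in default is yes.
effective_password_auth() {
    v=$(sed -n -E 's/^[[:space:]]*PasswordAuthentication[[:space:]]+(yes|no)[[:space:]]*$/\1/p' "$1" | head -n 1)
    echo "${v:-yes}"
}

# Constructed sshd_config; $1 is the line under test.
sample_config() {
    printf '%s\n' 'Port 22' \
        '# PasswordAuthentication: change to no to disable passwords' \
        "$1" 'UsePAM yes'
}

# Both starting states from the thread end up the same.
d=$(mktemp -d)
for line in '#PasswordAuthentication yes' 'PasswordAuthentication no'; do
    sample_config "$line" >"$d/sshd_config"
    set_password_auth "$d/sshd_config" no
    echo "$line -> $(effective_password_auth "$d/sshd_config")"
done
rm -rf "$d"
```

On a real system, `sshd -t -f FILE` can be run on the edited copy to confirm it still parses before it is put in place.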
