Help needed disabling password authentication. SSH/PwnPi.


13 posts
by jeb365 » Thu Aug 02, 2012 8:44 pm
Hey all. I've been reading up on securing ssh communication by employing the use of public/private keys. I have my keys set up perfectly but I just can't seem to disable password authentication. I'm not the best linux user so please bear with me if I'm overlooking something well obvious. After following instructions from numerous online guides my sshd_config looks like this -
GNU nano 2.2.4 File: sshd_config

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no


Again, sorry if I'm wasting peoples time with something well obvious.
Cheers.
Posts: 15
Joined: Thu Mar 15, 2012 7:37 pm
by jojopi » Thu Aug 02, 2012 9:14 pm
Your sshd_config looks good to disable passwords. Have you told sshd to reload its settings (or restarted it, or rebooted) since you changed the config file? At minimum you need "sudo service ssh reload".
Posts: 1858
Joined: Tue Oct 11, 2011 8:38 pm
by jeb365 » Thu Aug 02, 2012 9:24 pm
jojopi wrote:Your sshd_config looks good to disable passwords. Have you told sshd to reload its settings (or restarted it, or rebooted) since you changed the config file? At minimum you need "sudo service ssh reload".


Unfortunately, yes. No joy though.
Posts: 15
Joined: Thu Mar 15, 2012 7:37 pm
by jeb365 » Thu Aug 02, 2012 9:30 pm
I should probably mention that it's a fresh install and all I've done so far is updated/upgraded, created a new user, added it to sudoers, changed passwords and created public/private keys. Am I missing a piece of the install procedure somewhere?
Posts: 15
Joined: Thu Mar 15, 2012 7:37 pm
by jojopi » Thu Aug 02, 2012 9:48 pm
I have tried using your config as my /etc/ssh/sshd_config (on foundation raspbian wheezy), and it is as expected. Key authentication still works, but passwords fail (without even asking) with "Permission denied (publickey)".

Is your config in the right place, and is the daemon reading it?
Posts: 1858
Joined: Tue Oct 11, 2011 8:38 pm
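An added example (not from the thread) that answers jojopi's "is the daemon reading it?" from the file side: it reports the value sshd would actually take for each password-related directive, honouring sshd's first-occurrence-wins rule, case-insensitive keywords and the global/Match boundary. It assumes a plain sshd_config file; the sample config written by write_sample is constructed here, not the poster's full file.

```shell
#!/bin/sh
# Added example, not from the thread: report what sshd would take as the
# effective value of the password-related directives in a config file.
# sshd uses the FIRST uncommented occurrence of a keyword, keywords are
# case-insensitive, anything after a "Match" line is conditional, and an
# absent keyword means the compiled-in default.

# effective <config-file> <keyword>: print the first value sshd would use, or nothing
effective() {
    kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" '
        /^[ \t]*#/ || NF < 2      { next }              # comments and blank lines
        tolower($1) == "match"    { exit }              # global section ends here
        tolower($1) == kw         { print $2; exit }    # first match wins
    ' "$1"
}

# audit_sshd_config <config-file>: returns 0 if password logins are off, 1 otherwise
audit_sshd_config() {
    f="$1"; rc=0
    # keyword, value we want, and sshd's compiled-in default when it is absent
    for spec in "PasswordAuthentication no yes" \
                "ChallengeResponseAuthentication no yes" \
                "PubkeyAuthentication yes yes"; do
        set -- $spec
        got=$(effective "$f" "$1")
        : "${got:=$3 (default)}"
        val=$(printf '%s' "$got" | cut -d' ' -f1 | tr 'A-Z' 'a-z')
        if [ "$val" = "$2" ]; then
            echo "ok   $1 = $got"
        else
            echo "FAIL $1 = $got (want $2)"; rc=1
        fi
    done
    return $rc
}

# write_sample <file>: constructed config mirroring the thread's key lines
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not the poster's full file
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
}

# The file audit says nothing about the running daemon. On the Pi itself,
# "sudo sshd -T | grep -i passwordauthentication" dumps what the daemon loaded,
# and from a client "ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password pi@<pi-ip>"
# must fail with "Permission denied (publickey)" once the setting is in effect.
if [ $# -gt 0 ]; then audit_sshd_config "$1"; fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config` on the Pi; a FAIL line names the directive sshd would still honour.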
by jeb365 » Thu Aug 02, 2012 9:54 pm
My config is in /etc/ssh. Any suggestions on how I could test if the daemon is reading it?
Thanks for the help.
Posts: 15
Joined: Thu Mar 15, 2012 7:37 pm
by Mwyann » Thu Aug 02, 2012 11:19 pm
What I often do in this case is to add a nonsense line in the config file, then restart the daemon. If it doesn't bother, then something's wrong. And if it's your case, try looking for other places using find.
Posts: 19
Joined: Thu Aug 02, 2012 12:22 am
by timothy3592 » Thu Aug 02, 2012 11:40 pm
Have you placed the private and public keys in the right places? I've just set up ssh authentication on my pi. The following steps worked for me.

The raspberry pi is the remote machine.
You are using the local machine.

1.) run ssh-keygen on the local machine, accept defaults. You now have a ~/.ssh/username and a ~/.ssh/username.pub.
2.) add your public key to ~/.ssh/authorized_keys on the remote machine. Using the method of your choice copy ~/.ssh/username.pub on the local machine to the remote machine.
3.) on the remote machine append the username.pub file to ~/.ssh/authorized_keys. ex. cat username.pub >> ~/.ssh/authorized_keys
4.) good to go.

I used scp to transfer the public keys. scp ~/.ssh/username.pub 192.168.xxx.xxx:~/
It will ask you for a password like ssh does.
One more possible issue is that you are doing this across user accounts. I'm not familiar with that but if you are say copying jsmith's public key to /home/pi/.ssh/authorized_keys, then maybe it might not work. Then again the uid is the same, try ssh -l pi xxx.xxx.xxx.xxx and see if it works out. By default ssh attempts to authenticate you as the user you are logged in as on your machine. e.g. it asks you the password for jsmith@raspberrypi and since that user doesn't exist any password you give it will fail.
Posts: 64
Joined: Wed Jun 13, 2012 6:06 am
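An added example (not timothy3592's commands) that does steps 2 and 3 on the Pi side in one shot, idempotently, and with the permissions that "StrictModes yes" in the poster's sshd_config demands; the sample key line it writes is constructed, not a real key, and the home directory path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the thread: steps 2 and 3 above done on the Pi side
# in one shot, idempotently, with the permissions "StrictModes yes" in the
# poster's sshd_config demands. sshd ignores authorized_keys when ~/.ssh or
# the file is group/world writable, and the client then quietly falls back to
# asking for a password, which looks exactly like "password auth not disabled".

# install_authorized_key <pubkey-file> <home-dir>
# returns 0 if the key was added, 3 if it was already present, 2 if the input is not a key
install_authorized_key() {
    pub="$1"; sshdir="$2/.ssh"; auth="$sshdir/authorized_keys"
    # an OpenSSH public key line is "<type> <base64> [comment]"; keep type+blob only
    key=$(awk 'NR == 1 && NF >= 2 && $1 ~ /^(ssh-|ecdsa-)/ { print $1, $2 }' "$pub")
    if [ -z "$key" ]; then
        echo "not an OpenSSH public key: $pub" >&2
        return 2
    fi
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    if grep -qF -- "$key" "$auth"; then
        return 3          # same key material already there, no duplicate line
    fi
    head -n 1 "$pub" >> "$auth"   # keep the full line so the comment survives
    return 0
}

# count_keys <home-dir>: number of key lines in authorized_keys
count_keys() {
    grep -cE '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys"
}

# mode_of <path>: permission string as ls shows it, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# write_sample_key <file>: constructed key line, NOT a real key
write_sample_key() {
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedNotARealKey jeb@laptop' > "$1"
}

if [ $# -eq 2 ]; then install_authorized_key "$1" "$2"; fi
```

On the Pi this is `sh install_key.sh ~/username.pub /home/pi` after the scp from step 2; run it as the target user so the files stay owned by that user, which StrictModes also checks.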
by jeb365 » Thu Aug 02, 2012 11:46 pm
Mwyann wrote:What I often do in this case is to add a nonsense line in the config file, then restart the daemon. If it doesn't bother, then something's wrong. And if it's you case, try looking for other places using find.

After adding to the config file it made no change. I've narrowed it down and I've learned another trick so thanks a lot. Off to do more searching then. Any suggestions will be much appreciated.
Posts: 15
Joined: Thu Mar 15, 2012 7:37 pm
by jeb365 » Thu Aug 02, 2012 11:55 pm
Just had a poke around /init.d/ssh. Is this what I need to change:
check_config() {
    if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then
        /usr/sbin/sshd $SSHD_OPTS -t || exit 1
    fi
}


(completely guesswork btw)
Posts: 15
Joined: Thu Mar 15, 2012 7:37 pm
by Mwyann » Fri Aug 03, 2012 1:15 am
What is the content of your /etc/default/ssh file? Mine (default one) is as follows:

# Default settings for openssh-server. This file is sourced by /bin/sh from
# /etc/init.d/ssh.

# Options to pass to sshd
SSHD_OPTS=


Also, just in case, make sure you're doing your changes on the Pi, it happens to me, rarely (but sometimes) to make changes on the wrong terminal, wondering why my changes won't have effect ^^
Posts: 19
Joined: Thu Aug 02, 2012 12:22 am
by spitecho » Fri Aug 03, 2012 1:59 am
If you're not overly attached to OpenSSH (and don't need port forwarding or ssh logging), the simplest fix would be to switch to Dropbear. You can find a nice little tutorial here for swapping it in and disabling password and root logins.
Posts: 24
Joined: Tue Jul 10, 2012 12:03 am
Location: internet
by reflex » Mon Aug 06, 2012 10:38 pm
Hi there, I'm the author of PwnPi and it uses dropbear, OpenSSH has been uninstalled. If there are config files lying around then changing them won't make a difference.
Posts: 3
Joined: Sat Jun 23, 2012 2:38 am