Removing Password Authentication from SSH Services
I created a new Linux container with OpenSSH service and disabled the ability to challenge passwords, then moved keys over to eliminate passwords. I also set up a shared folder with three sub-folders, changed permissions on the keys, and restarted the SSH service. Read my blog post to learn how I did it.
Securely Eliminating Passwords with OpenSSH and Linux Containers
By Michael Levin
Monday, July 25, 2022
- Get a new LXD container that doesn’t trigger the warning.
- Don’t forget to use NAT networking mode.
- Add port 2222 to port 22 NAT map.
- Login locally to give ubuntu user a password and add openssh-server service.
- Ensure that you can login using the ssh program (re-figure-out IP?)
- Get rid of the password challenge.
- Move keys over to get rid of passwords.
- Get keys in place to git clone from github without challenge.
Eliminating Password From OpenSSH on NAS Linux Container
Create new keys? They’re auto-generated in /etc/ssh/ but just in case:
ssh-keygen -t rsa -C "email@address.com"
Do we need to turn off the ability to challenge passwords? I so:
- sudo vim /etc/ssh/sshd_config
- PasswordAuthentication no
- ChallengeResponseAuthentication no
What I’m sure I do need is a list of authorized keys. If only one then it’s the same as the actual public key being used. One public key, one line.
Much of this video went into creating the ~/data shared folder. Now all locations have the same 3 folders:
- data
- github
- py310
That’s a good setup for the videos to come!
systemd-way to restart a service:
sudo systemctl restart ssh
It wasn’t even necessary. But it was very necessary to chmod the files correctly:
sudo chmod 600 id_rsa
And so on.