Connect via ssh as root with key

Moderator: Lillian.W@AST

anthropo
Posts: 3
Joined: Wed Jun 08, 2022 2:47 am

Connect via ssh as root with key

Post by anthropo »

Hello,

Just received my AS3302T and I'm trying to connect as root on ssh with an id_rsa.pub cat in /root/ssh/authrorized_keys

I have checked /usr/etc/ssh/sshd_config and it has

PermitRootLogin yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

But it keeps on asking for the password.

What am I doing wrong, please? I did this yesterday on a Synology and it worked. I'm quite sure I'm not editing the right files.

Thank you
sksbir
Posts: 395
Joined: Tue Aug 25, 2015 9:23 pm

Re: Connect via ssh as root with key

Post by sksbir »

hello
/$HOME/.ssh/authorized_keys must exist on the NAS, must contain the line extracted from id_rsa.pub on your local computer, and rights must be set with chmod 600.
anthropo
Posts: 3
Joined: Wed Jun 08, 2022 2:47 am

Re: Connect via ssh as root with key

Post by anthropo »

Thank you

But I did:

sudo ls -al /root/.ssh
total 12
drwx------ 2 root root 4096 Jun 7 19:16 .
drwx------ 4 root root 4096 Jun 8 03:56 ..
-rw------- 1 root users 391 Jun 7 19:16 authorized_keys

sudo cat /root/.ssh/authorized_keys
ssh-rsa AA.........zKN root@xbmc
anthropo
Posts: 3
Joined: Wed Jun 08, 2022 2:47 am

Re: Connect via ssh as root with key

Post by anthropo »

Found the culprit:

sshd[24824]: User root not allowed because account is locked

I had to activate the admin account and set a password.
Is there another way?
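
An added example, not part of the original posts: a shell check for the two conditions this thread ran into, ownership and modes on the key path, and a locked account. It assumes stock OpenSSH on Linux without PAM, where a shadow field beginning with `!` is what sshd reports as "account is locked"; the function names and the sample shadow line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: stock OpenSSH on Linux
# without PAM, where a shadow field starting with "!" means "locked".

# shadow_state LINE -> locked | empty-password | no-password-hash | password-set
shadow_state() {
    [ -n "$1" ] || { echo unknown; return 0; }
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '!'*) echo locked ;;
        '')   echo empty-password ;;
        '*'*) echo no-password-hash ;;
        *)    echo password-set ;;
    esac
}

# ls_line_ok LINE USER -> 0 when the `ls -l` entry is owned by USER or root
# and is not writable by group or others (the StrictModes rule that sshd
# applies to the home directory, ~/.ssh and authorized_keys).
ls_line_ok() {
    perms=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    [ "$owner" = "$2" ] || [ "$owner" = root ] || return 1
    case "$perms" in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# audit_user USER HOME: run both checks on the live system (run as root so
# /etc/shadow is readable).
audit_user() {
    for p in "$2" "$2/.ssh" "$2/.ssh/authorized_keys"; do
        if ls_line_ok "$(ls -ld "$p" 2>/dev/null)" "$1"; then
            echo "ok   $p"
        else
            echo "FAIL $p (missing, wrong owner, or group/other writable)"
        fi
    done
    echo "account: $(shadow_state "$(grep "^$1:" /etc/shadow 2>/dev/null)")"
}

# Constructed sample shadow line, for illustration only:
shadow_state 'root:!$6$CONSTRUCTEDHASH:19150:0:99999:7:::'
```

On the NAS itself the live check would be `audit_user root /root`.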
sksbir
Posts: 395
Joined: Tue Aug 25, 2015 9:23 pm

Re: Connect via ssh as root with key

Post by sksbir »

You can disable the admin account, it will still work.
(So it is set on my NAS: admin is working when not disabled, but is disabled.)
father.mande
Posts: 1810
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: Connect via ssh as root with key

Post by father.mande »

Hi,

If you don't want to change default configuration, use Entware and install openssh server (and client), with another port (or same if you disable terminal) eventually with a private passwd file, so to hide other users.

The only difference is :
ssh config and keys are in /opt/etc
passwd file used is also in /opt/etc

start_up script exists and can start automatically at Entware APKG enable, even not very secure (but if you use only keys ... why not) you can forward port using EZ-Connect or directly with upnpc-shared tools (provided by Asustor).
The advantage is to manage 100% of the ssh (sftp) as you want, without restrictions ... but you are also responsible for the security ... :D

Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
marp
Posts: 17
Joined: Tue Jan 31, 2017 4:48 pm

Re: Connect via ssh as root with key

Post by marp »

Connecting via ssh as root is bad security. The recommended way is to ssh as a normal user and then do a su or sudo.
domini1000
Posts: 1
Joined: Fri Dec 02, 2022 10:23 pm

Re: Connect via ssh as root with key

Post by domini1000 »

father.mande wrote:
start_up script exists and can start automatically at Entware APKG enable, even not very secure (but if you use only keys ... why not) you can forward port using EZ-Connect or directly with upnpc-shared tools (provided by Asustor).
Hi Philippe,

I installed Entware and openssh server and client as you recommend. After some hours I successfully connected with an RSA key and without a password question. *yay* :D
How can I activate the autostart script? It's in /opt/etc/init.d/S40sshd, but after a reboot sshd is not running. When I start rc.unslung or sshd manually with "./S40sshd start" it works fine.

I tried to use another non-admin user for connecting with the keys on the Asustor NAS. But it only works with admin. Do you have any hint? Admin is still active.
What must I do to use opensshd on port 2222 (that works) with RSA key auth for another user than admin (doesn't work) and deactivate the original ssh on port 22 and deactivate the admin account (both not tried yet)?

greetings
Dominik
father.mande
Posts: 1810
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: Connect via ssh as root with key

Post by father.mande »

Hi,

Hum! For the moment, for some personal reason, I used dropbear in Entware as sshd server ...
Second point, I don't use port 2222 because it is used by sftp with sshd from Asustor.

With dropbear ... even dropbear.conf must be modified manually (openwrt doc. https://openwrt.org/docs/guide-user/bas ... m/dropbear ) you can use root, any administrators ... as Asustor but also standard user.

I have to verify and test using openssh-server, but be sure to use a separate port (or disable ssh and sftp in webadmin).
Another alternative is to replace the passwd, group, shadow files in /opt/etc by your private ones, so you can have users defined in Entware different from users defined in ADM ... but it's complex.

The short action to test your script is to change rc.unslung in the S* | *.sh case ... adding output: . $i $ACTION $CALLER >> /tmp/opt.log ... to understand why sshd doesn't start.

I will build a test with openssh-server, please wait if you don't get more information from other users.

Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
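
An added example, not part of the original post and not Entware's own rc.unslung: a stand-alone helper that runs each init script and records its output and exit status, the same trace the post asks for. It assumes the layout the posts describe (executable scripts named S* in /opt/etc/init.d, log in /tmp/opt.log); `trace_init` is a hypothetical name.

```shell
#!/bin/sh
# Added example: trace Entware-style init scripts without editing rc.unslung.

# trace_init DIR ACTION LOG
#   Runs every S* script in DIR in sorted (glob) order and appends, per
#   script, a header, its stdout/stderr and its exit status to LOG.
trace_init() {
    dir=$1 action=$2 log=$3
    for s in "$dir"/S*; do
        [ -e "$s" ] || continue                  # no S* scripts at all
        name=$(basename "$s")
        if [ ! -x "$s" ]; then
            # rc-style loops only pick up executable files; a missing x bit
            # is a silent reason for a service not starting at boot.
            echo "$name: not executable, skipped" >> "$log"
            continue
        fi
        echo "== $name $action" >> "$log"
        rc=0
        # Subshell: an 'exit' or a changed environment in one script cannot
        # affect the scripts that follow.
        ( "$s" "$action" ) >> "$log" 2>&1 || rc=$?
        echo "== $name exit=$rc" >> "$log"
    done
}

# Usage on the NAS (paths as given in the thread):
#   trace_init /opt/etc/init.d start /tmp/opt.log
```

Run by hand, this shows script errors and missing execute bits; it does not reproduce the environment the scripts see at boot, which is why the post suggests logging from rc.unslung itself.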
father.mande
Posts: 1810
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: Connect via ssh as root with key

Post by father.mande »

Hi,

OK, I have built a test platform on my AS1002T (but Entware is at the same level)
... install open-ssh server
... generate the key (using /opt/bin/key-gen and put it in the /opt/etc/ssh folder; take care to generate the key with the key-gen corresponding to the install, so the one in /opt/bin)
... modify sshd_config
... ... change port 14222 (for ex.)
... ... validate key path ...
... add system sshd user and group to avoid user separation error
... start it
... ... test with root, administrators user and standard user OK for all

Reboot
wait some time after web admin returns ... APKGs are started one by one ... so it can be long if you have a lot of APKGs
... ... test again with root, administrators user and standard user OK for all

So, I can't reproduce the problem ... a trace is needed to get more information ... please change rc.unslung as proposed here before

Philippe.
N.B. I don't remove my test platform for the moment.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T