Problem with SSH connection to TrueNAS server using password authentication - permission denied publickey

Joined
Mar 24, 2024
Messages
4
Hello,
I have a problem with enabling password authentication mode for OpenSSH server service in TrueNAS SCALE version 23.10.2 based on Linux.
Of course I can use public-private keypairs for connecting to OpenSSH server service from client computer. But I was wondering if I could also log into OpenSSH server in TrueNAS SCALE when using it in LAN just by providing username and their password which was set on this TrueNAS server.
That is to log into the TrueNAS server this way:
ssh kevin@68.18.54.42
kevin@68.18.54.42's password:

and then provide a password for Kevin user (a user who was created previously on the TrueNAS server).
Currently, I have this error instead and it doesn't allow me to type the password:
kevin@68.18.54.42: Permission denied (publickey)

I searched the whole file system for important sshd_config file for configuring SSH
sudo find / -iname "*sshd_config*"

I only found 2 such files in the TrueNAS server
  1. in /etc/ssh/
  2. in /usr/share/openssh/
When I make changes to /usr/share/openssh/sshd_config they don't seem to affect my problem with the SSH connection.
When I make changes to /etc/ssh/sshd_config like PasswordAuthentication yes instead of PasswordAuthentication no and restart the OpenSSH service manually in CLI like this:
sudo service ssh restart

Then it surprisingly works and my problem with connecting to TrueNAS server via SSH is solved.
However, every time I restart the TrueNAS server or every time I reset the OpenSSH server service in the WebGUI panel in a web browser the sshd_config content resets back to its original settings with PasswordAuthentication no instead of PasswordAuthentication yes.

So now I need to make this change to /etc/ssh/sshd_config every time the OpenSSH service restarts (not in CLI) which is quite time-consuming.

A bit weird thing is that in the WebGUI panel of TrueNAS inside OpenSSH service settings the checkbox with text "Allow Password Authentication" is checked as yes initially. Therefore initially, the /etc/ssh/sshd_config file should contain the phrase PasswordAuthentication yes instead of PasswordAuthentication no.
Checking and unchecking this checkbox has no impact on the /etc/ssh/sshd_config file and also no impact on my problem with connecting to TrueNAS via SSH. It looks like a small bug of TrueNAS version 23.10.2, to me.
I tried writing auxiliary parameter in TrueNAS WebGUI settings for OpenSSH server service
PasswordAuthentication yes
But afterward this auxiliary parameter that I typed in the WebGUI just became appended to the content of /etc/ssh/sshd_config like below
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes

So there are 2 contradictory parameters PasswordAuthentication and my problem is still the same when trying to log in
kevin@68.18.54.42: Permission denied (publickey).

I guess that the first occurrence of a parameter in sshd_config takes priority.
My question is how to make this password authentication option permanent without the need to change /etc/ssh/sshd_config file every time the OpenSSH service restarts.
Is there some kind of default template stored for TrueNAS OpenSSH service configuration from which sshd_config is loaded?
Below is the original content /etc/ssh/sshd_config in my TrueNAS server which resets every time the OpenSSH service restarts regardless of manual changes in CLI or checkbox changes in WebGUI.

Code:
Subsystem sftp internal-sftp -l ERROR -f AUTH
Protocol 2
UseDNS no
ChallengeResponseAuthentication no
ClientAliveCountMax 3
ClientAliveInterval 15
VersionAddendum none
Ciphers +aes128-cbc
Port 22
PermitRootLogin without-password
AllowTcpForwarding no
Compression no
PasswordAuthentication no
PubkeyAuthentication yes

SetEnv LC_ALL=C.UTF-8


I attached some screenshots showing this problem.
 

Attachments: WebGUI_Shell_sshd_config.png, WebGUI_SSH_service_settings.png
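The precedence guess in the post above can be checked offline. As an added example (not part of the original post and not TrueNAS code), this script reports the value sshd keeps for a keyword in the global section of an sshd_config, where the first value obtained is used, and lists later duplicates that are ignored; the function names and the abridged sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: which value wins when an sshd_config keyword is repeated?
# sshd uses the first value it obtains for a keyword (keywords are
# case-insensitive). Only the global section is read: parsing stops at the
# first Match block. Assumes whitespace-separated "Keyword value" lines.

# effective_value FILE KEYWORD: print the first value set for KEYWORD.
effective_value() {
    awk -v kw="$2" '
        NF == 0 || $1 ~ /^#/       { next }   # blank lines and comments
        tolower($1) == "match"     { exit }   # conditional blocks start here
        tolower($1) == tolower(kw) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# shadowed_lines FILE: print "LINE: text" for repeated keywords that sshd
# ignores. Keywords that may legitimately repeat are skipped.
shadowed_lines() {
    awk '
        BEGIN {
            n = split("port listenaddress hostkey acceptenv setenv subsystem allowusers denyusers allowgroups denygroups include", m, " ")
            for (i = 1; i <= n; i++) multi[m[i]] = 1
        }
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        { k = tolower($1) }
        !(k in multi) && seen[k]++ { print NR ": " $0 }
    ' "$1"
}

# Constructed sample: abridged from the listing in the post, with the
# auxiliary parameter appended after the generated lines.
write_sample() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
SetEnv LC_ALL=C.UTF-8
EOF
}

cfg=$(mktemp) && write_sample "$cfg"
echo "effective PasswordAuthentication: $(effective_value "$cfg" PasswordAuthentication)"
echo "ignored duplicates:"; shadowed_lines "$cfg"
rm -f "$cfg"
```

On a running host, `sshd -T` prints the configuration sshd actually resolved, including Match handling that this script does not attempt.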

danb35

I searched the whole file system for important sshd_config file for configuring SSH
Don't. TrueNAS is intended to be configured through the GUI.
But I was wondering if I could also log into OpenSSH server in TrueNAS SCALE when using it in LAN just by providing username and their password which was set on this TrueNAS server.
You can, but why would you want to? Public-key auth is both faster and more secure. But there's no reason to be manually entering aux parameters for the SSH setup in order to allow this; just configure the service like this:
1711281957893.png
 

tprelog

You may also need to enable SSH password login for "kevin" under user credentials.

1711283268941.png
 

probain

Just a heads up..
It's never a good idea to expose SSH on a public internet facing IP-address. Put it behind a VPN. But if you absolutely, absolutely need to expose it, then do not use password authentication. Use keys instead.
 
Joined
Mar 24, 2024
Messages
4
Hello,

Thank you all for the responses.
Ok, my problem with this connection via SSH using passwords is now solved.
I needed to enable SSH password login in the settings of kevin user, as tprelog suggested.

Of course, I will avoid exposing SSH in a global, public network, just a small experiment in the LAN network.
 

danb35

It's never a good idea to expose SSH on a public internet facing IP-address.
Eh, SSH is one of the safest services to expose that way. I agree, don't if you don't have to, but it's pretty well hardened.
 