SSH Login failures in the last 24 hours. Prohibit root password

Original poster (joined Dec 18, 2022, 13 messages)
Hello,

I am wondering if I can somehow "disable password" for root, but not for others.
I mean set it so that it replies to clients with "root@server: Permission denied (publickey)".

Technically the password for root is disabled. I use a public key for this account, but if I log in it will ask for a password.
It will not be accepted even if I type a correct one.

In the company where I am at the moment, our internal network is scanned and tested for weak root passwords.
So I keep seeing this message in TrueNAS Scale 22.12.0.
[attached screenshot: 2022-12-20_17-04-37.png]


My configuration
[attached screenshot: 2022-12-20_17-05-13.png]
[attached screenshot: 2022-12-20_17-06-18.png]


If it were a manual configuration I would set it to "PermitRootLogin prohibit-password" instead of "PermitRootLogin without-password".
So is there a proper way to configure it?
 

Samuel Tai (Moderator, joined Apr 24, 2020, 5,399 messages)
Never underestimate your own stupidity
The only way I can see doing this is to create a post-init init/shutdown task that appends "PermitRootLogin prohibit-password" to /etc/ssh/sshd_config.
 
Original poster (joined Dec 18, 2022, 13 messages)
> The only way I can see doing this is to create a post-init init/shutdown task that appends "PermitRootLogin prohibit-password" to /etc/ssh/sshd_config.
I guess using sed:

sed -i 's/^PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
 

Daisuke (Contributor, joined Jun 23, 2011, 1,041 messages)
> I use public key for this account, but if I login it will ask for a password.
That's standard Linux behaviour; your sed will not do anything. Change the SSH port from 22 to a different port, say 22222, so the scanners will find a closed port. In the UI, of course. Any changes to the OS will be reverted back to the UI-defined settings after a reboot. It's a way for Scale to make sure you don't break things by accident. List of all used ports, pick one private port. :smile:
  • The Well Known Ports (0-1023) - which are reserved for the operating system and core services.
  • The Registered Ports (1024-49151) - which can be used by applications, specific services, and users.
  • The Dynamic and/or Private Ports (49152-65535)
[attached screenshot: 1671594949847.png]
Original poster (joined Dec 18, 2022, 13 messages)
> That's standard Linux behaviour, your sed will not do anything. Change the ssh port from 22 to a different port say 22222, so the scanners will find a closed port. Into UI, of course. Any changes to OS will be reverted back to UI defined settings, after a reboot. Is a way for Scale to make sure you don't break things by accident. List of all used ports, pick one that is free. :smile:
>   • The Well Known Ports (0-1023) - which are reserved for the operating system and core services.
>   • The Registered Ports (1024-49151) - which can be used by applications, specific services, and users.
>   • The Dynamic and/or Private Ports (49152-65535)
Thank you. I am aware of how to change the port =) This is what I usually do for my own machines, but we have a restricted network. So all SSH is required to be on port 22. Non-standard ports are blocked.
 

Daisuke (Contributor, joined Jun 23, 2011, 1,041 messages)
> So all ssh required to be on port 22.
I see, then there is nothing you can do to prohibit the port scan messages you see in the UI. You were talking about performing a sed on /etc/ssh/sshd_config, which will not do anything about your port scanner messages and will also revert back to the previous value after a reboot. See the public release notes for PermitRootLogin: without-password and prohibit-password are the same thing.
  * The default for the sshd_config(5) PermitRootLogin option has
    changed from "yes" to "prohibit-password".

  * PermitRootLogin=without-password/prohibit-password now bans all
    interactive authentication methods, allowing only public-key,
    hostbased and GSSAPI authentication (previously it permitted
    keyboard-interactive and password-less authentication if those
    were enabled).
 
Original poster (joined Dec 18, 2022, 13 messages)
> I see, then there is nothing you can do to prohibit the port scan messages you see in UI. You were talking about performing a sed into /etc/ssh/sshd_config, which will not do anything to your port scanner messages and also revert back to previous value after reboot. See public release changes for PermitRootLogin, without-password and prohibit-password is the same thing.
You are right, it will not do anything. Thank you for the info! I will keep seeing these messages. At least I know I passed the check :grin:
 

artlessknave (Wizard, joined Oct 29, 2016, 1,506 messages)
In your SSH service config you can control users.
Editing config files on TrueNAS is usually a recipe for the settings to go away on an upgrade.

Auxiliary Parameters

MaxAuthTries 6
MaxSessions 10
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no

Match user root
PasswordAuthentication no
PubkeyAuthentication no
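Two sshd_config rules decide whether the sed one-liner earlier in the thread, or the "append to the end of the file" approach, actually takes effect: sshd uses the first uncommented occurrence of a keyword (a stock file usually ships the directive commented out as "#PermitRootLogin prohibit-password", which 's/^PermitRootLogin.*/.../' never matches), and every line after the first "Match" line belongs to a Match block, so a directive appended to the end of a file that already has Match blocks like the one above is conditional rather than global. The script below is an added example, not code from any poster in this thread or from TrueNAS; it assumes a POSIX sh with awk and mktemp, and the sample config it writes is constructed for the demo. It sets a directive idempotently (replace the first active line, otherwise insert before the first Match block) and reads back the global value the way sshd resolves it.

```shell
#!/bin/sh
# Added example (not from the thread or TrueNAS). Assumes POSIX sh, awk, mktemp.
# sshd_config rules implemented here:
#   1. keywords are case-insensitive; the first uncommented occurrence wins.
#   2. everything after the first "Match" line is conditional, so a global
#      directive must sit before it.

# Write a constructed sample config that mimics a stock file with the
# directive commented out and a Match block at the end.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (not a real host's file)
#PermitRootLogin prohibit-password
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

# Print the global (pre-Match) value of KEY as sshd resolves it, or "unset".
# usage: effective_sshd_option FILE KEY
effective_sshd_option() {
    awk -v key="$2" '
        BEGIN { lk = tolower(key); found = 0; inmatch = 0 }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next           # blank or comment line
            split(line, f, /[ \t=]+/)                      # "Key value" or "Key=value"
            k = tolower(f[1])
            if (k == "match") inmatch = 1                  # rest of file is conditional
            if (inmatch) next
            if (k == lk) { print f[2]; found = 1; exit }  # first occurrence wins
        }
        END { if (!found) print "unset" }' "$1"
}

# Set KEY to VALUE globally in FILE: replace the first active line, else insert
# before the first Match block, else append at end of file.
# usage: set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0 }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (!done && line != "" && line !~ /^#/) {
                split(line, f, /[ \t=]+/)
                k = tolower(f[1])
                if (k == "match") { print key " " value; done = 1 }        # insert before Match
                else if (k == lk) { print key " " value; done = 1; next }  # replace in place
            }
            print
        }
        END { if (!done) print key " " value }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on the constructed file: the commented directive counts as unset,
# the new line lands before the Match block, and a second set does not duplicate it.
demo() {
    f=$(mktemp) || return 1
    write_sample_config "$f"
    printf 'before: PermitRootLogin=%s\n' "$(effective_sshd_option "$f" PermitRootLogin)"
    set_sshd_option "$f" PermitRootLogin prohibit-password
    set_sshd_option "$f" PasswordAuthentication no
    printf 'after:  PermitRootLogin=%s\n' "$(effective_sshd_option "$f" PermitRootLogin)"
    cat "$f"
    rm -f "$f"
}
demo
```

On TrueNAS the same caveat the thread makes still applies: a file edited this way is regenerated from the UI settings, so the durable place for the directive is the SSH service's Auxiliary Parameters; the script is useful for verifying what ended up in the generated file, for example from a post-init task, rather than as a replacement for the UI.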