[LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

Philip Prindeville philipp at redfish-solutions.com
Thu Feb 8 16:28:47 PST 2018


From: Philip Prindeville <philipp at redfish-solutions.com>

Allowing password logins leaves you vulnerable to dictionary
attacks.  We disable password-based authentication, limiting
authentication to keys only, which are more secure.

Note: You'll need to pre-populate your image with some initial
keys. To do this:

1. Create the appropriate directory as "mkdir -p files/root/.ssh"
   from your top-level directory;
2. Copy your "~/.ssh/id_rsa.pub" (or as appropriate) into
   "files/root/.ssh/authorized_keys" and indeed, you can collect
   keys from several sources this way by concatenating them;
3. Set the permissions on "authorized_keys" to 644 or 640.

Signed-off-by: Philip Prindeville <philipp at redfish-solutions.com>
---
 net/openssh/Makefile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/openssh/Makefile b/net/openssh/Makefile
index 3a19387b0d0110fc5c25d7ffccb524a61c0588c4..7ca61f6ce6d5916016a554b4a283a874e950232c 100644
--- a/net/openssh/Makefile
+++ b/net/openssh/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssh
 PKG_VERSION:=7.6p1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
@@ -248,7 +248,10 @@ define Package/openssh-server/install
 	$(INSTALL_DIR) $(1)/etc/ssh
 	chmod 0700 $(1)/etc/ssh
 	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/etc/ssh/sshd_config $(1)/etc/ssh/
-	sed -r -i 's,^#(HostKey /etc/ssh/ssh_host_(rsa|ecdsa|ed25519)_key)$$$$,\1,' $(1)/etc/ssh/sshd_config
+	sed -r -i \
+	    -e 's,^#(HostKey /etc/ssh/ssh_host_(rsa|ecdsa|ed25519)_key)$$$$,\1,' \
+	    -e 's,^#PasswordAuthentication yes$$$$,PasswordAuthentication no,' \
+		$(1)/etc/ssh/sshd_config
 	$(INSTALL_DIR) $(1)/etc/init.d
 	$(INSTALL_BIN) ./files/sshd.init $(1)/etc/init.d/sshd
 	$(INSTALL_DIR) $(1)/usr/sbin
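Review bot: The added expression `-e 's,^#PasswordAuthentication yes$$$$,PasswordAuthentication no,'` matches only the exact commented-out default line, so if the installed sshd_config ever carries that line in another form (uncommented, different spacing, different default), sed still exits successfully without substituting and the package ships with password logins enabled. Follow the sed with a check that fails the build when no line reading `PasswordAuthentication no` is present in $(1)/etc/ssh/sshd_config, for example a grep -q on that file. The commit message's requirement to pre-populate files/root/.ssh/authorized_keys is also a behaviour change that can lock out anyone who upgrades without keys, so it deserves a note in the package description or a comment next to this rule, not only in the commit log. Minor style point: the two -e continuation lines are indented with a tab plus four spaces while the file argument line uses two tabs; pick one.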
-- 
2.7.4



