How to enable ssh passowrd authentication?

ackema · December 9, 2022, 7:08am

Hello, I am using 1.4 rolling version.
I found ssh login by password is disabled always.

This is my ssh configure:

vyos@vyos# show service ssh 
 port 22
[edit]
vyos@vyos#

But I found ssh running config:

vyos@vyos# cat /var/run/sshd/sshd_config | grep PasswordAuthentication
PasswordAuthentication no
[edit]
vyos@vyos#

I have tried following steps but still not work!

vyos@vyos# cat /var/run/sshd/sshd_config | grep PasswordAuthentication
PasswordAuthentication no
[edit]
vyos@vyos# 
[edit]
vyos@vyos# set service ssh disable-password-authentication
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# cat /var/run/sshd/sshd_config | grep PasswordAuthentication
PasswordAuthentication no
[edit]
vyos@vyos# 
[edit]
vyos@vyos# delete service ssh disable-password-authentication
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# cat /var/run/sshd/sshd_config | grep PasswordAuthentication
PasswordAuthentication no
[edit]
vyos@vyos#

Dmitry · December 9, 2022, 7:49am

Hi @ackema , I can not confirm that ssh password login does not work on the latest 1.4 rolling even with this param PasswordAuthentication no in /run/sshd/sshd_config.

When I set set service ssh disable-password-authentication my laptop CLI return

MacBook-Pro-Dmitriy:~ dmitriy$ ssh vyos@192.0.2.1
vyos@192.0.2.1: Permission denied (publickey).

After delete this from my lab VyOS router

vyos@vyos# delete service ssh disable-password-authentication 
[edit]
vyos@vyos# commit

I can log in from my laptop to this router

MacBook-Pro-Dmitriy:~ dmitriy$ ssh vyos@192.0.2.1
Password: 
Welcome to VyOS!

Check out project news at https://blog.vyos.io
and feel free to report bugs at https://phabricator.vyos.net

You can change this banner using "set system login banner post-login" command.

VyOS is a free software distribution that includes multiple components,
you can check individual component licenses under /usr/share/doc/*/copyright
Last login: Fri Dec  9 07:39:00 2022 from x.x.x.x
vyos@vyos:~$

ackema · December 9, 2022, 7:55am

Thanks！

when you exec “delete service ssh disable-password-authentication” and “commit”, what’s the value of param PasswordAuthentication in /run/sshd/sshd_config?

Dmitry · December 9, 2022, 7:56am

The values is still no

vyos@vyos# cat /run/sshd/sshd_config | grep PasswordAuthentication
PasswordAuthentication no
[edit]

Could you please describe which behaviors do you wait?

ackema · December 9, 2022, 8:13am

Thanks.

I want to login vyos via ssh with password instead of public-key.

If PasswordAuthentication is no, why can you login with password?

refers: sshd_config(5)

PasswordAuthentication
	     Specifies whether password	authentication is allowed.  See	also
	     UsePAM.  The default is no.

Following is my sshd_config

vyos@vyos# cat /var/run/sshd/sshd_config 
### Autogenerated by ssh.py ###

# https://linux.die.net/man/5/sshd_config

#
# Non-configurable defaults
#
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LoginGraceTime 120
StrictModes yes
PubkeyAuthentication yes
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
Banner /etc/issue.net
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
PermitRootLogin no
PidFile /run/sshd/sshd.pid
AddressFamily any
DebianBanner no
PasswordAuthentication no

#
# User configurable section
#

# Look up remote host name and check that the resolved host name for the remote IP
# address maps back to the very same IP address.
UseDNS yes

# Specifies the port number that sshd(8) listens on
Port 22

# Gives the verbosity level that is used when logging messages from sshd
LogLevel INFO

# Specifies whether password authentication is allowed
ChallengeResponseAuthentication yes








[edit]
vyos@vyos#

and openssh-server version info:

root@vyos:/home/vyos# apt info openssh-server
Package: openssh-server
Version: 1:8.4p1-5+deb11u1
Status: install ok installed
Priority: optional

Is there any thing wroing?

Dmitry · December 9, 2022, 8:29am

disable-password-authentication param add ChallengeResponseAuthentication to config

github.com

vyos/vyos-1x/blob/current/data/templates/ssh/sshd_config.j2#L50-L51


      
          # Specifies whether password authentication is allowed
          PasswordAuthentication {{ "no" if disable_password_authentication is vyos_defined else "yes" }}

From man

ChallengeResponseAuthentication
Specifies whether challenge-response authentication is allowed (e.g. via PAM or though authentication styles supported in login.conf(5)) The default is ''yes''.

It does not work for you when key auth configured for user?

ackema · December 9, 2022, 8:55am

Sorry, I found the reason.

If I use windows cmd: ssh vyos@192.168.x.y, it works like this:

However if I use Xshell 7, it pop-up a prompt box like this:

It seems password authentication is disabled, but Keyboard Interactive authentication is allowed.

Thanks again!

By the way, if I disable passord authentication, keyboard-interactive authentication is disabled

vyos@vyos# set service ssh disable-password-authentication 
[edit]
vyos@vyos# commit
[edit]
vyos@vyos#

system · December 11, 2022, 8:55am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.