Help with securing ssh

hi @vgaetera,

trying to follow your document

i followed this step Create a non-privileged user in OpenWrt
and here is the result

root@OpenWrt:~# cat /etc/passwd

i rebooted the router
as always, i am able to login as root using ssh key
when i try to ssh using asdffdsa6131, i get

16:07:57.537 Current date: 2021-01-07
16:07:57.537 Started a new SSH session.
16:07:57.553 Connecting to SSH server
16:07:57.568 Connection established.
16:07:57.568 Server version: SSH-2.0-dropbear
16:07:57.568 First key exchange started. Cryptographic provider: Windows CNG (x86) with additions
16:07:57.901 Received host key from the server. Algorithm: RSA, size: 2048 bits, SHA-256 fingerprint: DB+b3wWI0SvsBdVWoE9in7MeHDHvE4Lgzft7RSK4sgQ.
16:07:57.916 First key exchange completed using diffie-hellman-group14-sha256 (group 14, 2048-bit). Session encryption: aes256-ctr, integrity: hmac-sha2-256, compression: none.
16:07:57.916 Attempting publickey authentication. Testing client key 'Profile 1' for acceptance.
16:07:57.938 Authentication failed. The key has been rejected. Remaining authentication methods: 'publickey'.
16:07:57.938 Authentication aborted. Reason: No authentication methods available.
16:07:57.938 The SSH session has been terminated.

so root can login but not asdffsa6131

Have you copied the public key of the user to the authorized keys file on the router?

1 Like
# OpenWrt
uci set dropbear.@dropbear[0].PasswordAuth="1"
uci commit dropbear
/etc/init.d/dropbear restart

# PC
ssh -p 34431 asdffdsa6131@ \
    "mkdir -p ~/.ssh; tee -a ~/.ssh/authorized_keys" < ~/.ssh/

If the issue persists, fix ownership and permissions:

# OpenWrt
chown -R $(id -u asdffdsa6131):$(id -g asdffdsa6131) ~asdffdsa6131
chmod -R go= ~asdffdsa6131

hi again,

my pc is windows, using bitvise gui client.
not sure how to run that command via the pc?

could i do this?

  1. create a new ssh key
  2. log in using ssh as root.
  3. then using the ssh command prompt mkdir -p /home/asdffdsa6131/.ssh
  4. using sftp client, manually copy that ssh key into /home/asdffdsa6131/.ssh and name it authorized_keys
1 Like

Save the public key to ~asdffdsa6131/.ssh/authorized_keys and fix permissions/ownership as mentioned above.

but ~/ is the home dir of the root user?

root@OpenWrt:~# ls ~/.ssh
ls: /root/.ssh: No such file or directory
echo ~asdffdsa6131

not what what you want, to run that command

root@OpenWrt:~# echo ~asdffdsa6131

That's weird, check this:

ubus call system board; echo ~root; grep -e asdffdsa6131 /etc/passwd
root@OpenWrt:~# ubus call system board; echo ~root; grep -e asdffdsa6131 /etc/passwd
        "kernel": "4.14.195",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Linksys WRT3200ACM",
        "board_name": "linksys,rango",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.4",
                "revision": "r11208-ce6496d796",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 19.07.4 r11208-ce6496d796"

i think this is not correct
maybe should be

1 Like

That's why I typically install the packages shadow-useradd, shadow-userdel, shadow-usermod, etc. to avoid this kind of typo. :sweat_smile:

i followed your
opkg install shadow-useradd

so what should i do now, install the other packages?
shadow-userdel, shadow-usermod

That's not actually my guide, I just made some edits there.

Anyway, in general it is recommended to use shadow utils to manage the passwd/group files.

ok, i just installed the other two shadow-userdel, shadow-usermod

is this correct?

1 Like

Yep, looks fine now.

root@OpenWrt:~# chown -R $(id -u asdffsa6131):$(id -g asdffsa6131) ~asdffsa6131
id: unknown user asdffsa6131
id: unknown user asdffsa6131
chown: unknown group
userdel asdffsa6131
userdel asdffdsa6131
sed -i -e "/^asdffsa6131/d" /etc/passwd /etc/group /etc/shadow
sed -i -e "/^asdffdsa6131/d" /etc/passwd /etc/group /etc/shadow
opkg update
opkg install shadow-useradd shadow-userdel shadow-usermod \
    shadow-groupadd shadow-groupdel shadow-groupmod sudo
groupadd -r -g 10 wheel
groupadd asdffdsa6131
useradd -m -g asdffdsa6131 -G wheel -s /bin/ash asdffdsa6131
touch /etc/environment
cat << EOF > /etc/sudoers.d/00-custom
%wheel ALL=(ALL) ALL

is this the correct output for that tee

root@OpenWrt:~# tee /etc/sudoers.d/00-custom << EOF
> %wheel ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
root@OpenWrt:~# cat /etc/sudoers.d/00-custom
%wheel ALL=(ALL) ALL

now this works without error
chown -R $(id -u asdffdsa6131):$(id -g asdffdsa6131) ~asdffdsa6131

1 Like

It appears there was a letter missing in the user name.
I've updated the code, so you can copy-paste it again.

yeah, i noticed that, oh boy...

so i can just paste that entire text into the ssh command prompt?
no need to copy and paste each line, one at a time?

1 Like