How to disable login root via ssh?

Status
Not open for further replies.

poldas

Contributor
Joined
Sep 18, 2012
Messages
104
I changed /etc/ssh/sshd_config:

from

Code:
PermitRootLogin yes


to

Code:
PermitRootLogin no


but when I reboot FreeNAS, sshd_config again contains the line

Code:
PermitRootLogin yes


How can I change sshd_config permanently?
 

warri

Guru
Joined
Jun 6, 2011
Messages
1,193
By default, root logins with password are disabled anyway (see http://doc.freenas.org/index.php/SSH).

If you want to edit the sshd_config anyway:

First, from a root shell mount the filesystem with write enabled:
Code:
mount -uw /

Then, adjust '/conf/base/etc/ssh/sshd_config' based on your needs.
Finally, reboot.

Those changes won't persist over system updates, though.
 

poldas

Contributor
Joined
Sep 18, 2012
Messages
104
One maybe important detail: I've installed the FreeNAS firmware on a USB pendrive.

Installing FreeNAS to USB stick

I changed /conf/base/etc/ssh/sshd_config and rebooted, but login for root is still possible.

In /conf/base/etc/ssh/sshd_config is the line

Code:
PermitRootLogin no
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Just uncheck the box for root login via SSH under the SSH settings page... problem solved. It is disabled by default, so if it's enabled it's your own fault :P
 

poldas

Contributor
Joined
Sep 18, 2012
Messages
104
You are right :) I had to check Login as Root with password in the web console. Problem solved. Thank you
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
:D

Glad you got it sorted out. While manually setting the file should have worked if you mounted the USB stick as writable, it's preferred to use the GUI if it has the feature already. There really shouldn't be much of anything that you have to do that shouldn't require the GUI.
 

qbasevisitor

Cadet
Joined
May 5, 2013
Messages
3
Hello,

but there's one thing really confusing me.
When I disable the option "Login as Root with password" in the GUI, in sshd_config there is "permitrootlogin=without-password" ...
Doesn't that mean that it is still possible with a public key?
I don't trust the "without-password" option.
Is that right, that you still have a chance to get in with "without-password"?
I want "permitrootlogin=no" and not "permitrootlogin=without-password" :(
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
Why not try it and report back?
 

qbasevisitor

Cadet
Joined
May 5, 2013
Messages
3
I don't know how to try it...
But it says "It's deactivated by default"..
For me, deactivated means the option "no" and not "without-password"..
I have been messing around with the config files, but I am just getting more and more confused..
As I read, /etc/ssh/sshd_config is stored on a RAM disk. It says that changes have to be made in /conf/base/etc/ ..
So I ran the mount -uw / command, changed /conf/base/etc/ssh/sshd_config from permitrootlogin = yes to permitrootlogin=no...
Then I rebooted. But it seems it has no effect.

The thing is, is it really worth it to find out how it works in the config file or to be satisfied with the "without-password" option..
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I don't know how to try it...

I tried it. It does let you log in without a password if you are using a key-pair. I guess that makes sense since the SSH option says "Login as Root with password" and not "disable root login". If you have no key-pair set up by you, then there is no logging in as root, at all.
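
Added example, not part of any post in this thread: a small sh audit of the point discussed above, that `without-password` still leaves key-based root login open while `no` closes it. The function names and output labels are made up for illustration, both file paths are passed in by the caller, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: classify how root can still log in over SSH, given a
# sshd_config path and root's authorized_keys path (both passed as arguments).

# Print the first global PermitRootLogin value, lowercased ("unset" if absent).
# sshd keeps the first value it reads for a keyword; keywords are
# case-insensitive and may be split from the value by whitespace or '='.
permit_root_login() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }              # trim leading whitespace
        /^#/ || /^$/ { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }     # Match blocks are not evaluated
        tolower($1) == "permitrootlogin" { v = tolower($2); exit }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Count key entries (non-blank, non-comment lines); a missing file counts as 0.
count_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cEv '^[[:space:]]*(#|$)' "$1" || true
}

# Usage: root_login_exposure SSHD_CONFIG AUTHORIZED_KEYS
root_login_exposure() {
    mode=$(permit_root_login "$1")
    keys=$(count_keys "$2")
    case "$mode" in
        no)  echo "disabled" ;;
        yes) echo "password-or-key" ;;
        without-password|prohibit-password) echo "key-only:$keys" ;;
        forced-commands-only) echo "key-only-forced-command:$keys" ;;
        *)   echo "unknown:$mode" ;;
    esac
}

# Demo on constructed sample files (not taken from a real system).
demo=$(mktemp -d)
printf '# constructed sample\npermitrootlogin=without-password\n' > "$demo/sshd_config"
printf 'ssh-ed25519 AAAAC3constructedsample root@example\n' > "$demo/authorized_keys"
root_login_exposure "$demo/sshd_config" "$demo/authorized_keys"   # key-only:1
root_login_exposure "$demo/sshd_config" "$demo/none"              # key-only:0
rm -rf "$demo"
```

On a running system, `sshd -T` prints the effective configuration, which is the value actually in force after the config file is regenerated at boot.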
 

qbasevisitor

Cadet
Joined
May 5, 2013
Messages
3
But isn't a key pair automatically created by the system?
So if I don't specify my own key I don't have any chance to log in to the system?
My goal is to use the server over the Internet and I want it to be safe..
I guess I need to deal a little bit more with the key authentication to understand the system :)
 

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
My goal is to use the server over the Internet and I want it to be safe..

This is a bad idea on so many levels. Either set up a VPN tunnel into your network or configure a secure tunnel through SSH...or just don't try it. When you open up your fileserver to the internet, it is no longer safe.
 