Can't log in to a newly installed FreeBSD host by ssh (secure shell)

login_from_linux_to_freebsd_host.png


Can't log in from a Debian terminal (192.168.1.31) to a FreeBSD host (192.168.23), in the same Local Area Network.
sshd_enable="YES" has been set in FreeBSD /etc/rc.conf
 
You should definitely type "yes" and then confirm this with enter key press.
This message appears on first ssh login to host, which is not added yet to your "list of known hosts"
(~/.ssh/known_hosts file).
 
Blank_password_freebsd_host_failed.png

sam@192.168.1.31 uncle sam is angry; input empty password, hit enter key three times, got above result.
mas@192.168.1.23 mas host is anxious (user "mas" password is confirmed, tested on FreeBSD host, really is blank, no mistake)
I did not change anything in the ssh config settings. Do the default settings not allow a blank password?
Should I change the config file?
vi /etc/ssh/sshd_config
:set number
:79
line 62 has an option #PermitEmptyPasswords no

62_empty_password.png
 
The default for 'PermitEmptyPasswords' is no; you must set it to 'Yes' if that's what you really want to do (but why?)
 
You should definitely type "yes" and then confirm this with enter key press.
This message appears on first ssh login to host, which is not added yet to your "list of known hosts"
(~/.ssh/known_hosts file).
$ sudo service sshd restart
 
The default for 'PermitEmptyPasswords' is no; you must set it to 'Yes' if that's what you really want to do (but why?)

I've never been sure what constitutes an empty password in FreeBSD...

On a new installation of FreeBSD I always set

PermitRootLogin yes

in /etc/ssh/sshd_config but am not allowed to login initially because no password has been set using passwd(). However I am able to enter a blank password by just pressing ENTER twice and then I can login.

So does that constitute an empty password? I guess not.
 
PermitEmptyPasswords yes, config altered, sshd restarted, user mas with an empty password still can't log in.
Any user with a password, including root, can log in.
 
I've never been sure what constitutes an empty password in FreeBSD...

On a new installation of FreeBSD I always set

PermitRootLogin yes

in /etc/ssh/sshd_config but am not allowed to login initially because no password has been set using passwd(). However I am able to enter a blank password by just pressing ENTER twice and then I can login.

So does that constitute an empty password? I guess not.
Empty password = auto login after entering the username? The system doesn't even bother asking you for a password.
 
I've never been sure what constitutes an empty password in FreeBSD...

On a new installation of FreeBSD I always set

PermitRootLogin yes

in /etc/ssh/sshd_config but am not allowed to login initially because no password has been set using passwd(). However I am able to enter a blank password by just pressing ENTER twice and then I can login.

So does that constitute an empty password? I guess not.

Please don't do that. Instead create a user, add it to wheel group, and configure sshd to allow key-based authentication (set AuthenticationMethods to publickey in sshd_config)

The handbook: https://www.freebsd.org/doc/handbook/openssh.html and the man pages for sshd_config()
 
PermitEmptyPasswords yes, config altered, sshd restarted, user mas with an empty password still can't log in.
Any user with a password, including root, can log in.

Last paragraph of AuthenticationMethods in sshd_config() man page:

The available authentication methods are: "gssapi-with-mic",
"hostbased", "keyboard-interactive", "none" (used for access to
password-less accounts when PermitEmptyPasswords is enabled),
"password" and "publickey".


But as above, please don't do that! Follow a guide like the one Phishfry posted or at least leave it at defaults (any method and no root allowed).
 
What about public key passphrase? Does everyone use passphrase protected keys?
I use them because it feels secure but you are really adding another step by having to send a passphrase.
I understand it is more secure but is it really worth it?
 
In newer versions of OpenSSH, certainly the one in the port, but I'm not sure about the version in the base, the default is PermitRootLogin prohibit-password. This allows you to authenticate directly as root using a key but will refuse a password.

This is a reasonable compromise as long as you still understand the consequences. Although as I said, might need to use the port/pkg version rather than the base.

Code:
% /usr/local/bin/ssh -V
OpenSSH_8.2p1, OpenSSL 1.1.1e  17 Mar 2020
% /usr/bin/ssh -V
OpenSSH_7.8p1, OpenSSL 1.1.1d-freebsd  10 Sep 2019

Although, now I read the man page. It looks like without-password might work on older versions?

If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root.
 
What about public key passphrase? Does everyone use passphrase protected keys?
I use them because it feels secure but you are really adding another step by having to send a passphrase.
I understand it is more secure but is it really worth it?

Depending on your use case, a PK with a passphrase used with ssh-agent(1) and ssh-add(1) can give you the best of both worlds: encrypted (password phrase) on disk, but passwordless connections (after you’ve entered the password during the add) for your session.
 
In newer versions of OpenSSH, certainly the one in the port, but I'm not sure about the version in the base, the default is PermitRootLogin prohibit-password. This allows you to authenticate directly as root using a key but will refuse a password.

This is a reasonable compromise as long as you still understand the consequences. Although as I said, might need to use the port/pkg version rather than the base.

Code:
% /usr/local/bin/ssh -V
OpenSSH_8.2p1, OpenSSL 1.1.1e  17 Mar 2020
% /usr/bin/ssh -V
OpenSSH_7.8p1, OpenSSL 1.1.1d-freebsd  10 Sep 2019

Although, now I read the man page. It looks like without-password might work on older versions?

If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root.

I would also recommend creating a pair of SSH keys, adding the public key to the target host and setting PermitRootLogin prohibit-password in the sshd config. Many cloud providers default to root as the only user after all. Creating users with empty passwords is, in my experience, useful mostly for local-only purposes.
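
An added example, not part of the thread or of FreeBSD/OpenSSH: a POSIX shell audit of the three sshd_config keywords discussed above (PermitEmptyPasswords, PermitRootLogin, AuthenticationMethods). It assumes whitespace-separated `Keyword value` lines and reads only the global section; the function names and both sample files are constructed for illustration.

```shell
# Added example: audit the sshd_config settings discussed in this thread.
# sshd uses the first value it finds for a keyword, keywords are
# case-insensitive, and a "#Keyword value" line only documents a default.

# effective_value FILE KEYWORD: first uncommented value before any Match
# block, lower-cased, or "(default)" when the keyword is not set.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); found = 1; exit
        }
        END { if (!found) print "(default)" }' "$1"
}

# audit_sshd_config FILE: one WEAK line per risky explicit setting, then a summary.
audit_sshd_config() {
    pep=$(effective_value "$1" PermitEmptyPasswords)
    prl=$(effective_value "$1" PermitRootLogin)
    am=$(effective_value "$1" AuthenticationMethods)
    if [ "$pep" = "yes" ]; then
        echo "WEAK PermitEmptyPasswords=yes: password-less accounts can log in"
    fi
    if [ "$prl" = "yes" ]; then
        echo "WEAK PermitRootLogin=yes: root password logins are permitted"
    fi
    case " $am " in
        *" none "*) echo "WEAK AuthenticationMethods lists none" ;;
    esac
    echo "INFO PermitEmptyPasswords=$pep PermitRootLogin=$prl AuthenticationMethods=$am"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
# Constructed sample: edits like those tried in the thread, plus an ignored later duplicate.
cat > "$tmp/weak" <<'EOF'
#PermitEmptyPasswords no
PermitRootLogin yes
permitemptypasswords yes
PermitEmptyPasswords no
EOF
# Constructed sample: the key-only setup recommended in the replies.
cat > "$tmp/hardened" <<'EOF'
PermitRootLogin prohibit-password
AuthenticationMethods publickey
EOF
for f in "$tmp/weak" "$tmp/hardened"; do
    echo "== $f"; audit_sshd_config "$f"
done
```

On a live host, `sshd -T` prints the effective configuration with defaults filled in, which is the authoritative check after editing the file.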
 