OpenELEC Forum
Disable ssh password authentication? - Printable Version


Disable ssh password authentication? - bjwest - 03-21-2014

Setting aside the fact that root ssh access is a big no-no, I'm a bit concerned with having a box on my network on which I have no control over the root password and cannot disable ssh password authentication. This, combined with these instructions, which describe how to set the systems to allow no password access from the OpenELEC box to the desktop, not the other way around like they claim, throws a big red flag up on my security radar.

Seeing as how the root file system is read only, /etc/sshd_config cannot be edited, and trying to remount / as read-write fails.

Is it possible, barring rebuilding OpenELEC myself, to edit the sshd_config file?

Once again, I'm using the latest Beta.


Disable ssh password authentication? - lrusak - 03-22-2014

bjwest post=101262 Wrote:Setting aside the fact that root ssh access is a big no-no, I'm a bit concerned with having a box on my network on which I have no control over the root password and cannot disable ssh password authentication. This, combined with these instructions, which describe how to set the systems to allow no password access from the OpenELEC box to the desktop, not the other way around like they claim, throws a big red flag up on my security radar.

Security isn't a big concern on a media center. If you want to be locked down then maybe OE isn't for you.

You can enable passwordless login via the OE settings addon.


bjwest post=101262 Wrote:Seeing as how the root file system is read only, /etc/sshd_config cannot be edited, and trying to remount / as read-write fails.
Is it possible, barring rebuilding OpenELEC myself, to edit the sshd_config file?

No. You can unsquash the filesystem but this isn't recommended. If you really want to make changes to the filesystem then you should compile your own version of OE and make changes to the source.

Something simpler would be to use /storage/.cache/services/sshd.conf as a custom config. This can be seen here:
https://github.com/OpenELEC/OpenELEC.tv/blob/master/packages/network/openssh/system.d/sshd.service


Disable ssh password authentication? - bjwest - 03-22-2014

lrusak post=101266 Wrote:Security isn't a big concern on a media center. If you want to be locked down then maybe OE isn't for you.

Security should always be a concern with anything having direct access to one's local network. I'm giving this box access to my file server, which is the majority of, well, everything I have in digital form.

The Mini-ITX board I'm using has plenty of power for a full Linux system and I keep media files on my file server, so perhaps you're right and OE isn't for me.

lrusak post=101266 Wrote:You can enable passwordless login via the OE settings addon.

I found that soon after I posted this question.

lrusak post=101266 Wrote:Something simpler would be to use /storage/.cache/services/sshd.conf as a custom config. This can be seen here:
https://github.com/OpenELEC/OpenELEC.tv/blob/master/packages/network/openssh/system.d/sshd.service

This seems to be where the addon makes the settings happen. I'm still not happy with an ssh accessible root account in my network, but I guess I can live with it for now. If I start hearing voices perhaps I'll make the switch to a full Debian or Ubuntu distro. Like I said, the system has plenty of power for it, but I like the ease of setting up OpenELEC.

Thanks for the reply lrusak.


Disable ssh password authentication? - sraue - 03-22-2014

You can disable ssh access; then ssh is not started. This is the safest method.
You should not configure your router to have access to any mediacenter/smarttv/nas/gameconsole/whatever device from outside.
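
Whichever route from this thread is used to turn off password authentication, the effective sshd settings can be checked afterwards. The following is an added example, not part of the original posts or OpenELEC's own code; it assumes the `keyword value` output format of OpenSSH's `sshd -T`, and the function name `password_login_status` and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the effective sshd settings printed by `sshd -T`.
# Input on stdin: "keyword value" lines with lowercase keywords.
# Output: keys-only | root-password | user-password | unknown
#
# On the box itself (as root):  sshd -T | password_login_status
# `sshd -T` reflects the config file plus defaults; if the service passes
# extra -o options on its command line, pass the same ones to `sshd -T`.

password_login_status() {
    awk '
        $1 == "passwordauthentication"          { pw   = $2 }
        # Keyboard-interactive can still prompt for a password even when
        # passwordauthentication is "no"; older OpenSSH calls it
        # challengeresponseauthentication.
        $1 == "kbdinteractiveauthentication"    { kbd  = $2 }
        $1 == "challengeresponseauthentication" { kbd  = $2 }
        $1 == "permitrootlogin"                 { root = $2 }
        END {
            if (pw == "" || kbd == "" || root == "") print "unknown"
            else if (pw != "yes" && kbd != "yes")    print "keys-only"
            else if (root == "yes")                  print "root-password"
            else                                     print "user-password"
        }'
}

# Constructed sample: password logins allowed, root permitted.
SAMPLE_DEFAULT='port 22
passwordauthentication yes
kbdinteractiveauthentication no
permitrootlogin yes'

# Constructed sample: password authentication disabled, keys still work.
SAMPLE_KEYS_ONLY='port 22
passwordauthentication no
challengeresponseauthentication no
permitrootlogin yes'

printf '%s\n' "$SAMPLE_DEFAULT"   | password_login_status
printf '%s\n' "$SAMPLE_KEYS_ONLY" | password_login_status
```

A result other than `keys-only` means some password-style prompt is still reachable over SSH; `unknown` means one of the three keywords was missing from the input.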