How do I disable password access for the default SSHd?

[No Expert]

Hi,

I wan to disable password access for both the default and OpenSSH servers so that only key authentication is active.

For OpenSSH I know that I can make the change in the sshd_config file:

Code: Select all

PasswordAuthentication no

Does anyone know how to do the same for the default ("Qnap") SSHd server?

Thanks.

[pwilson]

Hi,

I wan to disable password access for both the default and OpenSSH servers so that only key authentication is active.

For OpenSSH I know that I can make the change in the sshd_config file:

Code: Select all

PasswordAuthentication no

Does anyone know how to do the same for the default ("Qnap") SSHd server?

Thanks.

There is no official way of doing it, but it can be done. To do it, you simply have to implement changes within the "autorun.sh" file on your NAS, per QNAPedia article: Running Your Own Application at Startup so that it modifies the settings at every boot.

The following code might do it for you:

Code: Select all

echo -n "Shutting down sshd services:" 
/sbin/daemon_mgr sshd stop /usr/sbin/sshd
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd
echo "sshd"
/bin/sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
echo "Disabled SSHd Password Authentication in config file: /etc/ssh/sshd_config"
echo -n "Restarting sshd services:" 
/sbin/daemon_mgr sshd start /usr/sbin/sshd -f /etc/ssh/sshd_config -p $(/sbin/getcfg LOGIN "SSH Port" -d 22)
echo "sshd"

I have NOT tested this code, so please enable your TELNET access temporarily to ensure you don't lock yourself out while attempting to get this working. Once you are satisfied that it is working you can re-disable TELNET again.

[No Expert]

Patrick - thanks.

I will give it a go.

Incidentally, is there anything from this script that is useful to include?
viewtopic.php?p=211720#p211720

[pwilson]

Patrick - thanks.

I will give it a go.

Incidentally, is there anything from this script that is useful to include?
viewtopic.php?p=211720#p211720

Not really. It is simply explicitly setting the defaults that are already present.

[No Expert]

Hi,

a follow up to this question.
The background to this is that I am trying to prevent any password logins.
I have set up OpenSSH running on another port which only allows key authentication.

So, wouldn't it be easier if I just disabled the default "Qnap" SSH server on port 22 and just keep OpenSSH running on port X?

[schumaku]

You can change and disable whatever you want on your NAS.

Don't whine later if your mod does no longer work when a firmware upgrade fails, the NAS does not fully boot, or QNAP features misbehave or fail.

As you already have a dedicated port because of the OpenSSH install, you only expose this to the bad Internet. Or do you desperately want to avoid password auth on the LAN, too?

[No Expert]

OK I get it.
Port 22 is not open on my router so it's not accessible anyway by the "bad internet".
I'm OK on the LAN as it's only me that logs in.

I'll keep it as it is in that case.

[JB09]

Code: Select all

echo -n "Shutting down sshd services:" 
/sbin/daemon_mgr sshd stop /usr/sbin/sshd
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd
echo "sshd"
/bin/sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
echo "Disabled SSHd Password Authentication in config file: /etc/ssh/sshd_config"
echo -n "Restarting sshd services:" 
/sbin/daemon_mgr sshd start /usr/sbin/sshd -f /etc/ssh/sshd_config -p $(/sbin/getcfg LOGIN "SSH Port" -d 22)
echo "sshd"

For anyone else intersted this line-->

Code: Select all

/sbin/daemon_mgr sshd start /usr/sbin/sshd -f /etc/ssh/sshd_config -p $(/sbin/getcfg LOGIN "SSH Port" -d 22)

needs to be changed to

Code: Select all

/sbin/daemon_mgr sshd start "/usr/sbin/sshd -f /etc/ssh/sshd_config -p $(/sbin/getcfg LOGIN "SSH Port" -d 22)"

<-- Note the quotations.

[pwilson]

Code: Select all

echo -n "Shutting down sshd services:" 
/sbin/daemon_mgr sshd stop /usr/sbin/sshd
/usr/bin/killall sshd
rm -f /var/lock/subsys/sshd
echo "sshd"
/bin/sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
echo "Disabled SSHd Password Authentication in config file: /etc/ssh/sshd_config"
echo -n "Restarting sshd services:" 
/sbin/daemon_mgr sshd start /usr/sbin/sshd -f /etc/ssh/sshd_config -p $(/sbin/getcfg LOGIN "SSH Port" -d 22)
echo "sshd"

For anyone else intersted this line-->

Code: Select all

/sbin/daemon_mgr sshd start /usr/sbin/sshd -f /etc/ssh/sshd_config -p $(/sbin/getcfg LOGIN "SSH Port" -d 22)

needs to be changed to

Code: Select all

/sbin/daemon_mgr sshd start "/usr/sbin/sshd -f /etc/ssh/sshd_config -p $(/sbin/getcfg LOGIN "SSH Port" -d 22)"

<-- Note the quotations.

Thanks. I missed this during my efforts. Thank-you. You taught me something! I appreciate it.