Channel: openSUSE Forums

How to script "disable password policy" (for ssh)?

Am building a docker image and container with SSH.

For the past couple of days, I've manipulated /etc/ssh/sshd_config every which way I can imagine to enable

- Either no password or an acceptable password for root
- Disable key authentication.

This special instance relaxing security to ordinarily dangerous levels is being implemented in a Dev environment without security needs and may eventually be modified "as needed" for regular docker use.

Main objective:
Enable ssh login using password credentials only and no key authentication. Note that this also assumes that no client pub key should need to be copied to the Server. End desired result is username/password auth only, encryption would then use whatever keys the server and client are willing to negotiate.

Problem:
Minor issue - Interestingly, although I have disabled key authentication completely, sshd still wants keys available, so I've generated the keys although I don't intend to use them.

Minor issue - Corollary of above is that all available keys are offered to the User despite attempts to disable key authentication altogether.

Main issue - Passwords are failing.
Have tried an empty password (see my code below as one of the tries), which succeeds in building, but the User is still prompted for a password.
Have tried a password which passes policy on a standard openSUSE, but when the image is built by Docker, openSUSE (not anything else) is rejecting that password (offered 13579Rh, and somehow openSUSE thinks it is in some dictionary). Error follows:
Code:

Step 14 : RUN echo 'root:13579Rh' | chpasswd ---> Running in 132ee21c4001
BAD PASSWORD: it is based on a dictionary word
chpasswd: (user root) pam_chauthtok() failed, error:
Authentication token manipulation error
chpasswd: (line 1, user root) password not changed

You don't absolutely need to read the following block of code unless you're interested in everything I've tried modifying the sshd app itself (/etc/ssh/sshd_config).

Instead of posting each and every modification I've tried, the following is an excerpt of the commands I've used modifying /etc/ssh/sshd_config... The hashes, of course, are past modifications which have been inactivated (by commenting out), and the active commands were my latest try.
Code:

# Dockerfile excerpt: each sed only matches one exact form of the line
RUN sed -i 's/UsePAM yes/UsePAM no/' /etc/ssh/sshd_config
# sshd refuses to start without host keys, even with key auth disabled;
# -N '' gives an empty passphrase so the build never waits on a prompt
RUN ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -q
RUN ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N '' -q
RUN ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N '' -q
RUN sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication no/' /etc/ssh/sshd_config
RUN sed -i 's/#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
RUN sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
# RUN sed -i 's/#MaxAuthTries 6/MaxAuthTries 2/' /etc/ssh/sshd_config
RUN sed -i 's/#MaxSessions 10/MaxSessions 2/' /etc/ssh/sshd_config
RUN sed -i 's/#X11UseLocalhost yes/X11UseLocalhost yes/' /etc/ssh/sshd_config
RUN sed -i 's/#Banner none/Banner none/' /etc/ssh/sshd_config
# set the root password; this is the step that fails the PAM dictionary check
RUN echo 'root:13579Rh' | chpasswd
# RUN echo "root:*" | chpasswd -e
# RUN sed -i 's/PermitRootLogin without-password/PermitRootLogin yes/' /etc/ssh/sshd_config

If someone needs assistance deciphering the sed commands:

sed
-i means to modify the file in place
s/ specifies the beginning of the string to be matched
/ specifies the end of the string to be matched

which is then followed by the replacement text enclosed in their own forward slashes,
followed by the file to be inspected.

In a Nutshell,
I've exhausted every way I can think of to disable key authentication and configure Username/Password authentication only in SSH.
So, I'm now turning to attempting to disable password policy altogether at the system OS level (not application) and would need to know where/how to do that by script.

TIA,
TSU
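An added example (my own, not code from the post above or from openSUSE): the sed calls in the post each match one exact spelling of a line, so they silently do nothing when the shipped sshd_config already has the directive uncommented with a different value (for example "PermitRootLogin without-password"). The helper below sets a directive regardless of whether it is commented out, set to another value, or absent, and a second helper reads back the active value so a build step can verify what it actually changed. Directive names, the sample config lines and the temp file are constructed for the demo; it assumes GNU sed and awk, and it does not handle directives inside a Match block.

```shell
#!/bin/sh
# Added example: idempotent sshd_config editing for a build script.
# Not from the forum post; constructed for illustration.

# set_sshd_option FILE KEY VALUE
# Replaces every existing form of KEY (active or commented, any value)
# with "KEY VALUE", or appends the line if KEY is not present at all.
# KEY must be a plain directive name (no regex metacharacters).
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        # GNU sed: -E for extended regex, trailing I for case-insensitive
        # match, since sshd_config keywords are case-insensitive
        sed -E -i "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|I" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Prints the value of the first active (uncommented) KEY line, or nothing.
get_sshd_option() {
    awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1"
}

# Demo on a constructed sample config: run as "sh thisfile.sh demo"
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    printf '%s\n' '#PubkeyAuthentication yes' \
                  'PermitRootLogin without-password' \
                  '#MaxSessions 10' > "$tmp"          # constructed sample
    set_sshd_option "$tmp" PermitRootLogin yes
    set_sshd_option "$tmp" PubkeyAuthentication no
    set_sshd_option "$tmp" PasswordAuthentication yes
    cat "$tmp"
    # With sshd installed, validate the result before committing the image:
    command -v sshd >/dev/null && sshd -t -f "$tmp"
    rm -f "$tmp"
fi
```

In a Dockerfile this replaces each "RUN sed -i 's/#Directive old/Directive new/'" line with one "set_sshd_option /etc/ssh/sshd_config Directive new" call, and a final "sshd -t" RUN step makes the build fail loudly if the resulting file is not one sshd will load.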
