question

nhenderson asked

ssh private key login missing details in sshd_config

I have been configuring my CCGX for password-less (public key) login and I believe that the stock sshd configuration is missing some things, specifically:

1) There are no host keys in /etc/ssh. These can be generated with

ssh-keygen -A 

2) In /etc/ssh/sshd_config, the following line(s) should be uncommented or inserted:

HostKey /etc/ssh/ssh_host_xxxx_key

(xxxx being your choice(s) of rsa, dsa, ecdsa, or ed25519; I am using ed25519, which is apparently the most secure).

The above is unfortunately not covered in the documentation here: www.victronenergy.com/live/ccgx:root_access

For security I also set the following options:

PermitEmptyPasswords no
ChallengeResponseAuthentication no

I did not however have the courage to disable password login entirely, not wanting to get locked out if something goes south in the future.

Of course sshd must be restarted after changes are made.

I think I understand correctly that such changes won't survive an update, therefore I copied the modified sshd_config and the host key files to a new directory /data/ssh and put the following in /data/rcS.local :

cp /data/ssh/* /etc/ssh/

I will be interested in any comments/corrections from those more experienced!

Tags: CCGX Color Control, Venus GX - VGX, gx device
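As an added example (not code from the original post or from Victron), the following shell helpers make the sshd_config edits described in the question idempotent and let the result be checked before sshd is restarted. Every path is a parameter; /etc/ssh and /data/ssh are only the poster's locations and are never touched unless passed in.

```sh
#!/bin/sh
# Added example, not code from the original post or from Victron: helpers that
# make the sshd_config edits described above idempotent and let you check the
# file before restarting sshd. Every path is a parameter; /etc/ssh and /data/ssh
# are only the poster's locations and are never touched unless passed in.
set -eu

# set_sshd_option FILE KEY VALUE
# For single-valued directives: rewrites the first active or commented-out KEY
# line in place, drops later duplicates (sshd honours only the first match),
# and appends "KEY VALUE" when the file has no such line at all.
set_sshd_option() {
    awk -v key="$2" -v value="$3" '
        $0 ~ ("^[ \t]*#?[ \t]*" key "([ \t]|$)") {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# add_hostkey FILE KEYPATH
# HostKey may legitimately appear several times (one per key type), so only
# append when this exact path is not already active. Refuse a key file that does
# not exist: with no usable host key sshd will not start, which locks you out.
add_hostkey() {
    [ -f "$2" ] || { echo "missing host key file: $2" >&2; return 1; }
    grep -Eq "^[[:space:]]*HostKey[[:space:]]+$2[[:space:]]*$" "$1" && return 0
    printf 'HostKey %s\n' "$2" >> "$1"
}

# get_sshd_option FILE KEY  -> prints the first active value, empty when unset
get_sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check_sshd_config FILE  -> 0 when sshd accepts the file (sshd -t), so a typo
# is caught before the restart; skipped when sshd is not on PATH.
check_sshd_config() {
    command -v sshd >/dev/null 2>&1 || return 0
    sshd -t -f "$1"
}
```

Run check_sshd_config on the edited file before restarting sshd; if it fails, the running daemon is untouched and the existing session can still be used to repair the file.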

1 Answer
bathnm answered ·

Interesting. I just logged into two VenusOS devices, and both have an sshd process running with references to host keys. I think you will find that they are specified as parameters to sshd using the -h option and not through the configuration file.

If you also look at the running process, you will see that the keys are stored on /data already, so no upgrade will overwrite the keys.

1 comment

bathnm commented

Within sshd the default for PermitEmptyPasswords is no, and Victron have overruled that for a reason.

I suspect that the PermitEmptyPasswords is forced, as root does not generally have a password. If one is not set through the superuser configuration in the GUI, then remote SSH for administration purposes from VRM doesn't work. This may block Victron staff from being able to remotely interrogate and support your setup should you need it.
