Posts: 62 | Thanked: 18 times | Joined on Dec 2009 @ Missouri, USA
#11
Hello,

Thanks to everyone who posted a suggestion.
This is what I did: I ssh'ed in as root and gave `user' a password. Then I cleared the known_hosts files in both the N900 and the Ubuntu machine. I also chmod'ed to 400 the file authorized_keys in the N900.
(I originally had copied the id_rsa.pub file ssh'ing as root and chown'ed the file to user:users to copy it to /home/users/authorized_keys.)

Now I can ssh in as `user' and I don't get prompted for the password, only the passphrase for the public key.
I plan to edit sshd_config to have
PasswordAuthentication no
PermitRootLogin no

I will also try installing rootsh to become root if necessary.

Thanks,
 
Posts: 62 | Thanked: 18 times | Joined on Dec 2009 @ Missouri, USA
#12
Originally Posted by adrianp:
Really - weird? Try logging in then do a
Code:
find /var -mmin -5 -ls
to find out which log file it uses; if that doesn't work try /tmp instead.

I looked in /tmp and /var and there does not seem to be a log file for the ssh server, or anything else for that matter. I read in a post yesterday that apparently one has to install something to have logs. Perhaps it's like that to save space on growing log files?
Thanks,
 
Posts: 3,841 | Thanked: 1,079 times | Joined on Nov 2006
#13
Yes, that's the reason: Growing log files would sooner or later create a problem for the common user.
__________________
N800/OS2007|N900/Maemo5
-- Metalayer-crawler delenda est.
-- Current state: Fed up with everything MeeGo.
 
Posts: 94 | Thanked: 15 times | Joined on Dec 2009
#14
hi, i have got 2 questions regarding SSH (using OpenSSH) ...

1. How do you shut the daemon down ? :-\
/etc/init.d/ssh stop gives me a message saying SSH stopped. But 'ps aux' shows the server to be running.
kill -9 'pid of /usr/sbin/sshd -D' executes successfully but the SSH server respawns with a different pid.
Any suggestions ?

2. Is anyone facing performance issues with SSH? i tried using putty to connect to the ssh server running on the N900. But the performance is quite slow. Takes 3-4 seconds for typed commands to show. Can wifi PSM be a reason ? (http://talk.maemo.org/showthread.php?p=380339)

Appreciate any help. Thanks
 
Posts: 268 | Thanked: 304 times | Joined on Oct 2009 @ Orlando, USA
#15
Originally Posted by pyromaniac:
2. Is anyone facing performance issues with SSH? i tried using putty to connect to the ssh server running on the N900. But the performance is quite slow. Takes 3-4 seconds for typed commands to show. Can wifi PSM be a reason ? (http://talk.maemo.org/showthread.php?p=380339)

I don't see any problems. One thing you could do to find out if wifi is the issue is to try USB networking first and see if that works correctly.
 
Posts: 94 | Thanked: 15 times | Joined on Dec 2009
#16
will try that out .. seems my machine needs a fresh installation as it does not detect my device for installation .. does an installed pc suite cause any conflicts by any chance ?

any ideas on how to stop the ssh server ?

thanks ..
 
Posts: 17 | Thanked: 10 times | Joined on Dec 2009 @ New York, NY, USA
#17
Yes, in order for the key to be accepted, the user account needs a password set. Do (as root):
passwd user

The permissions for the ~/.ssh directory and authorized hosts files can be u+rw[x] but must be go-rw[x] (you may want to be able to update known_hosts if shelling out).

Last edited by cowb0y; 2009-12-06 at 00:46.
 

The Following 2 Users Say Thank You to cowb0y For This Useful Post:
Posts: 17 | Thanked: 10 times | Joined on Dec 2009 @ New York, NY, USA
#18
Originally Posted by pyromaniac:
any ideas on how to stop the ssh server ?

If you want to prevent sshd from running automatically, you can remove it from runlevel 2 by using the update-rc.d script. Alternatively, you can prevent the init.d script from starting the daemon by creating a file in the ssh config directory (which you would have to (say) rename in order to start the daemon manually):
touch /etc/ssh/sshd_not_to_be_run

Not sure if removing the init script from the runlevel would prevent it from respawning, though.
 
Posts: 23 | Thanked: 23 times | Joined on Sep 2009 @ Vienna
#19
For starting/stopping sshd use `start sshd` and `stop sshd` respectively. The N900/maemo5 uses upstart instead of sysv-init, startup files are in /etc/event.d/ instead of init.d, the list of services is shown by `initctl list`.

Some notes for those that want to allow ssh for 'user' with publickey authentication without setting a password for the account:

sshd prevents successful authentication since it sees 'user' as locked, i.e. it has a '!' in the /etc/passwd file and there is no /etc/shadow file. The only way I found to change that is to create an /etc/shadow file with 'NP' in the password field for user, e.g.:

user:NP:1000::::::

Then, if the authorized_keys are set up, publickey ssh login works, and until now I have not seen any negative effect because of the new shadow file.
(Please tell me if you can think of one!)
 

The Following User Says Thank You to strank For This Useful Post:
Posts: 17 | Thanked: 10 times | Joined on Dec 2009 @ New York, NY, USA
#20
I'm not sure of any reason to not give the user account a password (on this platform). If enabling any kind of external access methods (and really, for any reason whatsoever), it would seem contrary to general principles of security consciousness. I also recommend assigning a strong root password, to help insulate against generic userland exploits.

If the passwordless method described is chosen, the user MUST disable password authentication in /etc/ssh/sshd_config (or anyone connecting will be granted shell access (and presumably, soon thereafter, root)). I recommend the following settings, regardless:

PermitRootLogin no
PasswordAuthentication no

Also, consider changing the default port if operating in a hostile zone.

If the sshd_config file were overwritten with a "fresh" (unedited) copy, then a passwordless user account would be granted shell access without authentication.
 

The Following 2 Users Say Thank You to cowb0y For This Useful Post:
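
The combination raised in posts #19 and #20 (an account whose shadow password field is empty or `NP` while sshd_config does not explicitly set `PasswordAuthentication no`) can be checked mechanically. The script below is an added example, not code from any poster in this thread; the function names and the sample files are constructed for illustration, and it reads only the global section of sshd_config (lines before any `Match` block).

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Print the first global value of an sshd_config keyword: keywords are
# case-insensitive and the first occurrence wins. Prints "unset" if absent.
# Stops at the first Match block, since settings below it are conditional.
sshd_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$2"
}

# List accounts whose shadow password field is empty or "NP" (post #19).
passwordless_accounts() {
    [ -r "$1" ] || return 0
    awk -F: '$2 == "" || $2 == "NP" { print $1 }' "$1"
}

# Returns 0 when clean, 1 on warnings, 2 on the combination from post #20.
audit_ssh() {
    config=$1; shadow=$2; rc=0
    for key in PasswordAuthentication PermitRootLogin; do
        val=$(sshd_value "$key" "$config")
        if [ "$val" != "no" ]; then
            echo "WARN: $key is '$val', expected 'no'"
            rc=1
        fi
    done
    open=$(passwordless_accounts "$shadow" | tr '\n' ' ')
    if [ -n "$open" ] && [ "$(sshd_value PasswordAuthentication "$config")" != "no" ]; then
        echo "CRIT: password logins not disabled; passwordless account(s): $open"
        rc=2
    fi
    return $rc
}

# Constructed sample: an unedited-looking config plus the shadow line from post #19.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'Port 22' 'PermitRootLogin yes' > "$d/sshd_config"
    printf '%s\n' 'root:*:14000::::::' 'user:NP:1000::::::' > "$d/shadow"
    audit_ssh "$d/sshd_config" "$d/shadow"; status=$?
    rm -rf "$d"
    return $status
}
demo || echo "audit exit status: $?"
```

To audit the device itself, call `audit_ssh /etc/ssh/sshd_config /etc/shadow` as root; re-running it after any package upgrade that touches sshd_config covers the "fresh copy" case from post #20.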