I'm trying to secure my Linux machine by changing a few settings in the sshd_config file on my system. Below is the sshd_config file:

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel VERBOSE
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 3
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

First off, I don't want to permit root login, so I changed that setting to no. Then I reduced the maximum login attempts from 6 to 3 (this is the one that works). And finally, I disabled the option to log in via password and require a private key instead. However, when I try to run ssh root@localhost to test out the changes, you can see from the output below that nothing was really applied:

ssh root@localhost
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
root@localhost: Permission denied (publickey,password)

And here is the output of cat /var/log/syslog | grep ssh (The entire file is about 13000 lines long and I'm pretty sure there's sensitive info in it so I only included the ssh parts). At the time of the creation of this log, the LogLevel was set to INFO. I just changed it to verbose but the log below is not verbose:

Feb 20 14:34:32 kali systemd[1022]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 20 19:38:20 kali systemd[1513]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 20 19:38:20 kali gpg-agent[1620]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 20 19:38:20 kali gpg-agent[1620]: listening on: std=6 extra=4 browser=5 ssh=3
Feb 20 19:38:20 kali gpg-agent[1623]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 20 19:38:20 kali gpg-agent[1623]: listening on: std=6 extra=4 browser=5 ssh=3
Feb 20 19:38:29 kali systemd[1022]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 20 19:54:46 kali systemd[9539]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 20 19:59:43 kali systemd[9539]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 21 14:36:16 kali systemd[1]: Regenerate SSH host keys was skipped because of a failed condition check (ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key).
Feb 21 14:36:23 kali systemd[1013]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 21 14:36:35 kali systemd[1160]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 21 14:36:36 kali gpg-agent[1269]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 21 14:36:36 kali gpg-agent[1269]: listening on: std=6 extra=5 browser=3 ssh=4
Feb 21 14:36:36 kali gpg-agent[1272]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 21 14:36:36 kali gpg-agent[1272]: listening on: std=6 extra=5 browser=3 ssh=4
Feb 21 14:36:44 kali systemd[1013]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 21 21:02:14 kali systemd[27772]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 18:53:51 kali systemd[1]: Regenerate SSH host keys was skipped because of a failed condition check (ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key).
Feb 22 18:53:58 kali systemd[1009]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 18:54:18 kali systemd[1162]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 18:54:19 kali gpg-agent[1276]: using fd 6 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 22 18:54:19 kali gpg-agent[1276]: listening on: std=3 extra=4 browser=5 ssh=6
Feb 22 18:54:19 kali gpg-agent[1279]: using fd 6 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 22 18:54:19 kali gpg-agent[1279]: listening on: std=3 extra=4 browser=5 ssh=6
Feb 22 18:54:26 kali systemd[1009]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 18:56:51 kali dbus-daemon[3256]: [session uid=0 pid=3254] Activating service name='org.freedesktop.portal.Desktop' requested by ':1.0' (uid=0 pid=3250 comm="gedit /etc/ssh/sshd_config ")
Feb 22 18:56:51 kali dbus-daemon[3256]: [session uid=0 pid=3254] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=0 pid=3250 comm="gedit /etc/ssh/sshd_config ")
Feb 22 19:13:05 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 22 19:15:03 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 22 19:16:59 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 22 19:18:52 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 22 19:20:08 kali systemd[1]: Regenerate SSH host keys was skipped because of a failed condition check (ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key).
Feb 22 19:20:13 kali systemd[945]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 19:20:25 kali systemd[1096]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 19:20:26 kali gpg-agent[1203]: using fd 5 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 22 19:20:26 kali gpg-agent[1203]: listening on: std=4 extra=6 browser=3 ssh=5
Feb 22 19:20:26 kali gpg-agent[1206]: using fd 5 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 22 19:20:26 kali gpg-agent[1206]: listening on: std=4 extra=6 browser=3 ssh=5
Feb 22 19:20:35 kali systemd[945]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 19:28:55 kali dbus-daemon[4386]: [session uid=0 pid=4384] Activating service name='org.freedesktop.portal.Desktop' requested by ':1.0' (uid=0 pid=4380 comm="gedit /etc/ssh/sshd_config ")
Feb 22 19:28:55 kali dbus-daemon[4386]: [session uid=0 pid=4384] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=0 pid=4380 comm="gedit /etc/ssh/sshd_config ")
Feb 22 19:53:22 kali systemd[24743]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 20:14:28 kali systemd[1]: Regenerate SSH host keys was skipped because of a failed condition check (ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key).
Feb 22 20:14:34 kali systemd[947]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 20:16:59 kali systemd[1385]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 20:17:00 kali gpg-agent[1493]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 22 20:17:00 kali gpg-agent[1493]: listening on: std=6 extra=5 browser=3 ssh=4
Feb 22 20:17:00 kali gpg-agent[1496]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 22 20:17:00 kali gpg-agent[1496]: listening on: std=6 extra=5 browser=3 ssh=4
Feb 22 20:17:09 kali systemd[947]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 22 20:23:52 kali dbus-daemon[4653]: [session uid=0 pid=4651] Activating service name='org.freedesktop.portal.Desktop' requested by ':1.0' (uid=0 pid=4647 comm="gedit /etc/ssh/sshd_config ")
Feb 22 20:23:52 kali dbus-daemon[4653]: [session uid=0 pid=4651] Activating service name='ca.desrt.dconf' requested by ':1.0' (uid=0 pid=4647 comm="gedit /etc/ssh/sshd_config ")
Feb 22 20:25:04 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 22 20:52:06 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 22 21:04:36 kali systemd[16788]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 09:00:30 kali systemd[1]: Regenerate SSH host keys was skipped because of a failed condition check (ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key).
Feb 23 09:00:37 kali systemd[1012]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 09:00:55 kali systemd[1095]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 09:00:56 kali gpg-agent[1203]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 23 09:00:56 kali gpg-agent[1203]: listening on: std=4 extra=5 browser=6 ssh=3
Feb 23 09:00:56 kali gpg-agent[1206]: using fd 3 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 23 09:00:56 kali gpg-agent[1206]: listening on: std=4 extra=5 browser=6 ssh=3
Feb 23 14:01:06 kali systemd[1012]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 14:09:43 kali systemd[1]: Regenerate SSH host keys was skipped because of a failed condition check (ConditionPathExistsGlob=!/etc/ssh/ssh_host_*_key).
Feb 23 14:09:49 kali systemd[1006]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 14:10:20 kali systemd[1383]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 14:10:21 kali gpg-agent[1491]: using fd 6 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 23 14:10:21 kali gpg-agent[1491]: listening on: std=4 extra=3 browser=5 ssh=6
Feb 23 14:10:21 kali gpg-agent[1494]: using fd 6 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
Feb 23 14:10:21 kali gpg-agent[1494]: listening on: std=4 extra=3 browser=5 ssh=6
Feb 23 14:10:29 kali systemd[1006]: Closed GnuPG cryptographic agent (ssh-agent emulation).
Feb 23 14:12:56 kali systemd[1]: ssh.service: Deactivated successfully.
Feb 23 14:13:11 kali systemd[1]: ssh.service: Deactivated successfully.

Root login is allowed and it asks for a password. The location of my sshd_config file is /etc/ssh/sshd_config, which is an odd location for me because I thought it was supposed to be in my home directory for the normal user (e.g. $HOME/.ssh/sshd_config). Maybe this has something to do with it? Can someone help me understand the issue here and suggest a solution?

EDIT: @mashuptwice pointed out that the root login prompt is a feature and works as expected. However, even though I disabled password authentication, when I try to log in as a normal user, I am allowed to use my password. Here's the output of what happens when I run ssh <username>@localhost:

ssh johnmap007@localhost
johnmap007@localhost's password:
Linux kali 5.16.0-kali1-amd64 #1 SMP PREEMPT Debian 5.16.7-2kali1 (2022-02-10) x86_64
The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 23 15:12:59 2022 from ::1
Warning: PATH set to RVM ruby but GEM_HOME and/or GEM_PATH not set, see:
┌──(johnmap007㉿kali)-[~]
└─$ 

1 Answer

Your output is as expected when disabling the root login.

SSH will still show the password prompt, even if root login is disabled. This means that even if you entered the correct password, SSH would still show you Permission denied.

It is a feature to avoid disclosing any information about a disabled root login.

If you still want to be able to log in as root via key-based authentication, but disable password-based login, you would need to change your configuration to PermitRootLogin prohibit-password.
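
In the configuration quoted in the question, the PermitRootLogin, MaxAuthTries and PasswordAuthentication lines all begin with #, and the file's own header says that only uncommented options override the defaults. The script below is an added example, not part of the original question or answer: it reports which of those keywords are actually set in a file. The function names active_value and audit are hypothetical, the sample lines are constructed from the quoted config, and Include and Match blocks are not followed.

```bash
#!/usr/bin/env bash
# Added example: report which sshd_config keywords are actually set (uncommented).
# sshd ignores lines starting with '#', and for each keyword uses the first value it reads.

# active_value FILE KEYWORD -> prints the first uncommented value, or nothing if unset.
active_value() {
  awk -v kw="$2" '
    /^[ \t]*(#|$)/ { next }                        # skip comments and blank lines
    tolower($1) == tolower(kw) {                   # keywords are case-insensitive
      $1 = ""; sub(/^[ \t]+/, ""); print; exit     # first value wins
    }' "$1"
}

# audit FILE -> one line per hardening keyword from the question; returns 1 if any is unset.
audit() {
  local rc=0 kw val
  for kw in PermitRootLogin MaxAuthTries PasswordAuthentication KbdInteractiveAuthentication; do
    val=$(active_value "$1" "$kw")
    if [ -n "$val" ]; then
      echo "$kw = $val"
    else
      echo "$kw NOT SET (built-in default applies)"; rc=1
    fi
  done
  return $rc
}

# Constructed sample: a few lines as they appear in the config quoted in the question.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
#MaxAuthTries 3
#PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
EOF

# The same lines with the leading '#' removed, i.e. actually in effect.
fixed=$(mktemp)
sed 's/^#//' "$sample" > "$fixed"

audit "$sample" || true   # three keywords reported as NOT SET
audit "$fixed"            # all four keywords reported with their values
```

On a live system, running sshd -T as root prints the effective settings, including anything pulled in through the Include line; sshd reads its configuration at start-up, so it must be reloaded or restarted after the file is edited.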
