Some questions about SSH

jasonnix
Posts: 27
Joined: 2023-12-04 11:30
Has thanked: 1 time

Some questions about SSH

#1 Post by jasonnix »

Hello,
I have two questions about SSH service:

1- By default, Debian does not allow connecting with the root account via SSH, but the PermitRootLogin no option is disabled in the sshd_config file. How does this happen?

2- When I connect to a remote server, after a few minutes of not touching the console, SSH is disconnected. I entered the following two options in the sshd_config file, but it has no effect. Why?

Code: Select all

ClientAliveInterval  1200
ClientAliveCountMax 3

Thank you.

fabien
Forum Helper
Posts: 689
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 62 times
Been thanked: 161 times

Re: Some questions about SSH

#2 Post by fabien »

jasonnix wrote: 2024-02-23 12:07 1- By default, Debian does not allow connecting with the root account via SSH, but the PermitRootLogin no option is disabled in the sshd_config file. How does this happen?

See the header of /etc/ssh/sshd_config:

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Therefore, the default option applied is

Code: Select all

$> grep "PermitRootLogin" /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
# the setting of "PermitRootLogin prohibit-password".

jasonnix wrote: 2024-02-23 12:07 2- When I connect to a remote server, after a few minutes of not touching the console, SSH is disconnected. I entered the following two options in the sshd_config file, but it has no effect. Why?

Code: Select all

ClientAliveInterval  1200
ClientAliveCountMax 3

sshd_config is your server configuration file, not the one you connect to. Check the configuration of the server you are connecting to.
The default is

Code: Select all

$> grep "ClientAliveInterval" /etc/ssh/sshd_config
#ClientAliveInterval 0

man 5 sshd_config wrote: ClientAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.

jasonnix
Posts: 27
Joined: 2023-12-04 11:30
Has thanked: 1 time

Re: Some questions about SSH

#3 Post by jasonnix »

Hello,
Thank you so much for your reply.
1- I can't get your point. When "PermitRootLogin no" is disabled, then I should be able to log in with the root account. Is it otherwise?

2- I put those two lines in the server's sshd_config file, not the client.

CwF
Global Moderator
Posts: 2720
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 201 times

Re: Some questions about SSH

#4 Post by CwF »

Alternatively,
SSH logon as root can be as unnecessary as a local need to log on as root. The short story is that sudo/doas/polkit authority for any particular user can be active over SSH. I run my various tk programs across SSH with sudo/doas embedded scripts. I even run my beloved synaptic over SSH. There is a chicken-and-egg problem in the procedure: the config of these cheats does need to be done on the remote machine beforehand. With a virt-viewer spice connection to the remote system these modifications can be done. So ssh'ing as a user into a bare-metal machine that was never configured is the only snag.

I suppose from a user logon, 'su -' probably works.

reinob
Posts: 1198
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: Some questions about SSH

#5 Post by reinob »

jasonnix wrote: 2024-02-26 09:42 1- I can't get your point. When "PermitRootLogin no" is disabled, then I should be able to log in with the root account. Is it otherwise?

The default for PermitRootLogin is "prohibit-password", at least in the stable Debian version.

If you have something like

Code: Select all

# PermitRootLogin no

in your sshd_config, it doesn't mean that the option is "disabled", it just means that it's a comment which doesn't mean or do anything, i.e. the option PermitRootLogin is, and continues to be, the default setting.

If you want to actually change that, then you have to remove the "#" to make it actually do something.

This is what @fabien wrote already in the first reply, but it seems that you didn't quite understand, so hopefully writing it again, differently, will make it more understandable?

Alternatively: tell us what you actually need/want, i.e. do you want to be able to log in as root with password, or only with private/public key (that is the default) or not at all?
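
The point made in replies #2 and #5, as an added example that is not part of the original thread: a shell function that reports the value a keyword takes from an sshd_config, skipping commented lines and falling back to the built-in default. The sample config and the function names are constructed for illustration; Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Constructed sample in the style of the stock file: defaults are shown
# commented out; only uncommented lines change anything.
sample_config() {
cat <<'EOF'
#PermitRootLogin prohibit-password
# PermitRootLogin no
#ClientAliveInterval 0
ClientAliveInterval  1200
ClientAliveCountMax 3
ClientAliveInterval 60
EOF
}

# Built-in defaults, per sshd_config(5), for the keywords in this thread.
builtin_default() {
  case "$1" in
    permitrootlogin)     echo "prohibit-password" ;;
    clientaliveinterval) echo "0" ;;
    clientalivecountmax) echo "3" ;;
    *)                   echo "unknown" ;;
  esac
}

# Usage: effective_value KEYWORD < config
# Not handled: Include files and Match blocks (scanning stops at the first Match).
effective_value() {
  key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  val=$(awk -v k="$key" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # comment or blank line: no effect
    tolower($1) == "match"   { exit }   # what follows is conditional
    tolower($1) == k {                  # sshd uses the first value it finds
      $1 = ""; sub(/^[ \t]+/, ""); print; exit
    }')
  if [ -n "$val" ]; then
    echo "$val (set in file)"
  else
    echo "$(builtin_default "$key") (built-in default)"
  fi
}

# Demo on the constructed sample.
for k in PermitRootLogin ClientAliveInterval ClientAliveCountMax; do
  printf '%-20s %s\n' "$k" "$(sample_config | effective_value "$k")"
done
```

On a real server, `sshd -T` (run as root) prints the effective configuration as sshd itself parses it, which also covers Include files.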
