# Can't log in to a newly installed FreeBSD host by ssh (secure shell)



## freeink (Mar 25, 2020)

Can't log in from a Debian terminal (192.168.1.31) to a FreeBSD host (192.168.23), in the same Local Area Network.
sshd_enable="YES" has been set in FreeBSD /etc/rc.conf


----------



## zirias@ (Mar 25, 2020)

maybe choose "yes" there?


----------



## mark_j (Mar 25, 2020)

Zirias said:


> maybe choose "yes" there?


LOL


----------



## Deleted member 48958 (Mar 25, 2020)

You should definitely type "yes" and then confirm this with enter key press.
This message appears on first ssh login to host, which is not added yet to your "list of known hosts"
(~/.ssh/known_hosts file).


----------



## freeink (Mar 27, 2020)

sam@192.168.1.31 uncle sam is angry; input empty password, hit enter key three times, got above result.
mas@192.168.1.23 mas host is anxious (user "mas" password is confirmed tested on FreeBSD host, really is blank, no mistake)
I did not change anything in the ssh config settings. Do the default settings not allow a blank password?
Should I change the config file?

```
vi /etc/ssh/sshd_config
:set number
:79
```

Line 62 has an option #PermitEmptyPasswords no


----------



## freeink (Mar 27, 2020)

Zirias said:


> maybe choose "yes" there?


Of course choose "yes", really an aspiring suggestion from an Aspiring Daemon


----------



## ljboiler (Mar 27, 2020)

The default for 'PermitEmptyPasswords' is no; you must set it to 'Yes' if that's what you really want to do (but why?)


----------



## freeink (Mar 27, 2020)

ILUXA said:


> You should definitely type "yes" and then confirm this with enter key press.
> This message appears on first ssh login to host, which is not added yet to your "list of known hosts"
> (~/.ssh/known_hosts file).


$ sudo service sshd restart


----------



## balanga (Mar 27, 2020)

ljboiler said:


> The default for 'PermitEmptyPasswords' is no; you must set it to 'Yes' if that's what you really want to do (but why?)



I've never been sure what constitutes an empty password in FreeBSD...

On a new installation of FreeBSD I always set 

*PermitRootLogin yes*

in /etc/ssh/sshd_config but am not allowed to login initially because no password has been set using passwd(). However I am able to enter a blank password by just pressing ENTER twice and then I can login.

So does that constitute an empty password? I guess not.


----------



## freeink (Mar 27, 2020)

PermitEmptyPasswords yes, config altered, sshd restarted, user mas with an empty password still can't log in.
Any user with a password, including root, can log in.


----------



## freeink (Mar 27, 2020)

balanga said:


> I've never been sure what constitutes an empty password in FreeBSD...
> 
> On a new installation of FreeBSD I always set
> 
> ...







Empty password = auto login after inputting the username? The system doesn't even bother asking you for a password.


----------



## Eric A. Borisch (Mar 27, 2020)

Why not set up a pre-shared key rather than have an empty password?


----------



## Zvoni (Mar 27, 2020)

Eric A. Borisch said:


> Why not set up a pre-shared key rather than have an empty password?


Yep! That's how I've set it up on my servers.
Why anyone in our times today wants to allow root to login from outside and/or use a password-less user-account escapes me...


----------



## Criosphinx (Mar 27, 2020)

balanga said:


> I've never been sure what constitutes an empty password in FreeBSD...
> 
> On a new installation of FreeBSD I always set
> 
> ...



Please don't do that. Instead create a user, add it to wheel group, and configure sshd to allow key-based authentication (set *AuthenticationMethods* to publickey in sshd_config)

The handbook: https://www.freebsd.org/doc/handbook/openssh.html and the man pages for sshd_config()


----------



## Phishfry (Mar 27, 2020)

Generating the keys is easy. I like to specify what encryption to use for the key.
`ssh-keygen -t ed25519`
`ssh-copy-id -i ~/.ssh/id_ed25519.pub -p 1798 user@123.456.789.001`





How To Configure SSH Key-Based Authentication on a FreeBSD Server | DigitalOcean (www.digitalocean.com)


----------



## Criosphinx (Mar 28, 2020)

freeink said:


> PermitEmptyPasswords yes, config altered ,sshd restarted , user mas with empty passwords  still can't login.
> Any user with passwords include root can login.



Last paragraph of AuthenticationMethods in sshd_config() man page:

_The available authentication methods are: "gssapi-with-mic",
"hostbased", "keyboard-interactive", "none" (used for access to
password-less accounts when *PermitEmptyPasswords* is enabled),
"password" and "publickey"._

But as above, please don't do that! Follow a guide like the one Phishfry posted or at least leave it at defaults (any method and no root allowed).


----------



## Phishfry (Mar 28, 2020)

What about public key passphrase? Does everyone use passphrase protected keys?
I use them because it feels secure but you are really adding another step by having to send a passphrase.
I understand it is more secure but is it really worth it?


----------



## zirias@ (Mar 28, 2020)

Phishfry said:


> but you are really adding another step by having to send a passphrase.


ssh-agent(1)


----------



## xtaz (Mar 28, 2020)

In newer versions of OpenSSH, certainly the one in the port, but I'm not sure about the version in the base, the default is PermitRootLogin prohibit-password. This allows you to authenticate directly as root using a key but will refuse a password.

This is a reasonable compromise as long as you still understand the consequences. Although as I said, might need to use the port/pkg version rather than the base.


```
% /usr/local/bin/ssh -V
OpenSSH_8.2p1, OpenSSL 1.1.1e  17 Mar 2020
% /usr/bin/ssh -V
OpenSSH_7.8p1, OpenSSL 1.1.1d-freebsd  10 Sep 2019
```

Although, now I read the man page. It looks like without-password might work on older versions?

_If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root._


----------



## Eric A. Borisch (Mar 28, 2020)

Phishfry said:


> What about public key passphrase? Does everyone use passphrase protected keys?
> I use them because it feels secure but you are really adding another step by having to send a passphrase.
> I understand it is more secure but is it really worth it?



Depending on your use case, a PK with a passphrase used with ssh-agent(1) and ssh-add(1) can give you the best of both worlds: encrypted (password phrase) on disk, but passwordless connections (after you’ve entered the password during the _add_) for your session.


----------



## Andy Mender (Mar 29, 2020)

xtaz said:


> In newer versions of OpenSSH, certainly the one in the port, but I'm not sure about the version in the base, the default is PermitRootLogin prohibit-password. This allows you to authenticate directly as root using a key but will refuse a password.
> 
> This is a reasonable compromise as long as you still understand the consequences. Although as I said, might need to use the port/pkg version rather than the base.
> 
> ...



I would also recommend creating a pair of SSH keys, adding the public key to the target host and setting PermitRootLogin prohibit-password in the sshd config. Many cloud providers default to root as the only user after all. Creating users with empty passwords is, in my experience, useful mostly for local-only purposes.
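
An added example, not part of any post in this thread: a small audit of the global section of an sshd_config for the three settings discussed above (PermitEmptyPasswords, PermitRootLogin, AuthenticationMethods). The function names and the sample file are constructed for illustration; Match blocks are deliberately not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config global settings.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and '#' lines are comments, so the stock
# "#PermitEmptyPasswords no" line sets nothing and the default applies.
effective_value() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }   # Match blocks are not audited here
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# audit_sshd_config FILE: one line per finding; returns 1 if any FAIL.
audit_sshd_config() {
    rc=0
    empty=$(effective_value "$1" PermitEmptyPasswords no)
    root=$(effective_value "$1" PermitRootLogin unset)
    methods=$(effective_value "$1" AuthenticationMethods any)
    if [ "$empty" = yes ]; then
        echo "FAIL PermitEmptyPasswords yes: password-less accounts can log in"; rc=1
    fi
    case "$root" in
        yes) echo "FAIL PermitRootLogin yes: root can log in with a password"; rc=1 ;;
        unset) echo "NOTE PermitRootLogin unset: default depends on the OpenSSH version" ;;
    esac
    case "$methods" in
        *none*) echo "FAIL AuthenticationMethods allows none"; rc=1 ;;
        publickey) ;;
        *) echo "NOTE AuthenticationMethods '$methods': not limited to publickey" ;;
    esac
    return "$rc"
}

# Constructed sample config: commented defaults followed by risky overrides.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
#PermitEmptyPasswords no
PermitEmptyPasswords Yes
permitemptypasswords no
EOF
audit_sshd_config "$sample" || echo "audit: insecure settings found"
rm -f "$sample"
```

On the host itself, `sshd -T` prints the effective configuration with defaults filled in, which is the authoritative check after any edit.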


----------

