cmkelley
Very Senior Member
Not because I really need to, but just because I want to, I want to replace dropbear with OpenSSH on my RT-AC3200. I've installed openssh-keygen, openssh-moduli, openssh-server, and openssh-sftp-server from entware. I moved dropbear to port 2222 so I could still get into the router, generated the ssh_host_*_key private and public keys in /opt/etc/ssh, and added the appropriate files to /jffs/configs:
group.add
Code:
sshd:x:22:
gshadow.add
Code:
sshd:*:22:
passwd.add
Code:
sshd:x:22:22:sshd privsep:/var/empty:/dev/null
shadow.add
Code:
sshd:*:0:0:99999:7:0:0:
Made the S40ssh script explicitly point to the configuration file (you'll have to trust me on this; for some bizarre reason, pasting the line that starts sshd from S40ssh makes snbforums throw a "you've been blocked" message).
I create /var/empty and chmod that to 700 in init-start:
Code:
#!/bin/sh
# This script is the first that can possibly be run
mkdir /var/empty
chmod 700 /var/empty
I changed PermitRootLogin to yes in the sshd_config file and restarted the router. Changing PermitRootLogin is the only change I made to the sshd_config file; everything else is as-installed from entware.
I can log into my "root" account (the name (routerroot) and password I use to log into the webgui) just fine through dropbear (it uses key exchange, not a password) on port 2222. I cannot for the life of me log in through ssh (port 22). It asks for a password, which it seems it ought not to do since I have the keys set up, and it won't let me in (permission denied). The system log shows:
Code:
Sep 17 10:45:27 sshd[12387]: Account routerroot has expired
Sep 17 10:45:31 sshd[12387]: error: Could not get shadow information for NOUSER
Sep 17 10:45:31 sshd[12387]: Failed password for invalid user routerroot from 10.29.3.69 port 56659 ssh2
Sep 17 10:45:34 sshd[12387]: Failed password for invalid user routerroot from 10.29.3.69 port 56659 ssh2
Sep 17 10:45:34 sshd[12387]: error: maximum authentication attempts exceeded for invalid user routerroot from 10.29.3.69 port 56659 ssh2 [preauth]
Sep 17 10:45:34 sshd[12387]: Disconnecting invalid user routerroot 10.29.3.69 port 56659: Too many authentication failures [preauth]
The account expired message is the one that has me stumped. From googling, it seems to be related to PAM? The default in sshd_config is UsePAM no.
What am I missing???
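An added example, not from the post or from OpenSSH itself: a small Python re-implementation of the shadow(5) aging checks that sshd applies to a login account (the comparisons follow OpenSSH's auth-shadow.c as the editor recalls them; treat that as an assumption), run against the shadow.add line posted above. The day count `today=20000` and the "fixed" line are constructed sample values.

```python
# Added example (not the poster's or OpenSSH's code): mimic the /etc/shadow
# checks behind "Account ... has expired" so a shadow line can be tested offline.
import time
from dataclasses import dataclass

SECONDS_PER_DAY = 24 * 60 * 60


@dataclass
class ShadowEntry:
    name: str
    password: str
    lastchg: int   # day of last password change; -1 if the field was empty
    min_days: int
    max_days: int  # -1 = password never ages
    warn: int
    inactive: int
    expire: int    # day the account expires; -1 = never (field left empty)


def parse_shadow_line(line):
    """Split one shadow(5) line; empty numeric fields become -1 as glibc's getspnam() does."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError(f"not a shadow entry: {line!r}")
    nums = [int(f) if f else -1 for f in fields[2:8]]
    return ShadowEntry(fields[0], fields[1], *nums)


def sshd_rejections(entry, today=None):
    """Return the messages sshd would log for this entry; an empty list means it passes."""
    if today is None:
        today = int(time.time()) // SECONDS_PER_DAY   # days since the epoch
    msgs = []
    # auth_shadow_acctexpired(): expire == -1 disables the check; any past day is expired.
    if entry.expire != -1 and entry.expire - today < 0:
        msgs.append(f"Account {entry.name} has expired")
    # auth_shadow_pwexpired(): lastchg == 0 is treated as an admin-forced change,
    # otherwise the password is aged when lastchg + max_days lies in the past.
    if entry.lastchg == 0:
        msgs.append(f"User {entry.name} password has expired (root forced)")
    elif entry.max_days != -1 and entry.lastchg + entry.max_days - today < 0:
        msgs.append(f"User {entry.name} password has expired (password aged)")
    return msgs


# Constructed samples: the shadow.add line from the post, and a variant with
# the expire field left empty and a non-zero lastchg.
POSTED = "sshd:*:0:0:99999:7:0:0:"
FIXED = "sshd:*:19000:0:99999:7:::"

if __name__ == "__main__":
    for line in (POSTED, FIXED):
        print(line, "->", sshd_rejections(parse_shadow_line(line), today=20000) or "ok")
```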