To lock down the SSH service I’d like to (1) enable publickey authentication and (2) disable password authentication. I’ve enabled and tested pubkey auth by adding key to /storage/.ssh/authorized_keys. But what is the correct way (i.e. recommended and able to persist through reboots/upgrades)? Is there a config overlay somewhere for the sshd_config file?
2 Likes
Did you ever figure this out? I’m looking to do the same thing and have yet to find any definitive answer on the topic
I’m not familiar with Lakka specifically but I imagine it would be like most other Linux distros. SSH to the device, edit /etc/ssh/sshd_config with vi or nano and change “PasswordAuthentication yes” to “PasswordAuthentication no”
Then restart the sshd service with sudo systemctl restart sshd.service or if lakka doesn’t use systemd, sudo service sshd restart. Alternatively simply reboot the device.
In order to edit /etc/ssh/sshd_config you will need to have root permissions so use sudo. IE: sudo vi /etc/ssh/sshd_config
If you have never done this type of thing before it may be prudent to create a backup first with sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
There is indeed a general overlay mechanism using files within /storage/.config/, though my brief attempts have not been successful in overriding /etc/ssh/sshd_config
I am successful, 'll post how I did it in this thread. If anyone else knows how, please do the same. The concern is that changes within /etc itself will not survive reboot, nevermind upgrades.
I read somewhere, some time ago, that one way (perhaps the only way?) is to use autostart.sh to stop the SSH server, write the setting to /etc/ssh/sshd_config and then restart the server.
Using autostart.sh in this way is a great idea. I bet it would be possible to change the well-known default root password in this way, as well.
My brief experiments with using autostart.sh in this way have been unsuccessful. The entire “etc” file system is read-only (by design). No changes can be made to /etc/ssh/sshd_config, nor can that file simply be overwritten.
However, it does appear that LibreElec has a feature in its UI (see here) called “Disable SSH Passwords” (requiring public key, instead). Perhaps that is something that can be supported in the Lakka UI. Perhaps it already is supported within underlying config files used by the Lakka UI?
Additionally, it does appear that systemctl is able to pass args to sshd on startup, at least according to this Lakka file on github. I haven’t determined where $SSH_ARG is configured, though. With this, it would presumably be possible to pass PasswordAuthentication=no to sshd (which is a good idea only after specifying a key in /storage/.ssh/authorized_keys for public key authentication).
Success, though in a limited way.
Define “SSH_ARGS” in /storage/.cache/services/sshd.conf
SSH_ARGS="-o PasswordAuthentication=no"
Any sshd parameters supported by /etc/ssh/sshd_config can be specified in this way. They are used on the command line when sshd is activated. Command line parameters override parameters found in /etc/ssh/sshd_config.
However, the contents of /storage/.cache/services/sshd.conf do not survive reboot. 
Adding the following to “autostart.sh” is possible though
SSHDCONF=/storage/.cache/services/sshd.conf
[[ -e ${SSHDCONF} ]] && echo 'SSH_ARGS="-o PasswordAuthentication=no"' >> ${SSHDCONF} && systemctl restart sshd &
Works for me ™, even with reboots
1 Like