sometimes the same username is tried more than once. some that got my attention were generic users like “root” or “user”… try sudo pam_abl, it’ll give you a complete list of tried usernames, IPs and their count.
will try next… haven’t done my research on how to do it (appreciate if you’d explain) but it’s on my to-do list.
not really; i have an external disk (and my home folder) for additional backups that i reach through sftp with my user… don’t want to change owner as there are scripts that go with it… it’s doable but is a hassle. additionally, i don’t feel safe that my username is being tested by hackers - if only i could block them by default when an alien ip (or non-local) tried access - but then again, the mail client on my phone may not be able to sync… tough one… it’s my mail account more at risk - ssh ports are closed externally anyway.
It is super simple. On the host that needs to connect, assuming it is some Unix-like system, as the user that will connect, run “ssh-keygen -t ed25519”, choose a passphrase when asked to do so (same as password, but for the same level of entropy, a list of random words is much easier to remember than a list of random characters). This creates ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub.
In freedombox, when logged in via plinth, click on the user (upper right corner), modify, copy the contents of ~/.ssh/id_ed25519.pub in the “Allowed SSH keys” box, type your password and apply changes. Then, try to connect via ssh as usual, it should ask for the passphrase and then log in (there is some delay, this is normal). If your system has ssh-agent configured, in one session, it only asks you once for the passphrase.
If you want to connect from the same machine to other machines via ssh, add the contents of ~/.ssh/id_ed25519.pub in ~/.ssh/authorized_keys of the user on the machines you want to connect.
The thing at the end of the .pub file, like user@host is just a comment to help you remember which user and host the key is from when you look at ~/.ssh/authorized_keys (so you know what to remove if you want to remove something). If you don’t like the comment you get by default, use -C what_you_want in the ssh-keygen command.
To deactivate password authentication for ssh:
in freedombox in plinth, System->SSH and tick the option
in other systems, in /etc/ssh/sshd_config, uncomment #PasswordAuthentication yes, replace yes with no, save and restart sshd service
I deactivate password authentication in all systems I use. For sftp for freedombox remote backup (public key authentication not supported, unfortunately), I make an exception for the backup user only and with limitation to sftp and chroot (I wrote down the details for this, can publish).
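A way to check that the sshd_config edit described above actually took effect, as an added example that is not part of the original posts: sshd uses the first value it finds for a keyword, so a leftover line or a Match block can keep passwords enabled. The sample config, the user name "backup" and the path /srv/backup are constructed for illustration, and the parser assumes whitespace-separated "Keyword value" lines.

```sh
#!/bin/sh
# Added example: static check of an sshd_config-style file.
# Keywords are case-insensitive; the first global value wins.

# Print the global PasswordAuthentication value ("yes" is sshd's default).
global_password_auth() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }             # skip blanks and comments
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == "passwordauthentication" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# Print the criteria of every Match block that re-enables passwords.
password_exceptions() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { $1 = ""; sub(/^ /, ""); block = $0; seen = 0; next }
        block != "" && !seen && tolower($1) == "passwordauthentication" {
            seen = 1
            if (tolower($2) == "yes") print block
        }
    ' "$1"
}

# Constructed sample: commented default, a duplicate line, one exception.
sample_config() {
    cat <<'EOF'
#PasswordAuthentication yes
PubkeyAuthentication yes
passwordauthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
    ForceCommand internal-sftp
    ChrootDirectory /srv/backup
Match Address 192.168.1.0/24
    PasswordAuthentication no
EOF
}

cfg=$(mktemp)
sample_config > "$cfg"
echo "global PasswordAuthentication: $(global_password_auth "$cfg")"
echo "Match blocks that still allow passwords:"
password_exceptions "$cfg"
```

On a live host, `sshd -T` (run as root) prints the effective settings sshd will actually use, which is the authoritative check.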
thanks @Avron - super explanation. will try next thing i sit at my pc. worth a lot : ) will get back to you on how it goes
EDIT: Configuring SSH keys solves the problem! Now, even though my user gets blocked by pam, i can log in through terminal (and file manager) with ssh key authorization. Marking thread as SOLVED! Thank you @Avron @joseph @timmy for taking the time on my thread!