I have a public IP address, so I set up the SSH honeypot according to the documentation, but I don’t know how to disable password and keyboard-interactive access. I tried changing the /etc/config/sshd file in many ways, but without success. The changes are propagated to /var/etc/ssh/sshd_config:
PermitRootLogin without-password
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
UsePrivilegeSeparation sandbox
Subsystem sftp /usr/lib/sftp-server
but when I restart the Turris Omnia, disable the certificate and try to connect:
Authentications that can continue: publickey, keyboard-interactive,password
Next authentication method: publickey
How can I disable everything except publickey?
There’s no point in disabling password authentication for the honeypot. Your router acts just as a proxy forwarding the SSH traffic towards the real honeypot, which is located in CZ.NIC, so you are not able to alter its settings.
Sorry for the missing information. I have real SSH on a random number port and I am solving this issue for the real SSH, not for the honeypot. It would be perfect to extend the official Turris documentation with “how to disable password authentication” instead of unhelpful links to external Linux tutorials.
In my case, it works as expected. I’ve added this to /etc/config/sshd:
option PasswordAuthentication no
option ChallengeResponseAuthentication no
And now the SSH is asking only for the public key:
$ SSH_AUTH_SOCK= ssh -lroot 192.168.1.1 -S none -v
…
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
…
debug1: No more authentication methods to try.
Permission denied (publickey).
Can you show me the content of your /var/etc/ssh/sshd_config?
# cat /var/etc/ssh/sshd_config
# auto-generated config file from /etc/config/sshd
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePrivilegeSeparation sandbox
TrustedUserCAKeys /etc/ssh/sshd_authorized_CA
Subsystem sftp /usr/lib/sftp-server
BTW, are you sure you are not hitting the honeypot? Are you able to log in normally?
Yes, I am sure.
I have the honeypot on port 22 and normal SSH on port 3xxx, and with the certificate enabled I can log in without a problem. When I disable the certificate I am asked for a password. No password works, so it looks good, but I want to remove the option from “Authentications that can continue”.
UPDATE: I set my /etc/config/sshd to produce a /var/etc/ssh/sshd_config exactly like yours, and when I try to connect I get:
Authentications that can continue: publickey, keyboard-interactive,password

UPDATE 2: The problem is not on the Turris Omnia side. I switched my Android SSH app from JuiceSSH to ConnectBot and the result is much better.
Trying to authenticate
[Your host doesn't support 'password' or 'keyboard-interactive' authentication]
Connection Lost
So it looks like everything is good.
Thanks for your time.
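The check used in the exchange above (reading the server's "Authentications that can continue" line from a verbose OpenSSH client), written as an added example that is not part of any post in this thread. The function names and the two sample inputs are constructed for illustration; the samples are modelled on the outputs quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: read `ssh -v` client output on stdin and
# report which authentication methods the server advertised.

# Print the advertised methods, one per line, sorted and de-duplicated.
# Accepts the optional "debug1: " prefix and spaces after commas, both of
# which occur in the outputs quoted in the thread.
advertised_methods() {
    sed -n 's/^\(debug1: \)\{0,1\}Authentications that can continue: *//p' |
        tr ',' '\n' | tr -d ' \r' | sed '/^$/d' | sort -u
}

# Exit 0 only if the server offered publickey and nothing else.
# Exit 1 if other methods are offered, 2 if no method list was found.
only_publickey() {
    methods=$(advertised_methods)
    if [ -z "$methods" ]; then
        echo "no method list found in input" >&2
        return 2
    fi
    extra=$(printf '%s\n' "$methods" | grep -vx 'publickey' || true)
    if [ -n "$extra" ]; then
        # $extra is left unquoted on purpose so the lines join with spaces.
        echo "server still offers:" $extra >&2
        return 1
    fi
    return 0
}

# Constructed sample: password and keyboard-interactive still advertised.
SAMPLE_BEFORE='Authentications that can continue: publickey, keyboard-interactive,password
Next authentication method: publickey'

# Constructed sample: only publickey advertised.
SAMPLE_AFTER='debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey'

for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if printf '%s\n' "$sample" | only_publickey; then
        echo "OK: publickey only"
    else
        echo "FAIL: other methods advertised"
    fi
done
```

For a live check, redirect the verbose output of the OpenSSH command quoted earlier in the thread into the function, for example `SSH_AUTH_SOCK= ssh -lroot 192.168.1.1 -S none -v 2>&1 | only_publickey`.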
Where do I put my public key?
I don’t find the default folder (.ssh/authorized_keys).
There are some keys in /etc/sshd/, but I don’t think that is the right place.
Dropbear had a Luci interface, is there an interface for SSHd?
Create the folder and file:
ssh root@192.168.1.1
mkdir ~/.ssh
chmod 0700 ~/.ssh
cat > ~/.ssh/authorized_keys
# paste the contents of id_rsa.pub and press ctrl+d
chmod 0600 ~/.ssh/authorized_keys
Thank you.
That worked.
I was expecting the folder to exist, because it is in the default config file.