Can't login via ssh after update!

Hi guys,
Yesterday I updated my OSMC running on Raspberry Pi 3+ using:
‘sudo apt-get update;sudo apt-get dist-upgrade’

Something has been updated (ssl ?) and after that I’m not able to connect via ssh using username and password from any of my devices!!!
On my laptop I’m able to get connected because I configured the ssh key so I don’t have to insert the password.
I’ve checked and the password is still the same because if I type ‘passwd’ and I enter the wrong password it correctly refuses to change the password.

Any idea? The good thing is that I can connect via ssh from the laptop with ssh key configured but how to solve it? What is the problem?

Share your sshd_config from OSMC.

Also what are the client ssh versions you use?

# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

Try reinstalling ssh-app-osmc:

sudo apt-get install --reinstall ssh-app-osmc

If that doesn’t work, please supply full logs (grab-logs -A).

Are you sure that is from the OSMC machine? Did you install your own SSH server instead of the one from OSMC Store?

This is very similar to the sshd config file from a machine that was compromised by a hacker.

@Bullone, did you have any ports on the Pi running OSMC open to the Internet? Or any of the other machines on your home network?

Thanks for response!

I’ve tried sudo apt-get install --reinstall ssh-app-osmc but still got the issue!

Maybe I’ve followed some guide for installation of jdownloader and/or fail2ban recently but everything was working fine until yesterday when I updated OSMC.

:frowning:

I just remembered that some days before I updated OSMC and it asked me to merge the ssh_config file!!! Ouch! Maybe something went wrong? I’ve saved the old file but I didn’t care because everything worked well…

Do you have port 22 open on the router? If so, consider your device to be compromised, in which case you need to do a full reinstall.

No I don’t have port 22 opened on my router, I’m using a different port with port forwarding…

Why do you think I can get compromised?
I’ve tried to restore the old ssh_config file but… same problem, I can get connected only with ssh key, not with user and password.

Port 22 is the low-hanging fruit but there’s nothing to stop all ports from being probed by the bad guys; it just takes them more time and resources to do so.

What exactly does this mean? What old ssh_config are you referring to? Did you then reboot the box?

If you don’t want to reinstall, please provide full logs (grab-logs -A) and also the output from running ls -l /etc/ssh, together with a listing of the latest sshd_config.

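An added example, not part of any post in this thread: a small Python check that separates the directives actually set in an `sshd_config` from the commented-out defaults, then reports the keywords that decide whether password login is offered. The function names are hypothetical, and `SAMPLE` is constructed from lines of the config posted above.

```python
import re

# Constructed sample: uncommented lines plus a few commented defaults
# taken from the sshd_config posted in this thread.
SAMPLE = """\
PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
AcceptEnv LANG LC_*
#Match User anoncvs
# X11Forwarding no
"""

# Keywords that decide which login methods sshd offers.
AUTH_KEYS = ("passwordauthentication", "pubkeyauthentication",
             "challengeresponseauthentication", "usepam",
             "permitrootlogin", "authenticationmethods")

DIRECTIVE = re.compile(r"(#?)([A-Za-z][A-Za-z0-9]*)[ \t=]+(.+)$")

def parse_sshd_config(text):
    """Return (active, commented) global directives, keyed by lowercase keyword."""
    active, commented = {}, {}
    for raw in text.splitlines():
        m = DIRECTIVE.match(raw.strip())
        if not m:
            continue                      # blank line or prose comment ("# text")
        hashed, key, value = m.group(1), m.group(2).lower(), m.group(3).strip()
        if key == "match":
            if hashed:
                continue                  # commented-out example block
            break                         # later lines apply only conditionally
        # sshd keeps the first value it reads for a keyword.
        (commented if hashed else active).setdefault(key, value)
    return active, commented

def auth_report(text):
    """Map each auth keyword to (value, where that value comes from)."""
    active, commented = parse_sshd_config(text)
    return {k: (active[k], "set") if k in active
            else (commented[k], "commented default") if k in commented
            else (None, "not in file") for k in AUTH_KEYS}

if __name__ == "__main__":
    for key, (value, source) in auth_report(SAMPLE).items():
        print(f"{key:34} {value!s:6} {source}")
```

For the posted file this shows `PasswordAuthentication` left at its commented default and nothing in the global section that turns password login off. The commented values are only what the shipped file states as defaults; on the device itself, `sudo sshd -T` prints the configuration the installed binary would actually use.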