I want to make my HA installation remotely accessible with an SSH tunnel (I installed the SSH+Terminal add-on). It is running on a RPi 4 with Home Assistant OS. Following this guide Securing - Home Assistant (home-assistant.io) I would forbid root login via SSH. I think once this function is disabled I won’t be able to access the file system with root permissions, right? How would I reset this without access?
FYI,
I just ran a little experiment. I used the ssh add-on to log in and made the changes per the guide you referenced (PermitRootLogin no), then logged out and restarted the add-on. I was able to log back in. It turns out that on a container restart, the add-on rewrites the /etc/ssh/sshd_config file back to what it was originally with PermitRootLogin yes. While the guide is a good idea, apparently it does not apply to hassos. Also, to add to this, there don’t appear to be any regular users known by the ssh addon container, so even if you could change PermitRootLogin no there really isn’t another user to use as a login.
That’s a bit of a security problem I think. Do you know how I could restrict root login (for example only from local network)? I guess not if there’s no other user available to login as.
To let you know as well, the add-on prevents password based logins (PasswordAuthentication no), so I think the only way for someone to get in using ssh is to have the key.
I just changed to this SSH addon. Changing the default ssh username in the configuration of the addon will automatically result in the setting PermitRootLogin no in /etc/ssh/sshd_config. This setting will stay even after restarting the addon.
So in my opinion a hacker would need to have 1. the changed username and 2. the key (if one is still using passwords: the password).
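
To check whether an edit to /etc/ssh/sshd_config survived an add-on restart, as discussed in the posts above, the file can be audited for the two directives the thread names. This is an added example, not code from the thread or from either add-on; the function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the directives discussed in this thread.

# Print the global value of keyword $2 in sshd_config file $1.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and everything after a Match line is conditional,
# so parsing stops there. Prints "unset" when no global value exists.
sshd_value() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        tolower($1) == "match" { exit }        # conditional section starts
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Compare file $1 against the wanted PermitRootLogin ($2) and
# PasswordAuthentication ($3). Returns 0 if both match, 1 on drift.
audit_sshd() {
    file=$1 want_root=$2 want_pw=$3 rc=0
    root=$(sshd_value "$file" PermitRootLogin)
    pw=$(sshd_value "$file" PasswordAuthentication)
    [ "$root" = "$want_root" ] || { echo "DRIFT PermitRootLogin=$root (wanted $want_root)"; rc=1; }
    [ "$pw" = "$want_pw" ] || { echo "DRIFT PasswordAuthentication=$pw (wanted $want_pw)"; rc=1; }
    return $rc
}

# Constructed samples: the file as hand-edited, and the file as it looks
# once a restart has put "PermitRootLogin yes" back.
tmp=$(mktemp -d)
printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$tmp/edited"
cat > "$tmp/restored" <<'EOF'
# PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
Match User example
    AllowTcpForwarding no
EOF

audit_sshd "$tmp/edited" no no && echo "edited: OK"
audit_sshd "$tmp/restored" no no || echo "restored: root login is enabled again"
```

Pointing `audit_sshd` at /etc/ssh/sshd_config inside the add-on container after a restart shows whether the manual edit is still in place.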