Re: New Deb 8 and no sshd access from other hosts

2016-03-30 Thread David Wright
On Wed 30 Mar 2016 at 07:02:46 (-0500), Tom Browder wrote:
> On Saturday, March 26, 2016, David Wright  wrote:
> >
> > A bit early for [SOLVED], I think.
> 
> I respectfully disagree, David.

Correct me if I'm wrong, but I make the assumption that putting
[SOLVED] in the subject line is so that people searching for



will find such a tagged post and be able to follow the method therein
to potentially fix their problem.

> > On Sat 26 Mar 2016 at 12:08:37 (-0500), Tom Browder wrote:
> > > On Fri, Mar 25, 2016 at 12:12 PM, Tom Browder  
> > > wrote:
> > > > I have installed Deb on my laptop and reused my old Deb 7 .ssh 
> > > > directory.
> ...
> >
> > Not such a wonderful resource if it is so easily misunderstood. The
> > idea is to fix the permissions, not make your installation less secure.
> 
> I agree.

But it's the first step on your solution post. It would be usual to
edit out false trails and red herrings from a solution.

> > > Based on the comments from jvp, I looked closer at my home directory on
> > > the laptop and, sure enough, the permissions were too loose (first I
> ...

In the snipped section, you would have people set their home directory
permissions to 0700. Debian by default sets them to 0755, which others
might be unwittingly relying on.

> > > Then, in the upper window, I saw the problem.  Directory '/usr/local',
> > > under which my .ssh directory is actually located, was reported to
> > > have bad permissions:
> > >
> > >   Authentication refused: bad ownership or modes for directory /usr/local
> ...
> > >
> > >  I checked and they were, surprisingly:
> > >
> > >   # ls -ld /usr/local
> > >   drwxrwsr-x 31 root staff 4096 Mar 24 07:37 /usr/local
> > >
> > > I don't know how that happened, but it must have happened during the
> > > upgrade two days ago when I continued to use my original partition
> > > mounted as '/usr/local' which was not supposed to have been touched.
> ...

If this was a Debian installation, one would expect the ownerships and
permissions as posted.

> > I don't know what happened long before that! When did /usr/local
> > become your home directory?
> 
> See below.
> 
> > > Anyway, as root, I fixed the permissions back to what I think is correct:
> > >
> > >   # chmod 00755 /usr/local
> > >   # ls -ld /usr/local
> > >   drwxr-xr-x 31 root staff 4096 Mar 24 07:37 /usr/local
> >
> > So now the system is degraded a bit more. The correct permissions, in
> > fact the entire contents, are:
> ...
> 
> Who says those permissions are correct? I checked the file system
> standard which says that /usr/local is optional. I provide my own
> /usr/local partition which I save when reinstalling a new OS and see no
> reason to provide setuid or setgid for it.

The last paragraph of section 9.1.2 Site-specific programs in the
Debian Policy Manual.

> When I first started
> administering Unix systems on SGI in 1993, the user home directories
> were in /usr/local/people and I kept using that as I transitioned the
> hosts under my control to Linux systems in 1994.

That is very historical. While you're free to configure your system
any way you choose, it's not sensible to suggest that others should
do this by tagging your post [SOLVED]. AFAICT Linux has never used
/usr/local/ in that way.

> Over the years on my own systems I have found it convenient to keep
> home system resource directories and files (.bashrc, .profile,
> .bash_aliase, .xemacs, .ssh, etc.) in a version-controlled, personal
> directory under /usr/local. I then soft link those back to whatever
> the newly installed system sets as my home directory. It has worked
> fine until the Debian 8 install set the permissions as noted which
> interfered with strict ssh.

Again, you're free to configure your system any way you choose.
However, /usr should effectively be readonly software with, possibly,
configuration files, whereas your .ssh/ directory is not readonly;
for example, known_hosts and authorized_keys get modified on the fly.
So your way of fixing your problem is not a general solution for
anyone because most of the post concerns your highly individually
configured system. That's what made me unhappy about your [SOLVED]
tag. I hope you'll understand.

Cheers,
David.



Re: New Deb 8 and no sshd access from other hosts

2016-03-30 Thread Tom Browder
On Saturday, March 26, 2016, David Wright  wrote:
>
> A bit early for [SOLVED], I think.

I respectfully disagree, David.

> On Sat 26 Mar 2016 at 12:08:37 (-0500), Tom Browder wrote:
> > On Fri, Mar 25, 2016 at 12:12 PM, Tom Browder  wrote:
> > > I have installed Deb on my laptop and reused my old Deb 7 .ssh directory.
...
>
> Not such a wonderful resource if it is so easily misunderstood. The
> idea is to fix the permissions, not make your installation less secure.

I agree.

> > Based on the comments from jvp, I looked closer at my home directory on
> > the laptop and, sure enough, the permissions were too loose (first I
...
> > Then, in the upper window, I saw the problem.  Directory '/usr/local',
> > under which my .ssh directory is actually located, was reported to
> > have bad permissions:
> >
> >   Authentication refused: bad ownership or modes for directory /usr/local
...
> >
> >  I checked and they were, surprisingly:
> >
> >   # ls -ld /usr/local
> >   drwxrwsr-x 31 root staff 4096 Mar 24 07:37 /usr/local
> >
> > I don't know how that happened, but it must have happened during the
> > upgrade two days ago when I continued to use my original partition
> > mounted as '/usr/local' which was not supposed to have been touched.
...
> I don't know what happened long before that! When did /usr/local
> become your home directory?

See below.

> > Anyway, as root, I fixed the permissions back to what I think is correct:
> >
> >   # chmod 00755 /usr/local
> >   # ls -ld /usr/local
> >   drwxr-xr-x 31 root staff 4096 Mar 24 07:37 /usr/local
>
> So now the system is degraded a bit more. The correct permissions, in
> fact the entire contents, are:
...

Who says those permissions are correct? I checked the file system
standard which says that /usr/local is optional. I provide my own
/usr/local partition which I save when reinstalling a new OS and see no
reason to provide setuid or setgid for it. When I first started
administering Unix systems on SGI in 1993, the user home directories
were in /usr/local/people and I kept using that as I transitioned the
hosts under my control to Linux systems in 1994.

Over the years on my own systems I have found it convenient to keep
home system resource directories and files (.bashrc, .profile,
.bash_aliase, .xemacs, .ssh, etc.) in a version-controlled, personal
directory under /usr/local. I then soft link those back to whatever
the newly installed system sets as my home directory. It has worked
fine until the Debian 8 install set the permissions as noted which
interfered with strict ssh.

Anyway, all is well now.

Thanks, David.

Best regards,

-Tom



Re: New Deb 8 and no sshd access from other hosts [SOLVED]

2016-03-26 Thread Andrew McGlashan
Hi,

On 27/03/2016 10:04 AM, Tom Browder wrote:
> On Saturday, March 26, 2016, Andrew McGlashan
> I usually restrict with known IP addresses (static ones) and sometimes
> with users having to be in a specific group that allows ssh.  Also,
> authorized keys enforced instead of passwords.
> 
> At the moment I'm the sole user, although I'm considering giving limited
> access to a few folks later.  How do you manage the server while
> traveling--some kind of personal VPN?

I have access to a couple of servers via a secure RDP tool [1] that I
can work from; those servers have a static IP and those IPs are in my
allowed list.  Firewalls stop access unless it is coming from the
right locations, and I also implement hosts.deny and hosts.allow in the mix.

I used to have a static IP HSPA service; I should have kept that as it
gives a static IP on a 4G LTE network (actually I think it was only a 3G
network).  In the past I have rebuilt an Oracle database from export
dump files via a Nokia 9000 Communicator's terminal app with a 9600 baud
GSM modem.  Who says Apple were first to /real/ smart phones ;-)

Have considered port knocking, but never set that up.

There are lots of options I can work with, even an email to my own mail
server, specially crafted to run a script to open up the connecting IP.

Another option would be to set up OpenVPN, which shouldn't be too hard,
but I haven't had to do it yet.

So, right now, it is more simple with the AADS servers being available.

Kind Regards
AndrewM

[1] http://aads-worldwide.com/







Re: New Deb 8 and no sshd access from other hosts [SOLVED]

2016-03-26 Thread Tom Browder
On Saturday, March 26, 2016, Andrew McGlashan <andrew.mcglas...@affinityvision.com.au> wrote:
>
> On 27/03/2016 4:08 AM, Tom Browder wrote:
> > On Fri, Mar 25, 2016 at 12:12 PM, Tom Browder 
> wrote:

...

> > I found this wonderful resource:
> >
> >   http://www.unixlore.net/articles/troubleshooting-ssh-connections.html
>
> That was a JIT find (just in time) only written up 26th March, 2016.


JIT, indeed!  I hadn't noticed the date!  I give my thanks to the
author(s). (I haven't found any attribution there yet.)


> Once you have everything good, make sure that you change StrictModes
> back to default.


Thanks, Andrew. I did but forgot to say so.


> I usually restrict with known IP addresses (static ones) and sometimes
> with users having to be in a specific group that allows ssh.  Also,
> authorized keys enforced instead of passwords.


At the moment I'm the sole user, although I'm considering giving limited
access to a few folks later.  How do you manage the server while
traveling--some kind of personal VPN?

Best regards,

-Tom


Re: New Deb 8 and no sshd access from other hosts [SOLVED]

2016-03-26 Thread Andrew McGlashan


On 27/03/2016 4:08 AM, Tom Browder wrote:
> On Fri, Mar 25, 2016 at 12:12 PM, Tom Browder  wrote:
>> I have installed Deb on my laptop and reused my old Deb 7 .ssh directory.
>>
>> I can now ssh into the existing remote servers but cannot ssh into my
>> laptop from them (as a normal user)--I always get asked for a
>> password.  So the remote servers recognize my old Deb 7 keys, but
>> apparently my laptop doesn't recognize the other servers' keys.
> ...
> 
> I found this wonderful resource:
> 
>   http://www.unixlore.net/articles/troubleshooting-ssh-connections.html

That was a JIT find (just in time) only written up 26th March, 2016.

Once you have everything good, make sure that you change StrictModes
back to default.

I usually restrict with known IP addresses (static ones) and sometimes
with users having to be in a specific group that allows ssh.  Also,
authorized keys enforced instead of passwords.

Cheers
A.





Re: New Deb 8 and no sshd access from other hosts

2016-03-26 Thread David Wright
A bit early for [SOLVED], I think.

On Sat 26 Mar 2016 at 12:08:37 (-0500), Tom Browder wrote:
> On Fri, Mar 25, 2016 at 12:12 PM, Tom Browder  wrote:
> > I have installed Deb on my laptop and reused my old Deb 7 .ssh directory.
> >
> > I can now ssh into the existing remote servers but cannot ssh into my
> > laptop from them (as a normal user)--I always get asked for a
> > password.  So the remote servers recognize my old Deb 7 keys, but
> > apparently my laptop doesn't recognize the other servers' keys.
> ...
> I found this wonderful resource:
>   http://www.unixlore.net/articles/troubleshooting-ssh-connections.html
> which helped me solve the problem.
> 
> First, in file '/etc/ssh/sshd_config', I changed the line
>   StrictModes yes
> to this
>   StrictModes no
> and restarted the ssh server.  As root:
>   # invoke-rc.d ssh restart
> Then I attempted the ssh login and it worked!

Not such a wonderful resource if it is so easily misunderstood. The
idea is to fix the permissions, not make your installation less secure.

> Based on the comments from jvp, I looked closer at my home directory on
> the laptop and, sure enough, the permissions were too loose (first I
> have ever heard of that, but then again I haven't looked at 'man ssh'
> in many years).  Note that I have for all the years after ssh came
> along been setting the .ssh permissions correctly, but I've never run
> into a problem with the home directory.  In fact, when I was working
> at our office on site (up until the end of 2008), we commonly allowed
> read access between user directories but ssh still worked.
> 
> But after setting the home directory permissions to 00700 and
> restarting ssh, the login still didn't work!

[...]

> Then, in the upper window, I saw the problem.  Directory '/usr/local',
> under which my .ssh directory is actually located, was reported to
> have bad permissions:
> 
>   Authentication refused: bad ownership or modes for directory /usr/local
> 
>  I checked and they were, surprisingly:
> 
>   # ls -ld /usr/local
>   drwxrwsr-x 31 root staff 4096 Mar 24 07:37 /usr/local
> 
> I don't know how that happened, but it must have happened during the
> upgrade two days ago when I continued to use my original partition
> mounted as '/usr/local' which was not supposed to have been touched.

I don't know what happened long before that! When did /usr/local
become your home directory?

> Anyway, as root, I fixed the permissions back to what I think is correct:
> 
>   # chmod 00755 /usr/local
>   # ls -ld /usr/local
>   drwxr-xr-x 31 root staff 4096 Mar 24 07:37 /usr/local

So now the system is degraded a bit more. The correct permissions, in
fact the entire contents, are:

$ ls -l /usr/
drwxr-xr-x   2 root root  81920 Mar 26 00:59 bin
drwxr-xr-x   2 root root   4096 Apr 26  2015 games
drwxr-xr-x  39 root root  16384 Feb 16 16:55 include
drwxr-xr-x 156 root root  36864 Mar 14 07:16 lib
drwxrwsr-x  10 root staff  4096 Oct 10  2012 local
drwxr-xr-x   2 root root  12288 Mar 14 07:16 sbin
drwxr-xr-x 319 root root  12288 Jan 20 19:22 share
drwxr-xr-x   6 root root   4096 Mar  4 00:39 src
$ ls -l /usr/local/
drwxrwsr-x  2 root staff 4096 Oct 10  2012 bin
drwxrwsr-x  2 root staff 4096 Oct 10  2012 etc
drwxrwsr-x  2 root staff 4096 Oct 10  2012 games
drwxrwsr-x  2 root staff 4096 Oct 10  2012 include
drwxrwsr-x  4 root staff 4096 Dec 15  2014 lib
lrwxrwxrwx  1 root staff    9 Oct 10  2012 man -> share/man
drwxrwsr-x  2 root staff 4096 Oct 10  2012 sbin
drwxrwsr-x 10 root staff 4096 Aug 21  2015 share
drwxrwsr-x  2 root staff 4096 Oct 10  2012 src
$

So is this really the case as you said it was earlier:
$ ls -l ~/.ssh/authorized_keys
-rw------- 1 yourname yourname 3136 Jul 28  2015 /home/yourname/.ssh/authorized_keys
$ grep yourname /etc/passwd
yourname:x:1000:1000:Your Name,,,:/home/yourname:/bin/bash
$

Cheers,
David.



Re: New Deb 8 and no sshd access from other hosts [SOLVED]

2016-03-26 Thread Tom Browder
On Fri, Mar 25, 2016 at 12:12 PM, Tom Browder  wrote:
> I have installed Deb on my laptop and reused my old Deb 7 .ssh directory.
>
> I can now ssh into the existing remote servers but cannot ssh into my
> laptop from them (as a normal user)--I always get asked for a
> password.  So the remote servers recognize my old Deb 7 keys, but
> apparently my laptop doesn't recognize the other servers' keys.
...

I found this wonderful resource:

  http://www.unixlore.net/articles/troubleshooting-ssh-connections.html

which helped me solve the problem.

First, in file '/etc/ssh/sshd_config', I changed the line

  StrictModes yes

to this

  StrictModes no

and restarted the ssh server.  As root:

  # invoke-rc.d ssh restart

Then I attempted the ssh login and it worked!

Based on the comments from jvp, I looked closer at my home directory on
the laptop and, sure enough, the permissions were too loose (first I
have ever heard of that, but then again I haven't looked at 'man ssh'
in many years).  Note that I have for all the years after ssh came
along been setting the .ssh permissions correctly, but I've never run
into a problem with the home directory.  In fact, when I was working
at our office on site (up until the end of 2008), we commonly allowed
read access between user directories but ssh still worked.

But after setting the home directory permissions to 00700 and
restarting ssh, the login still didn't work!

Then I looked at the resource page where it showed how to debug the
whole ssh login session.  I used two terminal windows stacked one
above the other.  In the top window, on the laptop (local host) I
became root and executed the following:

  # /usr/sbin/sshd -d -p 

and in the lower window I logged into the remote host and, as my
normal user self, executed the following:

  $ ssh -vv -p  jv2

where 'jv2' is the host name of my laptop.

Then, in the upper window, I saw the problem.  Directory '/usr/local',
under which my .ssh directory is actually located, was reported to
have bad permissions:

  Authentication refused: bad ownership or modes for directory /usr/local

 I checked and they were, surprisingly:

  # ls -ld /usr/local
  drwxrwsr-x 31 root staff 4096 Mar 24 07:37 /usr/local

I don't know how that happened, but it must have happened during the
upgrade two days ago when I continued to use my original partition
mounted as '/usr/local' which was not supposed to have been touched.

Anyway, as root, I fixed the permissions back to what I think is correct:

  # chmod 00755 /usr/local
  # ls -ld /usr/local
  drwxr-xr-x 31 root staff 4096 Mar 24 07:37 /usr/local

restarted the ssh server, and the login worked as advertised--whew!

Thanks to all who offered help.

Best regards,

-Tom
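The "bad ownership or modes for directory /usr/local" message in Tom's post above, and David's point in his reply that the cure is to repair permissions rather than switch StrictModes off, both come from a single check in sshd. The script below is an added example, not code from this thread or from OpenSSH: it reproduces that check on a constructed directory tree laid out as Tom describes (a .ssh soft link pointing under a group-writable /usr/local), and assumes GNU coreutils `stat -c` and `readlink -f`.

```shell
#!/bin/sh
# Re-implementation of the path walk sshd performs under "StrictModes yes"
# (OpenSSH's secure_filename/safe_path): the key file is resolved with
# realpath, then it and every directory above it, up to and including the
# user's home directory (or "/"), must be owned by root or the user and must
# not be group- or world-writable. Added example, not code from the thread
# or from OpenSSH; assumes GNU coreutils (stat -c, readlink -f).

# strictmodes_check FILE UID HOMEDIR
# Prints the first path sshd would reject and returns 1; returns 0 when every
# component passes, 2 when a component cannot be examined.
strictmodes_check() {
    p=$(readlink -f "$1") || return 2
    uid=$2
    home=$(readlink -f "$3") || return 2
    while :; do
        info=$(stat -L -c '%u %a' "$p" 2>/dev/null) || { echo "cannot stat $p"; return 2; }
        owner=${info%% *}
        mode=${info##* }
        if [ "$owner" -ne 0 ] && [ "$owner" -ne "$uid" ]; then
            echo "bad ownership for $p (uid $owner)"
            return 1
        fi
        # 022 = group-write | other-write. A setgid 2775 directory such as the
        # thread's /usr/local still carries the 020 bit and is rejected.
        if [ $((0$mode & 022)) -ne 0 ]; then
            echo "bad modes for $p ($mode)"
            return 1
        fi
        # sshd stops once it has checked the home directory itself, so a .ssh
        # soft link that resolves outside $HOME drags every parent of the real
        # location into the check; that is how /usr/local got involved.
        [ "$p" = "$home" ] && return 0
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# make_tree: constructed layout mirroring the thread (not a real system):
# $root/home/tom/.ssh -> $root/usr/local/people/tom/.ssh, with /usr/local
# drwxrwsr-x as Debian ships it. Prints $root, which the demo below passes as
# the home directory so the walk stops there rather than continuing into the
# real /tmp, which is world-writable and would itself be rejected.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/local/people/tom/.ssh" "$root/home/tom"
    chmod 755 "$root/usr" "$root/usr/local/people" \
              "$root/usr/local/people/tom" "$root/home" "$root/home/tom"
    chmod 2775 "$root/usr/local"
    chmod 700 "$root/usr/local/people/tom/.ssh"
    touch "$root/usr/local/people/tom/.ssh/authorized_keys"
    chmod 600 "$root/usr/local/people/tom/.ssh/authorized_keys"
    ln -s "$root/usr/local/people/tom/.ssh" "$root/home/tom/.ssh"
    printf '%s\n' "$root"
}

root=$(make_tree)
key=$root/home/tom/.ssh/authorized_keys
strictmodes_check "$key" "$(id -u)" "$root" || echo "-> rejected, as in the thread"
chmod 755 "$root/usr/local"            # the fix Tom applied
strictmodes_check "$key" "$(id -u)" "$root" && echo "-> accepted after the fix"
rm -rf "$root"
```

Running the check against the real path sshd would open (`~/.ssh/authorized_keys`, your uid, your home directory) reports the same component that `sshd -d` complains about, without touching sshd_config.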



Re: New Deb 8 and no sshd access from other hosts

2016-03-25 Thread Tom Browder
On Fri, Mar 25, 2016 at 12:33 PM, Jörg-Volker Peetz  wrote:
> I'd first check file permissions in your .ssh directory (see man ssh).
> If they are o.k.,  I'd call ssh with one or more -v switches.

Oh, duh, forgot about the '-v' option--I'll work with that and report back.

Thanks, jvp!

-Tom



Re: New Deb 8 and no sshd access from other hosts

2016-03-25 Thread Tom Browder
On Fri, Mar 25, 2016 at 12:38 PM, David Wright  wrote:
> On Fri 25 Mar 2016 at 12:12:44 (-0500), Tom Browder wrote:
>> I have installed Deb on my laptop and reused my old Deb 7 .ssh directory.
>>
>> I can now ssh into the existing remote servers but cannot ssh into my
>> laptop from them (as a normal user)--I always get asked for a
>> password.  So the remote servers recognize my old Deb 7 keys, but
>> apparently my laptop doesn't recognize the other servers' keys.
...
>> Can anyone suggest where to look next?
>
> What you lost on your laptop is ~/.ssh/authorized_keys which would
> have had the public keys from your ~/.ssh/ on each of the remote hosts.

No, the authorized_keys are still there.

Thanks.

-Tom



Re: New Deb 8 and no sshd access from other hosts

2016-03-25 Thread David Wright
On Fri 25 Mar 2016 at 12:12:44 (-0500), Tom Browder wrote:
> I have installed Deb on my laptop and reused my old Deb 7 .ssh directory.
> 
> I can now ssh into the existing remote servers but cannot ssh into my
> laptop from them (as a normal user)--I always get asked for a
> password.  So the remote servers recognize my old Deb 7 keys, but
> apparently my laptop doesn't recognize the other servers' keys.
> 
> I have compared files:
> 
>   /etc/ssh/ssh_conf
>   /etc/ssh/sshd_conf
>   /etc/pam.d/ssh/sshd
> 
> between the laptop and the remote server and can see no significant
> difference for a normal user.
> 
> I can also see the host names in the .ssh/known_hosts file.  I do see
> that my laptop host's entries in the remote host's known_hosts are of
> type "EDCSA" while the remote host's entries in the laptop's
> known_hosts file are of type "RSA."
> 
> Can anyone suggest where to look next?

What you lost on your laptop is ~/.ssh/authorized_keys which would
have had the public keys from your ~/.ssh/ on each of the remote hosts.
You can write them back by typing
$ ssh-copy-id -i ~/.ssh/id_rsa.pub your-user-name@laptop
on each of the remote servers in turn.

Now, when you-on-the-remote-host try to contact the laptop with ssh,
the laptop will use the public key (that you just copied) to ascertain
that you-on-the-remote-host know the private key of the pair, and let
you in.

Cheers,
David.



Re: New Deb 8 and no sshd access from other hosts

2016-03-25 Thread Jörg-Volker Peetz
I'd first check file permissions in your .ssh directory (see man ssh).
If they are o.k.,  I'd call ssh with one or more -v switches.

Regards,
jvp.




Re: New Deb 8 and no sshd access from other hosts

2016-03-25 Thread Tom Browder
On Fri, Mar 25, 2016 at 12:12 PM, Tom Browder  wrote:
> I have installed Deb on my laptop and reused my old Deb 7 .ssh directory.
...
> that my laptop host's entries in the remote host's known_hosts are of
> type "EDCSA" while the remote host's entries in the laptop's

That should have been "ECDSA."