On 06/18/2017 09:57 AM, Harry Putnam wrote:
> David Christensen <[email protected]> writes:
>
>> On 06/12/2017 06:39 AM, Harry Putnam wrote:
>>> Running debian jessie in a vbox vm on a Solaris host
>>>
>>> I have what seems like an unusual problem with root login on this
>>> host.
>
> [...]
>
>>> I'm fresh out of ideas as to what else to do here.
>>>
>>> The auth log shows:
>>>
>>> Jun 11 14:50:55 d2 sshd[2830]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=d.local.lan user=root
>>>
>>> Jun 11 14:50:57 d2 sshd[2830]: Failed password for root from 127.0.0.1 port 54522 ssh2
>>
>> Please run the following commands from the console of the jessie vm as
>> root and paste your console session (prompts, commands entered, output
>> obtained). If you redact anything, substitute the phrase
>> '<redacted>':
>>
>> # cat /etc/debian_version
>>
>> # uname -a
>>
>> # dpkg-query --show openssh-server
>>
>> # dpkg-query --show openssh-client
>>
>> # ls -1 /etc/ssh/*ssh*
>>
>> # ls -1 /root/.ssh
>>
>> # egrep -v '^.*#' /etc/ssh/sshd_config | grep .
>>
>> # ssh localhost
>>
>> # tail /var/log/auth.log
>
> Thanks for the prod... I should have included at least some of that.
>
> ------- ------- ---=--- ------- -------
>
> diagnostic_data:
>
> root # cat /etc/debian_version
> 8.8
>
> root # uname -a
> Linux d2 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux
>
> root # dpkg-query --show openssh-server
> openssh-server 1:6.7p1-5+deb8u3
>
> root # dpkg-query --show openssh-client
> openssh-client 1:6.7p1-5+deb8u3
>
> root # ls -1 /etc/ssh/*ssh*
> /etc/ssh/ssh_config
> /etc/ssh/sshd_config
> /etc/ssh/sshd_config~
> /etc/ssh/ssh_host_dsa_key
> /etc/ssh/ssh_host_dsa_key.pub
> /etc/ssh/ssh_host_ecdsa_key
> /etc/ssh/ssh_host_ecdsa_key.pub
> /etc/ssh/ssh_host_ed25519_key
> /etc/ssh/ssh_host_ed25519_key.pub
> /etc/ssh/ssh_host_rsa_key
> /etc/ssh/ssh_host_rsa_key.pub
>
> root # egrep -v '^.*#' /etc/ssh/sshd_config | grep .
> Port 22
> Protocol 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
> HostKey /etc/ssh/ssh_host_ed25519_key
> UsePrivilegeSeparation yes
> KeyRegenerationInterval 3600
> ServerKeyBits 1024
> SyslogFacility AUTH
> LogLevel INFO
> LoginGraceTime 120
> PermitRootLogin without-password
This will prevent root login using a password. Only other methods, such as
RSA authentication, are to be permitted.

> StrictModes yes
> RSAAuthentication yes
> PubkeyAuthentication yes
> IgnoreRhosts yes
> RhostsRSAAuthentication no
> HostbasedAuthentication no
> PermitEmptyPasswords no
> ChallengeResponseAuthentication no
> PasswordAuthentication yes
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> TCPKeepAlive yes
> AcceptEnv LANG LC_*
> Subsystem sftp /usr/lib/openssh/sftp-server
> UsePAM yes
> PermitRootLogin yes

This may or may not be effective owing to the above setting of
"PermitRootLogin without-password", depending on how sshd treats duplicate
settings. My (jessie) man page does not say whether the first or last
setting will be effective.

>
> root # ssh localhost
> root@localhost's password:
> Permission denied, please try again.
> root@localhost's password:
>
> **** Could not login **** -ed Harry
>
> root # tail /var/log/auth.log
> Jun 18 11:43:17 d2 sshd[1894]: Accepted password for reader from 192.168.1.42 port 40945 ssh2
> Jun 18 11:43:17 d2 sshd[1894]: pam_unix(sshd:session): session opened for user reader by (uid=0)
> Jun 18 11:43:17 d2 systemd-logind[477]: New session 185 of user reader.
> Jun 18 11:43:17 d2 sshd[1897]: Setting tty modes failed: Invalid argument
> Jun 18 11:43:59 d2 su[1917]: Successful su for root by reader
> Jun 18 11:43:59 d2 su[1917]: + /dev/pts/4 reader:root
> Jun 18 11:43:59 d2 su[1917]: pam_unix(su:session): session opened for user root by reader(uid=1000)
> Jun 18 11:45:56 d2 sshd[1963]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=d.local.lan user=root
> Jun 18 11:45:58 d2 sshd[1963]: Failed password for root from 127.0.0.1 port 54526 ssh2
> Jun 18 11:46:03 d2 sshd[1963]: Connection closed by 127.0.0.1 [preauth]
>

My preferences, for what it is worth, are

PermitRootLogin without-password
ChallengeResponseAuthentication no
PasswordAuthentication no
AllowUsers netuser1 \
    netuser2 \
    ... \
    root@localhost \
    root@backuphost

On some systems, "localhost" doesn't work; root@::1 [email protected] is a
workaround. I have not got around to figuring out the differences, and as the
circumvention is trivial it is not a high priority.

This requires arranging to install each user's public key in his or her
.ssh/authorized_keys file, which can be a pain on a large or active network,
but not that much of a problem with up to a few dozen users and systems.

Regards,
Tom Dial
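The duplicate-directive question raised in the reply above can be settled without guessing: OpenSSH's sshd keeps the first value it reads for each keyword (lines inside a Match block are conditional and handled separately), and on a live host `sshd -T` prints the effective configuration. The script below is an added example, not part of the thread; it applies that first-value rule to a constructed copy of the quoted config, whose two PermitRootLogin lines and Match block are sample data.

```shell
#!/bin/sh
# Constructed sample config: the two conflicting PermitRootLogin lines from
# the thread plus a hypothetical Match block, to show where the rule stops.
SAMPLE_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
Protocol 2
PermitRootLogin without-password
  # indented comment, ignored by sshd
LogLevel=INFO
PasswordAuthentication yes
UsePAM yes
PermitRootLogin yes
Match User reader
    PasswordAuthentication no
EOF

# effective_value FILE KEYWORD
# Mirrors sshd: the first global value read for KEYWORD wins; keywords are
# case-insensitive and may be written "Key value" or "Key=value".
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # normalize line
        /^$/ || /^#/ { next }                                # skip blanks/comments
        tolower($1) == "match" { exit }                      # global section ends
        tolower($1) == key { print $2; exit }                # first value wins
    ' "$1"
}

# count_occurrences FILE KEYWORD: how many global lines set KEYWORD
count_occurrences() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^$/ || /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { n++ }
        END { print n + 0 }
    ' "$1"
}

echo "PermitRootLogin effective: $(effective_value "$SAMPLE_CFG" PermitRootLogin)"
echo "PermitRootLogin set $(count_occurrences "$SAMPLE_CFG" PermitRootLogin) times; later lines are ignored"
# On a real host, the authoritative check is:  sshd -T | grep -i permitrootlogin
```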

