Bug#726661: Does not permit login as root from version 1:6.2p2-6

2014-11-08 Thread Simon McVittie
I think there are two separate issues here, both with the symptom
"can't log in over ssh as root"; if the maintainer agrees with my
analysis, this bug should probably be cloned.

First one (suggested title: pam_loginuid(sshd:session): set_loginuid failed):

On Thu, 17 Oct 2013 at 20:56:15 +, Andrea Lusuardi wrote:
> Oct 17 20:11:34 nl-01 sshd[25206]: Accepted password for root from IP port 44676 ssh2
> Oct 17 20:11:34 nl-01 sshd[25206]: pam_loginuid(sshd:session): set_loginuid failed
> Oct 17 20:11:34 nl-01 sshd[25206]: pam_unix(sshd:session): session opened for user root by (uid=0)
> Oct 17 20:11:34 nl-01 sshd[25206]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
> Oct 17 20:11:34 nl-01 sshd[25206]: Received disconnect from IP: 11: disconnected by user

As Darren Tucker pointed out, the issue here is that sshd is running under
sysvinit as pid 1, and has been restarted in the context of the sysadmin's
login session, either by the upgrade itself or by explicit sysadmin action.
This means sshd already has a loginuid set, so its child processes are not
allowed to set a different loginuid for the ssh login session.

systemd as pid 1 would be unaffected by this, because it always starts
services as a direct child of pid 1, never a child of the login session
that requested the service start; Upstart as pid 1 would probably
be unaffected for the same reason.

Second issue, which I think is separate (possible title: forbidding root
password login by default is awkward for systems with only root user):

On Sat, 27 Sep 2014 at 10:06:39 -0400, Daniel Richard G. wrote:
> On Sat, 2014 Sep 27 15:40+0200, Thijs Kinkhorst wrote:
> > So am I right to conclude that this bug actually concerns the change
> > that changes PermitRootLogin to without-password?
[...]
> > I think changing this default makes sense from a security perspective
>
> I won't argue that, but I don't see anything in openssh-server's package
> scripts addressing the case of a system with a root user + password but
> no regular user (i.e. root is the only login available).

I'm not sure that this second issue is release-critical, or even a bug,
although I agree it's annoying for virtual machines. It's certainly
a reasonable feature request.

> IMHO it remains best practice of the installer to ask for enable/disable as
> usual (with default to no, but I KNOW HOW TO ANSWER).
> I would be really happy to still have the choice from the installer (this does
> not reduce security of a default installation).

openssh-server already has a debconf question for this, but it's only
used in upgrades, not new installations.

I don't think the installer should ask this at normal priority, because
the more questions the installer asks, the less user-friendly it is;
but it might make sense to default to PermitRootLogin yes if no non-system
uids exist, or ask at a low priority for the expert installer mode,
or at least make it pre-seedable.

S


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
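Simon's last paragraph proposes deciding the PermitRootLogin default from whether any non-system uid exists, and Daniel's point is that a root-only system is otherwise locked out by without-password. The following POSIX shell script is an added example of that check, not code from openssh-server's maintainer scripts or from debian-installer. It assumes the local adduser.conf keeps Debian's default ordinary-user range of 1000 to 59999, and it also looks for a root authorized_keys file, since an installed key keeps root reachable under without-password. The demo data at the bottom is constructed.

```shell
#!/bin/sh
# Added example: a pre-upgrade check for the "root is the only login" case
# discussed in this bug. Not part of openssh-server or debian-installer.

# Debian's adduser.conf allocates ordinary users from FIRST_UID to LAST_UID
# (1000 and 59999 by default); anything outside that range is treated here
# as a system account. Assumption: the local adduser.conf keeps the defaults.
FIRST_UID=1000
LAST_UID=59999

# has_nonsystem_user PASSWD_FILE
# Succeeds if some account in the passwd(5) file has an ordinary-user uid and
# a login shell other than nologin/false, i.e. someone other than root could
# still log in and then use su or sudo.
has_nonsystem_user() {
  awk -F: -v lo="$FIRST_UID" -v hi="$LAST_UID" '
    $3 >= lo && $3 <= hi && $7 !~ /(nologin|false)$/ { found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# root_has_key AUTHORIZED_KEYS_FILE
# Succeeds if the file exists and holds at least one line that is neither
# blank nor a comment: with such a key, PermitRootLogin without-password
# still lets root in.
root_has_key() {
  [ -r "$1" ] && grep -qvE '^[[:space:]]*(#|$)' "$1"
}

# preflight PASSWD_FILE AUTHORIZED_KEYS_FILE
# Prints "ok" when switching to PermitRootLogin without-password leaves some
# way into the machine, "lockout-risk" when root is the only login and has
# no key installed.
preflight() {
  if has_nonsystem_user "$1" || root_has_key "$2"; then
    echo ok
  else
    echo lockout-risk
  fi
}

# --- constructed demo data (not taken from any real system) ---
tmp=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\nsshd:x:104:65534::/run/sshd:/usr/sbin/nologin\n' \
  > "$tmp/passwd.rootonly"
printf 'root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n' \
  > "$tmp/passwd.alice"
printf '# no keys installed yet\n' > "$tmp/keys.empty"
printf 'ssh-ed25519 AAAAC3-placeholder-not-a-real-key root@example\n' > "$tmp/keys.one"

preflight "$tmp/passwd.rootonly" "$tmp/keys.empty"   # lockout-risk
preflight "$tmp/passwd.rootonly" "$tmp/keys.one"     # ok
preflight "$tmp/passwd.alice"    "$tmp/keys.empty"   # ok
rm -rf "$tmp"

# On a live system: preflight /etc/passwd /root/.ssh/authorized_keys
```

The check is deliberately conservative: a non-system account whose shell is nologin or false does not count as a way in, and a missing or comment-only authorized_keys file counts as no key, so "lockout-risk" errs on the side of warning.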



Bug#726661: Does not permit login as root from version 1:6.2p2-6

2014-09-28 Thread Paul Bußmann
On Saturday, 27 September 2014, 10:06:39, Daniel Richard G. wrote:
> On Sat, 2014 Sep 27 15:40+0200, Thijs Kinkhorst wrote:
> > So am I right to conclude that this bug actually concerns the change
> > that changes PermitRootLogin to without-password?
>
> I believe that's the real issue, yes.

[...]
> > However, I recognise that there are people that are using
> > password-based root login who may be surprised by this change. The proper
> > solution therefore may be to add a NEWS.Debian entry so everyone is
> > informed about this change, and a release notes item at that. If those
> > are added, this bug could be closed.
>
> Is there anything that can be done about the unhelpful auth.log
> messages? Package documentation is good, and the permit-root-login
> debconf question also helps there, but a user who is trying to diagnose
> the issue via syslog could use better hints as to what's going on.

I didn't complain about PermitRootLogin (although this seems to be the bug's
cause); my issue is that I am *not able to log in as root*. Even notes in
NEWS.Debian wouldn't let me log in as root. If nothing changes, it would mean
that the system still needs to be patched.
Digging down to manuals/config files is quite uncomfortable.

IMHO it remains best practice of the installer to ask for enable/disable as 
usual (with default to no, but I KNOW HOW TO ANSWER). 
I would be really happy to still have the choice from the installer (this does 
not reduce security of a default installation).





Bug#726661: Does not permit login as root from version 1:6.2p2-6

2014-09-27 Thread Thijs Kinkhorst
All,

> Thank you Paul, indeed it helped me, as I too ran into this issue in a
> fresh Jessie install. I didn't have to downgrade OpenSSH, however, just
> edit PermitRootLogin as you did.

So am I right to conclude that this bug actually concerns the change that 
changes PermitRootLogin to without-password?

I think changing this default makes sense from a security perspective as it 
provides the best compromise between securing a default install versus the 
desire to log in as root directly.

However, I recognise that there are people that are using password-based root 
login who may be surprised by this change. The proper solution therefore may 
be to add a NEWS.Debian entry so everyone is informed about this change, and a 
release notes item at that. If those are added, this bug could be closed.

Colin, what do you think?


Cheers,
Thijs




Bug#726661: Does not permit login as root from version 1:6.2p2-6

2014-09-27 Thread Daniel Richard G.
On Sat, 2014 Sep 27 15:40+0200, Thijs Kinkhorst wrote:

> So am I right to conclude that this bug actually concerns the change
> that changes PermitRootLogin to without-password?

I believe that's the real issue, yes.

> I think changing this default makes sense from a security perspective
> as it provides the best compromise between securing a default install
> versus the desire to log in as root directly.

I won't argue that, but I don't see anything in openssh-server's package
scripts addressing the case of a system with a root user + password but
no regular user (i.e. root is the only login available). That's a valid
outcome of debian-installer, and a typical scenario for me when creating
a Linux VM image, and is how I ended up posting here.

> However, I recognise that there are people that are using
> password-based root login who may be surprised by this change. The proper
> solution therefore may be to add a NEWS.Debian entry so everyone is
> informed about this change, and a release notes item at that. If those
> are added, this bug could be closed.

Is there anything that can be done about the unhelpful auth.log
messages? Package documentation is good, and the permit-root-login
debconf question also helps there, but a user who is trying to diagnose
the issue via syslog could use better hints as to what's going on.





Bug#726661: Does not permit login as root from version 1:6.2p2-6

2014-04-27 Thread Paul Bußmann


On 25.04.2014 23:50, Daniel Richard G. wrote:

> > Hope these steps help saving time the next one googling for debian
> > jessie enable root ssh to workaround this bug ;)
>
> Thank you Paul, indeed it helped me, as I too ran into this issue in a
> fresh Jessie install. I didn't have to downgrade OpenSSH, however, just
> edit PermitRootLogin as you did.


Hi Daniel,

thank you very much for finding the solution to my issue!
Would be indeed nice if the installer would ask if root access should be 
enabled or not.


Best regards,
Paul





Bug#726661: Does not permit login as root from version 1:6.2p2-6

2014-04-25 Thread Daniel Richard G.
> Hope these steps help saving time the next one googling for debian
> jessie enable root ssh to workaround this bug ;)

Thank you Paul, indeed it helped me, as I too ran into this issue in a
fresh Jessie install. I didn't have to downgrade OpenSSH, however, just
edit PermitRootLogin as you did.

I found after the fact that this change is documented in openssh-
server/README.Debian.gz, under the PermitRootLogin header. It was
confusing enough to find that the sshd configuration was the issue, when
/var/log/auth.log suggested pam_unix was at fault:

Apr 25 17:36:55 linux-image sshd[1573]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2  user=root
Apr 25 17:36:57 linux-image sshd[1573]: Failed password for root from 10.0.2.2 port 35103 ssh2
Apr 25 17:37:01 linux-image sshd[1573]: Failed password for root from 10.0.2.2 port 35103 ssh2
Apr 25 17:37:05 linux-image sshd[1573]: Failed password for root from 10.0.2.2 port 35103 ssh2
Apr 25 17:37:05 linux-image sshd[1573]: Connection closed by 10.0.2.2 [preauth]
Apr 25 17:37:05 linux-image sshd[1573]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2  user=root

Anyway, the change comes from Debian bug #298138, which lay dormant for
over nine years before being wrapped up this past March.


--Daniel


-- 
Daniel Richard G. || sk...@iskunk.org
My ASCII-art .sig got a bad case of Times New Roman.
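The confusion Daniel describes, where auth.log blames pam_unix although the real cause is PermitRootLogin, and the loginuid failure reported earlier in this bug leave distinct traces that can be told apart mechanically per sshd pid. The following POSIX shell script is an added example, not part of this bug report or of the openssh-server package; the auth.log excerpt in it is constructed from the patterns quoted in the thread (hostname and addresses are placeholders).

```shell
#!/bin/sh
# Added example: triage sshd entries in auth.log into the failure modes seen
# in this bug. Not part of openssh-server; the excerpt below is constructed
# from the patterns quoted in the thread (host and addresses are placeholders).
SAMPLE_LOG=$(cat <<'EOF'
Apr 25 17:36:55 host sshd[1573]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.2  user=root
Apr 25 17:36:57 host sshd[1573]: Failed password for root from 10.0.2.2 port 35103 ssh2
Apr 25 17:37:05 host sshd[1573]: Connection closed by 10.0.2.2 [preauth]
Oct 17 20:11:34 host sshd[25206]: Accepted password for root from 192.0.2.10 port 44676 ssh2
Oct 17 20:11:34 host sshd[25206]: pam_loginuid(sshd:session): set_loginuid failed
Oct 17 20:11:34 host sshd[25206]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 17 20:11:34 host sshd[25206]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Oct 17 20:11:34 host sshd[25206]: Received disconnect from 192.0.2.10: 11: disconnected by user
Oct 17 20:12:00 host sshd[25300]: Accepted publickey for alice from 192.0.2.11 port 50000 ssh2: RSA SHA256:placeholder
Oct 17 20:12:00 host sshd[25300]: pam_unix(sshd:session): session opened for user alice by (uid=0)
EOF
)

# triage_sshd_log: reads auth.log lines on stdin and prints "PID VERDICT" for
# each sshd process. Verdicts:
#   loginuid-failure       authentication succeeded, then pam_loginuid could
#                          not set the loginuid and pam_open_session failed:
#                          sshd inherited a loginuid from a login session (see
#                          the earlier messages in this bug); the user's
#                          credentials are not the problem
#   root-password-refused  password authentication for root failed before any
#                          session was attempted: consistent with
#                          PermitRootLogin without-password, but the log alone
#                          cannot distinguish it from a plain wrong password
#   ok                     a session opened with no PAM error
triage_sshd_log() {
  awk '
    match($0, /sshd\[[0-9]+\]/) {
      pid = substr($0, RSTART + 5, RLENGTH - 6)
      seen[pid] = 1
      if (index($0, "Accepted "))                accepted[pid] = 1
      if (index($0, "set_loginuid failed"))      loginuid[pid] = 1
      if (index($0, "pam_open_session()"))       opensess[pid] = 1
      if (index($0, "Failed password for root")) rootpw[pid] = 1
      if (index($0, "session opened"))           opened[pid] = 1
    }
    END {
      for (pid in seen) {
        if (accepted[pid] && loginuid[pid] && opensess[pid]) v = "loginuid-failure"
        else if (rootpw[pid] && !accepted[pid])               v = "root-password-refused"
        else if (opened[pid] && !opensess[pid])               v = "ok"
        else                                                  v = "unknown"
        print pid, v
      }
    }'
}

# verdict_for PID: the verdict for one sshd pid in the constructed sample
verdict_for() {
  printf '%s\n' "$SAMPLE_LOG" | triage_sshd_log | awk -v p="$1" '$1 == p { print $2 }'
}

verdict_for 1573    # root-password-refused
verdict_for 25206   # loginuid-failure
verdict_for 25300   # ok

# On a live Debian system: triage_sshd_log < /var/log/auth.log
```

The grouping key is the sshd pid in brackets, which is what ties the "Accepted" line to the later PAM session error; the root-password-refused verdict is only a hint, as the thread notes, because sshd logs the same "Failed password" line for a wrong password.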





Bug#726661: Does not permit login as root from version 1:6.2p2-6

2014-04-20 Thread Paul Bußmann
Confirming that this bug is still open: I freshly installed Debian testing 
Jessie with only SSH Server from tasksel and I was not able to login using 
root, although it is possible to do so in Wheezy.

> Workaround: comment out this line in /etc/pam.d/ssh:
>
> session required pam_loginuid.so

Didn't work. (In fact I reverted all changes to /etc/pam.d/ssh after seeing
that the next step was successful.)

> Downgrading openssh-server to the version on stable (1:6.0p1-4) fixed the
> problem.

This was the helpful hint, thank you very much! Additionally, root login must
be enabled. All in all, this is all that should be needed to downgrade and
enable it:

echo "deb http://ftp.de.debian.org/debian/ wheezy main" >> /etc/apt/sources.list
apt-get update
apt-get remove openssh-server
apt-get install openssh-server=1:6.0p1-4 openssh-client=1:6.0p1-4
sed -i 's/^PermitRootLogin without-password/PermitRootLogin yes/' /etc/ssh/sshd_config
/etc/init.d/ssh restart

Hope these steps help save time for the next one googling for "debian jessie
enable root ssh" to work around this bug ;)





Bug#726661: Does not permit login as root from version 1:6.2p2-6

2014-03-24 Thread Olivier Berger
Hi.

On Mon, Nov 11, 2013 at 12:58:00PM +1100, Darren Tucker wrote:
> Workaround: comment out this line in /etc/pam.d/ssh:
>
> session required pam_loginuid.so
>

Would you care to comment on how this helps, and what the side effects could
be?

FWIW, I'm experiencing a similar issue inside a docker container running sid,
adapted from phusion/baseimage-docker, and even though the workaround helps,
I'm concerned about the impact.

Also, maybe #711289 is relevant to this issue, but it's a bit cryptic to me for 
the moment.

Thanks in advance.

Best regards,

-- 
Olivier BERGER 
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)





Bug#726661: Does not permit login as root from version 1:6.2p2-6

2014-03-24 Thread Darren Tucker
On Mon, Mar 24, 2014 at 11:06 AM, Olivier Berger
olivier.ber...@telecom-sudparis.eu wrote:
> Hi.
>
> On Mon, Nov 11, 2013 at 12:58:00PM +1100, Darren Tucker wrote:
> > Workaround: comment out this line in /etc/pam.d/ssh:
> >
> > session required pam_loginuid.so
>
> Would you care to comment on how this helps, and what the side effects could
> be?

I *think* the only impact is that the audit logs will not have the
correct loginuid associated with them.

The problem is that loginuid, once set, can't be changed, and any
attempt to do so (e.g. by pam_loginuid.so writing to
/proc/self/loginuid) will fail.  In sshd's case this can happen if you run
(or restart) it from the command line.

Here are the links from my notes last time around:
http://www.linux-pam.org/Linux-PAM-html/sag-pam_loginuid.html
https://www.cendio.com/bugzilla/show_bug.cgi?id=4634
https://bugzilla.redhat.com/show_bug.cgi?id=959418

> FWIW, I'm experiencing a similar issue inside a docker container running sid,
> adapted from phusion/baseimage-docker, and even though the workaround helps,
> I'm concerned about the impact.

pam_loginuid.so would try to write to /proc/self/loginuid
unconditionally. If you're not actually trying to switch loginuids,
https://fedorahosted.org/linux-pam/ticket/23 prevents unnecessary
failures in this case by skipping the write if it's already what you
want.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
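Darren's diagnosis can be checked on a running system rather than reconstructed from auth.log afterwards. The following POSIX shell script is an added example, not from this thread, OpenSSH, Linux-PAM or Debian's packaging: it reads the listening sshd's loginuid from /proc and reports whether pam_loginuid can still succeed for new sessions. It assumes the Debian pidfile path /run/sshd.pid and relies on Linux reporting an unset loginuid as 4294967295, i.e. (uid_t)-1.

```shell
#!/bin/sh
# Added example: check whether the running sshd already carries a loginuid,
# which is the condition under which pam_loginuid fails for every new session.
# Not part of OpenSSH, Linux-PAM or Debian's packaging.

# Linux reports an unset audit loginuid as 4294967295, i.e. (uid_t)-1. Once a
# process has a loginuid, a child's write to /proc/self/loginuid fails unless
# it repeats the same value, so sessions under such an sshd cannot set theirs.
LOGINUID_UNSET=4294967295

# classify_loginuid VALUE: prints "unset", "set" or "invalid" (exit status 1)
classify_loginuid() {
  case "$1" in
    "$LOGINUID_UNSET") echo unset ;;
    ''|*[!0-9]*)       echo invalid; return 1 ;;
    *)                 echo set ;;
  esac
}

# loginuid_of PID: prints the loginuid of a running process from /proc
loginuid_of() {
  cat "/proc/$1/loginuid" 2>/dev/null
}

# sshd_loginuid_check [PIDFILE]
# Reads the listening sshd's pid (assumed Debian pidfile: /run/sshd.pid) and
# reports whether pam_loginuid can succeed for new sessions.
# Exit status: 0 healthy (no loginuid); 1 sshd inherited a loginuid from the
# login session that (re)started it; 2 could not determine.
sshd_loginuid_check() {
  pidfile=${1:-/run/sshd.pid}
  [ -r "$pidfile" ] || { echo "cannot read $pidfile" >&2; return 2; }
  pid=$(cat "$pidfile")
  value=$(loginuid_of "$pid") || { echo "cannot read /proc/$pid/loginuid" >&2; return 2; }
  case "$(classify_loginuid "$value")" in
    unset) echo "sshd[$pid]: loginuid unset, pam_loginuid can set one per session"; return 0 ;;
    set)   echo "sshd[$pid]: loginuid already $value; with pam_loginuid in the stack, new sessions fail as in this bug"; return 1 ;;
    *)     echo "sshd[$pid]: unexpected loginuid value '$value'" >&2; return 2 ;;
  esac
}

# Demo against the live pidfile when present (reading /proc/PID/loginuid of
# another user's process may need root).
if [ -r /run/sshd.pid ]; then
  sshd_loginuid_check /run/sshd.pid || echo "exit status $?"
fi
```

A non-zero result from sshd_loginuid_check after an upgrade or a manual restart is the early warning for the "set_loginuid failed" lines quoted in this bug, before anyone is locked out; the fix is to restart sshd from a context without a loginuid (under systemd that is what a service restart already does, as Simon notes), not to drop pam_loginuid from the stack.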





Bug#726661: Does not permit login as root from version 1:6.2p2-6

2014-02-13 Thread Carlos Alberto Lopez Perez
found 726661 1:6.4p1-2
thanks

Hi,

Current version on testing is also affected.

I hit this bug after upgrading a machine. After rebooting it I was unable to
log in again.

In /var/log/auth.log was the following error:
sshd[10480]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session

The machine is configured with PAM/LDAP.

Downgrading openssh-server to the version on stable (1:6.0p1-4) fixed the 
problem.





Bug#726661: Does not permit login as root from version 1:6.2p2-6

2014-02-13 Thread Colin Watson
On Thu, Feb 13, 2014 at 08:14:15PM +0100, Carlos Alberto Lopez Perez wrote:
> I hit this bug after upgrading a machine. After rebooting it I was
> unable to log in again.

Unfortunately I haven't successfully reproduced this yet ...

> In /var/log/auth.log was the following error:
> sshd[10480]: error: PAM: pam_open_session(): Cannot make/remove an entry for
> the specified session

Could you clarify whether "pam_loginuid(sshd:session): set_loginuid
failed" is also in the log, as per the first message in this bug report?

-- 
Colin Watson   [cjwat...@debian.org]





Bug#726661: Does not permit login as root from version 1:6.2p2-6

2014-02-13 Thread Carlos Alberto Lopez Perez
On 13/02/14 22:19, Colin Watson wrote:
> On Thu, Feb 13, 2014 at 08:14:15PM +0100, Carlos Alberto Lopez Perez wrote:
> > I hit this bug after upgrading a machine. After rebooting it I was
> > unable to log in again.
>
> Unfortunately I haven't successfully reproduced this yet ...
>
> > In /var/log/auth.log was the following error:
> > sshd[10480]: error: PAM: pam_open_session(): Cannot make/remove an entry for
> > the specified session
>
> Could you clarify whether "pam_loginuid(sshd:session): set_loginuid
> failed" is also in the log, as per the first message in this bug report?
>

Yes. The complete auth.log for a failed attempt to login as root is:


Feb 13 10:57:41 bb-webkit2-rel-64 sshd[10480]: Accepted publickey for root from 192.168.0.121 port 37267 ssh2: DSA 1a:f2:16:e1:71:43:62:b6:13:af:91:67:e6:f0:59:8a
Feb 13 10:57:41 bb-webkit2-rel-64 sshd[10480]: pam_loginuid(sshd:session): set_loginuid failed
Feb 13 10:57:41 bb-webkit2-rel-64 sshd[10480]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 13 10:57:41 bb-webkit2-rel-64 sshd[10480]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Feb 13 10:57:41 bb-webkit2-rel-64 sshd[10480]: Received disconnect from 192.168.0.121: 11: disconnected by user


It is also worth mentioning that not only login as root was failing,
but also login as any other normal user via PAM/LDAP:

Feb 13 10:57:09 bb-webkit2-rel-64 sshd[10409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ip121.dynamic.igalia.com  user=clopez
Feb 13 10:57:09 bb-webkit2-rel-64 sshd[10409]: Accepted password for clopez from 192.168.0.121 port 37262 ssh2
Feb 13 10:57:09 bb-webkit2-rel-64 sshd[10409]: pam_loginuid(sshd:session): set_loginuid failed
Feb 13 10:57:09 bb-webkit2-rel-64 sshd[10409]: pam_unix(sshd:session): session opened for user clopez by (uid=0)
Feb 13 10:57:09 bb-webkit2-rel-64 sshd[10409]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Feb 13 10:57:09 bb-webkit2-rel-64 sshd[10413]: Received disconnect from 192.168.0.121: 11: disconnected by user


I didn't try with a local normal (non-root) user,
but I can give it a try if you think it is worth it.





Bug#726661: Does not permit login as root from version 1:6.2p2-6

2013-11-10 Thread Darren Tucker
Workaround: comment out this line in /etc/pam.d/ssh:

session required pam_loginuid.so

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


Bug#726661: Does not permit login as root from version 1:6.2p2-6

2013-10-17 Thread Andrea Lusuardi
Package: openssh-server
Version: 1:6.0p1-4
Severity: grave

Installed openssh-server on Debian stable. As soon as I update the
package to the latest version (it is reported against the other version as
I cannot log in if the package is not at that version), login becomes impossible
with the error

Oct 17 20:11:34 nl-01 sshd[25206]: Accepted password for root from IP port 44676 ssh2
Oct 17 20:11:34 nl-01 sshd[25206]: pam_loginuid(sshd:session): set_loginuid failed
Oct 17 20:11:34 nl-01 sshd[25206]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 17 20:11:34 nl-01 sshd[25206]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
Oct 17 20:11:34 nl-01 sshd[25206]: Received disconnect from IP: 11: disconnected by user

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 
'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-5-vserver-amd64 (SMP w/24 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.51
ii  dpkg                   1.17.1
ii  libc6                  2.17-93
ii  libcomerr2             1.42.8-1
ii  libgssapi-krb5-2       1.11.3+dfsg-3
ii  libkrb5-3              1.11.3+dfsg-3
ii  libpam-modules         1.1.3-7.1
ii  libpam-runtime         1.1.3-7.1
ii  libpam0g               1.1.3-7.1
ii  libselinux1            2.1.13-3
ii  libssl1.0.0            1.0.1e-3
ii  libwrap0               7.6.q-24
ii  lsb-base               4.1+Debian12
ii  openssh-client         1:6.0p1-4
ii  procps                 1:3.3.8-2
ii  zlib1g                 1:1.2.8.dfsg-1

Versions of packages openssh-server recommends:
ii  ncurses-term             5.9+20130608-1
ii  openssh-blacklist        0.4.1+nmu1
ii  openssh-blacklist-extra  0.4.1+nmu1
ii  xauth                    1:1.0.7-1

Versions of packages openssh-server suggests:
pn  molly-guard   <none>
pn  monkeysphere  <none>
pn  rssh          <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/encrypted_host_key_but_no_keygen:
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false

