Re: SSHD AllowUsers not limiting users anymore
Hi Chris, I'm not aware of anything special in my PAM configuration, I think It is still using the default configs. user1 is a complete different user than any other, It has its unique user id. If a create a brand new user, the same problem happens. I could say I'm using the correct /etc/ssh/sshd_config because other changes to the file are read. To be sure, as you can see at my last e-mail, I passed the -f command line option to run sshd. The DenyUsers option is not working as well. I tried it with user1 and it does not block the user. Below follow my /etc/pam.d/sshd, if you need any other file, please, let me know. Thanks again for your help. # PAM configuration for the Secure Shell service # Standard Un*x authentication. @include common-auth # Disallow non-root logins when /etc/nologin exists. accountrequired pam_nologin.so # Uncomment and edit /etc/security/access.conf if you need to set complex # access limits that are hard to express in sshd_config. # account required pam_access.so # Standard Un*x authorization. @include common-account # SELinux needs to be the first session rule. This ensures that any # lingering context has been cleared. Without this it is possible that a # module could execute code in the wrong domain. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close # Set the loginuid process attribute. sessionrequired pam_loginuid.so # Create a new session keyring. sessionoptional pam_keyinit.so force revoke # Standard Un*x session setup and teardown. @include common-session # Print the message of the day upon successful login. # This includes a dynamically generated part from /run/motd.dynamic # and a static (admin-editable) part from /etc/motd. sessionoptional pam_motd.so motd=/run/motd.dynamic sessionoptional pam_motd.so noupdate # Print the status of the user's mailbox upon successful login. sessionoptional pam_mail.so standard noenv # [1] # Set up user limits from /etc/security/limits.conf. sessionrequired pam_limits.so # Read environment variables from /etc/environment and # /etc/security/pam_env.conf. sessionrequired pam_env.so # [1] # In Debian 4.0 (etch), locale-related environment variables were moved to # /etc/default/locale, so read that as well. sessionrequired pam_env.so user_readenv=1 envfile=/etc/default/locale # SELinux needs to intervene at login time to ensure that the process starts # in the proper default security context. Only sessions which are intended # to run in the user's context should be run after this. session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open # Standard Un*x password updating. @include common-password On Thu, Nov 12, 2015 at 12:34 PM, Christoph Anton Mitterer < cales...@scientia.net> wrote: > On Wed, 2015-11-11 at 20:20 -0200, Paulo Roberto wrote: > > The option AllowUsers of /etc/ssh/sshd_config stopped working. > I did a small check, and it still works here, as expected... anything > special with your PAM? Are you sure that you checked on the right hosts > with the right sshd_config in place? Or could user1 be a synonym to the > allowed one (i.e. same UID)?) > > Cheers, > Chris.
Re: SSHD AllowUsers not limiting users anymore
On Wed, 2015-11-11 at 20:20 -0200, Paulo Roberto wrote: > The option AllowUsers of /etc/ssh/sshd_config stopped working. I did a small check, and it still works here, as expected... anything special with your PAM? Are you sure that you checked on the right hosts with the right sshd_config in place? Or could user1 be a synonym to the allowed one (i.e. same UID)?) Cheers, Chris. smime.p7s Description: S/MIME cryptographic signature
Trimming posts (was ... Re: SSHD AllowUsers not limiting users anymore)
On Thu, Nov 12, 2015 at 07:25:49PM +0900, Joel Rees wrote: > 2015/11/12 7:20 "Paulo Roberto" : > > > > Dear list, > > > > I need some help. > > > > > > After upgrading the openssh-server package to the version: > > > > ii openssh-server1:6.9p1-2+b1 > amd64 secure shell (SSH) server, for secure access from > remote machines > > > > The option AllowUsers of /etc/ssh/sshd_config stopped working. > > Any user can log through ssh even not present in this option. > > AllowUsers assumes you have set the default to deny, I think. If that got > changed when you merged settings, it would result in what you are seeing. > > If you need more information, I tend to use the archives at marc.info for > the openssh and openbsd lists. Check the archives before you post to the > lists. [230+ lines snipped!!] Hey, come on people, please trim your posts! What surprises me is someone complaining about a posted log file, but seems fine with untrimmed replies. Using gmail is not an excuse, I've seen sensible replies from gmail users. -- "If you're not careful, the newspapers will have you hating the people who are being oppressed, and loving the people who are doing the oppressing." --- Malcolm X
Re: SSHD AllowUsers not limiting users anymore
2015/11/12 7:20 "Paulo Roberto" : > > Dear list, > > I need some help. > > > After upgrading the openssh-server package to the version: > > ii openssh-server1:6.9p1-2+b1 amd64 secure shell (SSH) server, for secure access from remote machines > > The option AllowUsers of /etc/ssh/sshd_config stopped working. > Any user can log through ssh even not present in this option. AllowUsers assumes you have set the default to deny, I think. If that got changed when you merged settings, it would result in what you are seeing. If you need more information, I tend to use the archives at marc.info for the openssh and openbsd lists. Check the archives before you post to the lists. > Before the upgrade everything worked fine. > > I tested the same sshd_config file in my OpenBSD box and there everything worked as expected. > > OpenSSH_6.7, LibreSSL 2.0 > > Could it be a BUG? > > Below follow the sshd debug and my /etc/ssh/sshd_config > > Thanks in advance for your time and help. > > > # /usr/sbin/sshd -D -f /etc/ssh/sshd_config -d > debug1: sshd version OpenSSH_6.9, OpenSSL 1.0.2d 9 Jul 2015 > debug1: private host key #0: ssh-rsa SHA256:* > debug1: private host key #1: ssh-dss SHA256:* > debug1: private host key #2: ecdsa-sha2-nistp521 SHA256:* > debug1: rexec_argv[0]='/usr/sbin/sshd' > debug1: rexec_argv[1]='-D' > debug1: rexec_argv[2]='-f' > debug1: rexec_argv[3]='/etc/ssh/sshd_config' > debug1: rexec_argv[4]='-d' > Set /proc/self/oom_score_adj from 0 to -1000 > debug1: Bind to port 22 on 0.0.0.0. > Server listening on 0.0.0.0 port 22. > debug1: Bind to port 22 on ::. > Server listening on :: port 22. > debug1: Server will not fork when running in debugging mode. > debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 > debug1: inetd sockets after dupping: 3, 3 > Connection from 200.137.21.34 port 53540 on 192.168.1.3 port 22 > debug1: Client protocol version 2.0; client software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 > debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x0400 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_6.9p1 Debian-2+b1 > debug1: permanently_set_uid: 112/65534 [preauth] > debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521 [preauth] > debug1: SSH2_MSG_KEXINIT sent [preauth] > debug1: SSH2_MSG_KEXINIT received [preauth] > debug1: kex: client->server aes256-...@openssh.com none [preauth] > debug1: kex: server->client aes256-...@openssh.com none [preauth] > debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] > debug1: SSH2_MSG_NEWKEYS sent [preauth] > debug1: expecting SSH2_MSG_NEWKEYS [preauth] > debug1: SSH2_MSG_NEWKEYS received [preauth] > debug1: KEX done [preauth] > debug1: userauth-request for user user1 service ssh-connection method none [preauth] > debug1: attempt 0 failures 0 [preauth] > debug1: user user1 does not match group list hg-users at line 93 > debug1: PAM: initializing for "user1" > debug1: PAM: setting PAM_RHOST to "200.137.21.34" > debug1: PAM: setting PAM_TTY to "ssh" > debug1: userauth-request for user user1 service ssh-connection method publickey [preauth] > debug1: attempt 1 failures 0 [preauth] > debug1: test whether pkalg/pkblob are acceptable [preauth] > debug1: temporarily_use_uid: 1000/1000 (e=0/0) > debug1: trying public key file /home/user1/.ssh/authorized_keys > debug1: fd 4 clearing O_NONBLOCK > debug1: restore_uid: 0/0 > debug1: temporarily_use_uid: 1000/1000 (e=0/0) > debug1: trying public key file /home/user1/.ssh/authorized_keys2 > debug1: Could not open authorized keys '/home/user1/.ssh/authorized_keys2': No such file or directory > debug1: restore_uid: 0/0 > Failed publickey for user1 from 200.137.21.34 port 53540 ssh2: RSA SHA256:*** > debug1: userauth-request for user user1 service ssh-connection method password [preauth] > debug1: attempt 2 failures 1 [preauth] > debug1: PAM: password authentication accepted for user1 > debug1: do_pam_account: called > Accepted password for user1 from 200.137.21.34 port 53540 ssh2 > debug1: monitor_child_preauth: user1 has been authenticated by privileged process > debug1: monitor_read_log: child log fd closed > debug1: PAM: establishing credentials > User child is on pid 13122 > debug1: SELinux support disabled > debug1: PAM: establishing credentials > debug1: permanently_set_uid: 1000/1000 > debug1: ssh_packet_set_postauth: called > debug1: Entering interactive session for SSH2. > debug1: server_init_dispatch_20 > debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384 > debug1: input_session_request > debug1: channel 0: new [server-session] > debug1: session_new: session 0 > debug1: session_open: channel 0 > debug1: session_open: session 0: link with channel 0 > debug1: server_input_channel_open: confirm session > debug1: server_input_global_request: rtype no-more-sessi
SSHD AllowUsers not limiting users anymore
Dear list, I need some help. After upgrading the openssh-server package to the version: ii openssh-server1:6.9p1-2+b1 amd64 secure shell (SSH) server, for secure access from remote machines The option AllowUsers of /etc/ssh/sshd_config stopped working. Any user can log through ssh even not present in this option. Before the upgrade everything worked fine. I tested the same sshd_config file in my OpenBSD box and there everything worked as expected. OpenSSH_6.7, LibreSSL 2.0 Could it be a BUG? Below follow the sshd debug and my /etc/ssh/sshd_config Thanks in advance for your time and help. # /usr/sbin/sshd -D -f /etc/ssh/sshd_config -d debug1: sshd version OpenSSH_6.9, OpenSSL 1.0.2d 9 Jul 2015 debug1: private host key #0: ssh-rsa SHA256:Qt/Tvla7baMNHE6zEeKElm9sNWGlRYUjuIDT/tq7D/c debug1: private host key #1: ssh-dss SHA256:jZ4QK8dI46HvGFEMgPnN1C9jcVDYIRSk0UKZhT7fjzM debug1: private host key #2: ecdsa-sha2-nistp521 SHA256:tpsp3EYEixbFgA4TVXiZxxu2ZGDwl4GTGYcBlnk+XiY debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-D' debug1: rexec_argv[2]='-f' debug1: rexec_argv[3]='/etc/ssh/sshd_config' debug1: rexec_argv[4]='-d' Set /proc/self/oom_score_adj from 0 to -1000 debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug1: Bind to port 22 on ::. Server listening on :: port 22. debug1: Server will not fork when running in debugging mode. debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug1: inetd sockets after dupping: 3, 3 Connection from 200.137.21.34 port 53540 on 192.168.1.3 port 22 debug1: Client protocol version 2.0; client software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x0400 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.9p1 Debian-2+b1 debug1: permanently_set_uid: 112/65534 [preauth] debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521 [preauth] debug1: SSH2_MSG_KEXINIT sent [preauth] debug1: SSH2_MSG_KEXINIT received [preauth] debug1: kex: client->server aes256-...@openssh.com none [preauth] debug1: kex: server->client aes256-...@openssh.com none [preauth] debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] debug1: SSH2_MSG_NEWKEYS sent [preauth] debug1: expecting SSH2_MSG_NEWKEYS [preauth] debug1: SSH2_MSG_NEWKEYS received [preauth] debug1: KEX done [preauth] debug1: userauth-request for user user1 service ssh-connection method none [preauth] debug1: attempt 0 failures 0 [preauth] debug1: user user1 does not match group list hg-users at line 93 debug1: PAM: initializing for "user1" debug1: PAM: setting PAM_RHOST to "200.137.21.34" debug1: PAM: setting PAM_TTY to "ssh" debug1: userauth-request for user user1 service ssh-connection method publickey [preauth] debug1: attempt 1 failures 0 [preauth] debug1: test whether pkalg/pkblob are acceptable [preauth] debug1: temporarily_use_uid: 1000/1000 (e=0/0) debug1: trying public key file /home/user1/.ssh/authorized_keys debug1: fd 4 clearing O_NONBLOCK debug1: restore_uid: 0/0 debug1: temporarily_use_uid: 1000/1000 (e=0/0) debug1: trying public key file /home/user1/.ssh/authorized_keys2 debug1: Could not open authorized keys '/home/user1/.ssh/authorized_keys2': No such file or directory debug1: restore_uid: 0/0 Failed publickey for user1 from 200.137.21.34 port 53540 ssh2: RSA SHA256:Rf4KIuZGFt5aUAnoA890Why0iSbfItRf/shVfCEEmuw debug1: userauth-request for user user1 service ssh-connection method password [preauth] debug1: attempt 2 failures 1 [preauth] debug1: PAM: password authentication accepted for user1 debug1: do_pam_account: called Accepted password for user1 from 200.137.21.34 port 53540 ssh2 debug1: monitor_child_preauth: user1 has been authenticated by privileged process debug1: monitor_read_log: child log fd closed debug1: PAM: establishing credentials User child is on pid 13122 debug1: SELinux support disabled debug1: PAM: establishing credentials debug1: permanently_set_uid: 1000/1000 debug1: ssh_packet_set_postauth: called debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_global_request: rtype no-more-sessi...@openssh.com want_reply 0 debug1: server_input_channel_req: channel 0 request pty-req reply 1 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_new: session 0 debug1: SELinux support disabled debug1: session_pty_req: session 0 alloc /dev/pts/4 debug1: server_input_channel_req: channel 0 request env reply 0 debug1: session_by_channel: session 0 channel 0 debug