Re: NEW: cannot ssh to my computer
On Mon, 22 Nov 2004 00:05:33 -0500, Ivan Georgiev [EMAIL PROTECTED] wrote:
> Just another thing ...
>
> If I remove myself from the group wheel then I CAN ssh to my computer;
> if I put myself back to wheel - then CANNOT ssh to the computer.
>
> How can I ssh and be a member of the wheel group?

In that case, maybe PermitRootLogin yes in /etc/ssh/sshd_config and restarting sshd would help.

Regards,
Panagiotis
RE: NEW: cannot ssh to my computer
Correct me if I'm wrong, but just because a user is a part of the WHEEL group, does that mean he/she is root? Or equivalent of root? I know a lot of things like su - may require you to be in the wheel group, but I'm not sure why a user has to be non-wheel group in order to log in.

I think using SUDO is better than putting any user into wheel, too. But that's just me.

James H

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob
Sent: Monday, November 22, 2004 10:10 PM
To: FreeBSD
Subject: Re: NEW: cannot ssh to my computer

Panagiotis Christias wrote:
> On Mon, 22 Nov 2004 00:05:33 -0500, Ivan Georgiev [EMAIL PROTECTED] wrote:
> > Just another thing ...
> >
> > If I remove myself from the group wheel then I CAN ssh to my computer;
> > if I put myself back to wheel - then CANNOT ssh to the computer.
> >
> > How can I ssh and be a member of the wheel group?
>
> In that case, maybe PermitRootLogin yes in /etc/ssh/sshd_config and restarting sshd would help.

For testing purpose, yes. The default is no. I think allowing root login in a not-secure environment is a bad idea.

R.
Re: NEW: cannot ssh to my computer
* Panagiotis Christias [EMAIL PROTECTED] [1116 09:16]:
> On Mon, 22 Nov 2004 00:05:33 -0500, Ivan Georgiev [EMAIL PROTECTED] wrote:
> > Just another thing ...
> >
> > If I remove myself from the group wheel then I CAN ssh to my computer;
> > if I put myself back to wheel - then CANNOT ssh to the computer.
> >
> > How can I ssh and be a member of the wheel group?
>
> In that case, maybe PermitRootLogin yes in /etc/ssh/sshd_config and restarting sshd would help.

That setting shouldn't affect wheel logins.

--
Yeah, life is hilariously cruel. - Bender
Rasputin :: Jack of All Trades - Master of Nuns
Re: NEW: cannot ssh to my computer
On Monday 22 November 2004 06:39 am, Dick Davies wrote:
> * Panagiotis Christias [EMAIL PROTECTED] [1116 09:16]:
> > On Mon, 22 Nov 2004 00:05:33 -0500, Ivan Georgiev [EMAIL PROTECTED] wrote:
> > > Just another thing ...
> > >
> > > If I remove myself from the group wheel then I CAN ssh to my computer;
> > > if I put myself back to wheel - then CANNOT ssh to the computer.
> > >
> > > How can I ssh and be a member of the wheel group?
> >
> > In that case, maybe PermitRootLogin yes in /etc/ssh/sshd_config and restarting sshd would help.
>
> That setting shouldn't affect wheel logins.

Changing PermitRootLogin to yes didn't do it
Re: NEW: cannot ssh to my computer
James Hong wrote:
> Correct me if I'm wrong, but just because a user is a part of the WHEEL group, does that mean he/she is root? Or equivalent of root? I know a lot of things like su - may require you to be in the wheel group, but I'm not sure why a user has to be non-wheel group in order to log in.
>
> I think using SUDO is better than putting any user into wheel, too. But that's just me.
>
> James H

To my knowledge the wheel group has no special privileges and its only purpose is to allow a normal user to become (su) root, that's it.
Re: NEW: cannot ssh to my computer
On Mon, Nov 22, 2004 at 07:41:32AM -0500, Ivan Georgiev typed:
> On Monday 22 November 2004 06:39 am, Dick Davies wrote:
> > * Panagiotis Christias [EMAIL PROTECTED] [1116 09:16]:
> > > On Mon, 22 Nov 2004 00:05:33 -0500, Ivan Georgiev [EMAIL PROTECTED] wrote:
> > > > Just another thing ...
> > > >
> > > > If I remove myself from the group wheel then I CAN ssh to my computer;
> > > > if I put myself back to wheel - then CANNOT ssh to the computer.
> > > >
> > > > How can I ssh and be a member of the wheel group?
> > >
> > > In that case, maybe PermitRootLogin yes in /etc/ssh/sshd_config and restarting sshd would help.
> >
> > That setting shouldn't affect wheel logins.
>
> Changing PermitRootLogin to yes didn't do it

You don't by any chance have a line DenyGroups wheel in your /etc/ssh/sshd_config, do you?

Ruben
Re: NEW: cannot ssh to my computer
On Monday 22 November 2004 08:25 am, Ruben de Groot wrote:
> On Mon, Nov 22, 2004 at 07:41:32AM -0500, Ivan Georgiev typed:
> > On Monday 22 November 2004 06:39 am, Dick Davies wrote:
> > > * Panagiotis Christias [EMAIL PROTECTED] [1116 09:16]:
> > > > On Mon, 22 Nov 2004 00:05:33 -0500, Ivan Georgiev [EMAIL PROTECTED] wrote:
> > > > > Just another thing ...
> > > > >
> > > > > If I remove myself from the group wheel then I CAN ssh to my computer;
> > > > > if I put myself back to wheel - then CANNOT ssh to the computer.
> > > > >
> > > > > How can I ssh and be a member of the wheel group?
> > > >
> > > > In that case, maybe PermitRootLogin yes in /etc/ssh/sshd_config and restarting sshd would help.
> > >
> > > That setting shouldn't affect wheel logins.
> >
> > Changing PermitRootLogin to yes didn't do it
>
> You don't by any chance have a line DenyGroups wheel in your /etc/ssh/sshd_config, do you?
>
> Ruben

No, I do not have any Deny* entries in the /etc/sshd_config file.
Re: NEW: cannot ssh to my computer
On Mon, 22 Nov 2004 08:35:58 -0500, Ivan Georgiev [EMAIL PROTECTED] wrote:
> On Monday 22 November 2004 08:25 am, Ruben de Groot wrote:
> > On Mon, Nov 22, 2004 at 07:41:32AM -0500, Ivan Georgiev typed:
> > > On Monday 22 November 2004 06:39 am, Dick Davies wrote:
> > > > * Panagiotis Christias [EMAIL PROTECTED] [1116 09:16]:
> > > > > On Mon, 22 Nov 2004 00:05:33 -0500, Ivan Georgiev [EMAIL PROTECTED] wrote:
> > > > > > Just another thing ...
> > > > > >
> > > > > > If I remove myself from the group wheel then I CAN ssh to my computer;
> > > > > > if I put myself back to wheel - then CANNOT ssh to the computer.
> > > > > >
> > > > > > How can I ssh and be a member of the wheel group?
> > > > >
> > > > > In that case, maybe PermitRootLogin yes in /etc/ssh/sshd_config and restarting sshd would help.
> > > >
> > > > That setting shouldn't affect wheel logins.
> > >
> > > Changing PermitRootLogin to yes didn't do it
> >
> > You don't by any chance have a line DenyGroups wheel in your /etc/ssh/sshd_config, do you?
> >
> > Ruben
>
> No, I do not have any Deny* entries in the /etc/sshd_config file.

Can other wheel users log in?

-Aaron
Re: NEW: cannot ssh to my computer
+++ Ivan Georgiev [freebsd] [22-11-04 07:41 -0500]:
| On Monday 22 November 2004 06:39 am, Dick Davies wrote:
| > * Panagiotis Christias [EMAIL PROTECTED] [1116 09:16]:
| > > On Mon, 22 Nov 2004 00:05:33 -0500, Ivan Georgiev [EMAIL PROTECTED] wrote:
| > > > Just another thing ...
| > > >
| > > > If I remove myself from the group wheel then I CAN ssh to my computer;
| > > > if I put myself back to wheel - then CANNOT ssh to the computer.
| > > >
| > > > How can I ssh and be a member of the wheel group?
| > >
| > > In that case, maybe PermitRootLogin yes in /etc/ssh/sshd_config and
| > > restarting sshd would help.
| >
| > That setting shouldn't affect wheel logins.
|
| Changing PermitRootLogin to yes didn't do it

what's in /etc/hosts.allow?

Regards,
Shantanoo
Re: NEW: cannot ssh to my computer
On Monday 22 November 2004 08:42 am, cape canaveral wrote:
> On Mon, 22 Nov 2004 08:35:58 -0500, Ivan Georgiev [EMAIL PROTECTED] wrote:
> > On Monday 22 November 2004 08:25 am, Ruben de Groot wrote:
> > > On Mon, Nov 22, 2004 at 07:41:32AM -0500, Ivan Georgiev typed:
> > > > On Monday 22 November 2004 06:39 am, Dick Davies wrote:
> > > > > * Panagiotis Christias [EMAIL PROTECTED] [1116 09:16]:
> > > > > > On Mon, 22 Nov 2004 00:05:33 -0500, Ivan Georgiev [EMAIL PROTECTED] wrote:
> > > > > > > Just another thing ...
> > > > > > >
> > > > > > > If I remove myself from the group wheel then I CAN ssh to my computer;
> > > > > > > if I put myself back to wheel - then CANNOT ssh to the computer.
> > > > > > >
> > > > > > > How can I ssh and be a member of the wheel group?
> > > > > >
> > > > > > In that case, maybe PermitRootLogin yes in /etc/ssh/sshd_config and restarting sshd would help.
> > > > >
> > > > > That setting shouldn't affect wheel logins.
> > > >
> > > > Changing PermitRootLogin to yes didn't do it
> > >
> > > You don't by any chance have a line DenyGroups wheel in your /etc/ssh/sshd_config, do you?
> > >
> > > Ruben
> >
> > No, I do not have any Deny* entries in the /etc/sshd_config file.
>
> Can other wheel users log in?

No, all of the users in the wheel group cannot ssh
Re: NEW: cannot ssh to my computer
On Monday 22 November 2004 02:59 pm, Shantanoo Mahajan wrote:
> +++ Ivan Georgiev [freebsd] [22-11-04 07:41 -0500]:
> | On Monday 22 November 2004 06:39 am, Dick Davies wrote:
> | > * Panagiotis Christias [EMAIL PROTECTED] [1116 09:16]:
> | > > On Mon, 22 Nov 2004 00:05:33 -0500, Ivan Georgiev [EMAIL PROTECTED] wrote:
> | > > > Just another thing ...
> | > > >
> | > > > If I remove myself from the group wheel then I CAN ssh to my
> | > > > computer; if I put myself back to wheel - then CANNOT ssh to the
> | > > > computer.
> | > > >
> | > > > How can I ssh and be a member of the wheel group?
> | > >
> | > > In that case, maybe PermitRootLogin yes in /etc/ssh/sshd_config and
> | > > restarting sshd would help.
> | >
> | > That setting shouldn't affect wheel logins.
> |
> | Changing PermitRootLogin to yes didn't do it
>
> what's in /etc/hosts.allow?

Whatever is in the default 5-3-RELEASE installation. I haven't touched that :

    ALL : ALL : allow
    #sshd : .evil.cracker.example.com : deny
    ALL : PARANOID : RFC931 20 : deny
    ALL : localhost 127.0.0.1 [::1] : allow
    ALL : my.machine.example.com 192.0.2.35 : allow
    ALL : [fe80::%fxp0]/10 : allow
    ALL : [fe80::]/10 : deny
    ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
    ALL : [2001:db8:2:1::]/64 : allow
    sendmail : localhost : allow
    sendmail : .nice.guy.example.com : allow
    sendmail : .evil.cracker.example.com : deny
    sendmail : ALL : allow
    exim : localhost : allow
    exim : .nice.guy.example.com : allow
    exim : .evil.cracker.example.com : deny
    exim : ALL : allow
    rpcbind : 192.0.2.32/255.255.255.224 : allow
    rpcbind : 192.0.2.96/255.255.255.224 : allow
    rpcbind : ALL : deny
    ypserv : localhost : allow
    ypserv : .unsafe.my.net.example.com : deny
    ypserv : .my.net.example.com : allow
    ypserv : ALL : deny
    ftpd : localhost : allow
    ftpd : .nice.guy.example.com : allow
    ftpd : .evil.cracker.example.com : deny
    ftpd : ALL : allow
    fingerd : ALL \
        : spawn (echo Finger. | \
         /usr/bin/mail -s tcpd\: [EMAIL PROTECTED] fingered me! root) \
        : deny
    ALL : ALL \
        : severity auth.info \
        : twist /bin/echo You are not welcome to use %d from %h.
Re: NEW: cannot ssh to my computer
On Mon, 22 Nov 2004 00:05:33 -0500 Ivan Georgiev [EMAIL PROTECTED] wrote:
> Just another thing ...
>
> If I remove myself from the group wheel then I CAN ssh to my computer;
> if I put myself back to wheel - then CANNOT ssh to the computer.
>
> How can I ssh and be a member of the wheel group?

hello ivan,

it might be worth your while to check /etc/login.access to see if you have refused remote logins by wheel.

hth,
epi

> Ivan
Re: NEW: cannot ssh to my computer
> > Just another thing ...
> >
> > If I remove myself from the group wheel then I CAN ssh to my computer;
> > if I put myself back to wheel - then CANNOT ssh to the computer.
> >
> > How can I ssh and be a member of the wheel group?
>
> hello ivan,
>
> it might be worth your while to check /etc/login.access to see if you have refused remote logins by wheel.
>
> hth,
> epi

Thank you so very much Epi !!!

I guess I have put this

    -:wheel:ALL EXCEPT LOCAL

in /etc/login.access but had no recollection of doing it. After commenting it out the problem is gone.

Many thanks to all that helped solving my mysterious/trivial problem !

Regards,
Ivan
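The rule found above, `-:wheel:ALL EXCEPT LOCAL`, denies every wheel member from any origin that is not local, which is why removing the account from wheel restored ssh access. The following is an added example, not part of the thread or of FreeBSD's code: a small Python evaluator for login.access(5) rules (first matching line decides, default is allow). The client addresses, the `RULES_SCOPED` variant and all function names are constructed for illustration, and it assumes sshd consults /etc/login.access through its PAM account check.

```python
# Added example: a minimal login.access(5) rule evaluator.
# Line format: permission:users:origins  ('+' grants, '-' denies).

def _tokens(field):
    return field.replace(",", " ").split()

def _list_match(tokens, matches):
    # "A EXCEPT B" matches when A matches and B does not.
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_match(tokens[:i], matches)
                and not _list_match(tokens[i + 1:], matches))
    return any(matches(t) for t in tokens)

def _origin_match(tok, origin):
    if tok == "ALL":
        return True
    if tok == "LOCAL":              # any origin with no dot, e.g. a tty name
        return "." not in origin
    if tok.startswith("."):         # domain suffix such as ".example.com"
        return origin.lower().endswith(tok.lower())
    if tok.endswith("."):           # network prefix such as "192.0.2."
        return origin.startswith(tok)
    return tok.lower() == origin.lower()

def check_access(rules, user, groups, origin):
    """Return (allowed, deciding_line). The first matching line decides;
    when no line matches, access is granted."""
    for raw in rules.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.count(":") < 2:
            continue                # blank, comment, or malformed line
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        user_ok = _list_match(
            _tokens(users), lambda t: t in ("ALL", user) or t in groups)
        origin_ok = _list_match(
            _tokens(origins), lambda t: _origin_match(t, origin))
        if user_ok and origin_ok:
            return perm == "+", line
    return True, None

# The rule quoted in the thread, the reported fix (commented out), and a
# constructed variant that also exempts one network (192.0.2.0/24 is a
# documentation range, chosen here for illustration).
RULES = "-:wheel:ALL EXCEPT LOCAL\n"
RULES_FIXED = "#-:wheel:ALL EXCEPT LOCAL\n"
RULES_SCOPED = "-:wheel:ALL EXCEPT LOCAL 192.0.2.\n"

if __name__ == "__main__":
    cases = [  # (rules, user, groups, origin): all values constructed
        (RULES, "ivan", {"ivan", "wheel"}, "198.51.100.7"),
        (RULES, "ivan", {"ivan", "wheel"}, "ttyv0"),
        (RULES, "ivan", {"ivan"}, "198.51.100.7"),
        (RULES_FIXED, "ivan", {"ivan", "wheel"}, "198.51.100.7"),
        (RULES_SCOPED, "ivan", {"ivan", "wheel"}, "192.0.2.35"),
        (RULES_SCOPED, "ivan", {"ivan", "wheel"}, "198.51.100.7"),
    ]
    for rules, user, groups, origin in cases:
        allowed, line = check_access(rules, user, groups, origin)
        print(f"{user} {sorted(groups)} from {origin}: "
              f"{'allow' if allowed else 'deny'} ({line or 'no rule matched'})")
```

The `RULES_SCOPED` case shows the middle ground between the original rule and commenting it out: wheel members stay blocked from arbitrary remote hosts but can log in from one named network.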
Re: NEW: cannot ssh to my computer
On Mon, 22 Nov 2004 22:37:19 -0500 Ivan Georgiev [EMAIL PROTECTED] wrote:
> > > Just another thing ...
> > >
> > > If I remove myself from the group wheel then I CAN ssh to my computer;
> > > if I put myself back to wheel - then CANNOT ssh to the computer.
> > >
> > > How can I ssh and be a member of the wheel group?
> >
> > hello ivan,
> >
> > it might be worth your while to check /etc/login.access to see if you have refused remote logins by wheel.
> >
> > hth,
> > epi
>
> Thank you so very much Epi !!!
>
> I guess I have put this
>
>     -:wheel:ALL EXCEPT LOCAL
>
> in /etc/login.access but had no recollection of doing it. After commenting it out the problem is gone.

hello again ivan,

fwiw, your 'problem' may actually be better than your 'solution'. with all the script kiddies who are running ssh brute force attempts against the root user account (check your logs), it is wise to use 'su' or 'sudo' to elevate your privileges on that box, rather than logging in as root.

naturally, you can harden ssh somewhat and even restrict logins by ip addy in login.access, but if you're not doing that, i humbly suggest that you think twice about enabling root ssh to your box.

cheers,
epi

> Many thanks to all that helped solving my mysterious/trivial problem !
>
> Regards,
> Ivan
Re: NEW: cannot ssh to my computer
> > I guess I have put this
> >
> >     -:wheel:ALL EXCEPT LOCAL
> >
> > in /etc/login.access but had no recollection of doing it. After commenting it out the problem is gone.
>
> hello again ivan,
>
> fwiw, your 'problem' may actually be better than your 'solution'. with all the script kiddies who are running ssh brute force attempts against the root user account (check your logs), it is wise to use 'su' or 'sudo' to elevate your privileges on that box, rather than logging in as root.
>
> naturally, you can harden ssh somewhat and even restrict logins by ip addy in login.access, but if you're not doing that, i humbly suggest that you think twice about enabling root ssh to your box.

I have AllowUsers in /etc/ssh/sshd_config and root is not one of them. So, even though the members of the wheel group are allowed to ssh remotely, the root account is not compromised. Is that right? I tried, just to check, to ssh as root but cannot, the log says

    User root not allowed because not listed in AllowUsers

Let me know if I am wrong.

Thanks again,
Ivan
Re: NEW: cannot ssh to my computer
Just another thing ...

If I remove myself from the group wheel then I CAN ssh to my computer;
if I put myself back to wheel - then CANNOT ssh to the computer.

How can I ssh and be a member of the wheel group?

Ivan
Re: NEW: cannot ssh to my computer
Ivan Georgiev wrote:
> Hello,
>
> Please excuse my re-posting of the same problem but, simply, I have no clue how to fix my account. Below you can see the previous postings.
>
> What puzzles me is that if I create a new user this user can connect through ssh with no problems. Only my account is rejected.

As far as I know, ssh stores the user's ssh files in ~/.ssh/. How about moving this .ssh out of the way by

    mv .ssh ssh_copy

and try again? If that solves your problem, you should inspect the files in that ssh directory.

Rob.
Re: NEW: cannot ssh to my computer
On Saturday 20 November 2004 07:51 pm, Rob wrote:
> Ivan Georgiev wrote:
> > Hello,
> >
> > Please excuse my re-posting of the same problem but, simply, I have no clue how to fix my account. Below you can see the previous postings.
> >
> > What puzzles me is that if I create a new user this user can connect through ssh with no problems. Only my account is rejected.
>
> As far as I know, ssh stores the user's ssh files in ~/.ssh/. How about moving this .ssh out of the way by
>
>     mv .ssh ssh_copy
>
> and try again? If that solves your problem, you should inspect the files in that ssh directory.
>
> Rob.

I already did that, i.e. removed my ~/.ssh directory and tried again. Unfortunately this didn't solve the problem.

Ivan
RE: NEW: cannot ssh to my computer - Found word(s) XXX in the Text body
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Georgiev
Sent: Saturday, November 20, 2004 4:21 PM
To: [EMAIL PROTECTED]
Subject: [KEYWORD GFI SPAM] - NEW: cannot ssh to my computer - Found word(s) XXX in the Text body

Hello,

Please excuse my re-posting of the same problem but, simply, I have no clue how to fix my account. Below you can see the previous postings.

What puzzles me is that if I create a new user this user can connect through ssh with no problems. Only my account is rejected.

Thank you for your help,
Ivan

-----

Hello Ivan:

Have you confirmed that all of your local files have the correct permissions *and* ownership? Are you the appropriate owner of your own directory?

Mike
Re: NEW: cannot ssh to my computer
> Hello,
>
> Please excuse my re-posting of the same problem but, simply, I have no clue how to fix my account. Below you can see the previous postings.
>
> What puzzles me is that if I create a new user this user can connect through ssh with no problems. Only my account is rejected.
>
> Thank you for your help,
> Ivan
>
> -----
>
> Hello Ivan:
>
> Have you confirmed that all of your local files have the correct permissions *and* ownership? Are you the appropriate owner of your own directory?
>
> Mike

Hi Mike,

Yes, all of the files/directories in my home directory have the right ownership. I do not know what you mean by right permission since each type of file can have different permissions. If you meant the permissions in my ~/.ssh directory they are:

    bash-2.05b$ ll
    total 234
    drwx------   2 ivan  ivan     512 Nov 19 22:05 .
    drwxr-xr-x  28 ivan  ivan  198656 Nov 20 21:04 ..
    -rw-r--r--   1 ivan  ivan     595 Nov 19 22:05 authorized_keys
    -rw-------   1 ivan  ivan     668 Nov 19 22:00 id_dsa
    -rw-r--r--   1 ivan  ivan     595 Nov 19 22:00 id_dsa.pub
    -rw-r--r--   1 ivan  ivan    1817 Nov 20 14:20 known_hosts

Another interesting thing that I missed before in var/log/messages is :

    sshd[45489]: error: PAM: success for ivan from

while in /var/log/auth.log I see:

    sshd[45489]: Failed keyboard-interactive/pam for ivan from ... port 56269 ssh2

Thanks for your help,
Ivan
RE: NEW: cannot ssh to my computer
-----Original Message-----
From: Ivan Georgiev [mailto:[EMAIL PROTECTED]
Sent: Saturday, November 20, 2004 6:11 PM
To: [EMAIL PROTECTED]
Cc: Michael Smith
Subject: Re: NEW: cannot ssh to my computer

> Hello,
>
> Please excuse my re-posting of the same problem but, simply, I have no clue how to fix my account. Below you can see the previous postings.
>
> What puzzles me is that if I create a new user this user can connect through ssh with no problems. Only my account is rejected.
>
> Thank you for your help,
> Ivan
>
> -----
>
> Hello Ivan:
>
> Have you confirmed that all of your local files have the correct permissions *and* ownership? Are you the appropriate owner of your own directory?
>
> Mike

Hi Mike,

Yes, all of the files/directories in my home directory have the right ownership. I do not know what you mean by right permission since each type of file can have different permissions. If you meant the permissions in my ~/.ssh directory they are:

    bash-2.05b$ ll
    total 234
    drwx------   2 ivan  ivan     512 Nov 19 22:05 .
    drwxr-xr-x  28 ivan  ivan  198656 Nov 20 21:04 ..
    -rw-r--r--   1 ivan  ivan     595 Nov 19 22:05 authorized_keys
    -rw-------   1 ivan  ivan     668 Nov 19 22:00 id_dsa
    -rw-r--r--   1 ivan  ivan     595 Nov 19 22:00 id_dsa.pub
    -rw-r--r--   1 ivan  ivan    1817 Nov 20 14:20 known_hosts

Another interesting thing that I missed before in var/log/messages is :

    sshd[45489]: error: PAM: success for ivan from

while in /var/log/auth.log I see:

    sshd[45489]: Failed keyboard-interactive/pam for ivan from ... port 56269 ssh2

Thanks for your help,
Ivan

-----

This may be a stretch but I know that SSH can be quite finicky about directory permissions. Try setting your .ssh directory to 0700. I think the go+x on the directory itself may be causing you problems.

Mike