Re: Software for distribution of configuration files and changes

2007-11-23 Thread Jeremy Chadwick
On Fri, Nov 23, 2007 at 02:14:14PM +0800, Quan Qiu wrote:
> > And have you tried actually attempting to log in with root's password
> > that way?  I'm betting it doesn't work.
>
> That really worked for me. I'm running RELENG_5. The cvsid for
> /etc/pam.d/sshd is
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> sshd version:
> OpenSSH_3.8.1p1 FreeBSD-20060930, OpenSSL 0.9.7e-p1 25 Oct 2004
>
> My proof:
>
> Using username root.
> Using keyboard-interactive authentication.
> Password:
> Last login: Fri Nov 23 09:14:27 2007 from 61.136.19.236
> Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
> The Regents of the University of California.  All rights reserved.
>
> FreeBSD 5.5-STABLE (JACKQQNAT) #6: Mon Nov 19 21:33:30 CST 2007
>
> [EMAIL PROTECTED] [~] 13:51 Fri Nov 23
> #cat /etc/pam.d/sshd
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> ...
>
>
> Without PAM:
>
> Using username root.
> [EMAIL PROTECTED]'s password:
> Access denied
> [EMAIL PROTECTED]'s password:

Okay, so then the difference between what you're seeing and what I'm
seeing is likely attributed to either OpenSSH changes (less likely) or
PAM configuration changes between RELENG_5 and RELENG_6 (more likely).

http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/pam.d/sshd

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Software for distribution of configuration files and changes

2007-11-22 Thread Joseph Koshy
> I have searched a lot for software to:
>
> - distribute configuration files from one master to different systems
> - maintain configuration files on one machine for all systems and then send
>   it out
> - push the files, not download them like cvsup
> - maintain files for all systems and files only affecting one system
>
> any ideas and hints would be greatly appreciated.

You could take a look at ISCONF:

http://trac.t7a.org/isconf/
http://www.infrastructures.org/bootstrap/isconf.shtml


-- 
FreeBSD Volunteer, http://people.freebsd.org/~jkoshy


Re: Software for distribution of configuration files and changes

2007-11-22 Thread Quan Qiu
On Nov 22, 2007 1:01 AM, Vivek Khera [EMAIL PROTECTED] wrote:
> On Nov 21, 2007, at 12:45 AM, Quan Qiu wrote:
>
> > ChallengeResponseAuthentication no is also required to avoid sshd
> > accepting keyboard-interactive/pam.
>
> I don't think this setting matters for PermitRootLogin without-password.
> At least the default on FreeBSD 6 works as expected when setting the
> root login limit.



Sorry for not mentioning I'm on 5.5-STABLE.

Using the following settings in sshd_config:

PermitRootLogin without-password
PasswordAuthentication no
UseDNS no
Subsystem sftp /usr/libexec/sftp-server


PuTTY'ing to the box produces:

Using username root.
Using keyboard-interactive authentication.
Password:


-- 
裘 (QIU Quan) [EMAIL PROTECTED]

Re: Software for distribution of configuration files and changes

2007-11-22 Thread Quan Qiu
On Nov 23, 2007 1:21 PM, Jeremy Chadwick [EMAIL PROTECTED] wrote:
> > ChallengeResponseAuthentication no is also required to avoid sshd
> > accepting keyboard-interactive/pam.
>
> This affects all users, and not just root.  This is probably not
> what you want.

Yes. But without PAM, sshd just prompts for password in a little different way.
PuTTY output:

PAM:

Using username root.
Using keyboard-interactive authentication.
Password:


sshd:

Using username root.
[EMAIL PROTECTED]'s password:


And, what's worse, if the system is going down (in 5 minutes),
  pam_nologin.so in /etc/pam.d/sshd
will kick you (non-root) out even if you have
  ignorenologin
in your login class. While removing that line in PAM will
render the nologin feature useless for all users.

In other words, if a system uses PAM and forbids root login
using password, administrators (staff or wheel) have no way
to login again to stop the pending shutdown if they don't have
the root key at hand in a timely manner.



> And have you tried actually attempting to log in with root's password
> that way?  I'm betting it doesn't work.

That really worked for me. I'm running RELENG_5. The cvsid for
/etc/pam.d/sshd is
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
sshd version:
OpenSSH_3.8.1p1 FreeBSD-20060930, OpenSSL 0.9.7e-p1 25 Oct 2004


My proof:

Using username root.
Using keyboard-interactive authentication.
Password:
Last login: Fri Nov 23 09:14:27 2007 from 61.136.19.236
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California.  All rights reserved.

FreeBSD 5.5-STABLE (JACKQQNAT) #6: Mon Nov 19 21:33:30 CST 2007

[EMAIL PROTECTED] [~] 13:51 Fri Nov 23
#cat /etc/pam.d/sshd
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
...


Without PAM:

Using username root.
[EMAIL PROTECTED]'s password:
Access denied
[EMAIL PROTECTED]'s password:


-- 
裘 (QIU Quan) [EMAIL PROTECTED]

Re: Software for distribution of configuration files and changes

2007-11-22 Thread Jeremy Chadwick
On Fri, Nov 23, 2007 at 09:21:24AM +0800, Quan Qiu wrote:
> On Nov 22, 2007 1:01 AM, Vivek Khera [EMAIL PROTECTED] wrote:
> > On Nov 21, 2007, at 12:45 AM, Quan Qiu wrote:
> > > ChallengeResponseAuthentication no is also required to avoid sshd
> > > accepting keyboard-interactive/pam.

This affects all users, and not just root.  This is probably not
what you want.

> Using the following settings in sshd_config:
>
> PermitRootLogin without-password
> PasswordAuthentication no
> UseDNS no
> Subsystem sftp /usr/libexec/sftp-server
>
> PuTTY'ing to the box produces:
>
> Using username root.
> Using keyboard-interactive authentication.
> Password:

And have you tried actually attempting to log in with root's password
that way?  I'm betting it doesn't work.

Here's proof from our RELENG_6 box, where I'm attempting to log in
as root on it:

eos$ whoami
jdc
eos$ ssh [EMAIL PROTECTED]
The authenticity of host 'anubis.sc1.private.lan (10.72.0.125)' can't be established.
DSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'anubis.sc1.private.lan' (DSA) to the list of known hosts.
Password:
Password:
Password:

And the sshd_config from anubis is all defaults values, except for
PermitRootLogin without-password.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: Software for distribution of configuration files and changes

2007-11-22 Thread Brandon S. Allbery KF8NH


On Nov 21, 2007, at 21:51 , Joseph Koshy wrote:
> > I have searched a lot for software to:
> >
> > - distribute configuration files from one master to different systems
> > - maintain configuration files on one machine for all systems and then
> >   send it out
> > - push the files, not download them like cvsup
> > - maintain files for all systems and files only affecting one system
> >
> > any ideas and hints would be greatly appreciated.
>
> You could take a look at ISCONF:
>
> http://trac.t7a.org/isconf/
> http://www.infrastructures.org/bootstrap/isconf.shtml

isconf, cfengine, puppet, lcfg, bcfg2, radmind...  http://www.infrastructures.org
is in general a good resource for such things.


--
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] [EMAIL PROTECTED]
system administrator [openafs,heimdal,too many hats] [EMAIL PROTECTED]
electrical and computer engineering, carnegie mellon universityKF8NH




Re: Software for distribution of configuration files and changes

2007-11-21 Thread Vivek Khera


On Nov 21, 2007, at 12:45 AM, Quan Qiu wrote:
> ChallengeResponseAuthentication no is also required to avoid sshd
> accepting keyboard-interactive/pam.

I don't think this setting matters for PermitRootLogin without-password.
At least the default on FreeBSD 6 works as expected when setting the
root login limit.




Re: Software for distribution of configuration files and changes

2007-11-20 Thread Richard Arends
On Tue, Nov 20, 2007 at 01:15:56PM +0100, Karl M. Joch wrote:

Karl,

> I have searched a lot for software to:
>
> - distribute configuration files from one master to different systems
> - maintain configuration files on one machine for all systems and then send
>   it out
> - push the files, not download them like cvsup
> - maintain files for all systems and files only affecting one system
>
> any ideas and hints would be greatly appreciated.

http://en.wikipedia.org/wiki/Comparison_of_open_source_configuration_management_software

-- 
Regards,

Richard.

/* Homo Sapiens non urinat in ventum */


Software for distribution of configuration files and changes

2007-11-20 Thread Karl M. Joch
Hello,

I have searched a lot for software to:

- distribute configuration files from one master to different systems
- maintain configuration files on one machine for all systems and then send
  it out
- push the files, not download them like cvsup
- maintain files for all systems and files only affecting one system

any ideas and hints would be greatly appreciated.

Many thanks,

best regards,

Karl



Re: Software for distribution of configuration files and changes

2007-11-20 Thread Søren Klintrup

Karl M. Joch wrote:
> Hello,
>
> I have searched a lot for software to:
>
> - distribute configuration files from one master to different systems
> - maintain configuration files on one machine for all systems and then send
>   it out
> - push the files, not download them like cvsup
> - maintain files for all systems and files only affecting one system
>
> any ideas and hints would be greatly appreciated.

I've used cfengine for the past 4-5 years and can definitely recommend
it; more info at http://www.cfengine.net

Cfengine maintains files and changes for a single system without
problems; however, it is primarily made for generic changes across a
large number of systems, so if most of the changes are unique to each
host, you probably want to look at something else.


regards,

Søren


Re: Software for distribution of configuration files and changes

2007-11-20 Thread Aryeh M. Friedman
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Karl M. Joch wrote:
> Hello,
>
> I have searched a lot for software to:
>
> - distribute configuration files from one master to different systems
> - maintain configuration files on one machine for all systems and then
>   send it out
> - push the files, not download them like cvsup
> - maintain files for all systems and files only affecting one system
>
> any ideas and hints would be greatly appreciated.


Have you looked at aegis (aegis.sf.net)?


- --
Aryeh M. Friedman
Developer, not business, friendly
http://www.flosoft-systems.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.4 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHQyWgJ9+1V27SttsRAvd0AJ0XkDvAUPZhvoONYp+yEbSUxxWpxQCfdrnk
fz7gOeOmsHPkDxtf6bQo480=
=0z9l
-END PGP SIGNATURE-



Re: Software for distribution of configuration files and changes

2007-11-20 Thread Julian H. Stacey
> Karl M. Joch wrote:
> > Hello,
> >
> > I have searched a lot for software to:
> >
> > - distribute configuration files from one master to different systems
> > - maintain configuration files on one machine for all systems and then
> >   send it out
> > - push the files, not download them like cvsup
> > - maintain files for all systems and files only affecting one system
> >
> > any ideas and hints would be greatly appreciated.
>
> Have you looked at aegis (aegis.sf.net)?

One way is to use eg:
rlogin master_host ; su
cd /site; rdist -M 20 -P /usr/bin/ssh mylabel
& have various /etc & /usr/local/etc & httpd.conf etc files symbolically linked to
a parallel tree in per-host copies of /site.
Add
  PermitRootLogin yes
to
  /etc/ssh/sshd_config
to make rdist as root easier.

Some people prefer rsync to rdist. rdist6 & rsync are in /usr/ports/net/.
There are doubtless other solutions too.


-- 
Julian Stacey. Munich Computer Consultant, BSD Unix C Linux. http://berklix.com
Ihr Rauch = mein allergischer Kopfschmerz. Dump cigs 4 snuff.


Re: Software for distribution of configuration files and changes

2007-11-20 Thread Kurt Buff
On Nov 20, 2007 3:15 PM, Julian H. Stacey [EMAIL PROTECTED] wrote:
> > Karl M. Joch wrote:
> > > Hello,
> > >
> > > I have searched a lot for software to:
> > >
> > > - distribute configuration files from one master to different systems
> > > - maintain configuration files on one machine for all systems and then
> > >   send it out
> > > - push the files, not download them like cvsup
> > > - maintain files for all systems and files only affecting one system
> > >
> > > any ideas and hints would be greatly appreciated.
> >
> > Have you looked at aegis (aegis.sf.net)?
>
> One way is to use eg:
> rlogin master_host ; su
> cd /site; rdist -M 20 -P /usr/bin/ssh mylabel
> & have various /etc & /usr/local/etc & httpd.conf etc files symbolically linked to
> a parallel tree in per-host copies of /site.
> Add
>   PermitRootLogin yes
> to
>   /etc/ssh/sshd_config
> to make rdist as root easier.
>
> Some people prefer rsync to rdist. rdist6 & rsync are in /usr/ports/net/.
> There are doubtless other solutions too.

Whichever technique is used, don't allow remote root login, if you
value the security of your network. Proper use of sudo is probably the
easiest way to avoid root in batch files.

Kurt
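Julian's rdist scheme (a per-host parallel tree under /site) and Kurt's point about never logging in remotely as root can be combined. The script below is an added example, not code from either poster: it stages a host's tree by laying a host-specific overlay over a common tree (the "files for all systems" plus "files only affecting one system" requirement from the original question), then pushes it with rsync over ssh as an unprivileged account that is allowed to run only rsync through sudo on the target. The /site layout, the cfgpush account and the sudoers entry are assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not from the thread): stage a per-host configuration tree
# from a common tree plus a host-specific overlay, then push it with rsync
# over ssh as an unprivileged account that may run rsync via sudo, so no
# remote root login is needed. The /site layout, the "cfgpush" account and
# the sudoers line are assumptions for this demo, not from the thread.
#
#   $SITE/common/...         files for all systems
#   $SITE/hosts/<host>/...   files affecting only that host (win on conflict)
set -eu

# Copy every regular file under $1 into $2, recreating the directories.
# A missing source tree (host with no overlay) is simply skipped.
copy_tree() {
    src=$1; dst=$2
    [ -d "$src" ] || return 0
    (cd "$src" && find . -type f) | while IFS= read -r f; do
        mkdir -p "$dst/$(dirname "$f")"
        cp -p "$src/$f" "$dst/$f"
    done
}

# Build the staging tree for one host: common files first, overlay second,
# so a host-specific file replaces the common one of the same path.
stage_host() {
    site=$1; host=$2; out=$3
    rm -rf "$out"
    mkdir -p "$out"
    copy_tree "$site/common" "$out"
    copy_tree "$site/hosts/$host" "$out"
}

# Push a staged tree onto the host's root filesystem as the unprivileged
# cfgpush user. The remote side needs this assumed sudoers entry:
#   cfgpush ALL=(root) NOPASSWD: /usr/local/bin/rsync
# --no-owner/--no-group stop -a from chowning remote files to the local
# uid of whoever ran the push. Extra args (e.g. -n for a dry run) pass through.
push_host() {
    staged=$1; host=$2; shift 2
    rsync -a --no-owner --no-group "$@" \
        -e ssh --rsync-path='sudo /usr/local/bin/rsync' \
        "$staged/" "cfgpush@$host:/"
}

# Usage: sh cfgpush.sh /site web1 [-n]
if [ $# -ge 2 ]; then
    site=$1; host=$2; shift 2
    stage_host "$site" "$host" "/tmp/cfgpush.$host"
    push_host "/tmp/cfgpush.$host" "$host" "$@"
fi
```

The staging step is plain file copying and can be exercised locally; only push_host touches the network. Keep the sudoers rule to the single rsync binary, and remember that rsync running as root on the target will write wherever the staged tree says, so the master's /site tree is itself a root-equivalent asset that belongs under version control and tight permissions.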


Re: Software for distribution of configuration files and changes

2007-11-20 Thread Jeremy Chadwick
On Wed, Nov 21, 2007 at 12:15:36AM +0100, Julian H. Stacey wrote:
> Add
>   PermitRootLogin yes
> to
>   /etc/ssh/sshd_config

This should really be PermitRootLogin without-password.  Yes, the
phrase without-password looks scary, but it isn't so much -- it allows
root login via passwordless SSH keys only, while continuing to disallow
root logins via keyboard/password authentication.
sshd_config(5) has details.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |



Re: Software for distribution of configuration files and changes

2007-11-20 Thread Quan Qiu
On Nov 21, 2007 8:20 AM, Jeremy Chadwick [EMAIL PROTECTED] wrote:
> On Wed, Nov 21, 2007 at 12:15:36AM +0100, Julian H. Stacey wrote:
> > Add
> >   PermitRootLogin yes
> > to
> >   /etc/ssh/sshd_config
>
> This should really be PermitRootLogin without-password.  Yes, the
> phrase without-password looks scary, but it isn't so much -- it allows
> root login via passwordless SSH keys only, while continuing to disallow
> root logins via keyboard/password authentication.
> sshd_config(5) has details.



ChallengeResponseAuthentication no is also required to avoid sshd
accepting keyboard-interactive/pam.


-- 
裘 (QIU Quan) [EMAIL PROTECTED]
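The sshd_config interplay argued over in this thread (PermitRootLogin without-password, PasswordAuthentication, ChallengeResponseAuthentication and PAM keyboard-interactive) can be audited before a box is exposed. The script below is an added example, not code from the thread or from OpenSSH. It assumes OpenSSH's keyword semantics (the first occurrence of a keyword wins, keywords are case-insensitive, '#' starts a comment, no Match blocks) and FreeBSD-style defaults of PermitRootLogin no and UsePAM yes for absent keywords; the config file names in the test are made up. It flags the exact combination Quan hit, root restricted to keys while keyboard-interactive via PAM is still offered, as something to confirm with an actual root password attempt rather than assume blocked.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# PermitRootLogin / keyboard-interactive interplay discussed above.
# Assumptions: OpenSSH keyword semantics (first occurrence of a keyword
# wins, keywords are case-insensitive, '#' starts a comment, no Match
# blocks) and FreeBSD-style defaults of PermitRootLogin no and UsePAM yes
# when a keyword is absent from the file.
set -eu

# Print the effective value (lower-cased) of one keyword, or the default.
sshd_opt() {
    _cfg=$1; _key=$2; _def=$3
    _val=$(awk -v k="$_key" '
        { sub(/#.*/, "") }                                  # drop comments
        NF >= 2 && tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$_cfg")
    printf '%s\n' "${_val:-$_def}"
}

# Report how root could authenticate with the given config.
# Returns 0 when no password route to root is configured, 1 when one is,
# or when keyboard-interactive via PAM is still offered and should be
# tested by hand (as the thread did with PuTTY) rather than assumed blocked.
root_password_exposure() {
    _c=$1
    prl=$(sshd_opt "$_c" PermitRootLogin no)
    pw=$(sshd_opt "$_c" PasswordAuthentication yes)
    cr=$(sshd_opt "$_c" ChallengeResponseAuthentication yes)
    pam=$(sshd_opt "$_c" UsePAM yes)
    case $prl in
        no)
            echo "closed: PermitRootLogin no"
            return 0 ;;
        without-password|forced-commands-only)
            if [ "$cr" = yes ] && [ "$pam" = yes ]; then
                echo "verify: PermitRootLogin $prl, but ChallengeResponseAuthentication and UsePAM still offer keyboard-interactive; attempt a root password login to confirm it is refused"
                return 1
            fi
            echo "closed: PermitRootLogin $prl with keyboard-interactive disabled"
            return 0 ;;
        yes)
            if [ "$pw" = no ] && [ "$cr" = no ]; then
                echo "closed: PermitRootLogin yes, but every password method is off (keys only)"
                return 0
            fi
            echo "open: PermitRootLogin yes with password or keyboard-interactive enabled"
            return 1 ;;
        *)
            echo "unknown PermitRootLogin value: $prl"
            return 1 ;;
    esac
}

# Usage: sh sshd_root_audit.sh /etc/ssh/sshd_config
if [ $# -ge 1 ]; then
    root_password_exposure "$1"
fi
```

Exit status 0 means the file configures no password route to root; 1 means it does, or that keyboard-interactive remains enabled and a hands-on test is due. As Jeremy notes in the thread, turning ChallengeResponseAuthentication off to close that path affects every user, not only root, so weigh it against the pam_nologin behaviour Quan describes.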