Re: SSH question (4.3)

2008-09-11 Thread Hannah Schroeter
Hi!

On Wed, Sep 10, 2008 at 10:00:23PM +0200, Toni Mueller wrote:
> On Wed, 10.09.2008 at 13:56:23 +0200, Hannah Schroeter [EMAIL PROTECTED] wrote:
> > (I.e. check whether there's some intervening dir that's not accessible
> > to user admin/group admin, but to group wheel).
>
> that was the problem, thanks!

You're welcome.

> Kind regards,
> --Toni++

Kind regards,

Hannah.



SSH question (4.3)

2008-09-10 Thread Toni Mueller
Hi,

I've just experienced a strange problem with OpenSSH. Scenario:

/etc/ssh/sshd_config: PermitRootLogin without-password

=> root login with ssh keys works, as expected.

I've created another user, uid 1000, on the same box, and copied root's
authorized_keys file over, adjusted ownership, permissions etc...

=> SSH login (from the same remote user) does _NOT_ work.

I've added that user to the group 'wheel'

=> SSH login works

I've removed said user from the group 'wheel'

=> SSH login no longer works


In sshd(8), there is no mention of key login requiring wheel
membership.


This is what a non-working login attempt looks like on the server
side. SSH asks for a password (this is locked):

# /usr/sbin/sshd -u0 -d -e
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-u0'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-e'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 4, 4
Connection from 192.168.1.6 port 37071
debug1: Client protocol version 2.0; client software version OpenSSH_4.3p2 Debian-9etch2
debug1: match: OpenSSH_4.3p2 Debian-9etch2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.8
debug1: permanently_set_uid: 27/27
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client-server aes128-cbc hmac-md5 none
debug1: kex: server-client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user admin service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for admin from 192.168.1.6 port 37071 ssh2
debug1: userauth-request for user admin service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /H/admin/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 1000/1000 (e=0/0)
debug1: trying public key file /H/admin/.ssh/authorized_keys2
debug1: restore_uid: 0/0
Failed publickey for admin from 192.168.1.6 port 37071 ssh2
debug1: userauth-request for user admin service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=admin devs=
debug1: kbdint_alloc: devices 'bsdauth'
debug1: auth2_challenge_start: trying authentication method 'bsdauth'
Connection closed by 192.168.1.6
debug1: do_cleanup
debug1: do_cleanup



The same thing after adding the user to the group 'wheel':

# /usr/sbin/sshd -u0 -d -e
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-u0'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-e'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: sshd version OpenSSH_4.8
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: inetd sockets after dupping: 4, 4
Connection from 192.168.1.6 port 37076
debug1: Client protocol version 2.0; client software version OpenSSH_4.3p2 Debian-9etch2
debug1: match: OpenSSH_4.3p2 Debian-9etch2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.8
debug1: permanently_set_uid: 27/27
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client-server aes128-cbc hmac-md5 none
debug1: kex: server-client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting 

Re: SSH question (4.3)

2008-09-10 Thread Hannah Schroeter
Hi!

On Wed, Sep 10, 2008 at 12:55:00PM +0200, Toni Mueller wrote:
> [...]
> debug1: trying public key file /H/admin/.ssh/authorized_keys2

ls -ld /H /H/admin /H/admin/.ssh /H/admin/.ssh/authorized_keys /H/admin/.ssh/authorized_keys2

(I.e. check whether there's some intervening dir that's not accessible
to user admin/group admin, but to group wheel).

> [...]

Kind regards,

Hannah.



Re: SSH question (4.3)

2008-09-10 Thread Stuart Henderson
On 2008-09-10, Toni Mueller [EMAIL PROTECTED] wrote:
> /etc/ssh/sshd_config: PermitRootLogin without-password
>
> => root login with ssh keys works, as expected.
>
> I've created another user, uid 1000, on the same box, and copied root's
> authorized_keys file over, adjusted ownership, permissions etc...
>
> => SSH login (from the same remote user) does _NOT_ work.
>
> I've added that user to the group 'wheel'
>
> => SSH login works
>
> I've removed said user from the group 'wheel'
>
> => SSH login no longer works

Does this apply?


 If this file, the ~/.ssh directory, or the user's home directory
 are writable by other users, then the file could be modified or
 replaced by unauthorized users.  In this case, sshd will not allow
 it to be used unless the StrictModes option has been set to
 ``no''.  The recommended permissions can be set by executing
 ``chmod go-w ~/ ~/.ssh ~/.ssh/authorized_keys''.

Specifically, is the user's home directory writable by wheel?

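A script that applies both hints from the thread, Hannah's "intervening dir" test and the StrictModes rule Stuart quotes, to the path sshd printed in the debug output. This is an added example, not code from any of the posters; the user name admin, the groups admin and wheel, and the path /H/admin/.ssh/authorized_keys are taken from the thread, and the check reads only the mode bits that `ls -ld` prints, so it can be run as root without root's own privileges hiding the problem.

```shell
# Added example, not from anyone in the thread: from the mode bits that
# `ls -ld` prints, decide whether USER (member of the listed GROUPS) can
# search every directory on the way to an authorized_keys file and read it.
# Only the bits are consulted, so running as root does not mask the result.
# Returns 0 if all components are accessible, else 1 naming the first
# blocking one (the "intervening dir" of Hannah's hint).
check_path_access() {
    user=$1 groups=$2 target=$3 prefix=''
    oldifs=$IFS; IFS=/; set -- $target; IFS=$oldifs   # split path on '/'
    for comp in "$@"; do
        [ -n "$comp" ] || continue                    # empty leading part
        prefix="$prefix/$comp"
        out=$(ls -ldL "$prefix" 2>/dev/null) || { echo "missing: $prefix"; return 1; }
        set -- $out                                   # mode links owner group ...
        mode=$1 owner=$3 group=$4
        # the rwx triplet that applies: owner beats group beats other
        bits=$(printf '%s' "$mode" | cut -c8-10)
        for g in $groups; do
            [ "$g" = "$group" ] && bits=$(printf '%s' "$mode" | cut -c5-7)
        done
        [ "$owner" = "$user" ] && bits=$(printf '%s' "$mode" | cut -c2-4)
        case $mode in
            d*) case $(printf '%s' "$bits" | cut -c3) in  # search bit on dirs
                    x|s|t) ;; *) echo "blocked at $prefix ($mode $owner:$group)"; return 1 ;;
                esac ;;
            *)  case $(printf '%s' "$bits" | cut -c1) in  # read bit on the file
                    r) ;; *) echo "unreadable: $prefix ($mode $owner:$group)"; return 1 ;;
                esac ;;
        esac
    done
    return 0
}

# The StrictModes rule quoted from sshd(8): home, ~/.ssh and authorized_keys
# must not be group- or world-writable. Returns 0 if clean, 1 otherwise.
check_strictmodes() {
    home=$1 rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        out=$(ls -ldL "$p" 2>/dev/null) || continue
        set -- $out
        case $(printf '%s' "$1" | cut -c6,9) in           # group-w and other-w chars
            *w*) echo "StrictModes violation: $p ($1 $3:$4)"; rc=1 ;;
        esac
    done
    return $rc
}

# The thread's case (path from the debug output), without and with wheel:
#   check_path_access admin "admin"       /H/admin/.ssh/authorized_keys
#   check_path_access admin "admin wheel" /H/admin/.ssh/authorized_keys
#   check_strictmodes /H/admin
```

Only the primary group and the groups you list are considered, so pass the user's supplementary groups (as `id -Gn admin` prints them) to reproduce what sshd sees after temporarily_use_uid.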


Re: SSH question (4.3)

2008-09-10 Thread Toni Mueller
Hi,

On Wed, 10.09.2008 at 11:57:46 +, Stuart Henderson [EMAIL PROTECTED] wrote:
> Specifically, is the user's home directory writable by wheel?

no, I've checked this. But I will have to check Hannah's hint, too...
(should have had this idea earlier, doh!).


Kind regards,
--Toni++



Re: SSH question (4.3)

2008-09-10 Thread Toni Mueller
Hi Hannah,

On Wed, 10.09.2008 at 13:56:23 +0200, Hannah Schroeter [EMAIL PROTECTED] wrote:
> (I.e. check whether there's some intervening dir that's not accessible
> to user admin/group admin, but to group wheel).

that was the problem, thanks!


Kind regards,
--Toni++