Old 07-13-2010, 03:49 PM
Gary Stainburn
 
Default SSH / permissions problem

Hi folks,

This seems like déjà vu, but I can't find anything in the archives.

I've got F13 on my laptop, and also on a new virtual server.

I've copied my home directory from my old server to my new one and then tried
to ssh to the new server. However, I have a problem.

If I ssh to root on the new server everything is fine, but if I ssh to my user
I get errors and X forwarding doesn't work.

Can anyone suggest things for me to look at / try?

Gary

[gary@dcomp5 ~]$ ssh -Y -C lcomp3 -l root
root@lcomp3's password:
Last login: Tue Jul 13 16:04:20 2010 from gary.ringways.co.uk
[root@lcomp3 ~]# kcalc
[root@lcomp3 ~]# logout
[gary@dcomp5 ~]$ ssh -Y -C lcomp3
gary@lcomp3's password:
Last login: Tue Jul 13 15:55:16 2010 from gary.ringways.co.uk
/usr/bin/xauth: timeout in locking authority file /home/gary/.Xauthority
[gary@lcomp3 ~]$ kcalc
X11 connection rejected because of wrong authentication.
kcalc: cannot connect to X server localhost:11.0
[gary@lcomp3 ~]$

--
Gary Stainburn

This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 07-13-2010, 03:51 PM
"Dr. Michael J. Chudobiak"
 
Default SSH / permissions problem

On 07/13/2010 11:49 AM, Gary Stainburn wrote:
>
> I've copied my home directory from my old server to my new one and then tried
> to ssh to the new server. However, I have a problem
>
> If I ssh to root on the new server everything is fine, but if I ssh to my user
> I get errors and X forwarding doesn't work.
>
> Can anyone suggest things for me to look at / try.

Try:

restorecon -r ~/.ssh

- Mike
 
Old 07-13-2010, 03:56 PM
Gary Stainburn
 
Default SSH / permissions problem

On Tuesday 13 July 2010 16:51:57 Dr. Michael J. Chudobiak wrote:
> Try:
>
> restorecon -r ~/.ssh
>
> - Mike

Thanks Mike

The command ran without error but has made no difference.

Gary

--
Gary Stainburn

This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
 
Old 07-13-2010, 04:13 PM
JD
 
Default SSH / permissions problem

On 07/13/2010 08:49 AM, Gary Stainburn wrote:
> Hi folks,
>
> This seems like de ja vu, but I can't find anything in the archives.
>
> I've got F13 on my laptop, and also on a new virtual server.
>
> I've copied my home directory from my old server to my new one and then tried
> to ssh to the new server. However, I have a problem
>
> If I ssh to root on the new server everything is fine, but if I ssh to my user
> I get errors and X forwarding doesn't work.
>
> Can anyone suggest things for me to look at / try.
>
> Gary
>
> [gary@dcomp5 ~]$ ssh -Y -C lcomp3 -l root
> root@lcomp3's password:
> Last login: Tue Jul 13 16:04:20 2010 from gary.ringways.co.uk
> [root@lcomp3 ~]# kcalc
> [root@lcomp3 ~]# logout
> [gary@dcomp5 ~]$ ssh -Y -C lcomp3
> gary@lcomp3's password:
> Last login: Tue Jul 13 15:55:16 2010 from gary.ringways.co.uk
> /usr/bin/xauth: timeout in locking authority file /home/gary/.Xauthority
> [gary@lcomp3 ~]$ kcalc
> X11 connection rejected because of wrong authentication.
> kcalc: cannot connect to X server localhost:11.0
> [gary@lcomp3 ~]$
>
Delete the .ssh directory for the user gary on both machines and retry.
 
Old 07-13-2010, 05:37 PM
Phil Meyer
 
Default SSH / permissions problem

On 07/13/2010 09:49 AM, Gary Stainburn wrote:
> Hi folks,
>
> This seems like de ja vu, but I can't find anything in the archives.
>
> I've got F13 on my laptop, and also on a new virtual server.
>
> I've copied my home directory from my old server to my new one and then tried
> to ssh to the new server. However, I have a problem
>
> If I ssh to root on the new server everything is fine, but if I ssh to my user
> I get errors and X forwarding doesn't work.
>
> Can anyone suggest things for me to look at / try.
>
> Gary
>
> [gary@dcomp5 ~]$ ssh -Y -C lcomp3 -l root
> root@lcomp3's password:
> Last login: Tue Jul 13 16:04:20 2010 from gary.ringways.co.uk
> [root@lcomp3 ~]# kcalc
> [root@lcomp3 ~]# logout
> [gary@dcomp5 ~]$ ssh -Y -C lcomp3
> gary@lcomp3's password:
> Last login: Tue Jul 13 15:55:16 2010 from gary.ringways.co.uk
> /usr/bin/xauth: timeout in locking authority file /home/gary/.Xauthority
> [gary@lcomp3 ~]$ kcalc
> X11 connection rejected because of wrong authentication.
> kcalc: cannot connect to X server localhost:11.0
> [gary@lcomp3 ~]$
>
>


When you copy over a .ssh directory, there are at least two things to
consider:

1. permissions.
$ scp -rp .ssh <target_host>:

2. do you really want your private key on the target system? Probably
all you wanted was to be able to login with ssh key authentication. To
do that, you should run:
$ ssh-copy-id <target_host>

If you allow your private key to reside on other systems, then that key
can be used against you quite easily. If only the public key is exposed
in authorized_keys, your account is as secure as it can be.

Rule of thumb is: never expose a private key on a host with direct
internet access, like a web server. Use only one private key on your
desktop, and use ssh-copy-id to set up public keys for any remote ssh
access.

If you want access to those servers from another system, like a laptop,
generate a new private key on the laptop and use ssh-copy-id again to
enable ssh access to the other systems.

Good Luck!
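
Added example, not part of Phil's post: a shell review of a copied `.ssh` directory on the target host, covering both of his points (private keys that were carried over, and permissions). Function names are illustrative and the demo key file is constructed, not real key material.

```shell
#!/bin/sh
# Added example: review a copied ~/.ssh directory on a server.

# Files in DIR ($1) that carry a PEM or OpenSSH private-key header.
private_keys_in() {
    grep -l -E -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1"/* 2>/dev/null || true
}

# DIR ($1) itself, or entries in it, that group or others can write.
# sshd's StrictModes check refuses authorized_keys in that state.
writable_by_others_in() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# Private keys in DIR ($1) that group or others can read.
# Assumes file names without embedded newlines.
readable_private_keys_in() {
    private_keys_in "$1" | while IFS= read -r key; do
        find "$key" \( -perm -040 -o -perm -004 \) -print
    done
}

# Demo on a constructed directory (fake key material, not a real key).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed' > "$demo/id_rsa"
chmod 644 "$demo/id_rsa"
echo "private keys present on this host:"
private_keys_in "$demo"
echo "private keys readable by group/others:"
readable_private_keys_in "$demo"
rm -rf "$demo"
```

Any path printed by `private_keys_in` on a server is a key that could have stayed on the desktop if `ssh-copy-id` had been used instead of copying the directory.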
 
Old 07-13-2010, 06:40 PM
Rick Sewill
 
Default SSH / permissions problem

On 07/13/2010 10:49 AM, Gary Stainburn wrote:
> Hi folks,
>
> This seems like de ja vu, but I can't find anything in the archives.
>
> I've got F13 on my laptop, and also on a new virtual server.
>
> I've copied my home directory from my old server to my new one and then tried
> to ssh to the new server. However, I have a problem
>
> If I ssh to root on the new server everything is fine, but if I ssh to my user
> I get errors and X forwarding doesn't work.
>
> Can anyone suggest things for me to look at / try.
>
> Gary
>
> [gary@dcomp5 ~]$ ssh -Y -C lcomp3 -l root
> root@lcomp3's password:
> Last login: Tue Jul 13 16:04:20 2010 from gary.ringways.co.uk
> [root@lcomp3 ~]# kcalc
> [root@lcomp3 ~]# logout
> [gary@dcomp5 ~]$ ssh -Y -C lcomp3
> gary@lcomp3's password:
> Last login: Tue Jul 13 15:55:16 2010 from gary.ringways.co.uk
> /usr/bin/xauth: timeout in locking authority file /home/gary/.Xauthority
> [gary@lcomp3 ~]$ kcalc
> X11 connection rejected because of wrong authentication.
> kcalc: cannot connect to X server localhost:11.0
> [gary@lcomp3 ~]$
>

If root works, but your local user does not, and you appear to have
gotten beyond the initial login sequence--it seemed to accept password
authentication in both cases--I would suspect something in one of your
~/.bash* files. I've been burned, multiple times, having something in
my .bashrc or .bash_profile that does something "interactive",
forgetting an ssh shell is batch.

I have the same problem when I try to do things in a cron job when I
forget a cron job is also batch.

I have carefully separated my .bash_profile and .bashrc file into those
parts I always want done and those parts that are interactive.

I place a check in my .bashrc file to prevent interactive stuff being
done in a batch job.

# check for shell is not interactive
[ -z "${PS1}" ] && return

As a "quick" test, could you save your .bash_profile and .bashrc files,
get the "default" files, and see if you can ssh in? The default files
should be found in /etc/skel/.bash_profile and /etc/skel/.bashrc

Also, I strongly recommend you disable ssh root login and have people
first log into their own account and then su to root. To disable root
login, please look at /etc/ssh/sshd_config.
In this file, I have
PermitRootLogin no

 
Old 07-13-2010, 07:23 PM
Patrick Kobly
 
Default SSH / permissions problem

On 7/13/2010 12:40 PM, Rick Sewill wrote:
>
>> If I ssh to root on the new server everything is fine, but if I ssh to my user
>> I get errors and X forwarding doesn't work.
>>
>> Can anyone suggest things for me to look at / try.
>>
>> Gary
>>
>> [gary@dcomp5 ~]$ ssh -Y -C lcomp3 -l root
>> root@lcomp3's password:
>> Last login: Tue Jul 13 16:04:20 2010 from gary.ringways.co.uk
>> [root@lcomp3 ~]# kcalc
>> [root@lcomp3 ~]# logout
>> [gary@dcomp5 ~]$ ssh -Y -C lcomp3
>> gary@lcomp3's password:
>> Last login: Tue Jul 13 15:55:16 2010 from gary.ringways.co.uk
>> /usr/bin/xauth: timeout in locking authority file /home/gary/.Xauthority
>>
Late to the party, but:

$ ls -ld /home/gary
$ ls -l /home/gary/.Xauthority

post the results

$ rm /home/gary/.Xauthority

try again.

Chances are a stale .Xauthority file exists that's owned by the UID of
the gary account on the old server. Might want to recursively chown the
contents of the home dir if that's the case:

# chown -R gary /home/gary

PK
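
Added example, not part of Patrick's post: a shell check for the condition he describes (files under the copied home directory still owned by the old server's UID), plus leftover xauth lock files, which also make the lock attempt time out. Function names are illustrative and the demo directory is constructed.

```shell
#!/bin/sh
# Added example: audit a copied home directory for the two conditions that
# stop xauth from locking ~/.Xauthority. Paths and UIDs come from the caller.

# Print every path under DIR ($1) whose owner is not numeric UID ($2).
foreign_owned() {
    find "$1" ! -user "$2" -print
}

# Print leftover xauth lock files in DIR ($1). libXau takes the lock by
# creating <authfile>-c and <authfile>-l next to the authority file.
stale_xauth_locks() {
    for f in "$1/.Xauthority-c" "$1/.Xauthority-l"; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Report findings for one account; returns 0 when clean, 1 otherwise.
audit_home() {
    home_dir=$1 want_uid=$2 rc=0
    bad=$(foreign_owned "$home_dir" "$want_uid")
    if [ -n "$bad" ]; then
        echo "not owned by uid $want_uid:"; printf '%s\n' "$bad" | sed 's/^/  /'
        rc=1
    fi
    locks=$(stale_xauth_locks "$home_dir")
    if [ -n "$locks" ]; then
        echo "leftover xauth lock files:"; printf '%s\n' "$locks" | sed 's/^/  /'
        rc=1
    fi
    return "$rc"
}

# Demo on a constructed directory; a real run would look like
#   audit_home /home/gary "$(id -u gary)"
demo=$(mktemp -d)
touch "$demo/.Xauthority" "$demo/.Xauthority-l"
audit_home "$demo" "$(id -u)" || echo "=> chown the files or remove the leftover locks"
rm -rf "$demo"
```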
 
Old 07-13-2010, 08:12 PM
Bill Davidsen
 
Default SSH / permissions problem

Gary Stainburn wrote:
> Hi folks,
>
> This seems like de ja vu, but I can't find anything in the archives.
>
> I've got F13 on my laptop, and also on a new virtual server.
>
> I've copied my home directory from my old server to my new one and then tried
> to ssh to the new server. However, I have a problem
>
> If I ssh to root on the new server everything is fine, but if I ssh to my user
> I get errors and X forwarding doesn't work.
>
> Can anyone suggest things for me to look at / try.
>
Well my first thought is that you should disable ssh to root... It's a security
hole.

On your question:

Did you copy the public key for the machine you ssh from to the authorized keys
file? Are the machines you use in each other's known hosts file? Has the UID on
the new machine changed to not match the original?

And can you be a little more specific than "I get errors" and show us exactly
what errors?

--
Bill Davidsen <davidsen@tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
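
Added example, not part of Bill's or Rick's posts: both recommend disabling root login over ssh, and this shell function reports which `PermitRootLogin` value in an `sshd_config` actually takes effect globally. The function name and the sample file are constructed for illustration; `Include` files and `Match` blocks are not evaluated.

```shell
#!/bin/sh
# Added example: report the global PermitRootLogin value in an sshd_config.
# Keywords are case-insensitive and, per sshd_config(5), the first obtained
# value for a keyword is used, so a later "PermitRootLogin no" does not
# override an earlier "yes". Settings inside Match blocks are conditional
# and are skipped here; Include directives are not followed.
effective_root_login() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, ""); gsub(/"/, "") }   # trim indent, drop quotes
        /^#/ || NF == 0 { next }                # comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permitrootlogin" {
            print tolower($2); found = 1; exit  # value normalised to lower case
        }
        END { if (!found) print "unset" }       # sshd built-in default applies
    ' "$1"
}

# Demo on a constructed config fragment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
permitrootlogin yes
PermitRootLogin no
EOF
echo "effective PermitRootLogin: $(effective_root_login "$sample")"
rm -f "$sample"
```

On the constructed fragment the function reports `yes`: the hardening line added further down the file never takes effect.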
 
Old 07-14-2010, 07:32 AM
birger
 
Default SSH / permissions problem

On Tue, 2010-07-13 at 16:49 +0100, Gary Stainburn wrote:

> [gary@dcomp5 ~]$ ssh -Y -C lcomp3
> gary@lcomp3's password:
> Last login: Tue Jul 13 15:55:16 2010 from gary.ringways.co.uk
> /usr/bin/xauth: timeout in locking authority file /home/gary/.Xauthority
> [gary@lcomp3 ~]$ kcalc
> X11 connection rejected because of wrong authentication.
> kcalc: cannot connect to X server localhost:11.0
> [gary@lcomp3 ~]$

Usually, the problem is that xauth isn't installed. Here, you seem to
have xauth, but xauth is unable to lock the ~/.Xauthority file. I would
try removing that file and retrying. Removing it could affect existing X
sessions on that host, but being a virtual system I assume you are not
logged in on the console. The next ssh should then recreate the file
with only a cookie for the ssh session.

birger

 
Old 07-14-2010, 08:48 AM
Gary Stainburn
 
Default SSH / permissions problem

On Tuesday 13 July 2010 18:37:21 Phil Meyer wrote:
> When you copy over a .ssh directory, there are at least two things to
> consider:
>
> 1. permissions.
> $ scp -rp .ssh <target_host>:
>
> 2. do you really want your private key on the target system? Probably
> all you wanted was to be able to login with ssh key authentication. To
> do that, you should run:
> $ ssh-copy-id <target_host>
>
> If you allow your private key to reside on other systems, then that key
> can be used against you quite easily. If only the public key is exposed
> in authorized_keys, your account is as secure as it can be.
>
> Rule of thumb is: never expose a private key on a host with direct
> internet access, like a web server. Use only one private key on your
> desktop, and use ssh-copy-id to set up public keys for any remote ssh
> access.
>
> If you want access to those servers from another system, like a laptop,
> generate a new private key on the laptop and use ssh-copy-id again to
> enable ssh access to the other systems.
>
> Good Luck!

Hi Phil,

I copied the server as I did because I want the new F13 virtual server to
completely replace the old F8 physical server - hence the 1-for-1 copy.

None of these machines are visible to the internet either so I don't have that
risk to worry about. Having said that, I will read further into your
suggestions.

Gary

--
Gary Stainburn

This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
 

All times are GMT. The time now is 04:35 PM.
