Old 12-23-2011, 03:31 PM
Rick Sewill
 
Default SSH on Fedora 16

On Friday, December 23, 2011 10:07:00 AM Daniel Bossert wrote:
> On 12/23/2011 04:14 PM, Tom Horsley wrote:
> > On Fri, 23 Dec 2011 15:30:16 +0100
> >
> > suvayu ali wrote:
> >> It would be helpful if you could give more details and say what
> >> command you are trying and its output with the verbose flag set like
> >> this -vvv.
> >
> > Yep, the -vvv option on the remote ssh and taking a look at
> > /var/log/messages and /var/log/secure should provide details about why
> > failure happens. Perhaps the sshd_config file is set to only allow
> > public key connections? That would certainly make a password attempt
> > fail (and is how I have my server setup for remote connections versus
> > local network connections where I do allow passwords).
>
> Hello
>
> Here are the outputs:
>
> Output from the remote machine:
>
> daniel@saturn:~$ ssh -vvv daniel@172.25.0.1
> OpenSSH_5.5p1 Debian-6+squeeze1, OpenSSL 0.9.8o 01 Jun 2010
<...text deleted...>

> [root@merkur ~]# cat /etc/ssh/sshd_config
> # $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
<...text deleted...>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication. Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> # WARNING: 'UsePAM no' is not supported in Fedora and may cause several
> # problems.
> #UsePAM no
> #UsePAM yes
>

Could you try "UsePAM yes" without the leading #, as in
UsePAM yes

> # Accept locale-related environment variables
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
<...text deleted...>
>
> Kind regards
> Daniel
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
 
Old 12-23-2011, 03:35 PM
Reindl Harald
 
Default SSH on Fedora 16

On 23.12.2011 17:21, Daniel Bossert wrote:
> On 12/23/2011 05:11 PM, Reindl Harald wrote:
>> On 23.12.2011 17:07, Daniel Bossert wrote:
>>> # Change to no to disable s/key passwords
>>> #ChallengeResponseAuthentication yes
>>> ChallengeResponseAuthentication no
>> so why are you doing this if you want password-login?
> I know I had a mess... I changed to yes; even though it isn't working...

well, i read from top to post and stop after the first error

Dec 23 17:01:59 merkur sshd[9744]: error: Could not get shadow information for daniel

provide output of the following commands:
cat /etc/shadow | grep daniel
cat /etc/passwd | grep daniel
stat /etc/shadow
stat /etc/passwd
______________________________________________

for ssh permissions are very important
if they are messed up and too open it refuses

/etc/passwd
Zugriff: (0644/-rw-r--r--)

/etc/shadow
Zugriff: (0400/-r--------)
______________________________________________

however - this is a working sshd-config with password AND
key-authentication, root allowed only with key and copied
from a production server changed to your username in the
allowed list

this is a CLEANED configuration without millions of
comments and nor random values by default

Port 22
Protocol 2
AddressFamily inet
ListenAddress 0.0.0.0
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials no
X11Forwarding no
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PermitRootLogin without-password
AllowGroups root users
AllowUsers root daniel
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
StrictModes yes
UseDNS no
AllowTcpForwarding no
TCPKeepAlive yes
KeepAlive yes
ClientAliveCountMax 10
ClientAliveInterval 20
UsePrivilegeSeparation yes
Compression yes
UsePAM yes
LoginGraceTime 45
MaxAuthTries 5
MaxStartups 25
AuthorizedKeysFile .ssh/authorized_keys
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
Subsystem sftp internal-sftp

 
Old 12-23-2011, 07:47 PM
Daniel Bossert
 
Default SSH on Fedora 16

Hello


echo 0>/selinux/enforce


doesn't work for me:
[root@merkur ssh]# echo 0 >/selinux/enforce
-bash: /selinux/enforce: No such file or directory
[root@merkur ssh]#

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no



so why are you doing this if you want password-login?

I know I had a mess... I changed to yes; even though it isn't working...

well, i read from top to post and stop after the first error

Dec 23 17:01:59 merkur sshd[9744]: error: Could not get shadow information for daniel

provide output of the following commands:
cat /etc/shadow | grep daniel
cat /etc/passwd | grep daniel
stat /etc/shadow
stat /etc/passwd

[root@merkur ~]# cat /etc/shadow | grep daniel
daniel:$6$wf04zvEHF.xMgd2Y$u6ULiAbq9zzt3oljsQ2jr8q wR2IVu1Mz2KlmeTPkKCHPrEo1/pfwNODtsGtho9UOTn/UW18uskl4SnKnpayn/.:15328:0:99999:7:::
[root@merkur ~]# cat /etc/passwd | grep daniel
daniel:x:1000:1000:Daniel Bossert:/home/daniel:/bin/bash
[root@merkur ~]# stat /etc/shadow
File: `/etc/shadow'
Size: 1135 Blocks: 8 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 156332 Links: 1
Access: (0000/----------) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:shadow_t:s0
Access: 2011-12-23 18:01:01.649903474 +0100
Modify: 2011-12-21 17:54:32.800954152 +0100
Change: 2011-12-21 17:54:32.837953216 +0100
Birth: -
[root@merkur ~]# stat /etc/shadow
File: `/etc/shadow'
Size: 1135 Blocks: 8 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 156332 Links: 1
Access: (0000/----------) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:shadow_t:s0
Access: 2011-12-23 18:01:01.649903474 +0100
Modify: 2011-12-21 17:54:32.800954152 +0100
Change: 2011-12-21 17:54:32.837953216 +0100
Birth: -
[root@merkur ~]# stat /etc/passwd
File: `/etc/passwd'
Size: 1881 Blocks: 8 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 156565 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:etc_t:s0
Access: 2011-12-23 17:55:01.431858018 +0100
Modify: 2011-12-21 17:54:32.725956049 +0100
Change: 2011-12-21 17:54:32.762955114 +0100
Birth: -





______________________________________________

for ssh permissions are very important
if they are messed up and too open it refuses

/etc/passwd
Zugriff: (0644/-rw-r--r--)

/etc/shadow
Zugriff: (0400/-r--------)
______________________________________________

[root@merkur ~]# ls -l /etc/passwd
-rw-r--r--. 1 root root 1881 Dec 21 17:54 /etc/passwd
[root@merkur ~]# ls -l /etc/shadow
----------. 1 root root 1135 Dec 21 17:54 /etc/shadow
[root@merkur ~]#

--->>>> I see that /etc/shadow has no permissions.. ???? can that be? I
changed to 0400, but login doesn't work either.





however - this is a working sshd-config with password AND
key-authentication, root allowed only with key and copied
from a production server changed to your username in the
allowed list

this is a CLEANED configuration without millions of
comments and nor random values by default

Port 22
Protocol 2
AddressFamily inet
ListenAddress 0.0.0.0
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials no
X11Forwarding no
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PermitRootLogin without-password
AllowGroups root users
AllowUsers root daniel
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
StrictModes yes
UseDNS no
AllowTcpForwarding no
TCPKeepAlive yes
KeepAlive yes
ClientAliveCountMax 10
ClientAliveInterval 20
UsePrivilegeSeparation yes
Compression yes
UsePAM yes
LoginGraceTime 45
MaxAuthTries 5
MaxStartups 25
AuthorizedKeysFile .ssh/authorized_keys
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
Subsystem sftp internal-sftp


The following is the new sshd_config.. I don't know further..
Kind regards
Daniel

/etc/ssh/sshd_config (new):
# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 22
AddressFamily inet
ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
# HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# HostKey /etc/ssh/ssh_host_rsa_key
# HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

LoginGraceTime 30
PermitRootLogin without-password
StrictModes no
MaxAuthTries 5
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES

AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
AllowTcpForwarding no
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 20
ClientAliveCountMax 10
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
MaxStartups 25
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Uncomment this if you want to use .local domain
#Host *.local
# CheckHostIP no

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server


AllowGroups root users
AllowUsers root daniel
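Added example (not from any poster in this thread, and not OpenSSH code): a Python comparison of the effective global settings in two sshd_config texts, which shows where a "copied" config still differs from its reference. The two samples are excerpts constructed from the reference config and the new config posted above; `effective_settings` and `diff_configs` are hypothetical names.

```python
# Both samples are constructed excerpts of the two configs posted in this thread.
REFERENCE = """\
PasswordAuthentication yes
ChallengeResponseAuthentication yes
X11Forwarding no
StrictModes yes
Compression yes
UsePAM yes
LoginGraceTime 45
Subsystem sftp internal-sftp
"""

CANDIDATE = """\
KeyRegenerationInterval 1h
ServerKeyBits 1024
LoginGraceTime 30
StrictModes no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
#UsePAM no
UsePAM yes
#X11Forwarding no
X11Forwarding yes
#Compression delayed
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

# Keywords that may be repeated and accumulate instead of "first value wins".
MULTI = {"acceptenv", "allowusers", "allowgroups", "hostkey", "listenaddress", "port"}


def effective_settings(text):
    """Return {keyword: value} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out options leave the compiled-in default active
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # Match blocks are conditional, not global
        if key == "subsystem":  # one entry per subsystem name
            name, _, value = " ".join(value.split()).partition(" ")
            key = "subsystem " + name
        if key in MULTI:
            settings[key] = (settings.get(key, "") + " " + value).strip()
        else:
            settings.setdefault(key, value)  # sshd uses the first value it reads
    return settings


def diff_configs(reference, candidate):
    """Return {keyword: (reference value, candidate value)} where they differ."""
    ref, cand = effective_settings(reference), effective_settings(candidate)
    return {k: (ref.get(k), cand.get(k))
            for k in sorted(set(ref) | set(cand)) if ref.get(k) != cand.get(k)}


if __name__ == "__main__":
    for key, (ref, cand) in diff_configs(REFERENCE, CANDIDATE).items():
        print(f"{key:28} reference={ref!r:12} candidate={cand!r}")
```

A value of `None` on one side means the keyword is not set there, so sshd falls back to its compiled-in default for it.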
 
Old 12-23-2011, 08:12 PM
Reindl Harald
 
Default SSH on Fedora 16

On 23.12.2011 21:47, Daniel Bossert wrote:
> too much stuff

touch only ONE thing at a time

i never saw any linux where ssh-login did not work
so your starting mistake was changing something around without
making sure that after each step things are working

* remove the ssh-config-files COMPLETELY
* uninstall ssh-daemon
* install it again
* it will generate new server-keys so you get a warning about the changed key on client
* verify that it works

AFTER that start with whatever you think needs to be changed

* change only one thing at a time
* restart sshd
* verify connection in a new session


 
Old 12-23-2011, 08:21 PM
Joe Zeff
 
Default SSH on Fedora 16

On 12/23/2011 01:12 PM, Reindl Harald wrote:

> * remove the ssh-config-files COMPLETELY
> * uninstall ssh-daemon
> * install it again


You can use yum to reinstall a package in one step if you want to. Is
there any advantage to doing it this way? (I'm not being argumentative,
here, I'm wondering if there's a reason for your suggesting to do it
this way.)

 
Old 12-23-2011, 08:28 PM
suvayu ali
 
Default SSH on Fedora 16

On Fri, Dec 23, 2011 at 21:47, Daniel Bossert <db@dabo.ch> wrote:
> [root@merkur ~]# ls -l /etc/shadow
> ----------. 1 root root 1135 Dec 21 17:54 /etc/shadow
> [root@merkur ~]#
>
> --->>>> I see that /etc/shadow has no permissions.. ???? can that be? I
> changed to 0400, but login doesn't work either.

Did you restart sshd after this permission change?

--
Suvayu

Open source is the future. It sets us free.
 
Old 12-23-2011, 08:44 PM
Daniel Bossert
 
Default SSH on Fedora 16

YEAH ! IT WORKS!!

Sorry for writing big letters, but I'm happy!

I did a reinstall of the openssh-server package, but that would not
have been necessary..


I did an sshd-keygen, now my server has some keys! (Probably he didn't
have any before)..


It works now!!

daniel@saturn:~$ ssh 172.25.0.1
The authenticity of host '172.25.0.1 (172.25.0.1)' can't be established.
RSA key fingerprint is 12:ec:3c:92:23:f9:10:3a:41:99:61:6d:15:13:79:d3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.0.1' (RSA) to the list of known hosts.
Password:
Password:
Last login: Wed Dec 21 18:29:36 2011 from localhost.localdomain
[daniel@merkur ~]$ ^C
[daniel@merkur ~]$ Abgemeldet
Connection to 172.25.0.1 closed.
daniel@saturn:~$

Many thanks for your help!
I was first surprised, disannoyed that ssh doesn't work on fedora...

Thanks again
and merry christmas !
Kind regards
Daniel
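Added example (not part of the original post): a Python check for the cause reported above, a server without usable host keys. It assumes the default key paths named in the commented HostKey lines of the posted sshd_config and upstream OpenSSH's refusal of private keys that are readable by group or others; the function names and the test tree are constructed.

```python
import os
import stat
import tempfile

# Assumed defaults: the protocol-2 key paths from the commented HostKey lines
# of the sshd_config posted in this thread.
DEFAULT_HOST_KEYS = ["/etc/ssh/ssh_host_%s_key" % t for t in ("rsa", "dsa", "ecdsa")]


def configured_host_keys(config_text):
    """Return HostKey paths from the config, or the defaults if none are set."""
    paths = []
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0].lower() == "hostkey":
            paths.append(parts[1])  # "#HostKey ..." lines never match here
    return paths or list(DEFAULT_HOST_KEYS)


def check_host_keys(config_text, root="/"):
    """Return {path: status}; `root` lets the check run against a test tree."""
    report = {}
    for path in configured_host_keys(config_text):
        real = os.path.join(root, path.lstrip("/"))
        try:
            st = os.stat(real)
        except FileNotFoundError:
            report[path] = "missing"
            continue
        if not stat.S_ISREG(st.st_mode) or st.st_size == 0:
            report[path] = "not a usable key file"
        elif st.st_mode & 0o077:
            # Assumption: upstream OpenSSH ignores a private key with these bits set.
            report[path] = "too open: mode %04o" % stat.S_IMODE(st.st_mode)
        else:
            report[path] = "ok"
    return report


def usable(report):
    """sshd needs at least one loadable host key to start and accept logins."""
    return any(status == "ok" for status in report.values())


def demo():
    """Constructed test tree: one good key, one world-readable key, one absent."""
    config = "#HostKey /etc/ssh/ssh_host_key\nUsePAM yes\n"  # no active HostKey line
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc/ssh"))
        for name, mode in (("ssh_host_rsa_key", 0o600), ("ssh_host_dsa_key", 0o644)):
            path = os.path.join(root, "etc/ssh", name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        return check_host_keys(config, root)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{path}: {status}")
```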
 
Old 12-23-2011, 08:53 PM
Reindl Harald
 
Default SSH on Fedora 16

On 23.12.2011 22:21, Joe Zeff wrote:
> On 12/23/2011 01:12 PM, Reindl Harald wrote:
>> * remove the ssh-config-files COMPLETELY
>> * uninstall ssh-daemon
>> * install it again
>
> You can use yum to reinstall a package in one step if you want to. Is there any advantage to doing it this way?
> (I'm not being argumentative, here, I'm wondering if there's a reason for your suggesting to do it this way.)

without removing the configs they will be kept

 
Old 12-23-2011, 09:04 PM
Joe Zeff
 
Default SSH on Fedora 16

On 12/23/2011 01:53 PM, Reindl Harald wrote:
> On 23.12.2011 22:21, Joe Zeff wrote:
>> On 12/23/2011 01:12 PM, Reindl Harald wrote:
>>> * remove the ssh-config-files COMPLETELY
>>> * uninstall ssh-daemon
>>> * install it again
>>
>> You can use yum to reinstall a package in one step if you want to. Is there any advantage to doing it this way?
>> (I'm not being argumentative, here, I'm wondering if there's a reason for your suggesting to do it this way.)
>
> without removing the configs they will be kept

Yes, I understand that. That's why I didn't suggest that the OP not
remove them as the first step, just that using yum reinstall might be
more time effective than doing it in two steps.

 
Old 12-23-2011, 09:08 PM
Reindl Harald
 
Default SSH on Fedora 16

On 23.12.2011 23:04, Joe Zeff wrote:
> On 12/23/2011 01:53 PM, Reindl Harald wrote:
>>
>>
>> On 23.12.2011 22:21, Joe Zeff wrote:
>>> On 12/23/2011 01:12 PM, Reindl Harald wrote:
>>>> * remove the ssh-config-files COMPLETELY
>>>> * uninstall ssh-daemon
>>>> * install it again
>>>
>>> You can use yum to reinstall a package in one step if you want to. Is there any advantage to doing it this way?
>>> (I'm not being argumentative, here, I'm wondering if there's a reason for your suggesting to do it this way.)
>>
>> without removing the configs they will be kept
>
> Yes, I understand that. That's why I didn't suggest that the OP not remove them as the first step, just that using
> yum reinstall might be more time effective than doing it in two steps.

i prefer in such operations to make them step by step and watch
each possible output. "yum reinstall" does not do exactly the same
as remove/install, which is good if you want to reinstall a
package because something has messed up binary files

but it handles config files totally different
"yum reinstall" will never touch them and not
create rpmnew/rpmsave files!

so if something with configs is messed up i prefer a hard remove
if it is not a critical package killing yum/rpm/ssl and implicitly
removing a bunch of other packages
