passwordless ssh root logins stopped working after testing dist-upgrade
in [Debian]
|
Prev: Should you do business in the Cloud?
Next: passwordless ssh root logins stopped working after testing dist-upgrade
From: Tony Nelson on 6 Apr 2010 15:30 On 10-04-06 14:12:19, Russell L. Carter wrote: > > I dist-upgraded yesterday and ssh root logins started requiring a > password. ... ... > root(a)feyerabend> diff -u ssh_config ssh_config.dpkg-dist > --- ssh_config 2010-04-05 21:14:26.172871668 -0700 > +++ ssh_config.dpkg-dist 2010-01-04 09:05:12.000000000 -0700 > @@ -17,8 +17,8 @@ > # ssh_config(5) man page. > > Host * > -ForwardAgent yes > -ForwardX11 yes > +# ForwardAgent no > +# ForwardX11 no > # ForwardX11Trusted yes > # RhostsRSAAuthentication no > # RSAAuthentication yes I don't see any "PermitRootLogin without-password" line in your diff. -- ____________________________________________________________________ TonyN.:' <mailto:tonynelson(a)georgeanelson.com> ' <http://www.georgeanelson.com/> -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org Archive: http://lists.debian.org/1270581844.24480.0(a)localhost.localdomain
From: d.sastre.medina on 6 Apr 2010 15:30 On Tue, Apr 06, 2010 at 11:12:19AM -0700, Russell L. Carter wrote: > VERY CAREFULLY checked .ssh and authorized_keys permissions, > etc. No change. This affects both user->root(a)localhost ssh logins Hello, Could you try to add a new user in the box you want to log in, and create a ~/.ssh/authorized_keys with your ~/.ssh/id_dsa.pub and see what happens. A ssh -vvv output would be fine too. Remember to chmod 600 authorized_keys file and chmod 700 .ssh directory (probably less restrictive also work, but this JWFFM). Regards. -- Huella de clave = 943C D77F 0CB0 02FE 166E E06F D13A A2E1 98A5 C953
From: d.sastre.medina on 6 Apr 2010 16:10 On Tue, Apr 06, 2010 at 03:24:04PM -0400, Tony Nelson wrote: > On 10-04-06 14:12:19, Russell L. Carter wrote: > > root(a)feyerabend> diff -u ssh_config ssh_config.dpkg-dist > > --- ssh_config 2010-04-05 21:14:26.172871668 -0700 > > +++ ssh_config.dpkg-dist 2010-01-04 09:05:12.000000000 -0700 > > @@ -17,8 +17,8 @@ > > # ssh_config(5) man page. > > > > Host * > > -ForwardAgent yes > > -ForwardX11 yes > > +# ForwardAgent no > > +# ForwardX11 no > > # ForwardX11Trusted yes > > # RhostsRSAAuthentication no > > # RSAAuthentication yes > > I don't see any "PermitRootLogin without-password" line in your diff. Hello, That would disable password login for root, but does not enable per-se pubkey auth (AFAIK). man sshd_config explain this: PermitRootLogin, PubkeyAuthentication and AuthorizedKeysFile entries. Regards. -- Huella de clave = 943C D77F 0CB0 02FE 166E E06F D13A A2E1 98A5 C953
From: Stephen Powell on 6 Apr 2010 16:20 On Tue, 6 Apr 2010 14:12:19 -0400 (EDT), Russell L. Carter wrote: > > I dist-upgraded yesterday and ssh root logins started requiring a > password. OK, I'll bite. Not that this is any of my business, but why do you allow *root* logins via *ssh* _without_ a password. Isn't that dangerous? At my shop, our policy is that root is not allowed to login via ssh at all. root can only login from the system console. To login as root via ssh, one must login as a normal user first, then su to root. But you not only allow root to login via ssh, you don't even require a password! That sounds like a security hole big enough to drive a tank through! Would you mind explaining why you do this? -- .''`. Stephen Powell <zlinuxman(a)wowway.com> : :' : `. `'` `- -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org Archive: http://lists.debian.org/1646579125.1476531270584888497.JavaMail.root(a)md01.wow.synacor.com
From: Tony Nelson on 7 Apr 2010 15:00
On 10-04-06 16:06:14, d.sastre.medina(a)gmail.com wrote: > On Tue, Apr 06, 2010 at 03:24:04PM -0400, Tony Nelson wrote: > > On 10-04-06 14:12:19, Russell L. Carter wrote: > > > root(a)feyerabend> diff -u ssh_config ssh_config.dpkg-dist > > > --- ssh_config 2010-04-05 21:14:26.172871668 -0700 > > > +++ ssh_config.dpkg-dist 2010-01-04 09:05:12.000000000 > -0700 > > > @@ -17,8 +17,8 @@ > > > # ssh_config(5) man page. > > > > > > Host * > > > -ForwardAgent yes > > > -ForwardX11 yes > > > +# ForwardAgent no > > > +# ForwardX11 no > > > # ForwardX11Trusted yes > > > # RhostsRSAAuthentication no > > > # RSAAuthentication yes > > > > I don't see any "PermitRootLogin without-password" line in your > > diff. > Hello, > > That would disable password login for root, but does not enable per- > se pubkey auth (AFAIK). > > man sshd_config explain this: PermitRootLogin, PubkeyAuthentication > and AuthorizedKeysFile entries. Oops, yes, sorry. -- ____________________________________________________________________ TonyN.:' <mailto:tonynelson(a)georgeanelson.com> ' <http://www.georgeanelson.com/> -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org Archive: http://lists.debian.org/1270666631.668.1(a)localhost.localdomain |