Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have a number of remote machines I connect to, and I set up my rsa keys so I don't have to type my password every time. There's one remote machine worked for months, and now, does not (prompts me for password). I've checked permissions on the ~/.ssh directory, and everything looks fine. I've double-checked ~/.ssh/authorized_keys, and it looks fine. Config file, as well, should be okay. Yet, here I am.
I ssh in with verbose output, but it's not much of a help. Just shows me "trying private key, offering public key, [fail], trying dsa key, etc.".
Any idea? In my experience, it's almost always permissions, but that doesn't seem to be the case. The other thing is the IP address not changing (didn't) or the target machine not detecting it properly. I've put my key in authorized_keys in 3 places, once by raw IP, another by hostname (as shown in /etc/hosts) and a third for safe measure as what the machine thinks is the hostname (what is shown when I run 'who').
/etc/ssh/sshd_config
Code:
$OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 11122
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel DEBUG
# Authentication:
#LoginGraceTime 120
PermitRootLogin no
StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no
#X11Forwarding no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
DenyUsers root
DenyGroups root nossh
DenyGroups nossh
Well it does. You have made it group writable. Here's the problem with that:
Tito in your group decides to delete your .ssh directory and create his own.
He also makes his own authorized_keys file using his public key.
Now Tito can authenticate as you; successful account hijack.
From here he can put pieces back in place to make it less likely that you'll find the problem. (i.e. Appends your own public key to authorized_keys, etc.)
Remove the group writable permissions and you should be able to use pubkey authentication for this account again (assuming you don't have other unidentified issues as well). I just ran into this with a user last week.
------------------
edit: After posting this I wasn't able to reconstruct this crack on one of my own FBSD boxes. But that doesn't mean a bad guy who is lots smarter than me can't. In any event, I am sure this is what your problem is.
Last edited by anomie; 03-01-2008 at 11:28 AM.
Reason: addendum
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.