LinuxQuestions.org
Old 07-18-2011, 10:43 AM   #1
oxident
LQ Newbie
 
Registered: May 2009
Posts: 16

Rep: Reputation: 0
my sshd accepts root login without password


Hello.

I'm trying to figure out why my industrial appliance (x86, running kernel 2.6.21.7 and OpenSSH_4.3p2 / OpenSSL 0.9.7m) accepts ssh connections without asking for a password (even for root)!

When I log on to the local console as root I have to enter a password but strangely this prompt won't appear using a ssh connection (although I'm not using any client certificates).

Of course that's not acceptable, but I just can't find the related configuration entry to disable this "password-less" authentication.

Is this related to the sshd or has it something to do with the PAM module?

Thanks for any help!

- Update ->
While looking at /var/log/secure, I've found the following lines:
Jul 18 16:55:07 localhost sshd[5712]: Accepted none for root from XXX port 6393 ssh2
Jul 18 16:55:07 localhost sshd[5712]: Deprecated pam_stack module called from service "sshd"
Jul 18 16:55:07 localhost sshd[5712]: Deprecated pam_stack module called from service "sshd"
Jul 18 16:55:07 localhost sshd[5712]: pam_unix(sshd:session): session opened for user root by (uid=0)

Last edited by oxident; 07-18-2011 at 11:02 AM.
 
Old 07-18-2011, 11:09 AM   #2
MCD555
Member
 
Registered: May 2009
Location: Milan, Italy
Distribution: Ubuntu, Debian, Fedora, Oracle Linux
Posts: 106

Rep: Reputation: 9
Quote: Originally Posted by oxident

Try posting the /etc/ssh/sshd_config to check the parameters.
Or just verify that your /etc/ssh/sshd_config contains the following instruction:

PermitRootLogin no

That is always a good minimum security policy to follow....

Hope this helps!
 
Old 07-19-2011, 06:36 AM   #3
oxident
LQ Newbie
 
Registered: May 2009
Posts: 16

Original Poster
Rep: Reputation: 0
Well, that's my sshd_config:
Code:
#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PermitEmptyPasswords yes 
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication mechanism. 
# Depending on your PAM configuration, this may bypass the setting of 
# PasswordAuthentication, PermitEmptyPasswords, and 
# "PermitRootLogin without-password". If you just want the PAM account and 
# session checks to run without PAM authentication, then enable this but set 
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server
But I really want to allow root login using ssh. My only problem is that I need SSHd to ask for the account's password.
 
Old 07-19-2011, 09:02 AM   #4
vinaytp
Member
 
Registered: Apr 2009
Location: Bengaluru, India
Distribution: RHEL 5.4, 6.0, Ubuntu 10.04
Posts: 704

Rep: Reputation: 55
Hi,

Please read some literature on password-less SSH login on Google (which is normally used in automation, for scripts without any user intervention). It is advisable to disable direct ssh login for root for security reasons.

Here is a link to help you on password less login, which someone might have configured on your system.
Password Less Login
 
Old 07-19-2011, 09:39 AM   #5
oxident
LQ Newbie
 
Registered: May 2009
Posts: 16

Original Poster
Rep: Reputation: 0
Yes, I have already read a lot regarding password-less login (and I also use the process for scripting issues on other machines), but every site I've visited deals with client-side certificates. As far as I've understood your link, this involves generating a certificate which is used to authenticate with the server.

But in my case, there's definitely no kind of certificate installed. I can even login from my mobile phone as root without entering any password.

I would have no problem with disabling root access via ssh, but my sshd won't even prompt for a password when using different accounts!
 
Old 07-19-2011, 12:02 PM   #6
reverend_hh
LQ Newbie
 
Registered: Mar 2008
Posts: 9

Rep: Reputation: 0
Try changing PermitEmptyPasswords to no instead of yes then restart the service.

Oh and as a side note change PermitRootLogin to no. Once you login as a regular user, just su to root.

Last edited by reverend_hh; 07-19-2011 at 12:05 PM.
 
Old 07-19-2011, 12:14 PM   #7
MCD555
Member
 
Registered: May 2009
Location: Milan, Italy
Distribution: Ubuntu, Debian, Fedora, Oracle Linux
Posts: 106

Rep: Reputation: 9
Quote: Originally Posted by oxident
One or more line(s) to change:

PermitEmptyPasswords yes => change this to no

This should solve your doubts about root-without-password login: this is a HUGE security hole, I think you should change this as soon as possible!


Also you should:

1.) as root generate a DSA and a RSA server key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
ssh-keygen -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key
2.) enable the following config lines:
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
3.) enable strictModes
StrictModes yes
4.) enable the following (key authentication):
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

For further info, a good link would be this:
http://www.cyberciti.biz/tips/linux-...practices.html

Last, generate a key on your client machine and use the key authentication as much as you can!

Hope this helps!
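An added audit script (written for this thread, not code from any poster) that applies the two findings above: it reads an sshd_config the way sshd does (comments skipped, first value of a keyword wins, OpenSSH 4.x defaults applied, so a commented-out PermitRootLogin still means yes) and scans /var/log/secure-style lines for the "Accepted none" entry from post #1. The sample configs and the extra "alice" log line are constructed.

```python
import re

# Constructed sample configs holding only the audited directives. WEAK_CONFIG mirrors the thread's
# posted settings; APPENDED_FIX appends the fix below the old line, which sshd ignores for a keyword
# it has already read (first value wins); HARDENED is the corrected file.
WEAK_CONFIG = "Protocol 2\n#PermitRootLogin yes\n#PermitEmptyPasswords no\nPermitEmptyPasswords yes\nPasswordAuthentication yes\nUsePAM yes\n"
APPENDED_FIX = WEAK_CONFIG + "PermitEmptyPasswords no\nPermitRootLogin no\n"
HARDENED = "Protocol 2\nPermitRootLogin no\nPermitEmptyPasswords no\nPasswordAuthentication yes\nUsePAM yes\n"
# Values sshd uses when a directive is absent or commented out (OpenSSH 4.x: PermitRootLogin defaults to yes).
DEFAULTS = {"PermitRootLogin": "yes", "PermitEmptyPasswords": "no", "PasswordAuthentication": "yes"}

def effective_settings(config_text):
    """Effective value of each audited directive: comments skipped, first occurrence wins, defaults applied."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in DEFAULTS and parts[0] not in seen:
            settings[parts[0]] = parts[1].strip().lower()
            seen.add(parts[0])
    return settings

def audit_config(config_text):
    """Risky effective settings as a list of strings; empty means both thread findings are fixed."""
    s = effective_settings(config_text)
    findings = []
    if s["PermitEmptyPasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: the 'none' method (no credential sent) succeeds for any "
                        "account whose empty-password check passes; this is what 'Accepted none' in the log means")
    if s["PermitRootLogin"] == "yes":
        findings.append("PermitRootLogin yes (explicit or by default): direct root login over ssh is allowed")
    return findings

# Constructed auth log: the first three lines copy the thread, the fourth is an added normal login.
SAMPLE_LOG = """\
Jul 18 16:55:07 localhost sshd[5712]: Accepted none for root from XXX port 6393 ssh2
Jul 18 16:55:07 localhost sshd[5712]: Deprecated pam_stack module called from service "sshd"
Jul 18 16:55:07 localhost sshd[5712]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 18 17:01:44 localhost sshd[5740]: Accepted password for alice from 192.0.2.10 port 50123 ssh2
"""
NONE_AUTH = re.compile(r"sshd\[\d+\]: Accepted none for (\S+) from (\S+) port \d+")

def none_logins(log_text):
    """(user, source) for each login sshd accepted with the 'none' method, i.e. with no credential at all."""
    return [(m.group(1), m.group(2)) for m in map(NONE_AUTH.search, log_text.splitlines()) if m]
```

Run `audit_config` on the real file and `none_logins` on /var/log/secure; APPENDED_FIX shows why appending "PermitEmptyPasswords no" at the end of the file does not fix the thread's problem while the appended PermitRootLogin line does take effect.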
 
Old 07-21-2011, 04:09 AM   #8
oxident
LQ Newbie
 
Registered: May 2009
Posts: 16

Original Poster
Rep: Reputation: 0
Quote: Originally Posted by MCD555
Thanks for this hint. If I change this setting I'm not able to log in using keyboard-interactive authentication anymore ("login permitted").
I think the problem is that there is no user with an empty password (although sshd won't ask for a password)!

Before implementing the certificate security I would really like to "restore" the behaviour to what I know from other Linux installations (which means: root login is disabled and other users can log in with their passwords)...
 
Old 07-21-2011, 07:44 AM   #9
MCD555
Member
 
Registered: May 2009
Location: Milan, Italy
Distribution: Ubuntu, Debian, Fedora, Oracle Linux
Posts: 106

Rep: Reputation: 9
Quote: Originally Posted by oxident
Well, to permit password authentication just set the parameter:

PasswordAuthentication yes

Does the specific user exist on that Linux box with a valid password?

Try posting the output from a client point of view (using ssh -vvv user@IP or similar).

Hope this helps!