LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 11-16-2004, 02:25 PM   #1
Xolo
Member
 
Registered: Jul 2004
Location: The Netherlands
Distribution: Mandrake, Knoppix, Coyote Linux, RedHat
Posts: 354
Blog Entries: 3

Rep: Reputation: 31
Need help using Webmin to tell SSH to allow logins


Hello everyone.

I'm having a slight problem that I can't wrap my mind around today.
I've built myself a server running Mandrake 9 and set the security level to 'Paranoid'.
This effectively closed my box from the outside world, which is great. and it actually listened to me when I told it I wanted to use FTP, HTTP and Samba SWAT and Webmin publicly through the firewall. Except for SSHd. this lil' bugger won't let me connect to it, it will simply disconnect without warning.

So I need help using Webmin to alter the SSH server settings so it -will- allow users to log in remotely (Except root ofcourse.)


Thanks for your time.
 
Old 11-16-2004, 10:14 PM   #2
guitarman85281
Member
 
Registered: Aug 2004
Location: Tempe, Arizona
Distribution: RedHat 9, SuSE 9.1, Fedora Core 4, Gentoo
Posts: 52

Rep: Reputation: 15
Greetings
Is SSHd allowing login initially then booting you off or is it refusing the connection altogether?
 
Old 11-17-2004, 01:26 AM   #3
Xolo
Member
 
Registered: Jul 2004
Location: The Netherlands
Distribution: Mandrake, Knoppix, Coyote Linux, RedHat
Posts: 354
Blog Entries: 3

Original Poster
Rep: Reputation: 31
SSHd is started at boot, but it does not allow connections from the outside.
Here's a sample terminal from the box itself:
Code:
[xander@Xolo xander]$ ssh localhost
bash: /usr/bin/ssh: Permission denied
[xander@Xolo xander]$ su
Password:
[root@Xolo xander]# ssh localhost
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
If I attempt SSH to the IP of the box from say, my work office, I don't
get anything, the terminal just disconnects. (Using PuTTY with default settings)

Basicly I think my error lies in the fact that users aren't authorised to log in
(need a public key first?) and that SSHd doesn't present me with a login prompt
but rather tries to determine who is attempting a login and then simply disconnects
when it doesn't see a valid username (and possibly an accompanying key).
 
Old 11-17-2004, 08:11 AM   #4
guitarman85281
Member
 
Registered: Aug 2004
Location: Tempe, Arizona
Distribution: RedHat 9, SuSE 9.1, Fedora Core 4, Gentoo
Posts: 52

Rep: Reputation: 15
Greetings
Looks like root login in not allowed. That's actually a smarting to do security-wise. Look at your .conf file and see who is in the valid users list as well.
 
Old 11-17-2004, 03:57 PM   #5
Xolo
Member
 
Registered: Jul 2004
Location: The Netherlands
Distribution: Mandrake, Knoppix, Coyote Linux, RedHat
Posts: 354
Blog Entries: 3

Original Poster
Rep: Reputation: 31
Indeed Root isn't allowed to use SSH, nor is he allowed to log into the system directly
However when I look at Webmin's page for SSH's Access Control, the part where it says 'Only allow users' the check is set to 'All'. that leads me to think all users are allowed to log into SSH, but it doesn't appear to work that way.

Code:
Network and login access control options

Only allow users 	All
Only allow members of groups 	None
Deny users 	None
Deny members of groups 	All
These are the default settings.

Edit:
I forgot to mention that i've tried to alter these settings in a previous install, to:

Code:
Network and login access control options

Only allow users 	user1 user2 user3 user4
Only allow members of groups 	user1 user2 user3 user4
Deny users 	None
Deny members of groups 	(Any non-user group here)
But that didn't change anything as far as I could see, even after a full reboot.

Last edited by Xolo; 11-17-2004 at 04:06 PM.
 
Old 11-22-2004, 03:29 AM   #6
Xolo
Member
 
Registered: Jul 2004
Location: The Netherlands
Distribution: Mandrake, Knoppix, Coyote Linux, RedHat
Posts: 354
Blog Entries: 3

Original Poster
Rep: Reputation: 31
Clean start, reinstalled the entire machine from scratch.
Still need to get SSH working for my users. SSHd is running, but does not allow login. default settings so far, but could use a hint or two for Webmin.. i'll try some stuff later when I have free time, since i'm at the office right now.
 
Old 11-22-2004, 05:03 AM   #7
mardanian
Member
 
Registered: Mar 2004
Distribution: Fedora
Posts: 254

Rep: Reputation: 30
okay I assume to have direct access to this machine? if yes then do this and then try to ssh to the box

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

if stll not working then poke into sshd.conf file.
 
Old 11-22-2004, 06:31 AM   #8
Xolo
Member
 
Registered: Jul 2004
Location: The Netherlands
Distribution: Mandrake, Knoppix, Coyote Linux, RedHat
Posts: 354
Blog Entries: 3

Original Poster
Rep: Reputation: 31
I did enable SSH access in the firewall but I will re-check it anyway against what you told me to use when I get home.
 
Old 11-22-2004, 11:26 AM   #9
Xolo
Member
 
Registered: Jul 2004
Location: The Netherlands
Distribution: Mandrake, Knoppix, Coyote Linux, RedHat
Posts: 354
Blog Entries: 3

Original Poster
Rep: Reputation: 31
Well, checked the firewall and it's in there alright... but it doesn't work. It's SSHd itself that is disconnecting me when I try to log in.
Here's a bit out of iptables -L:

Code:
Chain net2fw (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere             anywhere           state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:swat
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:8000
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:8001
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:8888
ACCEPT     tcp  --  anywhere             anywhere           state NEW tcp dpt:10000
ACCEPT     udp  --  anywhere             anywhere           state NEW udp dpt:domain
net2all    all  --  anywhere             anywhere
So I think port 22 is open, as SSHd does take the connection in the first two seconds..

I've tried ssh -v localhost to get some verbose output, maybe it's of use:
Code:
[root@Xolo bin]# ssh -v localhost
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
debug1: Calling cleanup 0x8068fc0(0x0)
Do I need to set up public keys or something? if yes, how? i'm not having much luck with ssh-keygen..
 
Old 11-22-2004, 03:57 PM   #10
Xolo
Member
 
Registered: Jul 2004
Location: The Netherlands
Distribution: Mandrake, Knoppix, Coyote Linux, RedHat
Posts: 354
Blog Entries: 3

Original Poster
Rep: Reputation: 31
Here's my sshd_config, by the way [edited for user privacy]:

Code:
#	$OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
Protocol 1,2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication 
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem	sftp	/usr/lib/ssh/sftp-server
PermitRootLogin no
IgnoreRhosts yes
RhostsRSAAuthentication no
RhostsAuthentication no
IgnoreUserKnownHosts no
PrintMotd yes
StrictModes yes
RSAAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
ReverseMappingCheck no
GatewayPorts no
AllowTcpForwarding yes
LoginGraceTime 120
KeepAlive yes
DenyGroups adm apache bin ctools user5 ftp games gdm lp machines mail mysql named news nogroup postdrop postfix postgres root rpm sshd
AllowGroups user1 user2 user3 user4
AllowUsers user1 user2 user3 user4
KeyRegenerationInterval 1800

And my ssh_config file:

Code:
#	$OpenBSD: ssh_config,v 1.15 2002/06/20 20:03:34 stevesk Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~

Host *
	ForwardX11 yes
	Protocol 1,2
	StrictHostKeyChecking no

I can't really tell if there is an error in there anywhere. I did not edit either file by hand, any non-default lines were created through Webmin's control panel for SSH Server.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
enabling ssh logins on debian rjshirts Linux - Software 12 11-11-2013 04:09 PM
How do i monitor SSH logins? gtwilliams Linux - Security 5 06-08-2005 10:43 PM
Restricting SSH logins. bullium Linux - Security 3 05-10-2005 01:15 AM
Massive SSH Logins zeeshanhayat Linux - Security 1 03-08-2005 12:49 PM
SSH and SCP user logins sopiaz57 Linux - Security 11 01-27-2004 09:38 PM


All times are GMT -5. The time now is 05:06 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration