LinuxQuestions.org
Old 03-20-2011, 10:44 PM   #16
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 269

Rep: Reputation: 54

As long as you know the password, and interactive password logins are allowed, it should be no problem. Just remove the client ssh public key from the embedded device authorized_keys list. Before doing this, though, make sure you will be able to log in using a password; a simple test for this would be just attempting a login from a different client. You should also review the /etc/ssh/sshd_config file to see how it is set up, and adjust as needed.
 
Old 03-21-2011, 03:46 AM   #17
prushik
Member
 
Registered: Mar 2009
Location: Pennsylvania
Distribution: gentoo
Posts: 372

Original Poster
Rep: Reputation: 29
Quote:
Originally Posted by ComputerErik
As long as you know the password, and interactive password logins are allowed, it should be no problem. Just remove the client ssh public key from the embedded device authorized_keys list. Before doing this, though, make sure you will be able to log in using a password; a simple test for this would be just attempting a login from a different client. You should also review the /etc/ssh/sshd_config file to see how it is set up, and adjust as needed.
Almost everything in /etc/ssh/sshd_config is commented out.
It looks like this:
Code:
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
#----------------

Port 2222
#SyslogFacility AUTH
#LogLevel INFO
AuthorizedKeysFile	/etc/ssh/authorized-keys

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# override default of no subsystems
Subsystem	sftp	/usr/lib/openssh/sftp-server

# ----------------
# Local Variables:
# mode: conf
# End:
I think I need to keep using port 2222 because port 22 won't get through the firewalls, which I don't feel like changing now. Do I just need to change PasswordAuthentication to yes? That would be really easy, I don't know why I didn't try that before, probably because I didn't really understand what was going on.

Anyways, I still need help, but thanks for helping me with everything so far. Once I get this set up, I will be that much closer to making this device usable. I finally got prBoom (Doom) running on it today at 4:32am! It's unplayable because it doesn't actually have a keyboard... but it's progress.
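
Added example (not part of any post in this thread): a shell helper that reports which value sshd would act on for a keyword in a config like the one posted above, where most lines are commented out. The function names, the defaults passed in, and the duplicate `passwordauthentication` line in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Rules applied, per sshd_config(5): '#' lines and blank lines
# are ignored, keywords are case-insensitive, first value for a keyword wins.
# Simplification: parsing stops at the first Match block.

# effective_option FILE KEYWORD DEFAULT  (function name is hypothetical)
effective_option() {
    awk -v want="$2" -v dflt="$3" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # commented-out or blank line
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == want {               # first occurrence wins
            $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit
        }
        END { if (!found) print dflt }      # nothing set: built-in default
    ' "$1"
}

# password_login_state FILE -> "enabled" or "disabled"
password_login_state() {
    # "yes" is the upstream OpenSSH default when the keyword is absent
    v=$(effective_option "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    if [ "$v" = "yes" ]; then echo enabled; else echo disabled; fi
}

# Constructed sample, trimmed from the config posted in the thread. The last
# PasswordAuthentication line is added here to show that a later duplicate
# has no effect.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Port 2222
#LogLevel INFO
AuthorizedKeysFile /etc/ssh/authorized-keys
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#ChallengeResponseAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
passwordauthentication yes
EOF
    echo "$f"
}

cfg=$(make_sample)
echo "Port:               $(effective_option "$cfg" Port 22)"
echo "AuthorizedKeysFile: $(effective_option "$cfg" AuthorizedKeysFile .ssh/authorized_keys)"
echo "UsePAM:             $(effective_option "$cfg" UsePAM no)"
echo "Password logins:    $(password_login_state "$cfg")"
rm -f "$cfg"
```

On a host with a full OpenSSH build, `sshd -T` run as root prints the effective configuration as the daemon itself parses it.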
 
Old 03-21-2011, 05:11 AM   #18
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 269

Rep: Reputation: 54
Well, in general, yes, you would just change that to yes. However, since this is some type of embedded system, it is possible there are other problems which would prevent you from doing what you want. If this is some type of security device (firewall, etc.), then messing around with it like this is probably a bad idea. Requiring a key-based authentication system is more secure, and installing any additional software (especially a game) doesn't do anything to help it perform as intended.
 
Old 03-21-2011, 05:42 AM   #19
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Which /etc/ssh/sshd_config file did you display? The /etc/ssh/sshd_config file is for configuring the server, which is the host accepting the connection.


Your computer and the device each have their own key pair.

The port setting is the port that the server is listening to.

Please indicate which host you are referring to when providing information. The computer (ssh client) or the device (ssh server).

Last edited by jschiwal; 03-22-2011 at 07:19 AM. Reason: removed Mistaken advice.
 
Old 03-21-2011, 04:20 PM   #20
prushik
Member
 
Registered: Mar 2009
Location: Pennsylvania
Distribution: gentoo
Posts: 372

Original Poster
Rep: Reputation: 29
Quote:
Originally Posted by ComputerErik
Well, in general, yes, you would just change that to yes. However, since this is some type of embedded system, it is possible there are other problems which would prevent you from doing what you want. If this is some type of security device (firewall, etc.), then messing around with it like this is probably a bad idea. Requiring a key-based authentication system is more secure, and installing any additional software (especially a game) doesn't do anything to help it perform as intended.
No, it is not a firewall or other security device. And I have absolutely no interest in making it function "as intended". On the contrary, I want it to function as I intend, which is most definitely not how it was intended to run. (And actually, running games isn't my intention either, just thought it would be fun to have Doom running on it.) I am actually trying to make this device as multipurpose as possible, and utilize all of its hardware features.

Yes, that sshd_config file is from the server (embedded device).
 
Old 03-22-2011, 07:22 AM   #21
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I was mistaken on the PasswordAuthentication entry. It should be no.
Code:
PasswordAuthentication no
Must have been tired. I downloaded the ssh rpm and extracted the original default sshd_config.

Does the device use PAM? If so, you need a UsePAM yes entry in /etc/ssh/sshd_config of the server.

Try to log in using the -vv option. This will include debugging messages, indicating what was tried and failed.

Last edited by jschiwal; 03-22-2011 at 07:43 AM.
 
Old 03-22-2011, 11:23 PM   #22
prushik
Member
 
Registered: Mar 2009
Location: Pennsylvania
Distribution: gentoo
Posts: 372

Original Poster
Rep: Reputation: 29
Quote:
Originally Posted by jschiwal
I was mistaken on the PasswordAuthentication entry. It should be no.
Code:
PasswordAuthentication no
Must have been tired. I downloaded the ssh rpm and extracted the original default sshd_config.

Does the device use PAM? If so, you need a UsePAM yes entry in /etc/ssh/sshd_config of the server.

Try to log in using the -vv option. This will include debugging messages, indicating what was tried and failed.
That's funny, I changed it to yes and now it's working the way I want it to. I do not think it's using PAM, although I am not entirely sure how to check, but I have been messing with this device for a while, and I haven't seen a reference to PAM. And plus, it's working fine now. I'm not going to mark this thread as solved because I kinda changed my question.
 
Old 03-23-2011, 09:47 AM   #23
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
You are authenticating in the clear. If the port is open to the internet, you will want to fix that.
 
Old 03-23-2011, 03:19 PM   #24
prushik
Member
 
Registered: Mar 2009
Location: Pennsylvania
Distribution: gentoo
Posts: 372

Original Poster
Rep: Reputation: 29
Quote:
Originally Posted by jschiwal
You are authenticating in the clear. If the port is open to the internet, you will want to fix that.
Already talked about this.
I don't mean to sound like a jerk or anything, but this is my pet peeve: don't make assumptions about what I want. In this case, that is exactly what I want, nothing needs to be "fixed".
 
Old 03-23-2011, 05:44 PM   #25
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
sed 's/you will want to/it would be more secure to /' <previousmessage
 
Old 03-24-2011, 12:06 AM   #26
prushik
Member
 
Registered: Mar 2009
Location: Pennsylvania
Distribution: gentoo
Posts: 372

Original Poster
Rep: Reputation: 29
Quote:
Originally Posted by jschiwal
sed 's/you will want to/it would be more secure to /' <previousmessage
That's acceptable. Thank you for humoring me.
I do want less security though. I want someone to be able to ssh to this device without having exchanged files with me. If somebody logs in to this device and totally trashes it, all I have to do is dd a new image to the USB drive that it's booting from. But who would want to do that anyway? I would bet a significant amount of money that nobody will ever do that (even though that would be a terrible bet because my winning conditions wouldn't be fulfilled until "forever" is over...), and there is no protected information on the device.

Anyway, I'm out of my element here in the security forum, I need to get back to practicing writing drivers and stuff.
 
  

