LinuxQuestions.org
Old 08-17-2010, 05:29 PM   #1
C4talyst
LQ Newbie
 
Registered: Oct 2009
Posts: 10

Rep: Reputation: 0
SSHD Direct Root Logins - STUMPED...


Ok, so I have a customer running an older Fedora Core release and using it for production web hosting. He's also using cpanel and has asked them to help with migrating some of his sites to a new server.

Apparently the cpanel staff have requested temporary direct-root logins enabled so they can use some of their migration tools. Well, I have PermitRootLogin set to yes in sshd_config, sshd is restarted, and when you try to login via putty as root, you get the "Access Denied" message.

Strangely, /var/log/messages shows the following:

Aug 17 15:23:04 linux1 sshd[19432]: Failed password for root from 216.xxx.xx.xx port 16055 ssh2

HOWEVER, I know I'm using the correct root password as I just set it and I can 'su -' with it. What the heck is going on with this????

...and thanks!
 
Old 08-17-2010, 05:42 PM   #2
Meson
Member
 
Registered: Oct 2007
Distribution: Arch x86_64
Posts: 606

Rep: Reputation: 67
The gods are letting you know not to give up root access.
 
1 members found this post helpful.
Old 08-17-2010, 05:53 PM   #3
jys17
LQ Newbie
 
Registered: Feb 2009
Posts: 5

Rep: Reputation: 0
check your /etc/hosts.allow and /etc/hosts.deny, I think there is something about SSHD blocking from some ports in there.
 
Old 08-17-2010, 06:18 PM   #4
C4talyst
LQ Newbie
 
Registered: Oct 2009
Posts: 10

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by jys17
check your /etc/hosts.allow and /etc/hosts.deny, I think there is something about SSHD blocking from some ports in there.
I'll look, but I can login as other users, just not root.
 
Old 08-17-2010, 06:18 PM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Could you post the /etc/sshd/sshd_config file? Also look at the pam configuration.

Try logging in with "ssh -vv" for more debug information. ( I don't know if putty has a verbosity setting )

You could use pubkey authentication. I believe using "PermitRoot without-password" will allow you to use public key authentication for root while the default for regular users remains the same. It is possible to use both types as well.

Also look in /etc/security/ to see if there are prohibitions against root logins on certain interfaces or terminals.

Does the problem exist if you try to log in from a Linux system instead of Windows? My thinking here is character encoding issues. Such as if Windows is using utf-16 instead of utf-8. Does root use a different encoding than your regular user?

Quote:
I know I'm using the correct root password as I just set it and I can 'su -' with it.
Could you give them a regular account so they can run "su -" themselves and then run their tools?
 
Old 08-18-2010, 10:12 AM   #6
C4talyst
LQ Newbie
 
Registered: Oct 2009
Posts: 10

Original Poster
Rep: Reputation: 0
Everything in /etc/security was set to defaults...no blockage there. Here is the sshd_config file:
 
Old 08-18-2010, 10:13 AM   #7
C4talyst
LQ Newbie
 
Registered: Oct 2009
Posts: 10

Original Poster
Rep: Reputation: 0
Everything in /etc/security was set to defaults...no blockage there. Here is the sshd_config file:

Code:
#       $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
Protocol 2
#AddressFamily any
ListenAddress xxx.xxx.xxx.xxx
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/local/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
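
The check suggested in post #5 applied to a file like the one in post #7, as an added example that is not part of any post in this thread: a shell helper that reports, for each keyword that gates a root password login, whether the file sets it or only documents a default in a `#Keyword value` line. The function names and the sample file are constructed for illustration; `AllowUsers` and `DenyUsers` are standard sshd_config keywords that do not appear in the posted file.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "set VALUE", "default VALUE" or "unset" for one keyword.
sshd_effective() {   # $1 = config file, $2 = keyword
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/[ \t\r]+$/, "") }              # drop trailing blanks and CR
        # An active Match line ends the global section; stop there.
        tolower($1) == "match" { exit }
        # Active directive: keywords are case-insensitive, first one wins.
        /^[ \t]*[A-Za-z]/ && tolower($1) == want {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print "set " $0; found = 1; exit
        }
        # "#Keyword value" with no space after "#" is how the stock file
        # documents a default; prose comments start with "# " and are skipped.
        /^#[A-Za-z]/ && dflt == "" {
            sub(/^#/, "")
            if (tolower($1) == want) { sub(/^[^ \t]+[ \t]+/, ""); dflt = $0 }
        }
        END {
            if (!found) { if (dflt != "") print "default " dflt; else print "unset" }
        }
    ' "$1"
}

# One line per keyword that can block a root password login.
root_login_report() {   # $1 = config file
    for kw in PermitRootLogin PasswordAuthentication \
              ChallengeResponseAuthentication UsePAM AllowUsers DenyUsers; do
        printf '%-32s %s\n' "$kw" "$(sshd_effective "$1" "$kw")"
    done
}

# Constructed sample in the style of the posted file (not a copy of it).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat >"$sample" <<'EOF'
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
# PasswordAuthentication.  Depending on your PAM configuration,
#ChallengeResponseAuthentication yes
#UsePAM no
permitrootlogin no
#Match User anoncvs
#       X11Forwarding no
EOF
root_login_report "$sample"
```

A "default" line reflects what the sample file shipped with that build documents, so the report is only meaningful when it is run against the file the running daemon was started with.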
 
Old 08-18-2010, 10:15 AM   #8
C4talyst
LQ Newbie
 
Registered: Oct 2009
Posts: 10

Original Poster
Rep: Reputation: 0
I think the kicker here is that /var/log/messages reports that password problem...even though I'm using the correct password.
 
  

