LinuxQuestions.org > Solaris / OpenSolaris > SSH will not allow root logins
(http://www.linuxquestions.org/questions/solaris-opensolaris-20/ssh-will-not-allow-root-logins-747311/)

paidbythehour 08-13-2009 12:57 PM

SSH will not allow root logins
 
Hi there,

First of all, I'm aware that root logins are disabled by default in Solaris 10. Here are the steps I've taken so far:

- Enabled ssh via svcadm enable ssh
- Edited /etc/ssh/ssh_config to include PermitRootLogin yes
- Verified that /etc/default/login has CONSOLE=/dev/console/ commented out.
- Restarted ssh via svcadm restart ssh
- Rebooted the host, and verified configuration files retained their changes.
- Confirmed ssh is running via ps -ef | grep ssh
- Verified ssh is accepting logins with user account


After the above steps, I am still unable to log in with the root account. Telnet is enabled on this host as well, and it accepts root logins without issue.

When I check /var/adm/messages, the only message whose time stamp matches my login attempt is as follows:


Aug 13 12:43:33 uotts047 sshd[1252]: [ID 722452 auth.error] user2netname: (nis+ lookup): Error in accessing NIS+ cold start file... is NIS+ installed?



I do not get this message for successful ssh logins using my user account. The root and user accounts are local accounts (not NIS).


Does anyone have any suggestions on where to go from here? I've been crawling forums looking for someone else who has this problem ... if anyone else has a link to a thread that covers all the points I have, it would be greatly appreciated.

Am I missing something simple here?

repo 08-13-2009 01:06 PM

Login as user and su to root.
Disable telnet

Nevahre 08-13-2009 01:06 PM

If it is a typo I cannot help, but shouldn't this: ssh_config be sshd_config (ssh vs sshd)??

paidbythehour 08-13-2009 01:19 PM

Quote:

Originally Posted by repo (Post 3642064)
Login as user and su to root.
Disable telnet

Telnet is now disabled, but this hasn't changed the behavior of SSH. I am still unable to log in as root, but I can log in as another user.

Quote:

Originally Posted by Nevahre
If it is a typo I cannot help, but shouldn't this: ssh_config be sshd_config (ssh vs sshd)??

It's just ssh_config:

# ls -la /etc/ssh/ssh_config
-rw-r--r-- 1 root sys 882 Aug 13 12:42 /etc/ssh/ssh_config

karamarisan 08-13-2009 01:27 PM

Quote:

Originally Posted by paidbythehour (Post 3642089)
Telnet is now disabled, but this hasn't changed the behavior of SSH. I am still unable to log in as root, but I can log in as another user.

You missed his point. Allowing root to log in over ssh is VERY BAD, and you shouldn't allow it. Log in as yourself, then switch to root. Telnet is unrelated to your problem, but since it sends passwords plaintext (read: anyone between you and the destination or on the same line can read them), it is EXTRA VERY BAD.

Also, I don't know your distro, but I believe sshd_config is the correct file for... er, sshd. Double-check that the file you have is configuring the service you think it is.

Nevahre 08-13-2009 01:38 PM

Quote:

Originally Posted by paidbythehour (Post 3642089)
It's just ssh_config:

# ls -la /etc/ssh/ssh_config
-rw-r--r-- 1 root sys 882 Aug 13 12:42 /etc/ssh/ssh_config

My system has a ssh_config and a sshd_config. The 'PermitRootLogin yes' is in the sshd_config file, not the ssh_config file........

repo 08-13-2009 01:40 PM

Why do you want to login as root using ssh?

paidbythehour 08-13-2009 02:09 PM

Karamarisan, Repo, Nevahre ... thank you all for taking the time to reply.


First of all, I should try and save my reputation a bit:

I am aware of the security implications involved with allowing root access via SSH. Perhaps I should have mentioned this earlier (or updated my LQ profile) but I work in a hardware development lab on an isolated network. We have no firewalls, no access to the internet, or any other security concerns. Our hosts are used strictly for testing hardware designed by our engineers. As an avid OpenBSD user, I'm glad to see you share the same security concerns regarding SSH/Telnet as I do. I have no idea why our engineers have requested root access via ssh, but that's really none of my business.


Now for my brain-fart moment:

Nevahre nailed it. I was editing ssh_config instead of sshd_config, which is embarrassing. I'd like to sincerely thank Nevahre for addressing my problem, instead of questioning my motives.

Karamarisan and Repo did the right thing by pointing out the security implications, but Nevahre gets the glory.

Thanks again guys. Take care.

karamarisan 08-13-2009 02:19 PM

Heh, glad you've got it. Forgive the alert mode; people asking for what you wanted are vastly more likely to be n00bs (and I do mean that disparagingly for once) who think they don't need to worry about security and/or are too lazy to do it the right way. :)

Strange that you had this problem, though - any insight as to why sshd_config wasn't there to begin with? You said this is Solaris; done anything weird with it or does it ship that way?

Nevahre 08-13-2009 02:31 PM

:D

Karamarisan and Repo have a point! I agree.

paidbythehour 08-13-2009 02:50 PM

Quote:

Originally Posted by karamarisan (Post 3642198)
Strange that you had this problem, though - any insight as to why sshd_config wasn't there to begin with? You said this is Solaris; done anything weird with it or does it ship that way?


This is where I had my brain-fart. The OS ships with both ssh_config (ssh client config) and sshd_config (ssh daemon config).

The issue was purely my oversight. I'll correct that with more caffeine shortly ...

Thx again.
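The client/daemon mix-up above is easy to check for mechanically. The following is an added example (not code from the thread): a POSIX shell script that reads the first active `PermitRootLogin` line from a constructed pair of `ssh_config`/`sshd_config` files and warns when the directive only lives in the client file. It assumes `Keyword value` (or `Keyword=value`) lines, no `Match` blocks, and the sshd rule that the first occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example, not from the thread: find the effective value of a keyword in
# an ssh/sshd config file and flag the ssh_config-vs-sshd_config mix-up.
# Assumes "Keyword value" (or "Keyword=value") lines, no Match blocks, and the
# sshd rule that the first occurrence of a keyword wins.

# config_value FILE KEYWORD: print the value from the first active line that
# sets KEYWORD (case-insensitive); print nothing if the keyword is not set.
config_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                         # comments, blank lines
        {
            line = $0; gsub(/=/, " ", line); $0 = line   # allow Key=value
            if (tolower($1) == key) { print $2; exit }  # first match wins
        }' "$1"
}

# diagnose DIR: report what sshd will actually use, and warn when the directive
# sits in the client file (the mistake made in this thread).
diagnose() {
    d=$(config_value "$1/sshd_config" PermitRootLogin)
    c=$(config_value "$1/ssh_config" PermitRootLogin)
    [ -n "$d" ] || d="unset (daemon default applies)"
    printf 'sshd_config: PermitRootLogin=%s\n' "$d"
    [ -z "$c" ] || printf 'warning: ssh_config (client) has PermitRootLogin=%s; sshd ignores it\n' "$c"
}

# make_sample: constructed /etc/ssh lookalike reproducing the thread's state:
# "PermitRootLogin yes" added to the client file, daemon file still says no.
make_sample() {
    dir=$(mktemp -d)
    cat > "$dir/ssh_config" <<'EOF'
# constructed client config
Host *
    ForwardX11 no
PermitRootLogin yes
EOF
    cat > "$dir/sshd_config" <<'EOF'
# constructed daemon config
Protocol 2
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
EOF
    printf '%s\n' "$dir"
}

diagnose "$(make_sample)"
```

Run against a real `/etc/ssh` directory by calling `diagnose /etc/ssh`; the sample directory is only there so the script runs offline.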

karamarisan 08-13-2009 03:10 PM

No, I get you (and believe me, I have those all the time). It just seems weird to me that the package didn't even create a blank file - usually there's a fully decked-out config file as both documentation of how to configure it and of the defaults. Oh, well. Good luck (with whatever). :)

TB0ne 08-13-2009 07:01 PM

Quote:

Originally Posted by paidbythehour (Post 3642178)
Karamarisan, Repo, Nevahre ... thank you all for taking the time to reply.

First of all, I should try and save my reputation a bit:

I am aware of the security implications involved with allowing root access via SSH. Perhaps I should have mentioned this earlier (or updated my LQ profile) but I work in a hardware development lab on an isolated network. We have no firewalls, no access to the internet, or any other security concerns. Our hosts are used strictly for testing hardware designed by our engineers. As an avid OpenBSD user, I'm glad to see you share the same security concerns regarding SSH/Telnet as I do. I have no idea why our engineers have requested root access via ssh, but that's really none of my business.


Now for my brain-fart moment:

Nevahre nailed it. I was editing ssh_config instead of sshd_config, which is embarrassing. I'd like to sincerely thank Nevahre for addressing my problem, instead of questioning my motives.

Karamarisan and Repo did the right thing by pointing out the security implications, but Nevahre gets the glory.

Thanks again guys. Take care.

Glad you got it cooking. It seems you've got a good handle on things, but this statement jumps out:
Quote:

I have no idea why our engineers have requested root access via ssh, but that's really none of my business.
As a long-time administrator, why people need root access IS the business of the administrator, in my opinion. Granted, they may know what they're doing...but they may not. If system work isn't their primary job, they're more likely to be careless with an "rm -fR *", and YOU will be the one to rebuild the system, while they take a long lunch or go home early, since, after all...'the system is down'.....

I'd strongly recommend using SUDO instead, and log who does what. You can just have them type in "sudo -s", and get a root shell...but will also have a trail that says "user Jerry went to root at 11:17", so if something is hosed, there's no finger-pointing. Also, if someone just decides to change the root password...EVERYONE is locked out of it. If SUDO is working, you can log in as you, and change the root password back, without having to boot single-user, etc.

Just my $0.02 worth...feel free to ignore. :)

paidbythehour 08-14-2009 09:32 AM

Quote:

Originally Posted by TB0ne (Post 3642513)
Glad you got it cooking. It seems you've got a good handle on things, but this statement jumps out:

As a long-time administrator, why people need root access IS the business of the administrator, in my opinion. Granted, they may know what they're doing...but they may not. If system work isn't their primary job, they're more likely to be careless with an "rm -fR *", and YOU will be the one to rebuild the system, while they take a long lunch or go home early, since, after all...'the system is down'.....

I'd strongly recommend using SUDO instead, and log who does what. You can just have them type in "sudo -s", and get a root shell...but will also have a trail that says "user Jerry went to root at 11:17", so if something is hosed, there's no finger-pointing. Also, if someone just decides to change the root password...EVERYONE is locked out of it. If SUDO is working, you can log in as you, and change the root password back, without having to boot single-user, etc.

Just my $0.02 worth...feel free to ignore. :)

Amen brother. I couldn't agree more. And to all the browsers of this post, take TB0ne's advice to heart.

I don't usually go through the whole back-story when posting on forums, because it's easy to lose people's interest. But I can assure you, I would never give another user root on a production system (sudo instead). As I mentioned earlier, my Solaris hosts are used for hardware testing in a development lab. I set up a host meeting their requirements, the engineers do their best to destroy the system, then I get the system back, format the host, and the process starts over again.

But I'm glad to see that you, and the other posters, are paying attention ;) Keep it up. Thx again.

