Need help using Webmin to tell SSH to allow logins
Hello everyone.
I'm having a slight problem that I can't wrap my mind around today.
I've built myself a server running Mandrake 9 and set the security level to 'Paranoid'.
This effectively closed my box from the outside world, which is great, and it actually listened to me when I told it I wanted to use FTP, HTTP, Samba SWAT and Webmin publicly through the firewall. Except for SSHd: this lil' bugger won't let me connect to it, it will simply disconnect without warning.
So I need help using Webmin to alter the SSH server settings so it -will- allow users to log in remotely (except root, of course).
If I attempt SSH to the IP of the box from, say, my work office, I don't get anything, the terminal just disconnects. (Using PuTTY with default settings.)
Basically I think my error lies in the fact that users aren't authorised to log in (need a public key first?) and that SSHd doesn't present me with a login prompt but rather tries to determine who is attempting a login and then simply disconnects when it doesn't see a valid username (and possibly an accompanying key).
Greetings
Looks like root login is not allowed. That's actually a smart thing to do security-wise. Look at your .conf file and see who is in the valid users list as well.
Indeed, root isn't allowed to use SSH, nor is he allowed to log into the system directly.
However, when I look at Webmin's page for SSH's Access Control, the part where it says 'Only allow users', the check is set to 'All'. That leads me to think all users are allowed to log into SSH, but it doesn't appear to work that way.
Code:
Network and login access control options
Only allow users                 All
Only allow members of groups     None
Deny users                       None
Deny members of groups           All
These are the default settings.
Edit:
I forgot to mention that I've tried to alter these settings in a previous install, to:
Code:
Network and login access control options
Only allow users                 user1 user2 user3 user4
Only allow members of groups     user1 user2 user3 user4
Deny users                       None
Deny members of groups           (Any non-user group here)
But that didn't change anything as far as I could see, even after a full reboot.
Clean start, reinstalled the entire machine from scratch.
Still need to get SSH working for my users. SSHd is running, but does not allow login. Default settings so far, but could use a hint or two for Webmin. I'll try some stuff later when I have free time, since I'm at the office right now.
Well, checked the firewall and it's in there alright... but it doesn't work. It's SSHd itself that is disconnecting me when I try to log in.
Here's a bit out of iptables -L:
Code:
Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
newnotsyn tcp -- anywhere anywhere state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:domain
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:swat
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:8000
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:8001
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:8888
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:10000
ACCEPT udp -- anywhere anywhere state NEW udp dpt:domain
net2all all -- anywhere anywhere
So I think port 22 is open, as SSHd does take the connection in the first two seconds..
I've tried ssh -v localhost to get some verbose output, maybe it's of use:
Code:
[root@Xolo bin]# ssh -v localhost
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
debug1: Calling cleanup 0x8068fc0(0x0)
Do I need to set up public keys or something? If yes, how? I'm not having much luck with ssh-keygen.
Here's my sshd_config, by the way [edited for user privacy]:
Code:
# $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
Protocol 1,2
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
PermitRootLogin no
IgnoreRhosts yes
RhostsRSAAuthentication no
RhostsAuthentication no
IgnoreUserKnownHosts no
PrintMotd yes
StrictModes yes
RSAAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
ReverseMappingCheck no
GatewayPorts no
AllowTcpForwarding yes
LoginGraceTime 120
KeepAlive yes
DenyGroups adm apache bin ctools user5 ftp games gdm lp machines mail mysql named news nogroup postdrop postfix postgres root rpm sshd
AllowGroups user1 user2 user3 user4
AllowUsers user1 user2 user3 user4
KeyRegenerationInterval 1800
And my ssh_config file:
Code:
# $OpenBSD: ssh_config,v 1.15 2002/06/20 20:03:34 stevesk Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsAuthentication no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# BatchMode no
# CheckHostIP yes
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
Host *
ForwardX11 yes
Protocol 1,2
StrictHostKeyChecking no
I can't really tell if there is an error in there anywhere. I did not edit either file by hand, any non-default lines were created through Webmin's control panel for SSH Server.
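Added example, not part of any post in this thread: a small Python check of how sshd combines the `DenyGroups`, `AllowGroups` and `AllowUsers` lines from the posted sshd_config, using the order documented in sshd_config(5) (DenyUsers, AllowUsers, DenyGroups, AllowGroups). The function names `parse`, `matches` and `check_login` and the test accounts' group memberships are assumptions made for illustration; `USER@HOST` entries are not handled.

```python
import fnmatch

# Access-control lines copied from the sshd_config posted above (user names as redacted there).
SAMPLE = """\
#PermitRootLogin yes
PermitRootLogin no
DenyGroups adm apache bin ctools user5 ftp games gdm lp machines mail mysql named news nogroup postdrop postfix postgres root rpm sshd
AllowGroups user1 user2 user3 user4
AllowUsers user1 user2 user3 user4
"""

LISTS = ("denyusers", "allowusers", "denygroups", "allowgroups")


def parse(text):
    """Collect the four access lists; keywords are case-insensitive and repeated lines accumulate."""
    acl = {name: [] for name in LISTS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        if keyword.lower() in acl:
            acl[keyword.lower()].extend(args)
    return acl


def matches(name, patterns):
    # sshd patterns use * and ?; fnmatch also accepts [..] classes, which sshd does not.
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def check_login(acl, user, groups):
    """Return (allowed, deciding_directive) in the order documented in sshd_config(5)."""
    if matches(user, acl["denyusers"]):
        return False, "DenyUsers"
    if acl["allowusers"] and not matches(user, acl["allowusers"]):
        return False, "AllowUsers"
    if any(matches(g, acl["denygroups"]) for g in groups):
        return False, "DenyGroups"
    if acl["allowgroups"] and not any(matches(g, acl["allowgroups"]) for g in groups):
        return False, "AllowGroups"
    return True, "permitted"


if __name__ == "__main__":
    acl = parse(SAMPLE)
    # Constructed accounts: the group memberships are assumptions for illustration.
    for user, groups in [("user1", ["user1"]), ("user1", ["user1", "ftp"]),
                         ("user2", ["users"]), ("root", ["root"])]:
        print(user, groups, check_login(acl, user, groups))
```

These lists are consulted only after the client has sent a username; the `ssh -v` trace posted above ends at `ssh_exchange_identification`, which is before that point.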