LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-27-2005, 01:22 PM   #1
IwantLINUX
Member
 
Registered: Oct 2004
Location: India
Distribution: RH9,Fedora
Posts: 75

Rep: Reputation: 15
Ssh


Hello,

Can anybody please tell me how to "setuid root" for ssh? I set the suid bit for ssh and it looks like:

-rws--x--x 1 root root 217208 Sep 17 2003 /usr/bin/ssh

But the problem is, when I try to use ssh as a normal user, it runs with normal user permissions and not with root. Say I start ssh under the user account "abc", then ps -Af shows:

abc 1671 1636 0 00:46 pts/2 00:00:00 ssh 192.168.0.10

That means it is starting with the authority of the user and not root.

Any ideas?

PS: I am doing this to set RhostsAuthentication with /etc/hosts.equiv, but cannot get it to work.
 
Old 12-27-2005, 03:16 PM   #2
makuyl
Senior Member
 
Registered: Dec 2004
Location: Helsinki
Distribution: Debian Sid
Posts: 1,107

Rep: Reputation: 54
Why would you run ssh as root? If a howto said so, which howto?
Don't run it suid root that is.
AFAIK /etc/hosts.equiv only works on a private network, not when logging in from unknown IPs. You can use RSA authentication instead. Try this one: http://programming.linux.com/howtos/Domain-8.shtml There are plenty more on Google.
 
Old 12-27-2005, 10:55 PM   #3
true_atlantis
Member
 
Registered: Oct 2003
Distribution: fedora cor 5 x86_64
Posts: 639

Rep: Reputation: 30
If you want to have root privileges, why not just log on as the root user? Or just SSH as a normal user and do a 'su'... SSH was not meant to have every user have root privileges.
 
Old 12-28-2005, 12:56 AM   #4
makuyl
Senior Member
 
Registered: Dec 2004
Location: Helsinki
Distribution: Debian Sid
Posts: 1,107

Rep: Reputation: 54
and don't log on as root!
 
Old 12-28-2005, 01:21 PM   #5
IwantLINUX
Member
 
Registered: Oct 2004
Location: India
Distribution: RH9,Fedora
Posts: 75

Original Poster
Rep: Reputation: 15
Oops... sorry for the dual replies. I am editing this.

Last edited by IwantLINUX; 12-28-2005 at 01:24 PM.
 
Old 12-28-2005, 01:22 PM   #6
IwantLINUX
Member
 
Registered: Oct 2004
Location: India
Distribution: RH9,Fedora
Posts: 75

Original Poster
Rep: Reputation: 15
Hi,

I understand that it is dangerous to give root permissions, but the issue is that if you want to use RhostsAuthentication then you need to enable privileged ports for ssh, i.e. UsePrivilegedPort yes in ssh_config, which requires ssh to be setuid root. Actually that's the way it is written in man ssh_config. Here is what it says:

RhostsAuthentication
Specifies whether to try rhosts based authentication. Note that
this declaration only affects the client side and has no effect
whatsoever on security. Most servers do not permit
RhostsAuthentication because it is not secure (see
RhostsRSAAuthentication). The argument to this keyword must be
“yes” or “no”. The default is “no”. This option applies to
protocol version 1 only and requires ssh to be setuid root and
UsePrivilegedPort to be set to “yes”.


PS: Also, I am enabling this form of authentication only for my private network.
 
Old 12-29-2005, 02:20 PM   #7
makuyl
Senior Member
 
Registered: Dec 2004
Location: Helsinki
Distribution: Debian Sid
Posts: 1,107

Rep: Reputation: 54
Must admit I don't know why it's not running as root if you set suid bit on it.
You might as well go with protocol 2 as it doesn't require ssh set as suid.
Alternatively you could set the key files under /etc/ssh/ world readable which should make protocol 1 work without running ssh with setuid. This is definitely not safe so only do it if you only connect from your private network, and even then I'd still go with protocol 2.
 
Old 12-30-2005, 12:47 AM   #8
IwantLINUX
Member
 
Registered: Oct 2004
Location: India
Distribution: RH9,Fedora
Posts: 75

Original Poster
Rep: Reputation: 15
Hello,

Yes, protocol 2 does not require ssh to be setuid root, but it takes the help of another application, ssh-keysign, which is setuid root. The issue here is not about the files, makuyl; actually I require root permissions to use a privileged port ( < 1024 ), which cannot be used by a non-root program. Please correct me if I am wrong.
 
Old 12-30-2005, 11:11 AM   #9
makuyl
Senior Member
 
Registered: Dec 2004
Location: Helsinki
Distribution: Debian Sid
Posts: 1,107

Rep: Reputation: 54
Did you try tunneling through a specific port, like:
server: sshd -p 443
client: ssh -p 443 login@ip
 
Old 12-30-2005, 02:42 PM   #10
IwantLINUX
Member
 
Registered: Oct 2004
Location: India
Distribution: RH9,Fedora
Posts: 75

Original Poster
Rep: Reputation: 15
Yes, I tried to use a specific port and this is what I am getting on the client:

debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to 192.168.0.10 [192.168.0.10] port 443.
debug1: Connection established.

Again the same problem, the bolded line. ssh cannot use the Rhosts as it is not using privileged port.
 
Old 12-30-2005, 03:47 PM   #11
makuyl
Senior Member
 
Registered: Dec 2004
Location: Helsinki
Distribution: Debian Sid
Posts: 1,107

Rep: Reputation: 54
Hmm, check if the host key is just a single line in the ssh_known_hosts without carriage returns.
You do have "HostbasedAuthentication yes" in the client's ssh_config, I suppose.
Try adding a ~/.rhosts on the server in the user's home with this in it: hostname username
You can also try adding IdentityFile to ssh_config on the client.
Other than that, beats me, sorry.
 
Old 01-01-2006, 12:47 AM   #12
IwantLINUX
Member
 
Registered: Oct 2004
Location: India
Distribution: RH9,Fedora
Posts: 75

Original Poster
Rep: Reputation: 15
Problem resolved partially!!!!!

Hi,

Sorry for the delay. Actually I made a mistake while trying to resolve the issue: I changed the permissions of the ssh_config file to 600, whereas the correct permissions should be 644. So I changed the permissions back and now ssh is allocated a port < 1024. Also, there is one very interesting thing: if you run ssh (with setuid root) as a normal user and then do ps -Af, it will show the UID of the normal user and not root, but it still binds to a privileged port. I mean:

[ps -Af output is]


abc 5097 5062 0 11:47 pts/2 00:00:00 ssh -vv 192.168.0.10

[ssh -vv output is]

OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 1
debug1: Connecting to 192.168.0.10 [192.168.0.10] port 22.
debug1: Allocated local port 1023.
debug1: Connection established.

And now the problem!!!


I cannot log in without a password, though I have made an entry in /etc/hosts.equiv and /etc/ssh/shosts.equiv like this:

+ 192.168.0.20 abc

Here is the output of ssh -vv 192.168.0.10

debug1: Trying rhosts authentication.
debug1: RSA authentication using agent refused.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.

Any ideas???
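
Added example, not part of any post in this thread and not OpenSSH source code: a minimal C sketch of the general pattern that matches what post #12 observes, where a setuid-root program binds a reserved port while its effective UID is 0 and then permanently drops to the invoking user, so ps lists that user while the socket keeps its port below 1024. The function names are hypothetical; the 1023 to 512 scan follows the range rresvport(3) uses.

```c
/* Added illustration; not OpenSSH source. To see the effect, install the built
   binary owned by root with mode 4711 (-rws--x--x) and run it as a normal user. */
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind to the first free reserved port, scanning 1023 down to 512.
   Returns the socket fd (port stored in *port_out), or -1 with errno set. */
int bind_reserved_port(int *port_out) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0), saved;
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    for (int port = 1023; port >= 512; port--) {
        sa.sin_port = htons((unsigned short)port);
        if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0) {
            *port_out = port;
            return fd;
        }
        if (errno != EADDRINUSE) break;   /* EACCES: effective UID lacks the privilege */
    }
    saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

/* Permanently reset real, effective and saved IDs to the invoking user.
   Group first: once the UID is dropped, changing the GID is no longer allowed. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    if (setgid(getgid()) != 0 || setuid(ruid) != 0) return -1;
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1; /* root must be gone */
    return geteuid() == ruid ? 0 : -1;
}

int main(void) {
    int port = 0, fd = bind_reserved_port(&port), bind_errno = errno;
    if (drop_privileges() != 0) { perror("drop_privileges"); return 1; }
    printf("uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    if (fd < 0) { printf("no reserved port: %s\n", strerror(bind_errno)); return 1; }
    printf("still holding local port %d\n", port);
    close(fd);
    return 0;
}
```

Run without the setuid bit, the same binary normally reports a permission error for the bind, which corresponds to the "originating port will not be trusted" message in post #10.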
 
Old 01-02-2006, 02:30 AM   #13
makuyl
Senior Member
 
Registered: Dec 2004
Location: Helsinki
Distribution: Debian Sid
Posts: 1,107

Rep: Reputation: 54
AFAICT it's still trying to use protocol 2 instead of 1, hence the rsa message.
Also try to delete the line from the known_hosts file to get a new one.
Is /etc/hosts.equiv world readable?
/etc/shosts.equiv is only used by ssh2.
Try next to create a new dsa key: ssh-keygen -t dsa
And copy to the server: cat ~/.ssh/id_dsa.pub | ssh user@server "cat - >> ~/.ssh/authorized_keys"

After all this, you still might want to consider using protocol 2 and rsa keys, safer and there are lots of posts here about using it without a password.

Last edited by makuyl; 01-02-2006 at 02:41 AM.
 
  

