LinuxQuestions.org
MEPIS This forum is for the discussion of MEPIS Linux.

Old 03-23-2009, 08:31 PM   #1
johnsfine
LQ Guru
 
Registered: Dec 2007
Distribution: Centos
Posts: 5,286

Rep: Reputation: 1197
What was that update I just got to Mepis 8?


I really should have paid attention to some of the earlier details. But I'm used to trusting the suggested updates in Mepis.

But I looked at the diff in one of the files it was trying to change and it doesn't look right. The diff was
Code:
--- /etc/ssh/sshd_config	2009-03-16 23:24:23.000000000 -0400
+++ /etc/ssh/sshd_config.dpkg-new	2009-03-23 08:57:49.000000000 -0400
@@ -15,7 +15,7 @@
 ServerKeyBits 768
 LoginGraceTime 600
 KeyRegenerationInterval 3600
-PermitRootLogin no
+PermitRootLogin without-password
 #
 # Don't read ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
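Review bot: The `-PermitRootLogin no` / `+PermitRootLogin without-password` pair relaxes an explicit deny. With `no`, root cannot log in over SSH at all; `without-password` disables only password authentication for root, so root login by public key becomes possible. A package update should not widen a setting the local file had tightened without saying why. Keep `PermitRootLogin no` unless direct root key login is actually needed, and if it is, add a comment next to the line (or a changelog entry) stating the reason.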
So what is /etc/ssh/sshd_config ?
Why does this update seem to be enabling Root Login without password?
What else was in that update? This is the only file I prevented from installing.
 
Old 03-23-2009, 11:38 PM   #2
Drakeo
Senior Member
 
Registered: Jan 2008
Location: Urbana IL
Distribution: Slackware, Slacko,
Posts: 3,716
Blog Entries: 3

Rep: Reputation: 483
I do not know why you would not want to upgrade it. The Linux operating system is one big server: your X server, your host, your users, it is all controlled like a server. /etc/ssh/sshd_config, that is the secured server host. You really should keep that up to date; it does all your encryption stuff too.
 
Old 03-24-2009, 03:19 AM   #3
rich_c
Member
 
Registered: Apr 2008
Location: UK
Distribution: PeppermintOS
Posts: 387
Blog Entries: 74

Rep: Reputation: 81
I'm running Mepis 8, fully up to date as of now. I just checked my /etc/ssh/sshd_config and it has an uncommented line saying
Code:
PermitRootLogin no
. I'll test it later.
 
Old 03-24-2009, 07:59 AM   #4
johnsfine
LQ Guru
 
Registered: Dec 2007
Distribution: Centos
Posts: 5,286

Original Poster
Rep: Reputation: 1197
Quote:
Originally Posted by rich_c
I'm running Mepis 8, fully up to date as of now. I just checked my /etc/ssh/sshd_config and it has an uncommented line saying
Code:
PermitRootLogin no
.
That is what my file still has because I blocked this update.

That makes the update seem even stranger.

I didn't pay attention. I just saw the "3" on the icon on the tool bar saying there were three updates pending, I clicked on it, entered the password, selected mark all updates, then apply. I didn't see which three things were being updated.

It asked about a conflict in another file (where the Mepis network assistant had stored the info when I told it to use static IP instead of DHCP). I let it update that (blowing away my static IP) because I didn't understand the other changes to that file. Then I went into Mepis network assistant and redid the static IP.

But that called my attention to the next file, in which it was changing
PermitRootLogin no
to
PermitRootLogin without-password

That doesn't sound right, so I canceled that file update.

Is there any log or date stamp or anything to let me check retroactively which updates I just got and where they came from?

Quote:
Originally Posted by Drakeo
/etc/ssh/sshd_config that is the secured server host.
I read the page you linked for that, but I still have little clue what sshd does and no clue why I might want to allow the bogus looking change that came in that update.

I don't currently access this Mepis system by ssh from anywhere. Maybe I've broken that feature by refusing this update. I'll worry about that when I someday have a need to access this system by ssh.

Meanwhile I'm still worried that the update process did something that looks untrustworthy and that differs from what rich_c reported.

Last edited by johnsfine; 03-24-2009 at 08:58 AM.
 
Old 03-24-2009, 01:01 PM   #5
rich_c
Member
 
Registered: Apr 2008
Location: UK
Distribution: PeppermintOS
Posts: 387
Blog Entries: 74

Rep: Reputation: 81
SSH on my machine seems to be working entirely normally. I can't log in as root, have to log in as user and su.

I guess if you haven't got openssh-server installed (You have to specifically install it iirc.) there's no issue with what the config file looks like.

To answer your question regarding change logs, in Synaptic there is a history option in File>History.

As luck would have it, while I was investigating this I noticed I had an upgrade to mepis-network. I opted to keep my config both times I was prompted. It appears sshd-config relates to mepis-network-common which got installed when I upgraded mepis-network from 8.0.01 to 8.0.02.

I'm gonna ask the guys over at Mepislovers what the sshd_config change was supposed to be about.
 
Old 03-24-2009, 01:37 PM   #6
johnsfine
LQ Guru
 
Registered: Dec 2007
Distribution: Centos
Posts: 5,286

Original Poster
Rep: Reputation: 1197
Quote:
Originally Posted by rich_c
As luck would have it, while I was investigating this I noticed I had an upgrade to mepis-network. I opted to keep my config both times I was prompted. It appears sshd-config relates to mepis-network-common which got installed when I upgraded mepis-network from 8.0.01 to 8.0.02.
Yes, I did see that it was installing a new package, that I now recognize "mepis-network-common" as required for the upgrade of "mepis-network from 8.0.01 to 8.0.02".

So you kept your current file for both of the files (the first one where it blew away my static IP and then I put that back manually, plus this second one that looks like it opens a security hole).

Quote:
I'm gonna ask the guys over at Mepislovers what the sshd_config change was supposed to be about.
Thanks. I'd really like to understand this one.
 
Old 03-24-2009, 02:58 PM   #7
rich_c
Member
 
Registered: Apr 2008
Location: UK
Distribution: PeppermintOS
Posts: 387
Blog Entries: 74

Rep: Reputation: 81
There was already a thread going on Mepislovers. It's a security enhancement apparently. Something to do with logging in using keys instead of passwords.
 
Old 03-24-2009, 10:46 PM   #8
johnsfine
LQ Guru
 
Registered: Dec 2007
Distribution: Centos
Posts: 5,286

Original Poster
Rep: Reputation: 1197
That other thread still doesn't give me much confidence nor explanation.

I looked in history. The update I first asked about looks like this in history:

Code:
Commit Log for Mon Mar 23 21:18:11 2009

Upgraded the following packages:
libmozjs1d (1.9.0.6-1) to 1.9.0.7-0lenny1
libpng12-0 (1.2.27-2) to 1.2.27-2+lenny2
mepis-network (8.0.01) to 8.0.02
xulrunner-1.9 (1.9.0.6-1) to 1.9.0.7-0lenny1

Installed the following packages:
mepis-network-common (8.0.00)
But then today I have:
Code:
Commit Log for Tue Mar 24 23:34:18 2009

Upgraded the following packages:
cups-driver-gutenprint (5.0.2-4) to 5.2.3-2
foomatic-db-gutenprint (5.0.2-4) to 5.2.3-2
ijsgutenprint (5.0.2-4) to 5.2.3-2
libgutenprint2 (5.0.2-4) to 5.2.3-2
mepis-network-common (8.0.00) to 8.0.01
So the brand new package was immediately updated.

But what files changed?

That history just tells me packages and versions, not files.
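
An added example, not part of the original posts: dpkg keeps its own log, which records package actions and, for each configuration file that prompted a conflict, whether the local copy was kept or replaced. The sample log lines are constructed from the package names and versions in this thread (one path is a placeholder), and the log is assumed to be in the format documented in dpkg(1).

```shell
#!/bin/sh
# Added example, not code from the thread.
# Summarise one day of a dpkg log: package installs/upgrades and the
# keep/install decision recorded for each conffile conflict.

dpkg_day_summary() {   # usage: dpkg_day_summary LOGFILE YYYY-MM-DD
    awk -v day="$2" '
        $1 != day { next }                        # other days
        $3 == "install" || $3 == "upgrade" {      # action pkg old new
            printf "%s %s %s -> %s\n", $3, $4, $5, $6
        }
        $3 == "conffile" {                        # conffile path decision
            printf "conffile %s %s\n", $4, ($5 == "keep" ? "kept-local" : "replaced")
        }
    ' "$1"
}

# Constructed sample log (not real output from any system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
2009-03-23 21:18:11 upgrade mepis-network 8.0.01 8.0.02
2009-03-23 21:18:12 install mepis-network-common <none> 8.0.00
2009-03-23 21:18:20 conffile /etc/PLACEHOLDER-network-settings install
2009-03-23 21:18:25 conffile /etc/ssh/sshd_config keep
2009-03-23 21:18:26 status installed mepis-network-common 8.0.00
2009-03-24 23:34:18 upgrade mepis-network-common 8.0.00 8.0.01
EOF

dpkg_day_summary "$sample" 2009-03-23
rm -f "$sample"
```

On a Debian-based system the log is normally /var/log/dpkg.log; `dpkg -L mepis-network-common` then lists the files a package installed, and `dpkg -S /etc/ssh/sshd_config` names the package that owns a given file.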
 
Old 03-26-2009, 07:12 AM   #9
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
Quote:
Originally Posted by rich_c
It's a security enhancement apparently.
I wouldn't call it a security enhancement, rather a reasonably secure convenience enhancement.

See below, the options are listed in order of increasing security & decreasing convenience.


Quote:
Originally Posted by rich_c
Something to do with logging in using keys instead of passwords.
Exactly what it is.
From the sshd_config man page (sshd_config, not sshd-config):
Quote:
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only” or “no”. The default is “yes”.

If this option is set to “without-password”, password authentication is disabled for root.

If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.

If this option is set to “no”, root is not allowed to log in.
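
An added example, not part of the original posts: a check that compares the root-login policy of the installed sshd_config with the packaged replacement and says whether the change loosens or tightens it, using the ordering of the four values described above. The function names and sample files are constructed for illustration; it assumes sshd keeps the first value it reads and ignores Match blocks.

```shell
#!/bin/sh
# Added example, not code from the thread.

# Print the PermitRootLogin value a config file sets globally.
# Assumption: the first value read wins, and lines after a Match
# line are conditional, so scanning stops there.
root_login_value() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        { sub(/=/, " ") }                    # accept keyword=value form
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { v = tolower($2); exit }
        END { print (v == "" ? "yes" : v) }  # default per the quoted man page
    ' "$1"
}

# Rank values from most restrictive (0) to most permissive (3).
root_login_rank() {
    case "$1" in
        no) echo 0 ;;
        forced-commands-only) echo 1 ;;
        without-password|prohibit-password) echo 2 ;;  # later OpenSSH alias
        *) echo 3 ;;   # "yes", or unknown: treat as most permissive
    esac
}

# Compare current config ($1) with the proposed replacement ($2).
compare_root_login() {
    old=$(root_login_value "$1"); new=$(root_login_value "$2")
    o=$(root_login_rank "$old");  n=$(root_login_rank "$new")
    if   [ "$n" -gt "$o" ]; then verdict=loosened
    elif [ "$n" -lt "$o" ]; then verdict=tightened
    else verdict=unchanged
    fi
    echo "$verdict: $old -> $new"
}

# Constructed sample files mirroring the diff in the first post.
tmp=$(mktemp -d)
printf '%s\n' 'LoginGraceTime 600' 'PermitRootLogin no' > "$tmp/sshd_config"
printf '%s\n' 'LoginGraceTime 600' 'PermitRootLogin without-password' \
    > "$tmp/sshd_config.dpkg-new"
compare_root_login "$tmp/sshd_config" "$tmp/sshd_config.dpkg-new"
rm -rf "$tmp"
```

On a machine with openssh-server installed, `sshd -T` run as root prints the effective configuration, including the value that applies when the keyword is absent.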
 
  

