SSH will not allow root logins

paidbythehour · 08-13-2009, 11:57 AM

Hi there,

First of all, I'm aware that root logins are disabled by default in Solaris 10. Here are the steps I've taken so far:

- Enabled ssh via svcadm enable ssh
- Edited /etc/ssh/ssh_config to include PermitRootLogin yes
- Verified that /etc/default/login has CONSOLE=/dev/console/ commented out.
- Restarted ssh via svcadm restart ssh
- Rebooted the host, and verified configuration files retained their changes.
- Confirmed ssh is running via ps -ef | grep ssh
- Verified ssh is accepting logins with user account

After the above steps, I am still unable to log in with the root account. Telnet is enabled on this host as well, and it accepts root logins without issue.

When I check /var/adm/messages, the only message who's time stamp matches my login attempt is as follows:

Aug 13 12:43:33 uotts047 sshd[1252]: [ID 722452 auth.error] user2netname: (nis+ lookup): Error in accessing NIS+ cold start file... is NIS+ installed?

I do not get this message for successful ssh logins using my user account. The root and user accounts are local accounts (not NIS).

Does anyone have any suggestions on where to go from here? I've been crawling forums looking for someone else who has this problem ... if anyone else has a link to a thread that covers all the points I have, it would be greatly appreciated.

Am I missing something simple here?

repo · 08-13-2009, 12:06 PM

Login as user and su to root.
Disable telnet

Nevahre · 08-13-2009, 12:06 PM

If it is a typo I cannot help, but shouldn't this: ssh_config be sshd_config (ssh vs sshd)??

paidbythehour · 08-13-2009, 12:19 PM

Quote:

Originally Posted by repo

Login as user and su to root.
Disable telnet

Telnet is now disabled, but this hasn't changed the behavior of SSH. I am still unable to log in as root, but I can log in as another user.

Quote:

Originally Posted by Nevahre

If it is a typo I cannot help, but shouldn't this: ssh_config be sshd_config (ssh vs sshd)??

It's just ssh_config:

# ls -la /etc/ssh/ssh_config
-rw-r--r-- 1 root sys 882 Aug 13 12:42 /etc/ssh/ssh_config

karamarisan · 08-13-2009, 12:27 PM

Quote:

Originally Posted by paidbythehour

Telnet is now disabled, but this hasn't changed the behavior of SSH. I am still unable to log in as root, but I can log in as another user.

You missed his point. Allowing root to log in over ssh is VERY BAD, and you shouldn't allow it. Log in as yourself, then switch to root. Telnet is unrelated to your problem, but since it sends passwords plaintext (read: anyone between you and the destination or on the same line can read them), it is EXTRA VERY BAD.

Also, I don't know your distro, but I believe sshd_config is the correct file for... er, sshd. Double-check that the file you have is configuring the service you think it is.

Nevahre · 08-13-2009, 12:38 PM

Quote:

Originally Posted by paidbythehour

It's just ssh_config:

# ls -la /etc/ssh/ssh_config
-rw-r--r-- 1 root sys 882 Aug 13 12:42 /etc/ssh/ssh_config

My system has a ssh_config and a sshd_config. The 'PermitRootLogin yes' is in the sshd_config file, not the ssh_config file........

repo · 08-13-2009, 12:40 PM

Why do you want to login as root using ssh?

paidbythehour · 08-13-2009, 01:09 PM

Karamarisan, Repo, Nevahre ... thank you all for taking the time to reply.

First of all, I should try and save my reputation a bit:

I am aware of the security implications involved with allowing root access via SSH. Perhaps I should have mentioned this earlier (or updated my LQ profile) but I work in a hardware development lab on and isolated network. We have no firewalls, no access to the internet, or any other security concerns. Our hosts are used strictly for testing hardware designed by our engineers. As an avid OpenBSD user, I'm glad to see you share the same security concerns regarding SSH/Telnet as I do. I have no idea why our engineers have requested root access via ssh, but that's really none of my business.

Now for my brain-fart moment:

Nevahre nailed it. I was editing ssh_config instead of sshd_config, which is embarrassing. I'd like to sincerely thank Nevahre for addressing my problem, instead of questioning my motives.

Karamarisan and Repo did the right thing by pointing out the security implications, but Nevahre gets the glory.

Thanks again guys. Take care.

karamarisan · 08-13-2009, 01:19 PM

Heh, glad you've got it. Forgive the alert mode; people asking for what you wanted are vastly more likely to be n00bs (and I do mean that disparagingly for once) who think they don't need to worry about security and/or are too lazy to do it the right way.

Strange that you had this problem, though - any insight as to why sshd_config wasn't there to begin with? You said this is Solaris; done anything weird with it or does it ship that way?

Nevahre · 08-13-2009, 01:31 PM

Karamarisan and Repo have a point! I agree.

paidbythehour · 08-13-2009, 01:50 PM

Quote:

Originally Posted by karamarisan

Strange that you had this problem, though - any insight as to why sshd_config wasn't there to begin with? You said this is Solaris; done anything weird with it or does it ship that way?

This is where I had my brain-fart. The OS ships with both ssh_config (ssh client config) and sshd_config (ssh daemon config).

The issue was purely my oversight. I'll correct that with more caffeine shortly ...

Thx again.

karamarisan · 08-13-2009, 02:10 PM

No, I get you (and believe me, I have those all the time). It just seems weird to me that the package didn't even create a blank file - usually there's a fully decked-out config file as both documentation of how to configure it and of the defaults. Oh, well. Good luck (with whatever).

TB0ne · 08-13-2009, 06:01 PM

Quote:

Originally Posted by paidbythehour

Karamarisan, Repo, Nevahre ... thank you all for taking the time to reply.

First of all, I should try and save my reputation a bit:

I am aware of the security implications involved with allowing root access via SSH. Perhaps I should have mentioned this earlier (or updated my LQ profile) but I work in a hardware development lab on and isolated network. We have no firewalls, no access to the internet, or any other security concerns. Our hosts are used strictly for testing hardware designed by our engineers. As an avid OpenBSD user, I'm glad to see you share the same security concerns regarding SSH/Telnet as I do. I have no idea why our engineers have requested root access via ssh, but that's really none of my business.

Now for my brain-fart moment:

Nevahre nailed it. I was editing ssh_config instead of sshd_config, which is embarrassing. I'd like to sincerely thank Nevahre for addressing my problem, instead of questioning my motives.

Karamarisan and Repo did the right thing by pointing out the security implications, but Nevahre gets the glory.

Thanks again guys. Take care.

Glad you got it cooking. It seems you've got a good handle on things, but this statement jumps out:

Quote:

I have no idea why our engineers have requested root access via ssh, but that's really none of my business.

As a long-time administrator, why people need root access IS the business of the administrator, in my opinion. Granted, they may know what they're doing...but they may not. If system work isn't their primary job, they're more likely to be careless with an "rm -fR *", and YOU will be the one to rebuild the system, while they take a long lunch or go home early, since, after all...'the system is down'.....

I'd strongly recommend using SUDO instead, and log who does what. You can just have them type in "sudo -s", and get a root shell...but will also have a trail that says "user Jerry went to root at 11:17", so if something is hosed, there's no finger-pointing. Also, if someone just decides to change the root password...EVERYONE is locked out of it. If SUDO is working, you can log in as you, and change the root password back, without having to boot single-user, etc.

Just my $0.02 worth...feel free to ignore.

paidbythehour · 08-14-2009, 08:32 AM

Quote:

Originally Posted by TB0ne

Glad you got it cooking. It seems you've got a good handle on things, but this statement jumps out:

As a long-time administrator, why people need root access IS the business of the administrator, in my opinion. Granted, they may know what they're doing...but they may not. If system work isn't their primary job, they're more likely to be careless with an "rm -fR *", and YOU will be the one to rebuild the system, while they take a long lunch or go home early, since, after all...'the system is down'.....

I'd strongly recommend using SUDO instead, and log who does what. You can just have them type in "sudo -s", and get a root shell...but will also have a trail that says "user Jerry went to root at 11:17", so if something is hosed, there's no finger-pointing. Also, if someone just decides to change the root password...EVERYONE is locked out of it. If SUDO is working, you can log in as you, and change the root password back, without having to boot single-user, etc.

Just my $0.02 worth...feel free to ignore.

Amen brother. I couldn't agree more. And to all the browsers of this post, take TBOne's advice to heart.

I don't usually go through the whole back-story when posting on forums, because it's easy to lose people's interest. But I can assure you, I would never give another user root on a production system (sudo instead). As I mentioned earlier, my Solaris hosts are used for hardware testing in a development lab. I set up a host meeting their requirements, the engineers do their best to destroy the system, then I get the system back, format the host, and the process starts over again.

But I'm glad to see that you, and the other posters, are paying attention

Keep it up. Thx again.