Solaris / OpenSolaris
This forum is for the discussion of Solaris, OpenSolaris, OpenIndiana, and illumos. General Sun, SunOS and Sparc related questions also go here. Any Solaris fork or distribution is welcome.
08-13-2009, 11:57 AM  #1
LQ Newbie (Registered: Jan 2009, Posts: 20)
SSH will not allow root logins
Hi there,
First of all, I'm aware that root logins are disabled by default in Solaris 10. Here are the steps I've taken so far:
- Enabled ssh via svcadm enable ssh
- Edited /etc/ssh/ssh_config to include PermitRootLogin yes
- Verified that /etc/default/login has CONSOLE=/dev/console/ commented out.
- Restarted ssh via svcadm restart ssh
- Rebooted the host, and verified configuration files retained their changes.
- Confirmed ssh is running via ps -ef | grep ssh
- Verified ssh is accepting logins with user account
After the above steps, I am still unable to log in with the root account. Telnet is enabled on this host as well, and it accepts root logins without issue.
When I check /var/adm/messages, the only message whose time stamp matches my login attempt is as follows:
Aug 13 12:43:33 uotts047 sshd[1252]: [ID 722452 auth.error] user2netname: (nis+ lookup): Error in accessing NIS+ cold start file... is NIS+ installed?
I do not get this message for successful ssh logins using my user account. The root and user accounts are local accounts (not NIS).
Does anyone have any suggestions on where to go from here? I've been crawling forums looking for someone else who has this problem ... if anyone else has a link to a thread that covers all the points I have, it would be greatly appreciated.
Am I missing something simple here?
08-13-2009, 12:06 PM  #2
LQ 5k Club (Registered: May 2001, Location: Belgium, Distribution: Arch, Posts: 8,529)
Login as user and su to root.
Disable telnet
08-13-2009, 12:06 PM  #3
LQ Newbie (Registered: Aug 2009, Posts: 21)
If it is a typo I cannot help, but shouldn't this: ssh_config be sshd_config (ssh vs sshd)??
08-13-2009, 12:19 PM  #4
LQ Newbie, Original Poster (Registered: Jan 2009, Posts: 20)
Quote (Originally Posted by repo):
> Login as user and su to root.
> Disable telnet
Telnet is now disabled, but this hasn't changed the behavior of SSH. I am still unable to log in as root, but I can log in as another user.
Quote (Originally Posted by Nevahre):
> If it is a typo I cannot help, but shouldn't this: ssh_config be sshd_config (ssh vs sshd)??
It's just ssh_config:
# ls -la /etc/ssh/ssh_config
-rw-r--r-- 1 root sys 882 Aug 13 12:42 /etc/ssh/ssh_config
08-13-2009, 12:27 PM  #5
Member (Registered: Jul 2009, Location: Illinois, US, Distribution: Fedora 11, Posts: 374)
Quote (Originally Posted by paidbythehour):
> Telnet is now disabled, but this hasn't changed the behavior of SSH. I am still unable to log in as root, but I can log in as another user.
You missed his point. Allowing root to log in over ssh is VERY BAD, and you shouldn't allow it. Log in as yourself, then switch to root. Telnet is unrelated to your problem, but since it sends passwords plaintext (read: anyone between you and the destination or on the same line can read them), it is EXTRA VERY BAD.
Also, I don't know your distro, but I believe sshd_config is the correct file for... er, sshd. Double-check that the file you have is configuring the service you think it is.
08-13-2009, 12:38 PM  #6
LQ Newbie (Registered: Aug 2009, Posts: 21)
Quote (Originally Posted by paidbythehour):
> It's just ssh_config:
> # ls -la /etc/ssh/ssh_config
> -rw-r--r-- 1 root sys 882 Aug 13 12:42 /etc/ssh/ssh_config
My system has an ssh_config and an sshd_config. The 'PermitRootLogin yes' is in the sshd_config file, not the ssh_config file........
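The client/daemon split Nevahre describes is easy to check mechanically. As an added example that is not from the thread or from Solaris, this POSIX shell script reports the PermitRootLogin value sshd will actually use (first occurrence wins, comments ignored) and flags the directive when it sits in the client file ssh_config, where sshd never reads it; the file paths and their contents are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread: report the PermitRootLogin
# value sshd will actually use, and flag the mix-up from the thread (the
# keyword written into the client file ssh_config, which sshd never
# reads). File paths are arguments so the functions run on the
# constructed sample files created below.

# sshd honours the first occurrence of a keyword; matching is case-
# insensitive; blank lines and lines starting with '#' are ignored.
effective_permit_root_login() {
    awk 'BEGIN { v = "unset" }
         /^[[:space:]]*#/ || NF == 0 { next }
         tolower($1) == "permitrootlogin" { v = $2; exit }
         END { print v }' "$1"
}

# Returns 0 (true) when PermitRootLogin appears as a live directive in
# the file given; used on ssh_config, where the daemon never sees it.
permit_root_login_present() {
    awk '/^[[:space:]]*#/ { next }
         tolower($1) == "permitrootlogin" { found = 1; exit }
         END { exit !found }' "$1"
}

# Verdict for a pair of files: $1 = sshd_config, $2 = ssh_config.
root_login_report() {
    echo "sshd effective PermitRootLogin: $(effective_permit_root_login "$1")"
    if permit_root_login_present "$2"; then
        echo "warning: PermitRootLogin in $2 is a client file; sshd ignores it"
    fi
}

# Constructed samples reproducing the thread: the directive went into
# ssh_config while sshd_config still carries the shipped 'no'.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# constructed sshd_config
Protocol 2
PermitRootLogin no
# PermitRootLogin yes   (commented out: must not count)
EOF
cat > "$SAMPLE_DIR/ssh_config" <<'EOF'
# constructed ssh_config (client side)
Host *
PermitRootLogin yes
EOF

root_login_report "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/ssh_config"
```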
08-13-2009, 12:40 PM  #7
LQ 5k Club (Registered: May 2001, Location: Belgium, Distribution: Arch, Posts: 8,529)
Why do you want to login as root using ssh?
08-13-2009, 01:09 PM  #8
LQ Newbie, Original Poster (Registered: Jan 2009, Posts: 20)
Karamarisan, Repo, Nevahre ... thank you all for taking the time to reply.
First of all, I should try and save my reputation a bit:
I am aware of the security implications involved with allowing root access via SSH. Perhaps I should have mentioned this earlier (or updated my LQ profile) but I work in a hardware development lab on an isolated network. We have no firewalls, no access to the internet, or any other security concerns. Our hosts are used strictly for testing hardware designed by our engineers. As an avid OpenBSD user, I'm glad to see you share the same security concerns regarding SSH/Telnet as I do. I have no idea why our engineers have requested root access via ssh, but that's really none of my business.
Now for my brain-fart moment:
Nevahre nailed it. I was editing ssh_config instead of sshd_config, which is embarrassing. I'd like to sincerely thank Nevahre for addressing my problem, instead of questioning my motives.
Karamarisan and Repo did the right thing by pointing out the security implications, but Nevahre gets the glory.
Thanks again guys. Take care.
08-13-2009, 01:19 PM  #9
Member (Registered: Jul 2009, Location: Illinois, US, Distribution: Fedora 11, Posts: 374)
Heh, glad you've got it. Forgive the alert mode; people asking for what you wanted are vastly more likely to be n00bs (and I do mean that disparagingly for once) who think they don't need to worry about security and/or are too lazy to do it the right way.
Strange that you had this problem, though - any insight as to why sshd_config wasn't there to begin with? You said this is Solaris; done anything weird with it or does it ship that way?
08-13-2009, 01:31 PM  #10
LQ Newbie (Registered: Aug 2009, Posts: 21)
Karamarisan and Repo have a point! I agree.
08-13-2009, 01:50 PM  #11
LQ Newbie, Original Poster (Registered: Jan 2009, Posts: 20)
Quote (Originally Posted by karamarisan):
> Strange that you had this problem, though - any insight as to why sshd_config wasn't there to begin with? You said this is Solaris; done anything weird with it or does it ship that way?
This is where I had my brain-fart. The OS ships with both ssh_config (ssh client config) and sshd_config (ssh daemon config).
The issue was purely my oversight. I'll correct that with more caffeine shortly ...
Thx again.
08-13-2009, 02:10 PM  #12
Member (Registered: Jul 2009, Location: Illinois, US, Distribution: Fedora 11, Posts: 374)
No, I get you (and believe me, I have those all the time). It just seems weird to me that the package didn't even create a blank file - usually there's a fully decked-out config file as both documentation of how to configure it and of the defaults. Oh, well. Good luck (with whatever). 
08-13-2009, 06:01 PM  #13
LQ Guru (Registered: Jul 2003, Location: Birmingham, Alabama, Distribution: SuSE, RedHat, Slack, CentOS, Posts: 27,794)
Quote (Originally Posted by paidbythehour):
> Karamarisan, Repo, Nevahre ... thank you all for taking the time to reply.
> First of all, I should try and save my reputation a bit:
> I am aware of the security implications involved with allowing root access via SSH. Perhaps I should have mentioned this earlier (or updated my LQ profile) but I work in a hardware development lab on an isolated network. We have no firewalls, no access to the internet, or any other security concerns. Our hosts are used strictly for testing hardware designed by our engineers. As an avid OpenBSD user, I'm glad to see you share the same security concerns regarding SSH/Telnet as I do. I have no idea why our engineers have requested root access via ssh, but that's really none of my business.
> Now for my brain-fart moment:
> Nevahre nailed it. I was editing ssh_config instead of sshd_config, which is embarrassing. I'd like to sincerely thank Nevahre for addressing my problem, instead of questioning my motives.
> Karamarisan and Repo did the right thing by pointing out the security implications, but Nevahre gets the glory.
> Thanks again guys. Take care.
Glad you got it cooking. It seems you've got a good handle on things, but this statement jumps out:
Quote:
> I have no idea why our engineers have requested root access via ssh, but that's really none of my business.
As a long-time administrator, why people need root access IS the business of the administrator, in my opinion. Granted, they may know what they're doing...but they may not. If system work isn't their primary job, they're more likely to be careless with an "rm -fR *", and YOU will be the one to rebuild the system, while they take a long lunch or go home early, since, after all...'the system is down'.....
I'd strongly recommend using SUDO instead, and log who does what. You can just have them type in "sudo -s", and get a root shell...but will also have a trail that says "user Jerry went to root at 11:17", so if something is hosed, there's no finger-pointing. Also, if someone just decides to change the root password...EVERYONE is locked out of it. If SUDO is working, you can log in as you, and change the root password back, without having to boot single-user, etc.
Just my $0.02 worth...feel free to ignore. 
08-14-2009, 08:32 AM  #14
LQ Newbie, Original Poster (Registered: Jan 2009, Posts: 20)
Quote (Originally Posted by TB0ne):
> Glad you got it cooking. It seems you've got a good handle on things, but this statement jumps out:
> As a long-time administrator, why people need root access IS the business of the administrator, in my opinion. Granted, they may know what they're doing...but they may not. If system work isn't their primary job, they're more likely to be careless with an "rm -fR *", and YOU will be the one to rebuild the system, while they take a long lunch or go home early, since, after all...'the system is down'.....
> I'd strongly recommend using SUDO instead, and log who does what. You can just have them type in "sudo -s", and get a root shell...but will also have a trail that says "user Jerry went to root at 11:17", so if something is hosed, there's no finger-pointing. Also, if someone just decides to change the root password...EVERYONE is locked out of it. If SUDO is working, you can log in as you, and change the root password back, without having to boot single-user, etc.
> Just my $0.02 worth...feel free to ignore.
Amen brother. I couldn't agree more. And to all the browsers of this post, take TB0ne's advice to heart.
I don't usually go through the whole back-story when posting on forums, because it's easy to lose people's interest. But I can assure you, I would never give another user root on a production system (sudo instead). As I mentioned earlier, my Solaris hosts are used for hardware testing in a development lab. I set up a host meeting their requirements, the engineers do their best to destroy the system, then I get the system back, format the host, and the process starts over again.
But I'm glad to see that you, and the other posters, are paying attention. Keep it up. Thx again.