LinuxQuestions.org
Old 08-13-2009, 11:57 AM   #1
paidbythehour
LQ Newbie
 
Registered: Jan 2009
Posts: 20

Rep: Reputation: 0
SSH will not allow root logins


Hi there,

First of all, I'm aware that root logins are disabled by default in Solaris 10. Here are the steps I've taken so far:

- Enabled ssh via svcadm enable ssh
- Edited /etc/ssh/ssh_config to include PermitRootLogin yes
- Verified that /etc/default/login has CONSOLE=/dev/console/ commented out.
- Restarted ssh via svcadm restart ssh
- Rebooted the host, and verified configuration files retained their changes.
- Confirmed ssh is running via ps -ef | grep ssh
- Verified ssh is accepting logins with user account


After the above steps, I am still unable to log in with the root account. Telnet is enabled on this host as well, and it accepts root logins without issue.

When I check /var/adm/messages, the only message whose time stamp matches my login attempt is as follows:


Aug 13 12:43:33 uotts047 sshd[1252]: [ID 722452 auth.error] user2netname: (nis+ lookup): Error in accessing NIS+ cold start file... is NIS+ installed?



I do not get this message for successful ssh logins using my user account. The root and user accounts are local accounts (not NIS).


Does anyone have any suggestions on where to go from here? I've been crawling forums looking for someone else who has this problem ... if anyone else has a link to a thread that covers all the points I have, it would be greatly appreciated.

Am I missing something simple here?
 
Old 08-13-2009, 12:06 PM   #2
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,529

Rep: Reputation: 899
Login as user and su to root.
Disable telnet
 
Old 08-13-2009, 12:06 PM   #3
Nevahre
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Rep: Reputation: 16
If it is a typo I cannot help, but shouldn't this: ssh_config be sshd_config (ssh vs sshd)??
 
Old 08-13-2009, 12:19 PM   #4
paidbythehour
LQ Newbie
 
Registered: Jan 2009
Posts: 20

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by repo
Login as user and su to root.
Disable telnet
Telnet is now disabled, but this hasn't changed the behavior of SSH. I am still unable to log in as root, but I can log in as another user.

Quote:
Originally Posted by Nevahre
If it is a typo I cannot help, but shouldn't this: ssh_config be sshd_config (ssh vs sshd)??
It's just ssh_config:

# ls -la /etc/ssh/ssh_config
-rw-r--r-- 1 root sys 882 Aug 13 12:42 /etc/ssh/ssh_config
 
Old 08-13-2009, 12:27 PM   #5
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
Quote:
Originally Posted by paidbythehour
Telnet is now disabled, but this hasn't changed the behavior of SSH. I am still unable to log in as root, but I can log in as another user.
You missed his point. Allowing root to log in over ssh is VERY BAD, and you shouldn't allow it. Log in as yourself, then switch to root. Telnet is unrelated to your problem, but since it sends passwords plaintext (read: anyone between you and the destination or on the same line can read them), it is EXTRA VERY BAD.

Also, I don't know your distro, but I believe sshd_config is the correct file for... er, sshd. Double-check that the file you have is configuring the service you think it is.
 
Old 08-13-2009, 12:38 PM   #6
Nevahre
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Rep: Reputation: 16
Quote:
Originally Posted by paidbythehour
It's just ssh_config:

# ls -la /etc/ssh/ssh_config
-rw-r--r-- 1 root sys 882 Aug 13 12:42 /etc/ssh/ssh_config
My system has a ssh_config and a sshd_config. The 'PermitRootLogin yes' is in the sshd_config file, not the ssh_config file........
 
Old 08-13-2009, 12:40 PM   #7
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,529

Rep: Reputation: 899
Why do you want to login as root using ssh?
 
Old 08-13-2009, 01:09 PM   #8
paidbythehour
LQ Newbie
 
Registered: Jan 2009
Posts: 20

Original Poster
Rep: Reputation: 0
Karamarisan, Repo, Nevahre ... thank you all for taking the time to reply.


First of all, I should try and save my reputation a bit:

I am aware of the security implications involved with allowing root access via SSH. Perhaps I should have mentioned this earlier (or updated my LQ profile) but I work in a hardware development lab on an isolated network. We have no firewalls, no access to the internet, or any other security concerns. Our hosts are used strictly for testing hardware designed by our engineers. As an avid OpenBSD user, I'm glad to see you share the same security concerns regarding SSH/Telnet as I do. I have no idea why our engineers have requested root access via ssh, but that's really none of my business.


Now for my brain-fart moment:

Nevahre nailed it. I was editing ssh_config instead of sshd_config, which is embarrassing. I'd like to sincerely thank Nevahre for addressing my problem, instead of questioning my motives.

Karamarisan and Repo did the right thing by pointing out the security implications, but Nevahre gets the glory.

Thanks again guys. Take care.
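
The mix-up resolved above (PermitRootLogin written into the client file ssh_config instead of the daemon file sshd_config) can be checked mechanically. The script below is an added example, not part of any post in this thread; the function names and the sample files it writes are constructed for illustration.

```shell
#!/bin/sh
# effective_value FILE KEYWORD
# Print the first uncommented value of KEYWORD in FILE's global section.
# Keywords are case-insensitive and the first occurrence wins (OpenSSH
# behaviour; assumed here to hold for Solaris SunSSH too). Needs a POSIX
# awk; on Solaris 10 that is nawk or /usr/xpg4/bin/awk, not /usr/bin/awk.
# Only the whitespace-separated "Keyword value" form is handled.
effective_value() {
    awk -v kw="$2" '
        { sub(/#.*/, "") }                    # drop comments
        tolower($1) == "match" { exit }       # global section ends here
        tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$1"
}

# check_root_login CLIENT_CFG DAEMON_CFG
# Report where PermitRootLogin is set; succeed only if the daemon file says yes.
check_root_login() {
    stray=$(effective_value "$1" PermitRootLogin)
    actual=$(effective_value "$2" PermitRootLogin)
    [ -n "$stray" ] &&
        echo "WARN: 'PermitRootLogin $stray' in $1 is client config; sshd never reads it"
    echo "sshd PermitRootLogin: ${actual:-not set, daemon default applies}"
    [ "$actual" = "yes" ]
}

# write_samples DIR
# Constructed files that reproduce the thread's mistake: the directive was
# added to the client file while the daemon file still says "no".
write_samples() {
    printf '%s\n' '# client settings' 'Host *' 'PermitRootLogin yes' > "$1/ssh_config"
    printf '%s\n' '# daemon settings' 'Port 22' 'PermitRootLogin no' > "$1/sshd_config"
}

# Demo on the constructed files; point the two arguments at
# /etc/ssh/ssh_config and /etc/ssh/sshd_config to check a real host.
tmp=$(mktemp -d) && write_samples "$tmp"
check_root_login "$tmp/ssh_config" "$tmp/sshd_config" ||
    echo "root login over SSH is not enabled in the daemon config"
rm -rf "$tmp"
```

The same check is useful in the other direction: on a host where root login over SSH should stay off, a non-zero exit status from check_root_login is the expected result.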
 
Old 08-13-2009, 01:19 PM   #9
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
Heh, glad you've got it. Forgive the alert mode; people asking for what you wanted are vastly more likely to be n00bs (and I do mean that disparagingly for once) who think they don't need to worry about security and/or are too lazy to do it the right way.

Strange that you had this problem, though - any insight as to why sshd_config wasn't there to begin with? You said this is Solaris; done anything weird with it or does it ship that way?
 
Old 08-13-2009, 01:31 PM   #10
Nevahre
LQ Newbie
 
Registered: Aug 2009
Posts: 21

Rep: Reputation: 16


Karamarisan and Repo have a point! I agree.
 
Old 08-13-2009, 01:50 PM   #11
paidbythehour
LQ Newbie
 
Registered: Jan 2009
Posts: 20

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by karamarisan
Strange that you had this problem, though - any insight as to why sshd_config wasn't there to begin with? You said this is Solaris; done anything weird with it or does it ship that way?

This is where I had my brain-fart. The OS ships with both ssh_config (ssh client config) and sshd_config (ssh daemon config).

The issue was purely my oversight. I'll correct that with more caffeine shortly ...

Thx again.
 
Old 08-13-2009, 02:10 PM   #12
karamarisan
Member
 
Registered: Jul 2009
Location: Illinois, US
Distribution: Fedora 11
Posts: 374

Rep: Reputation: 55
No, I get you (and believe me, I have those all the time). It just seems weird to me that the package didn't even create a blank file - usually there's a fully decked-out config file as both documentation of how to configure it and of the defaults. Oh, well. Good luck (with whatever).
 
Old 08-13-2009, 06:01 PM   #13
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 27,794

Rep: Reputation: 8196
Quote:
Originally Posted by paidbythehour
Karamarisan, Repo, Nevahre ... thank you all for taking the time to reply.

First of all, I should try and save my reputation a bit:

I am aware of the security implications involved with allowing root access via SSH. Perhaps I should have mentioned this earlier (or updated my LQ profile) but I work in a hardware development lab on an isolated network. We have no firewalls, no access to the internet, or any other security concerns. Our hosts are used strictly for testing hardware designed by our engineers. As an avid OpenBSD user, I'm glad to see you share the same security concerns regarding SSH/Telnet as I do. I have no idea why our engineers have requested root access via ssh, but that's really none of my business.


Now for my brain-fart moment:

Nevahre nailed it. I was editing ssh_config instead of sshd_config, which is embarrassing. I'd like to sincerely thank Nevahre for addressing my problem, instead of questioning my motives.

Karamarisan and Repo did the right thing by pointing out the security implications, but Nevahre gets the glory.

Thanks again guys. Take care.
Glad you got it cooking. It seems you've got a good handle on things, but this statement jumps out:
Quote:
I have no idea why our engineers have requested root access via ssh, but that's really none of my business.
As a long-time administrator, why people need root access IS the business of the administrator, in my opinion. Granted, they may know what they're doing...but they may not. If system work isn't their primary job, they're more likely to be careless with an "rm -fR *", and YOU will be the one to rebuild the system, while they take a long lunch or go home early, since, after all...'the system is down'.....

I'd strongly recommend using SUDO instead, and log who does what. You can just have them type in "sudo -s", and get a root shell...but will also have a trail that says "user Jerry went to root at 11:17", so if something is hosed, there's no finger-pointing. Also, if someone just decides to change the root password...EVERYONE is locked out of it. If SUDO is working, you can log in as you, and change the root password back, without having to boot single-user, etc.

Just my $0.02 worth...feel free to ignore.
 
Old 08-14-2009, 08:32 AM   #14
paidbythehour
LQ Newbie
 
Registered: Jan 2009
Posts: 20

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by TB0ne
Glad you got it cooking. It seems you've got a good handle on things, but this statement jumps out:

As a long-time administrator, why people need root access IS the business of the administrator, in my opinion. Granted, they may know what they're doing...but they may not. If system work isn't their primary job, they're more likely to be careless with an "rm -fR *", and YOU will be the one to rebuild the system, while they take a long lunch or go home early, since, after all...'the system is down'.....

I'd strongly recommend using SUDO instead, and log who does what. You can just have them type in "sudo -s", and get a root shell...but will also have a trail that says "user Jerry went to root at 11:17", so if something is hosed, there's no finger-pointing. Also, if someone just decides to change the root password...EVERYONE is locked out of it. If SUDO is working, you can log in as you, and change the root password back, without having to boot single-user, etc.

Just my $0.02 worth...feel free to ignore.
Amen brother. I couldn't agree more. And to all the browsers of this post, take TBOne's advice to heart.

I don't usually go through the whole back-story when posting on forums, because it's easy to lose people's interest. But I can assure you, I would never give another user root on a production system (sudo instead). As I mentioned earlier, my Solaris hosts are used for hardware testing in a development lab. I set up a host meeting their requirements, the engineers do their best to destroy the system, then I get the system back, format the host, and the process starts over again.

But I'm glad to see that you, and the other posters, are paying attention. Keep it up. Thx again.
 
  

