UncleVan n00b
Joined: 08 Feb 2011 Posts: 72
Posted: Fri Nov 06, 2015 9:17 pm
Post subject: Urgent: no ssh possible since net-misc/openssh-7.1_p1-r2
Hello everybody,
After the recent update

Code:
    net-misc/openssh-6.9_p1-r2 -> net-misc/openssh-7.1_p1-r2

I cannot log in with ssh anymore (I'm using two identical machines, Thinkpad Edge 11). In /var/log/messages there is the following:

Code:
    Jul 15 22:44:11 thinkkiste sshd[31065]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.50 user=root
    Jul 15 22:44:14 thinkkiste sshd[31061]: error: PAM: Authentication failure for root from 192.168.0.50

After some research I'm pretty sure it has something to do with the key pairs ssh uses, but I'm completely ignorant of how to solve this.
For now I have reverted to 6.9 again and it works OK, but I would highly appreciate any suggestion/help/info to solve this issue ASAP.
Thanks in advance!
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54831 Location: 56N 3W
Posted: Fri Nov 06, 2015 9:54 pm
UncleVan,
net-misc/openssh-7.x deprecates one sort of key, as it's no longer considered secure.
You can enable it if you want, but it will go away one day.
See the news item 2015-08-13 "OpenSSH 7.0 disables ssh-dss keys by default".
Password logins for root are also disabled by default.

/etc/ssh/sshd_config:
    #PermitRootLogin prohibit-password

Allowing root password logins via ssh has always been insecure.
Set up sudo. Log in as a normal user and use it to become root.

_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
UncleVan n00b
Joined: 08 Feb 2011 Posts: 72
Posted: Fri Nov 06, 2015 11:45 pm
Thank you for the quick response!
So far it's fine, but: how am I supposed to set up "new" keys for use?
It is a local segment only, apart from the internet, so login as root would not be an issue... BTW, that was literally the same statement forcing me to not use telnet anymore ;-)
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Fri Nov 06, 2015 11:54 pm
Had the same problem with root login. I did NOT change the conf file. It kept rejecting the password. I could log in as "guest" and su with the password, but not log in directly. I only ssh for admin work like emerges and kernel builds, so that's a PITA.
I wound up blocking 7.0 and above, like you.
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Fri Nov 06, 2015 11:55 pm
New keys:

Code:
    ssh-keygen -t ed25519
    ssh-copy-id -i ~/.ssh/id_ed25519.pub user@$remote

If you've restarted sshd on the remote side recently, it'll already have an ed25519 server key.
UncleVan n00b
Joined: 08 Feb 2011 Posts: 72
Posted: Sat Nov 07, 2015 12:04 am
Thank you guys,
I'll try to set up ssh 7 for root logins and report the results.
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2383 Location: Kentucky
Posted: Sat Nov 07, 2015 3:39 pm
Forcing this on people who have a bunch of machines to administer, without even a "news readme" notice at the time the force is made, is presumptuous to the point of arrogance!
I started a bunch of weekly updates last night and went to bed while they ran. I woke up this morning to chaos! I have many automation scripts that log in from one machine to another to perform various operations, not the least of which is nightly backups. Everything is broken! I kept all the old sshd config files, so why did everything change? Because some nanny of a developer decided that they knew better than I what was good for my network!
Only 2 of these machines are internet facing, yet all of them have been affected by this gentoo-induced denial of service attack!
I was going to clean the fallen leaves out of the yard today, but now I have a broken network to fix instead.
(Maybe that's a good thing?) 8O

_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword
Foghorn Leghorn is a Warner Bros. cartoon character.
UncleVan n00b
Joined: 08 Feb 2011 Posts: 72
Posted: Sat Nov 07, 2015 3:50 pm
OK, pretty trivial (shame on me...): just add/change in /etc/ssh/sshd_config

Code:
    ....
    # Authentication:
    ...
    PermitRootLogin yes
    ...

and everything is working again.
No need to generate new keys, because I type the password from the keyboard; in a local wired segment it is not an issue.
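To make the "commented defaults" point concrete, here is an added shell example (not from this thread, Gentoo or OpenSSH) that reports the effective PermitRootLogin value of an sshd_config for a given OpenSSH major version, and counts ssh-dss entries in an authorized_keys file so the DSA keys mentioned in the news item can be found before the next upgrade. The sample files it writes are constructed here, and the version-default table is an assumption kept in the script; Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH. sshd takes the first
# uncommented match for a keyword; a commented line means "built-in default".
# Assumed default table: "yes" before 7.0, "prohibit-password" from 7.0 on.

# $1 = sshd_config path, $2 = OpenSSH major version (e.g. 6 or 7)
effective_permit_root_login() {
    val=$(grep -i '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" 2>/dev/null \
          | head -n 1 | awk '{print $2}')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"           # explicitly set in the file
    elif [ "$2" -ge 7 ]; then
        printf 'prohibit-password\n'   # 7.x default: root only with keys
    else
        printf 'yes\n'                 # pre-7.0 default: root password OK
    fi
}

# Count ssh-dss (DSA) keys in an authorized_keys file; OpenSSH 7.0+ refuses
# them unless legacy support is re-enabled, so each one is a future lockout.
count_dsa_keys() {
    [ -f "$1" ] || { printf '0\n'; return; }
    grep -c '^ssh-dss ' "$1" || true   # grep -c prints 0 and exits 1 on no match
}

# Constructed sample files: a stock-style commented config, the "fixed"
# config from the thread, and an authorized_keys with one DSA key.
DEMO=$(mktemp -d)
printf '# Authentication:\n#PermitRootLogin prohibit-password\n' > "$DEMO/stock"
printf '# Authentication:\nPermitRootLogin yes\n' > "$DEMO/fixed"
printf 'ssh-dss AAAAB3NzaC1kc3MAAACB-constructed user@old\n' > "$DEMO/auth"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI-constructed user@new\n' >> "$DEMO/auth"

echo "stock config, OpenSSH 7: $(effective_permit_root_login "$DEMO/stock" 7)"
echo "stock config, OpenSSH 6: $(effective_permit_root_login "$DEMO/stock" 6)"
echo "fixed config, OpenSSH 7: $(effective_permit_root_login "$DEMO/fixed" 7)"
echo "DSA keys in authorized_keys: $(count_dsa_keys "$DEMO/auth")"
```

Run it against a real /etc/ssh/sshd_config and ~/.ssh/authorized_keys to see whether a box that "kept all the old config files" is actually relying on an upstream default that changed.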
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Sat Nov 07, 2015 3:56 pm
Moriah wrote:
> Forcing this on people who have a bunch of machines to administer without even a "news readme" notice at the time the force is made is presumptuous to the point of arrogance!

https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html

Moriah wrote:
> affected by this gentoo induced denial of service attack!

the famous non-existing news wrote:
> Be aware though that eventually OpenSSH will drop support for DSA keys
> entirely, so this is only a stop gap solution.
> More details can be found on OpenSSH's website:
> http://www.openssh.com/legacy.html

Meaning, it's a step from openssh.
So:
For missing news: 0 points
For missing target: 0 points
Rant score is 0, sorry Moriah, better luck next time :)
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2383 Location: Kentucky
Posted: Sat Nov 07, 2015 4:35 pm
Please note the phrase "at the time the force".
I did not say there was not a news item on it; I said there ought to be a "re-reminder" at the time it was actually happening.
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
Posted: Sat Nov 07, 2015 4:49 pm
That's the thing, there was a reminder... we can't force you to read it.
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2383 Location: Kentucky
Posted: Sat Nov 07, 2015 5:35 pm
That was my complaint: the reminder was 2 months before the occurrence. I read it, but after 2 months it would have been nice to announce that it was going into effect today.
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2383 Location: Kentucky
Posted: Sat Nov 07, 2015 5:41 pm
Anyway, I am taking advantage of this inconvenient event to clear out all my stuff in my .ssh/ directories and regenerate it to the new standards. One thing I *will* keep is root login via password. I have some utility machines that have no other user besides root. I am the only administrator. I only administrate these machines because there is no one else to do it, and I need them to do my income-producing work. As I said, there are only 2 of them that are internet facing; the rest are on a well protected ethernet segment behind multiple natting firewalls. From time to time, they all need to be administered remotely, possibly from machines that have never logged into those machines before. Therefore, I need to allow root login via password on ssh.
Also, I am *not* clearing the fallen leaves out of the yard today! ;-)
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54831 Location: 56N 3W
Posted: Sat Nov 07, 2015 5:45 pm
Moriah,

Quote:
> Therefore, I need to allow root login via password on ssh.

That's one solution. There are others, such as key-based login as root.
You could even create a normal user that you subsequently use to gain root.
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2383 Location: Kentucky
Posted: Sat Nov 07, 2015 6:18 pm
Neddy:
I also have to run a lot of scripts that log in as root. Finding and changing them all would be a major pain that I just do not have time for right now.
The LT n00b
Joined: 23 Feb 2006 Posts: 20 Location: Moscow, Russia
Posted: Sun Nov 08, 2015 2:55 pm
Moriah wrote:
> Forcing this on people who have a bunch of machines to administer without even a "news readme" notice at the time the force is made is presumptuous to the point of arrogance!

Not reading upstream changelogs before updating critical system packages is outright ignorant. Before you accuse the maintainers, make sure you even follow the established best practices and guidelines.

Quote:
> I started a bunch of weekly updates last night and went to bed while they ran. I woke up this morning to chaos! I have many automation scripts that log in from one machine to another to perform various operations, not the least of which is nightly backups. Everything is broken! I kept all the old sshd config files, so why did everything change? Because some nanny of a developer decided that they knew better than I what was good for my network!

No, because an ignorant user like you who thinks they know better never noticed that sshd_config is COMMENTED by default and the devs changed the defaults. Should you have bothered to CONFIGURE sshd, you wouldn't run into this.

Quote:
> Only 2 of these machines are internet facing, yet all of them have been affected by this gentoo induced denial of service attack!

This is irrelevant to the problem. The developers don't tailor the package for you and your two "internet-facing" machines.

Quote:
> I was going to clean the fallen leaves out of the yard today, but now I have a broken network to fix instead.

I would start with fixing your practices and update habits.

Quote:
> (Maybe that's a good thing?)

Definitely. At least you'll learn to read through the configuration files more carefully and not log in as root. And also, it might prompt you to ditch dsa if you ever used it.
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
Posted: Sun Nov 08, 2015 4:39 pm
IIRC, the login with root has been defaulted to commented out for several years to begin with, so that change isn't anything new. Now if upstream is starting to phase out that option altogether, I couldn't say. I can see arguments for both sides, and I admit I used the login with root before. Though that is only when I am setting up a new machine; once the machine is up, I leave it turned off and just log in with a regular user, then su into root.
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Sun Nov 08, 2015 6:39 pm
ct85711 wrote:
> Though that is only when I am setting up a new machine, once the machine is up, I leave it turned off and just login with a regular user, then su into root.

An extra, unnecessary step.
Moriah Advocate
Joined: 27 Mar 2004 Posts: 2383 Location: Kentucky
Posted: Thu Dec 10, 2015 1:49 pm
Neddy helped me solve this problem through a series of private messages. Thanks, Neddy!