RAD709 n00b
Joined: 20 Jun 2004 Posts: 35 Location: Lexington, Ky
Posted: Sat Sep 03, 2005 4:13 am Post subject: (easy) ssh config question!! (takes 2 seconds to read &
I can't find in Gentoo documentation or forums (probably from lack of trying) how to set up Gentoo to allow someone to ssh to the machine with only a password. I have edited the /etc/ssh/ssh_config file to not use rsa keys and done /etc/init.d/sshd restart but it still yells at me for no rsa-key matchup. What other files need to be edited?!?
p.s.: I am not trying to log on as root, I have every option in ssh_config set to no except login with passwd (I would post the file but I can't ssh to the machine to copy/paste and I haven't figured out how to do that with links yet) _________________ Mathematicians are a device for turning coffee into theorems

jmbsvicetto Moderator
Joined: 27 Apr 2005 Posts: 4735 Location: Angra do Heroísmo (PT)
Posted: Sat Sep 03, 2005 4:36 am Post subject: Re: (easy) ssh config question!! (takes 2 seconds to read &
RAD709 wrote: | I can't find in Gentoo documentation or forums (probably from lack of trying) how to set up gentoo to allow someone to ssh to the machine with only a password. I have edited the /etc/ssh/ssh_config file to not use rsa keys and done /etc/init.d/sshd restart but it still yells at me for no rsa-key matchup. what other files need to be edited?!?
p.s.: I am not trying to log on as root, I have every option in ssh_config set to no except login with passwd (i would post the file but I can't ssh to the machine to copy/paste and I haven't figured out how to do that with links yet) |
Hi.
First, you probably made a typo, but you're talking about /etc/ssh/sshd_config and not /etc/ssh/ssh_config. Then, you should enable UsePAM yes in the config file.
Does this work? _________________ Jorge.
Your twisted, but hopefully friendly daemon.
AMD64 / x86 / Sparc Gentoo
Help answer || emwrap.sh

RAD709 n00b
Posted: Sat Sep 03, 2005 4:50 am Post subject:
okay, so this wasn't a typo, I guess I meant to be editing the sshd_config file and after configing this file as the other one, it still won't accept me...

Dlareh Advocate
Joined: 06 Aug 2005 Posts: 2102
Posted: Sat Sep 03, 2005 4:55 am Post subject:
The default configuration will accept both passwords and keys. Perhaps you should revert to it. _________________ "Mr Thomas Edison has been up on the two previous nights discovering 'a bug' in his phonograph." --Pall Mall Gazette (1889)
Are we THERE yet?
Last edited by Dlareh on Sat Sep 03, 2005 4:56 am; edited 1 time in total

jmbsvicetto Moderator
Posted: Sat Sep 03, 2005 4:55 am Post subject:
You have the service running /etc/init.d/sshd status, right?
What did you change in the sshd_config file?
Last edited by jmbsvicetto on Sat Sep 03, 2005 5:07 am; edited 1 time in total

RAD709 n00b
Posted: Sat Sep 03, 2005 5:04 am Post subject:
I uncommented the passwordauthentication yes line and that is it. Is there somewhere in the documentation where this is possibly better explained?
I also ran Code: | /etc/init.d/sshd status | but I am not sure what it does. Nothing different yet though

jmbsvicetto Moderator
Posted: Sat Sep 03, 2005 5:09 am Post subject:
Make sure that the UsePAM line is not commented.
The /etc/init.d/* status command shows you if the service * is running. It should show if a service is stopped or started. You can also use start, stop and restart to control the service.

RAD709 n00b
Posted: Sat Sep 03, 2005 5:15 am Post subject:
The usepam option wasn't commented so that didn't need to change. Does the status just mean the process just shows up in ps? I knew about the start/stop/restart though - tnx anyway.

RAD709 n00b
Posted: Sat Sep 03, 2005 5:19 am Post subject:
The default sshd_config file had everything commented out except for the UsePAM option set to yes. Should this allow for both authentications then? If both are set to yes, do you need both?
Maybe I will just try to come up with my uber-prime-sieve to crack 2048 bit RSA-keys...

jmbsvicetto Moderator
Posted: Sat Sep 03, 2005 5:24 am Post subject:
My sshd_config file, which I haven't touched, has only the following lines not commented
Code: | atl64 atlantis # grep -v \# /etc/ssh/sshd_config
Protocol 2
PasswordAuthentication no
UsePAM yes
Subsystem sftp /usr/lib64/misc/sftp-server
atl64 atlantis # |

RAD709 n00b
Posted: Sat Sep 03, 2005 5:30 am Post subject:
and the only difference I should make in mine is? Code: | PasswordAuthentication yes |

jmbsvicetto Moderator
Posted: Sat Sep 03, 2005 5:30 am Post subject:
RAD709 wrote: | the usepam option wasn't commented so that didn't need to change. does the status just mean the process just shows up in ps ? I knew about the start/stop/restart though-tnx anyway. |
The status command tells if a service is running, stopped or dead. I think that the services use the start-stop-daemon to start and stop services. This is a binary file that is part of the baselayout package. I don't think it uses ps to determine if an app is running. I suspect that it starts by looking at the pid files in /var/run/ to determine the status of a service.

Dlareh Advocate
Posted: Sat Sep 03, 2005 5:36 am Post subject:
"/etc/init.d/<servicename> status" uses the records in /var/lib/init.d to report on the status of a process.
rc-status does this as well, just for all processes in a particular runlevel (default is the current one)
ps is independent of the init script system and is not affected; it simply reports what the kernel knows is running
the pid files in /var/run have other purposes, do not necessarily correspond to services started by the init script system, and certainly do not affect the rc/init status commands

zeek Guru
Joined: 16 Nov 2002 Posts: 480 Location: Bantayan Island
Posted: Sat Sep 03, 2005 5:40 am Post subject: Re: (easy) ssh config question!! (takes 2 seconds to read &
RAD709 wrote: | I can't find in Gentoo documentation or forums (probably from lack of trying) how to set up gentoo to allow someone to ssh to the machine with only a password. |
I hope you got that bassackwards because keys are a good idea and passwords are a bad idea. Passwords will probably go away in a couple of years.

RAD709 n00b
Posted: Sat Sep 03, 2005 5:49 am Post subject:
For very specific reasons I can't use keys to authenticate. It turns out just being more secure with my setup.

jmbsvicetto Moderator
Posted: Sat Sep 03, 2005 12:42 pm Post subject:
Dlareh wrote: | "/etc/init.d/<servicename> status" uses the records in /var/lib/init.d to report on the status of a process.
rc-status does this as well, just for all processes in a particular runlevel (default is the current one)
ps is independent of the init script system and is not affected; it simply reports what the kernel knows is running
the pid files in /var/run have other purposes, do not necessarily correspond to services started by the init script system, and certainly and do not affect the rc/init status commands |
Thanks for the info. I wasn't sure how it worked.
That hasn't happened to me yet in Gentoo, but in SuSE if a service dies, /etc/init.d/service status shows the service as dead. Does that info come from the /var/lib/init.d or do you think that ps and/or the pid files are used somehow?

Dlareh Advocate
Posted: Sat Sep 03, 2005 9:48 pm Post subject:
jmbsvicetto wrote: | Thanks for the info. I wasn't sure how it worked.
That didn't happened to me yet in Gentoo, but in SuSE if a service dies, /etc/init.d/service status shows the service as dead. Does that info come from the /var/lib/init.d or do you think that ps and or the pid files are used somehow? |
Apparently it depends on the init script. If the start-stop-daemon command line has "--pidfile /var/run/something.pid" then it does check when you run status (and perhaps earlier, I'm not sure).
I spend more time working with custom init scripts that don't use --pidfile because they start more than one thing and it's easier just to use pkill.

RAD709 n00b
Posted: Sun Sep 04, 2005 7:06 pm Post subject:
When I change the port from 22 to something random like 348 and restart sshd the change takes effect (i.e. I can only be denied ssh on 348 and on port 22 I just get the connection refused). So the config file in /etc/ssh/sshd.conf isn't being ignored. Here is the file though:
Code: | rob #grep -v \# /etc/ssh/sshd_config
protocol 2
PasswordAuthentication yes
UsePAM no
Subsystem sftp /usr/lib64/misc/sftp-server |
I really didn't think the arch mattered in something this trivial but if it helps it is a single proc. Apple G5 1.8 Ghz in pure 64-bit mode.
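
Added example, not part of any post in this thread: a sketch of how to read the value sshd takes from a listing like the two `grep -v \#` outputs posted above, following sshd_config(5) (keywords are case-insensitive, the first occurrence of a keyword wins, and the global section ends at the first Match line). The function names and the third sample file are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. effective_opt and auth_summary are
# illustrative names; the third sample file is constructed.

# effective_opt FILE KEYWORD
# Prints the value FILE's global section gives KEYWORD, or "(unset)" when the
# file never sets it and the compiled-in default applies.
effective_opt() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "(unset)" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)              # leading whitespace is ignored
            if (line == "" || line ~ /^#/) next   # blank lines and comments
            # keyword ends at the first whitespace or "=" character
            if (!match(line, /[ \t=]/)) next
            key  = tolower(substr(line, 1, RSTART - 1))   # keywords ignore case
            rest = substr(line, RSTART)
            sub(/^[ \t]*=?[ \t]*/, "", rest)      # drop the separator itself
            sub(/[ \t]+$/, "", rest)
            if (key == "match") exit              # Match blocks end the global part
            if (key == want) { val = rest; exit } # first occurrence wins
        }
        END { print val }
    ' "$1"
}

# auth_summary FILE
# One line per keyword that decides whether a typed password can be accepted.
# ChallengeResponseAuthentication matters because, with UsePAM yes, PAM can
# prompt for a password through keyboard-interactive authentication.
auth_summary() {
    for k in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
        printf '%s=%s\n' "$k" "$(effective_opt "$1" "$k")"
    done
}

# Sample inputs: the two listings posted in this thread, then a constructed
# file with a commented line, a lower-case "key = value" line and a duplicate.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'Protocol 2' 'PasswordAuthentication no' 'UsePAM yes' \
    'Subsystem sftp /usr/lib64/misc/sftp-server' > "$tmp/jmbsvicetto"
printf '%s\n' 'protocol 2' 'PasswordAuthentication yes' 'UsePAM no' \
    'Subsystem sftp /usr/lib64/misc/sftp-server' > "$tmp/rad709"
printf '%s\n' '#PasswordAuthentication yes' '  passwordauthentication = no' \
    'PasswordAuthentication yes' > "$tmp/constructed"

for f in jmbsvicetto rad709 constructed; do
    echo "== $f"
    auth_summary "$tmp/$f"
done
```

Unlike `grep -v \#`, this reports "(unset)" for a keyword the file never mentions, which is where the daemon's built-in default decides the outcome.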

jmbsvicetto Moderator
Posted: Sun Sep 04, 2005 7:39 pm Post subject:
RAD709,
you should edit the /etc/ssh/sshd_config and activate the UsePAM option.
Does that make any difference?

RAD709 n00b
Posted: Sun Sep 04, 2005 8:00 pm Post subject:
No. I have tried UsePAM yes and no with Passwordauthentication yes and no but no difference!

RAD709 n00b
Posted: Sun Sep 04, 2005 8:07 pm Post subject:
Does it matter which user I am trying to log in as? i.e. if I made a newuser with wheel privileges and tried to log on as him from another computer (ssh newuser@192.168.0.9), should this config allow it?
Code: | protocol 2
ListenAddress 192.168.0.98
PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib64/misc/sftp-server |

truc Advocate
Joined: 25 Jul 2005 Posts: 3199
Posted: Sun Sep 04, 2005 9:56 pm Post subject:
Hey, I had the same problem just today and didn't find any Howto, but the docs I found told me the default file should be *enough* to ssh as root.
Just to let you know, sshd isn't running by default.
Each ssh*_config was the default one (since I never used ssh before).
The problem was, I gave my monitor (to my mother), so I've got nothing to display what I'm typing on my Gentoo box.
Turn on my Gentoo box, log in as root and then
Code: | #/etc/init.d/sshd start |
As I didn't see anything of what I was doing, I couldn't check whether sshd was running or not, but...
I'm also using a laptop with Mac OSX, and it has an interesting feature which tells which ports are open and so on.
Then I could know ssh was running: Code: | Port Scanning host: 192.168.0.2
Open Port: 22 ssh |
Yeah, great, I finally found the right command to ssh as root to my Gentoo box through the terminal of OSX:
Code: | $ssh 192.168.0.2 -l root
Password: |
(where password is the root password)
As it was also connected to the internet, I wanted to modify the sshd_config *bad idea*
After playing a bit with Gentoo ( (...) emerge world -Du then etc-update (...) ), I quit (exited?) ssh, but could not ssh again.
Here come the interesting things for you (I think).
I had to rescue the default ssh config files, in an easy way since I still can't see anything (no monitor, no ssh).
So still blindly, I did Code: | #/etc/init.d/sshd stop (in order to be sure)
#emerge -C openssh
#emerge openssh (then I waited till nothing seemed to happen)
#etc-update |
Then I chose "-5" (it's not using mv -i as far as I remember) since there were only the ssh config files.
Then Code: | #/etc/init.d/sshd start |
Then yeah!! I could ssh again!!
Hope it can help ;)
Sorry for my bad English
Last edited by truc on Mon Sep 05, 2005 8:08 am; edited 1 time in total

Dlareh Advocate
Posted: Sun Sep 04, 2005 10:05 pm Post subject:
truc wrote: | hey, I had the same problem just today and didn't find any Howto, But the Docs I found told me default file should be *enough* to ssh as root
just to let you know, sshd wasn't is running by default.
Each ssh*_config was the default one (since I never used ssh before)
The problem was, I gave my monitor (to my mother ) So I've got nothing to display what I'm typing on my gentoo box .
turn on my gentoo box, log in as root and then
Code: | #/etc/init.d/sshd start |
As I didn't see anything of what I were doing, I couldn't check wether sshd was running or not, but... |
Three ways:
Code: | ps aux | grep sshd
netstat -atpn
emerge -u nmap
nmap -p22 localhost |

RAD709 n00b
Posted: Mon Sep 05, 2005 3:58 am Post subject:
Hmm, this was one of the first things I did: reinstall openssh. It gave me the clean sshd_config file and everything, but no dice.

RAD709 n00b
Posted: Mon Sep 05, 2005 4:07 am Post subject:
truc ==> as this worked for you I thought I'd try it anyway... it doesn't actually recover any config files: it leaves the old ones untouched. So this didn't do the trick. Can someone just post a fresh/clean config file or tell me how to recover one? This is a very quirky bug...