SSH on Fedora 16
Daniel J Walsh
dwalsh at redhat.com
Wed Dec 28 13:55:04 UTC 2011
On 12/23/2011 03:47 PM, Daniel Bossert wrote:
> Hello
>
>> echo 0>/selinux/enforce
>
> doesn't work at me: [root at merkur ssh]# echo 0 >/selinux/enforce
> -bash: /selinux/enforce: No such file or directory
use
setenforce 0
/selinux has been moved to /sys/fs/selinux
Why do you want to put SELinux into permissive mode?
> [root at merkur ssh]#
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
> ChallengeResponseAuthentication no
>
>
>>>> so why are you doing this if you want password-login?
>>> I know I had e mess... I changed to yes; even though it isn't
>>> working...
>> well, i read from top to post and stop after the first error
>>
>> Dec 23 17:01:59 merkur sshd[9744]: error: Could not get shadow
>> information for daniel
>>
>> provide output of the following commands:
>> cat /etc/shadow | grep daniel
>> cat /etc/passwd | grep daniel
>> stat /etc/shadow
>> stat /etc/passwd
> [root at merkur ~]# cat /etc/shadow | grep daniel
> daniel:$6$wf04zvEHF.xMgd2Y$u6ULiAbq9zzt3oljsQ2jr8qwR2IVu1Mz2KlmeTPkKCHPrEo1/pfwNODtsGtho9UOTn/UW18uskl4SnKnpayn/.:15328:0:99999:7:::
>
> [root at merkur ~]# cat /etc/passwd | grep daniel
> daniel:x:1000:1000:Daniel Bossert:/home/daniel:/bin/bash
> [root at merkur ~]# stat /etc/shadow
>   File: `/etc/shadow'
>   Size: 1135        Blocks: 8          IO Block: 4096   regular file
> Device: fd01h/64769d    Inode: 156332      Links: 1
> Access: (0000/----------)  Uid: (    0/    root)   Gid: (    0/    root)
> Context: system_u:object_r:shadow_t:s0
> Access: 2011-12-23 18:01:01.649903474 +0100
> Modify: 2011-12-21 17:54:32.800954152 +0100
> Change: 2011-12-21 17:54:32.837953216 +0100
>  Birth: -
> [root at merkur ~]# stat /etc/passwd
>   File: `/etc/passwd'
>   Size: 1881        Blocks: 8          IO Block: 4096   regular file
> Device: fd01h/64769d    Inode: 156565      Links: 1
> Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
> Context: system_u:object_r:etc_t:s0
> Access: 2011-12-23 17:55:01.431858018 +0100
> Modify: 2011-12-21 17:54:32.725956049 +0100
> Change: 2011-12-21 17:54:32.762955114 +0100
>  Birth: -
>
>
>
>
>> ______________________________________________
>>
>> for ssh permissions are very important if they are messed up and
>> too open it refuses
>>
>> /etc/passwd Zugriff: (0644/-rw-r--r--)
>>
>> /etc/shadow Zugriff: (0400/-r--------)
>> ______________________________________________
> [root at merkur ~]# ls -l /etc/passwd
> -rw-r--r--. 1 root root 1881 Dec 21 17:54 /etc/passwd
> [root at merkur ~]# ls -l /etc/shadow
> ----------. 1 root root 1135 Dec 21 17:54 /etc/shadow
> [root at merkur ~]#
>
> --->>>> I see that /etc/shadow has no permissions. Can that be?
> I changed it to 0400, but login doesn't work either.
>
>
>>
>> however - this is a working sshd-config with password AND
>> key-authentication, root allowed only with key and copied from a
>> production server changed to your username in the allowed list
>>
>> this is a CLEANED configuration without millions of comments and
>> no random values by default
>>
>> Port 22
>> Protocol 2
>> AddressFamily inet
>> ListenAddress 0.0.0.0
>> SyslogFacility AUTHPRIV
>> PasswordAuthentication yes
>> ChallengeResponseAuthentication yes
>> GSSAPIAuthentication no
>> GSSAPICleanupCredentials no
>> X11Forwarding no
>> RSAAuthentication yes
>> PubkeyAuthentication yes
>> PermitEmptyPasswords no
>> PermitRootLogin without-password
>> AllowGroups root users
>> AllowUsers root daniel
>> IgnoreRhosts yes
>> HostbasedAuthentication no
>> RhostsRSAAuthentication no
>> StrictModes yes
>> UseDNS no
>> AllowTcpForwarding no
>> TCPKeepAlive yes
>> KeepAlive yes
>> ClientAliveCountMax 10
>> ClientAliveInterval 20
>> UsePrivilegeSeparation yes
>> Compression yes
>> UsePAM yes
>> LoginGraceTime 45
>> MaxAuthTries 5
>> MaxStartups 25
>> AuthorizedKeysFile .ssh/authorized_keys
>> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
>> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
>> AcceptEnv LC_IDENTIFICATION LC_ALL
>> Subsystem sftp internal-sftp
>
> The following is the new sshd_config.. I don't know further..
> Kind regards
> Daniel
>
> /etc/ssh/sshd_config (new):
>
> #	$OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
>
> # This is the sshd server system-wide configuration file.  See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented.  Uncommented options change a
> # default value.
>
> Port 22
> AddressFamily inet
> ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # The default requires explicit activation of protocol 1
> Protocol 2
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 1h
> ServerKeyBits 1024
>
> # Logging
> # obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> SyslogFacility AUTHPRIV
> #LogLevel INFO
>
> # Authentication:
>
> LoginGraceTime 30
> PermitRootLogin without-password
> StrictModes no
> MaxAuthTries 5
> #MaxSessions 10
>
> RSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile .ssh/authorized_keys
> #AuthorizedKeysCommand none
> #AuthorizedKeysCommandRunAs nobody
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
> PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> #KerberosUseKuserok yes
>
> # GSSAPI options
> GSSAPIAuthentication no
> #GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> GSSAPICleanupCredentials no
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication.  Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> # WARNING: 'UsePAM no' is not supported in Fedora and may cause several
> # problems.
> #UsePAM no
> UsePAM yes
>
> # Accept locale-related environment variables
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
> AcceptEnv XMODIFIERS
>
> #AllowAgentForwarding yes
> AllowTcpForwarding no
> #GatewayPorts no
> #X11Forwarding no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> TCPKeepAlive yes
> KeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression delayed
> ClientAliveInterval 20
> ClientAliveCountMax 10
> #ShowPatchLevel no
> UseDNS no
> #PidFile /var/run/sshd.pid
> MaxStartups 25
> #PermitTunnel no
> #ChrootDirectory none
>
> # no default banner path
> #Banner none
>
> # override default of no subsystems
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
> # Uncomment this if you want to use .local domain
> #Host *.local
> #   CheckHostIP no
>
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> #	X11Forwarding no
> #	AllowTcpForwarding no
> #	ForceCommand cvs server
>
> AllowGroups root users
> AllowUsers root daniel
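The thread above turns on a handful of things: which sshd_config directives actually take effect (PasswordAuthentication, UsePAM, ChallengeResponseAuthentication, AllowUsers), and whether the /etc/shadow metadata the user posted is normal. The script below is an added example, not code from this thread, from Fedora or from OpenSSH. It encodes the sshd_config(5) rule that the first uncommented value of a keyword wins (so a later duplicate is silently ignored), treats AllowUsers as cumulative across lines (as sshd does), and checks a `stat -c '%a %U %G %C'` style line for /etc/shadow against Fedora's shipped defaults (mode 0000, root:root, shadow_t). The sample config and stat line are constructed inline so the whole thing runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread, Fedora or OpenSSH): audit the
# sshd_config directives that decide whether a password login can work,
# and sanity-check /etc/shadow metadata. All inputs are constructed.

# Constructed sshd_config fragment, loosely modelled on the thread's
# second config. Note the second, conflicting PasswordAuthentication line.
SAMPLE_CONFIG='# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
UsePAM yes
AllowGroups root users
AllowUsers root daniel
AllowUsers backup
PasswordAuthentication no
'

# effective_value CONFIG KEYWORD
# Prints the first uncommented value of KEYWORD. Keyword matching is
# case-insensitive, and per sshd_config(5) "the first obtained value
# will be used", so any later duplicate is ignored, as sshd does.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        !/^[ \t]*#/ && NF > 0 && tolower($1) == tolower(key) {
            sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; exit
        }'
}

# allowed_users CONFIG
# AllowUsers accumulates across lines in sshd, so every uncommented
# occurrence contributes names. Prints them space-separated.
allowed_users() {
    printf '%s\n' "$1" | awk '
        !/^[ \t]*#/ && NF > 0 && tolower($1) == "allowusers" {
            for (i = 2; i <= NF; i++) printf "%s ", $i
        }'
}

# user_allowed CONFIG USER -> 0 unless an AllowUsers list excludes USER
user_allowed() {
    names=$(allowed_users "$1")
    [ -z "$names" ] && return 0          # no AllowUsers at all: no restriction
    for n in $names; do [ "$n" = "$2" ] && return 0; done
    return 1
}

# password_login_possible CONFIG USER -> 0 if the directives permit it.
# UsePAM must be yes on Fedora (the shipped config warns 'UsePAM no'
# is unsupported there).
password_login_possible() {
    [ "$(effective_value "$1" PasswordAuthentication)" = yes ] || return 1
    [ "$(effective_value "$1" UsePAM)" = yes ] || return 1
    user_allowed "$1" "$2"
}

# shadow_meta_ok "MODE OWNER GROUP CONTEXT"
# Takes one line in the format of `stat -c '%a %U %G %C' /etc/shadow`.
# Fedora ships /etc/shadow as mode 0 (root:root, shadow_t); root, which
# sshd's privileged monitor runs as, reads it regardless of the mode
# bits, so a non-root owner or a wrong SELinux type is what to flag.
shadow_meta_ok() {
    set -- $1
    case "$1" in 0|400|600) ;; *) return 1 ;; esac
    [ "$2" = root ] && [ "$3" = root ] || return 1
    case "$4" in *:shadow_t:*) return 0 ;; *) return 1 ;; esac
}

# Stand-alone run against the constructed data.
if password_login_possible "$SAMPLE_CONFIG" daniel; then
    echo "daniel: password login permitted by sshd_config"
else
    echo "daniel: password login blocked by sshd_config"
fi
if shadow_meta_ok "0 root root system_u:object_r:shadow_t:s0"; then
    echo "/etc/shadow metadata matches the Fedora default"
fi
```

Run it against a real host by replacing `SAMPLE_CONFIG` with `$(cat /etc/ssh/sshd_config)` and the stat line with the real `stat -c '%a %U %G %C' /etc/shadow` output; with `StrictModes no` and duplicate directives, the "first value wins" rule is usually what explains a config that looks right but behaves differently.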