SSH on Fedora 16

Daniel J Walsh dwalsh at redhat.com
Wed Dec 28 13:55:04 UTC 2011



On 12/23/2011 03:47 PM, Daniel Bossert wrote:
> Hello
> 
>> echo 0>/selinux/enforce
> 
> doesn't work for me:
> [root at merkur ssh]# echo 0 >/selinux/enforce
> -bash: /selinux/enforce: No such file or directory
use

setenforce 0

/selinux has been moved to /sys/fs/selinux

Why do you want to put SELinux into permissive mode?

> [root at merkur ssh]#
> 
> # Change to no to disable s/key passwords 
> #ChallengeResponseAuthentication yes 
> ChallengeResponseAuthentication no
> 
> 
>>>> so why are you doing this if you want password-login?
>>> I know I had a mess... I changed to yes; even though it isn't
>>> working...
>> well, I read from top to post and stop after the first error
>> 
>> Dec 23 17:01:59 merkur sshd[9744]: error: Could not get shadow 
>> information for daniel
>> 
>> provide output of the following commands:
>> cat /etc/shadow | grep daniel
>> cat /etc/passwd | grep daniel
>> stat /etc/shadow
>> stat /etc/passwd
> [root at merkur ~]# cat /etc/shadow | grep daniel
> daniel:$6$wf04zvEHF.xMgd2Y$u6ULiAbq9zzt3oljsQ2jr8qwR2IVu1Mz2KlmeTPkKCHPrEo1/pfwNODtsGtho9UOTn/UW18uskl4SnKnpayn/.:15328:0:99999:7:::
>
> [root at merkur ~]# cat /etc/passwd | grep daniel
> daniel:x:1000:1000:Daniel Bossert:/home/daniel:/bin/bash
>
> [root at merkur ~]# stat /etc/shadow
>   File: `/etc/shadow'
>   Size: 1135        Blocks: 8          IO Block: 4096   regular file
> Device: fd01h/64769d    Inode: 156332      Links: 1
> Access: (0000/----------)  Uid: (    0/    root)   Gid: (    0/    root)
> Context: system_u:object_r:shadow_t:s0
> Access: 2011-12-23 18:01:01.649903474 +0100
> Modify: 2011-12-21 17:54:32.800954152 +0100
> Change: 2011-12-21 17:54:32.837953216 +0100
>  Birth: -
>
> [root at merkur ~]# stat /etc/passwd
>   File: `/etc/passwd'
>   Size: 1881        Blocks: 8          IO Block: 4096   regular file
> Device: fd01h/64769d    Inode: 156565      Links: 1
> Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
> Context: system_u:object_r:etc_t:s0
> Access: 2011-12-23 17:55:01.431858018 +0100
> Modify: 2011-12-21 17:54:32.725956049 +0100
> Change: 2011-12-21 17:54:32.762955114 +0100
>  Birth: -
> 
> 
> 
> 
>> ______________________________________________
>> 
>> for ssh, permissions are very important; if they are messed up and
>> too open, it refuses
>> 
>> /etc/passwd Zugriff: (0644/-rw-r--r--)
>> 
>> /etc/shadow Zugriff: (0400/-r--------) 
>> ______________________________________________
> [root at merkur ~]# ls -l /etc/passwd
> -rw-r--r--. 1 root root 1881 Dec 21 17:54 /etc/passwd
> [root at merkur ~]# ls -l /etc/shadow
> ----------. 1 root root 1135 Dec 21 17:54 /etc/shadow
> [root at merkur ~]#
> 
> --->>>> I see that /etc/shadow has no permissions... can that be?
> I changed it to 0400, but login doesn't work either.
> 
> 
>> 
>> however - this is a working sshd-config with password AND 
>> key-authentication, root allowed only with key and copied from a
>> production server changed to your username in the allowed list
>> 
>> this is a CLEANED configuration without millions of comments and
>> no random default values
>> 
>> Port                            22
>> Protocol                        2
>> AddressFamily                   inet
>> ListenAddress                   0.0.0.0
>> SyslogFacility                  AUTHPRIV
>> PasswordAuthentication          yes
>> ChallengeResponseAuthentication yes
>> GSSAPIAuthentication            no
>> GSSAPICleanupCredentials        no
>> X11Forwarding                   no
>> RSAAuthentication               yes
>> PubkeyAuthentication            yes
>> PermitEmptyPasswords            no
>> PermitRootLogin                 without-password
>> AllowGroups                     root users
>> AllowUsers                      root daniel
>> IgnoreRhosts                    yes
>> HostbasedAuthentication         no
>> RhostsRSAAuthentication         no
>> StrictModes                     yes
>> UseDNS                          no
>> AllowTcpForwarding              no
>> TCPKeepAlive                    yes
>> KeepAlive                       yes
>> ClientAliveCountMax             10
>> ClientAliveInterval             20
>> UsePrivilegeSeparation          yes
>> Compression                     yes
>> UsePAM                          yes
>> LoginGraceTime                  45
>> MaxAuthTries                    5
>> MaxStartups                     25
>> AuthorizedKeysFile              .ssh/authorized_keys
>> AcceptEnv                       LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
>> AcceptEnv                       LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
>> AcceptEnv                       LC_IDENTIFICATION LC_ALL
>> Subsystem                       sftp internal-sftp
> 
> The following is the new sshd_config. I don't know further.
> Kind regards, Daniel
> 
> /etc/ssh/sshd_config (new):
> #    $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
> 
> # This is the sshd server system-wide configuration file.  See
> # sshd_config(5) for more information.
> 
> # This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
> 
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented.  Uncommented options change a
> # default value.
> 
> Port 22
> AddressFamily inet
> ListenAddress 0.0.0.0
> #ListenAddress ::
> 
> # The default requires explicit activation of protocol 1
> Protocol 2
> 
> # HostKey for protocol version 1
> # HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> # HostKey /etc/ssh/ssh_host_rsa_key
> # HostKey /etc/ssh/ssh_host_dsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> 
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 1h
> ServerKeyBits 1024
> 
> # Logging
> # obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> SyslogFacility AUTHPRIV
> #LogLevel INFO
> 
> # Authentication:
> 
> LoginGraceTime 30
> PermitRootLogin without-password
> StrictModes no
> MaxAuthTries 5
> #MaxSessions 10
> 
> RSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile .ssh/authorized_keys
> #AuthorizedKeysCommand none
> #AuthorizedKeysCommandRunAs nobody
> 
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> 
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
> PermitEmptyPasswords no
> 
> # Change to no to disable s/key passwords
> ChallengeResponseAuthentication yes
> 
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
> #KerberosUseKuserok yes
> 
> # GSSAPI options
> GSSAPIAuthentication no
> #GSSAPIAuthentication yes
> #GSSAPICleanupCredentials yes
> GSSAPICleanupCredentials no
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
> 
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication.  Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> # WARNING: 'UsePAM no' is not supported in Fedora and may cause several
> # problems.
> #UsePAM no
> UsePAM yes
> 
> # Accept locale-related environment variables
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
> AcceptEnv XMODIFIERS
> 
> #AllowAgentForwarding yes
> AllowTcpForwarding no
> #GatewayPorts no
> #X11Forwarding no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> TCPKeepAlive yes
> KeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression delayed
> ClientAliveInterval 20
> ClientAliveCountMax 10
> #ShowPatchLevel no
> UseDNS no
> #PidFile /var/run/sshd.pid
> MaxStartups 25
> #PermitTunnel no
> #ChrootDirectory none
> 
> # no default banner path
> #Banner none
> 
> # override default of no subsystems
> Subsystem    sftp    /usr/libexec/openssh/sftp-server
> 
> # Uncomment this if you want to use .local domain
> #Host *.local
> #    CheckHostIP no
> 
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> #    X11Forwarding no
> #    AllowTcpForwarding no
> #    ForceCommand cvs server
> 
> 
> AllowGroups    root users
> AllowUsers    root daniel

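The checks the thread walks through (which directive value sshd will actually use, where the SELinux enforce node lives on Fedora 16, and whether /etc/shadow is readable by anyone but root), written up as an added example that is not code from the thread, OpenSSH or Fedora. It assumes POSIX sh with awk and mktemp; the sample sshd_config at the bottom is constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: reusable versions of the checks above.

# sshd_config(5): the FIRST uncommented occurrence of a directive wins and
# keywords are case-insensitive, so a duplicate further down (easily left
# behind when editing by hand) is silently ignored. Global scope ends at
# the first Match block, so stop reading there.
sshd_option() {  # $1 = config file, $2 = directive name
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# The enforce switch moved from /selinux to /sys/fs/selinux in Fedora 16;
# setenforce(8) already knows the right place. Prints whichever node exists.
selinux_enforce_node() {
    for p in /sys/fs/selinux/enforce /selinux/enforce; do
        if [ -e "$p" ]; then printf '%s\n' "$p"; return 0; fi
    done
    return 1
}

# /etc/shadow must not be readable by group or world. 0000 (as in the stat
# output above) and 0400 both pass; 0644 or 0040 do not. Accepts the mode as
# printed by `stat -c %a` (0, 400, 644) or as four octal digits (0400).
shadow_mode_ok() {  # $1 = octal mode
    case "$1" in
        0 | [0-7]00 | [0-7][0-7]00) return 0 ;;
        *)                          return 1 ;;
    esac
}

# Constructed sample: the second PasswordAuthentication line never applies.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Port 22
PasswordAuthentication no
PasswordAuthentication yes
UsePAM yes
AllowUsers root daniel
EOF
echo "PasswordAuthentication -> $(sshd_option "$cfg" PasswordAuthentication)"
echo "AllowUsers             -> $(sshd_option "$cfg" AllowUsers)"
rm -f "$cfg"
echo "SELinux enforce node   -> $(selinux_enforce_node || echo none mounted)"
shadow_mode_ok 0000 && echo "/etc/shadow mode 0000  -> ok (root-only)"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser here only explains why a later duplicate line has no effect.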

