Re: [Fedora-users-br] SSH only logs in as ROOT
Alejandro Flores
alejandrorflores at gmail.com
Fri Jun 5 00:34:56 UTC 2009
Vitor,
Please, after trying to log in, send the last 30 lines of /var/log/secure, ok?
Regards!
2009/6/3 Vitor Vilas Boas <vitor at vitorvilasboas.com.br>:
> Look, it was at the default; I added this option to see if it would fix it.
>
> Here it is.
>
> ======================================================================
>
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug3: start over, passed a different list
> publickey,password,keyboard-interactive
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/vitor/.ssh/identity
> debug3: no such identity: /home/vitor/.ssh/identity
> debug1: Trying private key: /home/vitor/.ssh/id_rsa
> debug3: no such identity: /home/vitor/.ssh/id_rsa
> debug1: Trying private key: /home/vitor/.ssh/id_dsa
> debug3: no such identity: /home/vitor/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 24 padlen 8 extra_pad 64)
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
>
> =======================================================
>
> Vitor Vilas Boas
> IT Consultant
> Linux User #484274
> www.vitorvilasboas.com.br
> vitor at vitorvilasboas.com.br
> Mobile: +55 71 8732.1156
> Mobile: +55 71 9947.2808
>
>
>
> Aldrey Galindo wrote:
>>
>> Vitor,
>>
>> Wouldn't it be the part that has 'AllowUsers vitor rafael root'? Can you
>> comment that out so it goes back to the default and allows everyone?
>> If it is your user 'vitor' that isn't getting through, could you run
>> 'ssh -vvv usuario@host' and post the output?
>>
>> Regards,
>> Aldrey Galindo
>>
>> 2009/6/3 Vitor Vilas Boas <vitor at vitorvilasboas.com.br
>> <mailto:vitor at vitorvilasboas.com.br>>
>>
>> There it is; I haven't touched anything yet, I only tried to allow the
>> users, but without success.
>> In every SSH installation I've done, users are allowed by default,
>> since the intention is to deny logon as root and allow it
>> for the users.
>>
>> ===============================================================
>> # This is the sshd server system-wide configuration file. See
>> # sshd_config(5) for more information.
>>
>> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>>
>> # The strategy used for options in the default sshd_config shipped with
>> # OpenSSH is to specify options with their default value where
>> # possible, but leave them commented. Uncommented options change a
>> # default value.
>>
>> #Port 22
>> #AddressFamily any
>> #ListenAddress 0.0.0.0
>> #ListenAddress ::
>>
>> # Disable legacy (protocol version 1) support in the server for new
>> # installations. In future the default will change to require explicit
>> # activation of protocol 1
>> Protocol 2
>>
>> # HostKey for protocol version 1
>> #HostKey /etc/ssh/ssh_host_key
>> # HostKeys for protocol version 2
>> #HostKey /etc/ssh/ssh_host_rsa_key
>> #HostKey /etc/ssh/ssh_host_dsa_key
>>
>> # Lifetime and size of ephemeral version 1 server key
>> #KeyRegenerationInterval 1h
>> #ServerKeyBits 1024
>>
>> # Logging
>> # obsoletes QuietMode and FascistLogging
>> #SyslogFacility AUTH
>> #LogLevel INFO
>>
>> # Authentication:
>>
>> #LoginGraceTime 2m
>> #PermitRootLogin yes
>> #StrictModes yes
>> #MaxAuthTries 6
>> #MaxSessions 10
>>
>> #RSAAuthentication yes
>> #PubkeyAuthentication yes
>> #AuthorizedKeysFile .ssh/authorized_keys
>>
>> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
>> #RhostsRSAAuthentication no
>> # similar for protocol version 2
>> #HostbasedAuthentication no
>> # Change to yes if you don't trust ~/.ssh/known_hosts for
>> # RhostsRSAAuthentication and HostbasedAuthentication
>> #IgnoreUserKnownHosts no
>> # Don't read the user's ~/.rhosts and ~/.shosts files
>> #IgnoreRhosts yes
>>
>> # To disable tunneled clear text passwords, change to no here!
>> PasswordAuthentication yes
>> #PermitEmptyPasswords no
>>
>> # Change to no to disable s/key passwords
>> #ChallengeResponseAuthentication yes
>>
>> # Kerberos options
>> #KerberosAuthentication no
>> #KerberosOrLocalPasswd yes
>> #KerberosTicketCleanup yes
>> #KerberosGetAFSToken no
>>
>> # GSSAPI options
>> #GSSAPIAuthentication no
>> #GSSAPICleanupCredentials yes
>>
>> # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
>> # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
>> # in this release. The use of 'gssapi' is deprecated due to the presence of
>> # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
>> #GSSAPIEnableMITMAttack no
>>
>>
>> # Set this to 'yes' to enable PAM authentication, account processing,
>> # and session processing. If this is enabled, PAM authentication will
>> # be allowed through the ChallengeResponseAuthentication and
>> # PasswordAuthentication. Depending on your PAM configuration,
>> # PAM authentication via ChallengeResponseAuthentication may bypass
>> # the setting of "PermitRootLogin without-password".
>> # If you just want the PAM account and session checks to run without
>> # PAM authentication, then enable this but set PasswordAuthentication
>> # and ChallengeResponseAuthentication to 'no'.
>> UsePAM yes
>> #AllowAgentForwarding yes
>> AllowUsers vitor rafael root
>> #AllowTcpForwarding yes
>> #GatewayPorts no
>> X11Forwarding yes
>> #X11DisplayOffset 10
>> #X11UseLocalhost yes
>> #PrintMotd yes
>> #PrintLastLog yes
>> #TCPKeepAlive yes
>> #UseLogin no
>> #UsePrivilegeSeparation yes
>> #PermitUserEnvironment no
>> #Compression delayed
>> #ClientAliveInterval 0
>> #ClientAliveCountMax 3
>> #UseDNS yes
>> #PidFile /var/run/sshd.pid
>> #MaxStartups 10
>> #PermitTunnel no
>> #ChrootDirectory none
>>
>> # no default banner path
>> Banner /etc/issue.net
>>
>> # override default of no subsystems
>> Subsystem sftp /usr/lib/ssh/sftp-server
>>
>> # This enables accepting locale environment variables LC_* LANG, see sshd_config(5).
>> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
>> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
>> AcceptEnv LC_IDENTIFICATION LC_ALL
>>
>> # Example of overriding settings on a per-user basis
>> #Match User anoncvs
>> # X11Forwarding no
>> # AllowTcpForwarding no
>> # ForceCommand cvs server
>>
>>
>> ==========================================================================
>>
>>
>>
>> Vitor Vilas Boas
>> IT Consultant
>> Linux User #484274
>> www.vitorvilasboas.com.br <http://www.vitorvilasboas.com.br>
>> vitor at vitorvilasboas.com.br <mailto:vitor at vitorvilasboas.com.br>
>> Mobile: +55 71 8732.1156
>> Mobile: +55 71 9947.2808
>>
>>
>>
>> Alejandro Flores wrote:
>>
>> Vitor,
>>
>>
>> Folks, I'm migrating the proxy/firewall servers and the
>> fileserver/backup from
>> openSUSE to CentOS 5.3, but I have a small problem:
>> SSH only logs in as
>> ROOT. I already created the user, but it doesn't get permission to access
>> SSH. I've already scoured the
>> net and the configuration file; does anyone have a tip?
>>
>>
>> Very atypical behavior!
>> Can you post /etc/ssh/sshd_config?
>>
>>
>>
>>
>> --
>> Fedora-users-br mailing list
>> Fedora-users-br at redhat.com <mailto:Fedora-users-br at redhat.com>
>> https://www.redhat.com/mailman/listinfo/fedora-users-br
>>
>>
>
>
--
Alejandro Flores
http://www.triforsec.com.br/
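
An added example, not part of the original thread: a shell filter for the /var/log/secure check requested above, labelling each sshd entry about one user with why the login was accepted or refused. The log lines are constructed and `triage_user` is a hypothetical helper name; the matched strings follow the messages sshd and its PAM layer typically log.

```shell
#!/bin/sh
# Constructed sample in /var/log/secure format; host, PIDs and addresses are made up.
sample_log() {
cat <<'EOF'
Jun  4 21:30:01 gw sshd[2101]: Accepted password for root from 192.0.2.10 port 40112 ssh2
Jun  4 21:31:12 gw sshd[2110]: User maria from 192.0.2.10 not allowed because not listed in AllowUsers
Jun  4 21:32:40 gw sshd[2120]: error: PAM: Authentication failure for vitor from 192.0.2.10
Jun  4 21:32:44 gw sshd[2120]: Failed keyboard-interactive/pam for vitor from 192.0.2.10 port 40150 ssh2
Jun  4 21:33:05 gw sshd[2131]: User vitor not allowed because shell /bin/zsh does not exist
Jun  4 21:34:00 gw sshd[2140]: Invalid user vitro from 192.0.2.10
Jun  4 21:35:00 gw sudo: vitor : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls
EOF
}

# triage_user USER: read log lines on stdin and print "date time verdict" for
# every sshd line about USER. Matching uses index(), so USER is treated as a
# literal string and never as a regular expression.
triage_user() {
    awk -v u="$1" '
        function has(s) { return index($0, s) > 0 }
        $5 !~ /^sshd\[[0-9]+\]:$/ { next }   # ignore non-sshd entries (sudo, su, ...)
        {
            v = ""
            if (has("Invalid user " u " from "))
                v = "no-such-account"          # name unknown to the system
            else if (has("User " u " ") && has("not listed in AllowUsers"))
                v = "blocked-by-AllowUsers"    # sshd_config access list
            else if (has("User " u " ") && has("because shell"))
                v = "invalid-login-shell"      # shell missing or not executable
            else if (has("PAM: Authentication failure for " u " "))
                v = "pam-rejected"             # PAM stack refused the credentials
            else if (has("Failed ") && has(" for " u " from "))
                v = "auth-failed"              # any method: password, kbd-interactive
            else if (has("Accepted ") && has(" for " u " from "))
                v = "accepted"
            if (v != "") print $1, $2, $3, v
        }'
}

# On a real host: tail -n 30 /var/log/secure | triage_user vitor
sample_log | triage_user vitor
```

A `blocked-by-AllowUsers` verdict points at sshd_config, while `pam-rejected` or `invalid-login-shell` points at the account itself (password, PAM stack, or the shell field in /etc/passwd).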