sshd lets root login! Bug?
How can we ssh into a box when root login is disabled? We have Marc Heuses New Firewall script running on a 7.1 Suse box using 2.4 kernel. Here are the open ports:

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on YaddaYaddaYadda (XXXXXXXXXXX):
(The 1516 ports scanned but not shown below are in state: filtered)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     closed      smtp
53/tcp     open        domain
80/tcp     open        http
113/tcp    closed      auth
123/tcp    closed      ntp

Here is root logged on my friend's box locally and me logged in as root using ssh.

root     tty1     Apr 21 11:34
root     tty2     Apr 21 11:38
root     pts/0    Apr 21 11:35 (My.Box.At.Home)
root     pts/1    Apr 21 11:54 (My.Box.At.Home)

Here is the output of /etc/securetty on the bad box:

tty1
tty2
tty3
tty4
tty5
tty6
# for devfs:
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6

Any help on this one would be appreciated. We have shut down sshd for now.

Thanks

--
rsweet@socal.rr.com
"unix soit qui mal y pense."
I concur, the same just occurred to me. Sounds fishy to me.

On Tue, 24 Apr 2001, Robert Sweet wrote:
> How can we ssh into a box when root login is disabled?
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
It's just a configuration thing.

    grep RootLogin /etc/ssh/sshd_config

On my firewall, I have PermitRootLogin set to no and I cannot ssh to it as root. However, I *can* ssh as $USER and then su to root.

HTH
----- Original Message -----
From: "Robert Sweet"
> How can we ssh into a box when root login is disabled?
Yes, it was an ssh configuration, my bad. Problem with rpms, used to configure by hand before, completely forgot. I ASSumed since remote root login was disabled root couldn't login. I have since configured /etc/ssh/sshd_config:

    PermitRootLogin no

Seems the rpm should reflect the same default as not allowing root to login via telnet.

--
rsweet@socal.rr.com
"unix soit qui mal y pense."
* Robert Sweet wrote on Tue, Apr 24, 2001 at 11:18 +0800:
> How can we ssh into a box when root login is disabled?

That's nearly a FAQ.

Q: I disabled remote root login in <someservice>, but SSH still works!
A: Disable remote root login in sshd_config, too.

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
Edit /etc/ssh/sshd_config and change

    PermitRootLogin no

That should fix your problem. On the other hand, also run the harden suse script. It should be available on Marc's home page http://www.suse.de/~marc

On Tue, 24 Apr 2001, Robert Sweet wrote:
> How can we ssh into a box when root login is disabled?
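The replies agree that /etc/securetty does not govern sshd and that PermitRootLogin has to be set in /etc/ssh/sshd_config itself. The script below is an added example, not part of any poster's message, that reads the global setting from an sshd_config-style file. The function names and sample files are made up for illustration, and it assumes a single file with no Include directives.

```shell
#!/bin/sh
# Added example (not from the thread): read the global PermitRootLogin
# setting from an sshd_config-style file. /etc/securetty is consulted by
# login(1) for console and telnet logins; sshd honours only its own option.

# effective_root_login FILE -> prints the first global value, or "unset"
effective_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blanks
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)           # keyword ends at space or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))   # keywords ignore case
            val = substr(line, n)
            gsub(/^[ \t=]+/, "", val)
            split(val, tok, /[ \t]+/)
            if (key == "match") exit            # conditional section starts
            if (key == "permitrootlogin") {     # first occurrence wins
                print tolower(tok[1]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_ssh_blocked FILE -> exit status 0 only when the file says "no"
root_ssh_blocked() {
    [ "$(effective_root_login "$1")" = "no" ]
}

# Constructed samples: a config that never sets the option (only a
# commented-out line), and a corrected one with a later duplicate.
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' '#PermitRootLogin no' > "$demo_dir/packaged"
printf '%s\n' 'Port 22' 'PermitRootLogin no' 'permitrootlogin yes' > "$demo_dir/fixed"
for f in packaged fixed; do
    printf '%s: PermitRootLogin=%s\n' "$f" "$(effective_root_login "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

A result of "unset" means the compiled-in default applies, which depends on the OpenSSH version; on a live system `sshd -T` prints the effective configuration including defaults.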
participants (5)
- Geordon VanTassle
- Michael Chletsos
- Robert Sweet
- semat
- Steffen Dettmer