AW: [suse-security] AW: Antwort: AW: Antwort: [suse-security] sshd, harden_suse, pam und md5
Sorry for the German language.
sshd must have some troubles with md5: when I disable md5 then I can log in (also with root); when I enable md5 then I get an access denied.
The harden_suse script is from 7.3.
best regards

-----Original Message-----
From: Philippe Vogel [mailto:filiaap@freenet.de]
Sent: Friday, 13 September 2002 17:39
To: Wolfgang Rest
Subject: Re: [suse-security] AW: Antwort: AW: Antwort: [suse-security] sshd, harden_suse, pam und md5

1) English mailing list - see www.suse.de!
2) harden_suse will work for 7.3; maybe you used the wrong attributes and said yes everywhere!
3) read the rest
Oops...
Sorry.. I compared the old config file with the one newly created by harden_suse.. and I didn't notice it...
Logically, I now have PermitRootLogin = yes
This is a security hole; better allow your user xy and deny root. Then switch to root with "su" + password.
and tried PAMAuthenticationViaKbdInt = yes
This is bad! Change it to "No"!
Tried it.. but it didn't help. Could it be that something is wrong in /etc/pam.d/sshd?
The file was O.K. as it was brought to you. Maybe harden_suse changed something. Was the harden_suse you used written for SuSE 8.0?
Here once more the now correct sshd_config file:
Port 22
Protocol 1,2
I would prefer "Protocol 2" for use of Protocol 2 only.
ListenAddress 192.168.2.2
You have the firewall with internal and external network card? Then it is a fine thing to have ssh on both cards. Therefore you may deactivate this entry.
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
#HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
You have these keys? SSH looks for them and makes authentication with them.
ssh_host_key -> protocol 1
ssh_host_rsa_key -> protocol 2
ssh_host_dsa_key -> protocol 2
You need these keys to be generated for your user to authenticate:
ssh-keygen -t rsa
passphrase ...
ssh-keygen -t dsa
passphrase ...
ServerKeyBits 768
LoginGraceTime 300
KeyRegenerationInterval 3600
This is for protocol 1 usage only.
PermitRootLogin yes
Deny it! The rest looks normal. The harden_suse script does more; it sets kernel cap bits. What did you say yes to? Rest seems O.K.!
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

#CheckMail yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/lib/ssh/sftp-server
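The three points Philippe raises against the posted sshd_config (Protocol 1,2 instead of 2 only, PermitRootLogin yes, and PAMAuthenticationViaKbdInt) can be checked mechanically rather than by reading the file. The Python script below is an added example, not code from the thread, from SuSE or from the harden_suse script. It parses an sshd_config excerpt constructed from the directives posted above and reports which of the three settings still needs changing. The names parse_sshd_config, audit_sshd_config, first and SAMPLE_SSHD_CONFIG are my own; the script assumes that a missing PermitRootLogin behaves as "yes", which was the OpenSSH default at the time.

```python
"""Audit an sshd_config for the three points raised in the thread.

Added example (not from the mailing-list post or from harden_suse):
  - Protocol should be "2" only,
  - PermitRootLogin should be "no" (log in as a normal user, then su),
  - PAMAuthenticationViaKbdInt should not be "yes" (it may bypass
    PasswordAuthentication, as the config comment itself warns).
The sample config is constructed from the directives posted in the thread.
"""

# Constructed sample: the active directives of the posted sshd_config.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 1,2
ListenAddress 192.168.2.2
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin yes
IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# Uncomment to enable PAM keyboard-interactive authentication
#PAMAuthenticationViaKbdInt yes
Subsystem sftp /usr/lib/ssh/sftp-server
"""


def parse_sshd_config(text):
    """Return {directive (lower-case): [value, ...]} for active lines.

    Directive names are case-insensitive in sshd_config, so keys are
    lower-cased.  Repeatable directives (HostKey, ListenAddress) keep every
    value in file order; comment lines and blank lines are ignored.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive is inactive
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        directives.setdefault(key, []).append(value)
    return directives


def first(cfg, name, default=None):
    """sshd honours the first occurrence of a non-repeatable directive."""
    values = cfg.get(name.lower())
    return values[0] if values else default


def audit_sshd_config(text):
    """Return a list of (directive, observed value, recommendation) tuples."""
    cfg = parse_sshd_config(text)
    findings = []

    protocol = first(cfg, "Protocol")
    offered = set(protocol.replace(" ", "").split(",")) if protocol else set()
    if offered != {"2"}:
        findings.append(("Protocol", protocol or "(not set)",
                         "set 'Protocol 2' so that only protocol 2 is offered"))

    # Assumption: OpenSSH of that era defaulted PermitRootLogin to yes when unset.
    root_login = first(cfg, "PermitRootLogin", "yes")
    if root_login.lower() != "no":
        findings.append(("PermitRootLogin", root_login,
                         "set 'PermitRootLogin no'; log in as a normal user and su to root"))

    kbdint = first(cfg, "PAMAuthenticationViaKbdInt", "no")
    if kbdint.lower() == "yes":
        findings.append(("PAMAuthenticationViaKbdInt", kbdint,
                         "set it to 'no'; it may bypass PasswordAuthentication"))

    return findings


if __name__ == "__main__":
    for directive, observed, advice in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"{directive}: {observed} -> {advice}")
```

Run against the posted excerpt it reports Protocol and PermitRootLogin; the commented-out PAMAuthenticationViaKbdInt line is correctly treated as inactive, and a config with the two fixes applied comes back clean.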
On Sep 16, Wolfgang Rest
sshd must have some troubles with md5: when I disable md5 then I can log in (also with root); when I enable md5 then I get an access denied.
Did you add "md5" to /etc/pam.d/sshd, lines
/etc/pam.d/sshd looks correct.
I also have some Red Hat 7.3 boxes here.. and ssh with md5 works on them..
Checked the Red Hat against the SuSE config.. Red Hat handles the pam.d config
a little bit differently.. but it's the same matter.
On the SuSE 7.3 it looks like:
/etc/pam.d/sshd
#%PAM-1.0
auth required /lib/security/pam_unix.so # set_secrpc
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_env.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_pwcheck.so md5 use_cracklib
password required /lib/security/pam_unix.so md5 use_first_pass use_authtok
session required /lib/security/pam_unix.so none # trace or debug
session required /lib/security/pam_limits.so
best regards
Wolfgang
-----Original Message-----
From: Markus Gaugusch [mailto:markus@gaugusch.at]
Sent: Monday, 16 September 2002 14:35
To: SuSE-Security
Subject: Re: AW: [suse-security] AW: Antwort: AW: Antwort: [suse-security] sshd, harden_suse, pam und md5
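Markus's question above is whether "md5" was added to the lines of /etc/pam.d/sshd; in the file Wolfgang posted it appears on the two password lines only. The Python parser below is an added example, not code from the thread or from SuSE. It reads a PAM service file and reports, per management group (auth, account, password, session), whether every pam_unix.so line in that group carries the md5 argument, so the question can be answered group by group instead of by eye. The names parse_pam_service, md5_by_group and SAMPLE_PAM_SSHD are my own, and the sample is the posted /etc/pam.d/sshd embedded as a constructed string.

```python
"""Show which lines of a PAM service file pass the md5 argument.

Added example, not from the thread.  Parses the type/control/module/args
layout of /etc/pam.d/<service> and groups pam_unix.so lines by management
group.  The sample is the SuSE 7.3 /etc/pam.d/sshd posted in the thread,
embedded here as a constructed string.
"""

SAMPLE_PAM_SSHD = """\
#%PAM-1.0
auth     required   /lib/security/pam_unix.so   # set_secrpc
auth     required   /lib/security/pam_nologin.so
auth     required   /lib/security/pam_env.so
account  required   /lib/security/pam_unix.so
password required   /lib/security/pam_pwcheck.so md5 use_cracklib
password required   /lib/security/pam_unix.so    md5 use_first_pass use_authtok
session  required   /lib/security/pam_unix.so    none # trace or debug
session  required   /lib/security/pam_limits.so
"""


def parse_pam_service(text):
    """Return a list of {type, control, module, args} dicts, one per active line.

    '#' starts a comment (the posted file uses trailing comments as notes),
    so everything from the first '#' on is dropped.  A bracketed control
    field such as [success=ok default=bad] is kept together as one value.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: type, control and module are required
        mtype = fields[0].lower()
        if fields[1].startswith("["):
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control = " ".join(fields[1:end + 1])
            rest = fields[end + 1:]
        else:
            control = fields[1]
            rest = fields[2:]
        if not rest:
            continue  # bracketed control with no module after it
        entries.append({"type": mtype, "control": control,
                        "module": rest[0], "args": rest[1:]})
    return entries


def md5_by_group(entries, module_name="pam_unix.so"):
    """Map management group -> True iff every <module_name> line in it has md5.

    The module is matched on its basename, so both a bare module name and
    the full /lib/security/... path used in the posted file are accepted.
    """
    result = {}
    for e in entries:
        if e["module"].rsplit("/", 1)[-1] != module_name:
            continue
        has_md5 = "md5" in e["args"]
        result[e["type"]] = result.get(e["type"], True) and has_md5
    return result


if __name__ == "__main__":
    for group, ok in md5_by_group(parse_pam_service(SAMPLE_PAM_SSHD)).items():
        print(f"{group:9s} pam_unix.so md5: {'yes' if ok else 'no'}")
```

On the posted file the report shows md5 on the password group only; the auth, account and session pam_unix.so lines carry no md5 argument. The same function can be pointed at the Red Hat file Wolfgang mentions to compare the two side by side.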
Participants (2): Markus Gaugusch, Wolfgang Rest