sorry for german language sshd must have some troubles with md5, when i disable md5 then i can login (also with root) when i enable md5 then i get a access denied. the harden_suse script is from 7.3 best regards -----Ursprüngliche Nachricht----- Von: Philippe Vogel [mailto:filiaap@freenet.de] Gesendet: Freitag, 13. September 2002 17:39 An: Wolfgang Rest Betreff: Re: [suse-security] AW: Antwort: AW: Antwort: [suse-security] sshd, harden_suse, pam und md5 1) english mailinglist - see www.suse.de! 2) harden_suse will work for 7.3, maybe you used the false attributes and said everywhere yes! 3) read the rest

ups...

sorry.. habe das alte config file mit dem neu erstellen von harden_suse verglichen.. und es ist mir nicht aufgefallen...

hab nun logischerweise PermitRootLogin = yes

This is security hole, better allow you user xy and deny root. Then switch to root with "su" + password.

und mal PAMAuthenticationViaKbdInt = yes

This is bad! Change it to "No"!

probiert.. hat aber nichts gebracht. kann es sein das in /etc/pam.d/sshd etwas nicht stimmt?

The file was O.K. as it was brought to you. Maybe harden_suse changed something. Was the harden_suse you used written for SuSE 8.0?

hier nochmals das nun korrekte sshd_config files:

Port 22 Protocol 1,2

I would prefer "Protocol 2" for use of Protocol 2 only.

ListenAddress 192.168.2.2

You have the firewall with internal and external networkcard? Then it is a fine thing to have ssh on both cards. Therefor you may deactivate this entry.

#ListenAddress :: HostKey /etc/ssh/ssh_host_key #HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key

You have these keys? SSH looks for them and makes authentification with them. ssh_host_key -> protocol 1 ssh_host_rsa_key -> protocol 2 ssh_host_dsa_key -> protocol 2 You need this keys been generated for your user to authentificate: ssh-keygen -t rsa passphrase ... ssh-keygen -t dsa passphrase ...

ServerKeyBits 768 LoginGraceTime 300 KeyRegenerationInterval 3600

This is for protocol 1 usage only.

PermitRootLogin yes

Deny it! The rest looks normal. The harden_suse script does more, it sets kernel cap bits. What did you say yes to? Rest seems O.K.!

# # Don't read ~/.rhosts and ~/.shosts files IgnoreRhosts yes # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes StrictModes yes X11Forwarding no X11DisplayOffset 10 PrintMotd yes #PrintLastLog no KeepAlive yes

# Logging SyslogFacility AUTH LogLevel INFO #obsoletes QuietMode and FascistLogging

RhostsAuthentication no # # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords no

# Uncomment to disable s/key passwords ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication # Warning: enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbdInt yes

# To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes

#CheckMail yes #UseLogin no

#MaxStartups 10:30:60 #Banner /etc/issue.net #ReverseMappingCheck yes

Subsystem sftp /usr/lib/ssh/sftp-server