[opensuse] Sshd _config options
Hi folks: I can't find a good write up of the options of PermitRootLogin - yes, no, without-passwd, etc... Can someone point me in the right direction? thanks -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Jan 17, 2008, at 10:08 AM, Kain, Becki (B.) wrote:
Hi folks:
I can't find a good write up of the options of PermitRootLogin - yes, no, without-passwd, etc... Can someone point me in the right direction? thanks
from 'man sshd_config'
PermitRootLogin Specifies whether root can log in using ssh(1). The argument must be ``yes'', ``without-password'', ``forced-commands-only'', or ``no''. The default is ``yes''.
If this option is set to ``without-password'', password authentication is disabled for root.
If this option is set to ``forced-commands-only'', root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
If this option is set to ``no'', root is not allowed to log in.
Systems Administrator, Soho VFX - Visual Effects Studio, 99 Atlantic Avenue, Suite 303, Toronto, Ontario, M6K 3J8, (416) 516-7863, http://www.sohovfx.com
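The man page text above describes four values and one default; an administrator usually wants a quick way to see which value a given sshd_config actually yields and what that leaves open for root. The script below is an added example for this thread, not code from OpenSSH or from anyone in the discussion. It assumes what the sshd_config(5) man page states: sshd uses the first PermitRootLogin line it meets and ignores later duplicates, keywords after a "Match" header apply only conditionally (the script stops there), and an absent keyword means the default, which is "yes" in the man page quoted here (newer OpenSSH releases default to "prohibit-password"). Lines written as "keyword=value" are not handled. The file paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit the effective PermitRootLogin
# value of an sshd_config file and report what it leaves open for root.
# Assumptions (see lead-in): first PermitRootLogin line wins, scanning stops
# at the first "Match" header, absent keyword means the man page default "yes".

# Print the effective PermitRootLogin value (lower-cased) from config file $1.
permit_root_login_value() {
    val=$(awk '
        /^[ \t]*#/ || NF == 0            { next }   # comments and blank lines
        tolower($1) == "match"           { exit }   # conditional section starts
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'yes\n'                   # keyword absent: man page default
    fi
}

# Map a PermitRootLogin value to the authentication paths root still has.
root_auth_paths() {
    case "$1" in
        yes)                  printf 'any-enabled-method\n' ;;
        # Note from the man page: keyboard-interactive/PAM may still accept a password.
        without-password)     printf 'publickey\n' ;;
        forced-commands-only) printf 'publickey-with-command-option\n' ;;
        no)                   printf 'none\n' ;;
        *)                    printf 'unknown\n'; return 1 ;;
    esac
}

# Count key entries in authorized_keys file $1 that carry no command="..."
# option. Under forced-commands-only sshd rejects such keys; under
# without-password they hand whoever holds the private key an unrestricted
# root shell, which is the risk the thread warns about.
keys_missing_command() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        index($0, "command=\"") == 0 { n++ }
        END { print n + 0 }
    ' "$1"
}

# Usage (placeholder paths):
#   sh audit_root_login.sh /etc/ssh/sshd_config /root/.ssh/authorized_keys
if [ "$#" -ge 1 ]; then
    v=$(permit_root_login_value "$1")
    echo "PermitRootLogin: $v (root can use: $(root_auth_paths "$v"))"
    if [ "$#" -ge 2 ] && [ -r "$2" ]; then
        echo "root keys without a forced command: $(keys_missing_command "$2")"
    fi
fi
```

Run it against a copy of the live config before and after a change; the count of root keys without a forced command is the number that matters when the value is anything other than "no".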
M. Todd Smith wrote:
On Jan 17, 2008, at 10:08 AM, Kain, Becki (B.) wrote:
Hi folks:
I can't find a good write up of the options of PermitRootLogin - yes, no, without-passwd, etc... Can someone point me in the right direction? thanks
from 'man sshd_config'
PermitRootLogin Specifies whether root can log in using ssh(1). The argument must be ``yes'', ``without-password'', ``forced-commands-only'', or ``no''. The default is ``yes''.
If this option is set to ``without-password'', password authentication is disabled for root.
Becki, Note that setting this to "without-password" is probably a security violation at Ford, so if you want to keep working at Ford, then don't use it. It's just asking for trouble.
If this option is set to ``forced-commands-only'', root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
If this option is set to ``no'', root is not allowed to log in.
On Thu, 2008-01-17 at 15:41 -0500, Aaron Kulkis wrote:
Becki, Note that setting this to "without-password" is probably a security violation at Ford, so if you want to keep working at Ford, then don't use it. It's just asking for trouble.
<snip> Hi Aaron, In order to make proper use of this mechanism, the client must add his public ssh key to the authorized_keys of root, which only the root user of the receiving machine can do. What's wrong with that, given that the key itself and the passphrase for the private key are long enough and the key can only be used from a single machine?
Thank you Hans, I was curious of that as well. Thank you for asking -----Original Message----- From: Hans Witvliet [mailto:hwit@a-domani.nl] Sent: Monday, January 21, 2008 3:35 PM To: opensuse@opensuse.org Subject: Re: [opensuse] Sshd _config options On Thu, 2008-01-17 at 15:41 -0500, Aaron Kulkis wrote:
Becki, Note that setting this to "without-password" is probably a security violation at Ford, so if you want to keep working at Ford, then don't use it. It's just asking for trouble.
<snip> Hi Aaron, In order to make proper use of this mechanism, the client must add his public ssh key to the authorized_keys of root, which only the root user of the receiving machine can do. What's wrong with that, given that the key itself and the passphrase for the private key are long enough and the key can only be used from a single machine?
Kain, Becki (B.) wrote:
Thank you Hans, I was curious of that as well. Thank you for asking
-----Original Message----- From: Hans Witvliet [mailto:hwit@a-domani.nl] Sent: Monday, January 21, 2008 3:35 PM To: opensuse@opensuse.org Subject: Re: [opensuse] Sshd _config options
On Thu, 2008-01-17 at 15:41 -0500, Aaron Kulkis wrote:
Becki, Note that setting this to "without-password" is probably a security violation at Ford, so if you want to keep working at Ford, then don't use it. It's just asking for trouble.
<snip>
Hi Aaron,
In order to make proper use of this mechanism, the client must add his public ssh key to the authorized_keys of root, which only the root user of the receiving machine can do. What's wrong with that, given that the key itself and the passphrase for the private key are long enough and the key can only be used from a single machine?
Nothing, as long as the box with the ssh key is locked in a steel safe every night that will prevent any chance of any one popping the install dvd in and adding /bin/bash as a boot parameter at the grub menu. -- David C. Rankin, J.D., P.E. Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com
On 01/17/2008 11:22 PM, M. Todd Smith wrote:
On Jan 17, 2008, at 10:08 AM, Kain, Becki (B.) wrote:
I can't find a good write up of the options of PermitRootLogin - yes, no, without-passwd, etc... Can someone point me in the right direction?
from 'man sshd_config'
PermitRootLogin Specifies whether root can log in using ssh(1). The argument must be ``yes'', ``without-password'', ``forced-commands-only'', or ``no''. <snip>
If this option is set to ``no'', root is not allowed to log in. Just for clarity, this means root cannot directly log in via ssh (best for security). After logging in via ssh, you can as a user su to root to do any kind of admin work. Root is not prevented from working via ssh if set to no, just not allowed to log in directly.
-- Joe Morris Registered Linux user 231871 running openSUSE 10.3 x86_64
Joe Morris (NTM) wrote:
On 01/17/2008 11:22 PM, M. Todd Smith wrote:
On Jan 17, 2008, at 10:08 AM, Kain, Becki (B.) wrote:
I can't find a good write up of the options of PermitRootLogin - yes, no, without-passwd, etc... Can someone point me in the right direction?
from 'man sshd_config'
PermitRootLogin Specifies whether root can log in using ssh(1). The argument must be ``yes'', ``without-password'', ``forced-commands-only'', or ``no''. <snip>
If this option is set to ``no'', root is not allowed to log in. Just for clarity, this means root cannot directly log in via ssh (best for security). After logging in via ssh, you can as a user su to root to do any kind of admin work. Root is not prevented from working via ssh if set to no, just not allowed to log in directly.
To follow up on this, what would be involved for an automated process to log in as root in this manner? I understand doing this manually, like any shell on the machine, but does there exist any automated login scripts that try to get user, then root, or is this considered too many steps to be practical from a cracker's standpoint? Also, if you set the SSH login to accept only a key (with or without passphrase), is it considered "secure" to allow direct root logins (or rather authentications) using a key only? TIA, Jim F
On 01/18/2008 10:48 AM, Jim Flanagan wrote:
To follow up on this, what would be involved for an automated process to log in as root in this manner? I would guess using sudo. I understand doing this manually, like any shell on the machine, but does there exist any automated login scripts that try to get user, then root, or is this considered too many steps to be practical from a crackers standpoint?
Not sure, but you could allow a user restricted root commands using sudo, instead of suing to root to run a command.
Also, if you set the SSH login to accept only a key (with or without passphrase), is it considered "secure" to allow direct root logins (or rather authentications) using a key only?
I would think so, and is probably the best way to run a root required command remotely via ssh, since sudo would give the local user access to those root commands if local, while the key restricted root login would keep that process secure and not give more privilege to a user. -- Joe Morris Registered Linux user 231871 running openSUSE 10.3 x86_64
Jim Flanagan wrote:
To follow up on this, what would be involved for an automated process to log in as root in this manner?
Out of curiosity, when would this be necessary? What task cannot be done by the local root - e.g. as a cron job - or by a specific userid created for remote access? Cheers, Dave
Hi all Does/ has anybody used the "encrypt your home partition" feature ON SUSE 10.3? How transparent is it in use? Any performance overheads? Any technical primers available? Thanks wayne
Wayne and Leanne Roberts wrote:
Hi all
Does/ has anybody used the "encrypt your home partition" feature ON SUSE 10.3? How transparent is it in use? Any performance overheads? Any technical primers available?
Maybe if you start a new thread, instead of just hijacking the thread "Subject: Re: [opensuse] Sshd _config options" then people might be more responsive to your plea.
On Fri, January 18, 2008 5:38 am, Aaron Kulkis wrote:
Wayne and Leanne Roberts wrote:
Hi all
Does/ has anybody used the "encrypt your home partition" feature ON SUSE 10.3? How transparent is it in use? Any performance overheads? Any technical primers available?
Maybe if you start a new thread, instead of just hijacking the thread "Subject: Re: [opensuse] Sshd _config options" then people might be more responsive to your plea.
Thread? This is email. There is no thread.
On Sat, 19 Jan 2008 06:18:51 -0800 (PST), PerfectReign wrote:
This is email. There is no thread.
Either you simply forgot a smiley or I don't get it. Of course there are mail threads. What do you think In-Reply-To and References in the mail header were invented for? Yes, there are those wannabe MUAs such as Outlook, Groupwise and Notes that constantly ignore the existence of In-Reply-To, but that's a different story. Philipp
On Sat, January 19, 2008 7:11 am, Philipp Thomas wrote:
On Sat, 19 Jan 2008 06:18:51 -0800 (PST), PerfectReign wrote:
This is email. There is no thread.
Either you simply forgot a smiley or I don't get it. Of course there are mail threads. What do you think In-Reply-To and References in the mail header were invented for?
Yes, there are those wannabe MUAs such as Outlook, Groupwise and Notes that constantly ignore the existence of In-Reply-To, but that's a different story.
My apologies. I forgot that you can thread emails on KMail. I have it turned off. I do the same in KNode and Pan, but forgot you can thread in email.
Am Samstag, 19. Januar 2008 17:48:34 schrieb PerfectReign:
My apologies. I forgot that you can thread emails on KMail.
I have it turned off. I do the same in KNode and Pan, but forgot you can thread in email. It's not just Kmail :) it is actually a standard and part of RFC 822: 4.6.1 & 4.6.2.
Greetings Michael P.S.: Sorry for PM - my bad :/
The Saturday 2008-01-19 at 08:48 -0800, PerfectReign wrote:
On Sat, January 19, 2008 7:11 am, Philipp Thomas wrote:
On Sat, 19 Jan 2008 06:18:51 -0800 (PST), PerfectReign wrote:
This is email. There is no thread.
Either you simply forgot a smiley or I don't get it. Of course there are mail threads. What do you think In-Reply-To and References in the mail header were invented for?
Yes, there are those wannabe MUAs such as Outlook, Groupwise and Notes that constantly ignore the existence of In-Reply-To, but that's a different story.
My apologies. I forgot that you can thread emails on KMail.
All decent mail programs do thread. Thunderbird, Mozilla, Kmail, even text only clients like Pine or mutt. Gmail web client does thread, but it calls it "conversations". And the archive is threaded. Even Outlook does thread: X-Mailer: Microsoft Office Outlook 12.0 Thread-Index: AchZxUFbeX4hpExoQh2zru0l/TqnbgAAC2AA Although being Microsoft, it uses something else instead of the standard. -- Cheers, Carlos E. R.
Joe Sloan wrote:
PerfectReign wrote:
There is no thread.
The oracle will see you now.
That's the funniest thing I've read all week!
Aaron Kulkis wrote:
Joe Sloan wrote:
PerfectReign wrote:
There is no thread.
The oracle will see you now.
That's the funniest thing I've read all week!
Finally, someone got it! Joe
On Friday January 18 2008 03:32:13 Wayne and Leanne Roberts wrote:
Hi all
Does/ has anybody used the "encrypt your home partition" feature ON SUSE 10.3? How transparent is it in use? Any performance overheads? Any technical primers available?
Thanks wayne I selected this feature during installation on a Lenovo T61 laptop and it just worked... no problems encountered thus far. I ran some informal tests between encrypted and non-encrypted partitions and could not see an appreciable difference in performance. The wikipedia page http://en.wikipedia.org/wiki/Cryptsetup is a launching point for some basic background on the subject.
cheers, Rick
Thanks all for the reply.
Dave Howorth wrote:
Jim Flanagan wrote:
To follow up on this, what would be involved for an automated process to log in as root in this manner?
Out of curiosity, when would this be necessary? What task cannot be done by the local root - e.g. as a cron job - or by a specific userid created for remote access?
Cheers, Dave
As an example, for a while I was uploading web page changes remotely using scp over ssh. htdocs is root so I logged in as root. To keep things simple I didn't modify htdocs permissions to allow any other user to write. (At that time I had a router that I could administer remotely as well, so I would log into my router, open port 22 to my server, then ssh into the server as root to make the changes. After that session I would re-log into my router and close port 22 again. That router eventually failed and my current one does not allow remote admin, so I simply keep port 22 closed, but I'd like to have remote access again). Jim F
Kain, Becki (B.) wrote:
Hi folks:
I can't find a good write up of the options of PermitRootLogin - yes, no, without-passwd, etc... Can someone point me in the right direction? thanks
man sshd_config
PermitRootLogin Specifies whether root can login using ssh(1). The argument must be ``yes'', ``without-password'', ``forced-commands-only'' or ``no''. The default is ``yes''.
If this option is set to ``without-password'' password authentication is disabled for root. Note that other authentication methods (e.g., keyboard-interactive/PAM) may still allow root to login using a password.
If this option is set to ``forced-commands-only'' root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
If this option is set to ``no'' root is not allowed to login.
Best regards Sylvester Lykkehus
-- A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
Kain, Becki (B.) wrote:
Hi folks:
I can't find a good write up of the options of PermitRootLogin - yes, no, without-passwd, etc... Can someone point me in the right direction? thanks
There is a very valid and good reason you CAN'T! This is a very bad idea, see the better way below - but, at your own risk:
To setup login without a password:
In your home directory
cd .ssh
ssh-keygen -t dsa (hit return twice for no password)
cp id_dsa.pub id_dsa.pub.newname (prevents overwriting id_dsa.pub on remote machine)
cp or scp id_dsa.pub.newname to /root/.ssh of the machine you have allowed root logins on (Not a good or secure idea - nevertheless)
login to that machine as root, cd /root/.ssh
cat id_dsa.pub.newname >> authorized_keys
logout
ssh root@the.machineyouletrootloginon.com should now work without a password
(I repeat, allowing root ssh access is NOT a good idea.)
A far better way if you need to conduct business as root over ssh is to:
On the machine the operations need to be done as root
as root cd /root/.ssh
ssh-keygen -t dsa
cp id_dsa.pub id_dsa.pub.othernewname (I usually append the host name as othernewname)
scp id_dsa.pub.othernewname user@remote.nonrootmachine:~/.ssh
On the machine that doesn't need operations as root
cd ~/.ssh
cat id_dsa.pub.othernewname >> authorized_keys
Now you can execute any script as root requiring root privileges on that machine, and as root ssh user@remote.nonrootmachine without a password and pull any data you need to over without ever permitting a root ssh login. On the non-root machine, you may have to give the specific user access to files needed by adding them to a few groups in /etc/group like wwwrun, mail, etc. and you may need to set the group ownership on the needed files and directories, but this is far better than gift wrapping a root exploit to all the script kiddies that will try forever to root your box over ssh. They only have to succeed once and you are screwed! -- David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com
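Both procedures above end with `cat ... >> authorized_keys`, which installs a key that grants a full interactive shell. The man page's ``forced-commands-only'' value and its remote-backup use case rely on the authorized_keys options that confine a key instead: `command=` forces one program regardless of what the client asks for, `from=` pins the source host, and the `no-*` options turn off pty, agent and port forwarding. The script below is an added example, not code from the thread or from OpenSSH; it builds such an entry, checks one, and appends it only if it passes. The command path `/usr/local/bin/backup-pull`, the address `10.0.0.5` and the public key in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build and check an authorized_keys entry
# that confines a key to one forced command and one source address, the form
# PermitRootLogin forced-commands-only requires, and the safer shape for any
# key that is ever appended to /root/.ssh/authorized_keys.
# All paths, addresses and key material used with these functions are
# placeholders constructed for this example.

# Print an authorized_keys line: $1 = command to force, $2 = from= pattern
# (host, IP or CIDR as sshd accepts), $3 = the bare public key line.
restricted_key_line() {
    printf 'command="%s",from="%s",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$1" "$2" "$3"
}

# Exit 0 if the options in front of the key type on line $1 force a command,
# pin the source and disable a pty and port forwarding; exit 1 otherwise.
# A bare key line (no options at all) is reported as unrestricted. A forced
# command whose text itself contains " ssh-" would confuse the key-type match.
key_line_is_restricted() {
    printf '%s\n' "$1" | awk '
        {
            if (!match($0, /(^| )(ssh|ecdsa)-[^ ]+ /)) exit 1   # no key type found
            opts = substr($0, 1, RSTART - 1)                   # text before the key type
            if (index(opts, "command=\"") && index(opts, "from=\"") &&
                index(opts, "no-pty") && index(opts, "no-port-forwarding"))
                exit 0
            exit 1
        }'
}

# Append line $1 to authorized_keys file $2 only when it passes the check
# above and is not already present; return 1 for an unrestricted line.
add_restricted_key() {
    key_line_is_restricted "$1" || return 1
    grep -qxF -- "$1" "$2" 2>/dev/null && return 0
    printf '%s\n' "$1" >> "$2"
}

# Usage (placeholders): the backup client at 10.0.0.5 may only run the pull script.
#   pub=$(cat /root/.ssh/backup_client.pub)
#   line=$(restricted_key_line /usr/local/bin/backup-pull 10.0.0.5 "$pub")
#   add_restricted_key "$line" /root/.ssh/authorized_keys
```

The forced command receives what the client asked for in `SSH_ORIGINAL_COMMAND`, so a wrapper script can log and reject anything other than the expected backup invocation. OpenSSH 7.2 and later also accept a single `restrict` option that switches off every forwarding and pty feature at once; the explicit `no-*` list above works on the older releases this thread is about.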
David C. Rankin wrote:
Kain, Becki (B.) wrote:
Hi folks:
I can't find a good write up of the options of PermitRootLogin - yes, no, without-passwd, etc... Can someone point me in the right direction? thanks
There is a very valid and good reason you CAN'T! This is a very bad idea, see the better way below - but, at your own risk:
To setup login without a password:
In your home directory
cd .ssh ssh-keygen -t dsa (hit return twice for no password) cp id_dsa.pub id_dsa.pub.newname (prevents overwriting id_dsa.pub on remote machine) cp or scp id_dsa.pub.newname to /root/.ssh of the machine you have allowed root logins on (Not a good or secure idea - nevertheless) login to that machine as root, cd /root/.ssh cat id_dsa.pub.newname >> authorized_keys logout ssh root@the.machineyouletrootloginon.com should now work without a password
(I repeat, allowing root ssh access is NOT a good idea.)
A far better way if you need to conduct business as root over ssh is to:
On the machine the operations need to be done as root
as root cd /root/.ssh ssh-keygen -t dsa cp id_dsa.pub id_dsa.pub.othernewname (I usually append the host name as othernewname) scp id_dsa.pub.othernewname user@remote.nonrootmachine:~/.ssh
On the machine that doesn't need operations as root
cd ~/.ssh cat id_dsa.pub.othernewname >> authorized_keys
Now you can execute any script as root requiring root privileges on that machine, and as root ssh user@remote.nonrootmachine without a password and pull any data you need to over without ever permitting a root ssh login. On the non-root machine, you may have to give the specific user access to files needed by adding them to a few groups in /etc/group like wwwrun, mail, etc. and you may need to set the group ownership on the needed files and directories, but this is far better than gift wrapping a root exploit to all the script kiddies that will try forever to root your box over ssh. They only have to succeed once and you are screwed!
And fired.
Kain, Becki (B.) wrote:
Hi folks:
I can't find a good write up of the options of PermitRootLogin - yes, no, without-passwd, etc... Can someone point me in the right direction? thanks
I just saw this article yesterday. It is different than what David is recommending though. http://www.howtoforge.com/ssh-best-practices Jim F
Kain, Becki (B.) wrote:
Hi folks:
I can't find a good write up of the options of PermitRootLogin - yes, no, without-passwd, etc... Can someone point me in the right direction
<http://www.justfuckinggoogleit.com/> Here's a more helpful answer: <http://www.google.com/search?num=100&hl=en&client=mozilla&rls=org.mozilla:en-US:unofficial&lr=lang_en&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=PermitRootLogin+without-passwd&spell=1> SSH PermitRootLogin, yes, Can be “yes”, “without-password”, “forced-commands-only” or "no". without-passwd - must use keys forced-commands-only ... www.cs.drexel.edu/~gholder/Courses/cs480/SSH.html - 3k - Cached - Similar pages sshd_conf PermitRootLogin (yes|(without-passwd|nopwd)|forced-command-only|no); StrictModes yes; PubkeyAuthentication yes; HostbasedAuthentication no # v2 /etc/hosts. ... www.pburkholder.com/sysadmin/SSH-talk/text32.htm - 2k - Cached - Similar pages ssh connection without password prompt. : password, ssh, without ... It you want to use ssh login without passwd between different box, .... Also you might want to try PermitRootLogin Yes in sshd_config and see what that does ... www.experts-exchange.com/Security/Unix_Security/Q_21420647.html - 97k - Cached - Similar pages openssh Quick Ref sshd AllowTcpForwarding, Google, Page 1. root rsh from windows to linux without passwd, Google, Page 1 .... aix sshd permitrootlogin, Google, Page 1 ... www.scribd.com/doc/3604/openssh-Quick-Ref - 564k - Cached - Similar pages openssh Quick Ref root rsh from windows to linux without passwd, Google, Page 1 .... Permitrootlogin aix, Google, Page 1. tunnelier "import key", Google, Page 1 ... www.scribd.com/doc/3604/openssh-Quick-Ref?query2=ssh+HUP - 250k - Cached - Similar pages
Aaron Kulkis wrote:
Kain, Becki (B.) wrote:
Hi folks:
I can't find a good write up of the options of PermitRootLogin - yes, no, without-passwd, etc... Can someone point me in the right direction
I wouldn't have believed it if I hadn't seen it my self. It's a keeper. Thanks Aaron. -- David C. Rankin, J.D., P.E. Rankin Law Firm, PLLC 510 Ochiltree Street Nacogdoches, Texas 75961 Telephone: (936) 715-9333 Facsimile: (936) 715-9339 www.rankinlawfirm.com
participants (16)
- Aaron Kulkis
- Carlos E. R.
- Dave Howorth
- David C. Rankin
- Hans Witvliet
- Jim Flanagan
- Joe Morris (NTM)
- Joe Sloan
- Kain, Becki (B.)
- M. Skiba
- M. Todd Smith
- PerfectReign
- Philipp Thomas
- Rick Smegal
- Sylvester Lykkehus
- Wayne and Leanne Roberts