[opensuse] Can not log in via SSH on OSS 11.4, connection closes immediately
Dear all, I can no longer log in using SSH on a server machine. What I see on logging in is:

[QUOTE]
jablaka:~ web$ ssh -p19999 root@mail.test.com
Last login: Tue Aug 16 11:41:01 2011 from herkules.test2.com
Have a lot of fun...
Connection to mail.test.com. closed.
[/QUOTE]

In the log file, I see:

sshd: Accepted public key frrom...
sshd: pam_unix2(sshd:session): session started for user root: service=sshd, tty=ssh, rhost=herkules.test2.com
sshd: error: PAM: pam_open_session(): Permission denied

When I start sshd -d, I see the following responses:

debug1: do_pam_account: called
Accepted publickey for root from 10.0.0.1 port 42015 ssh2
debug1: monitor_child_preauth: root has been authenticated by privileged process
debug1: PAM: establishing credentials
PAM: pam_open_session(): Permission denied
debug1: Entering interactive session for SSH2

The users should be authenticated against a (local) LDAP server, using SSSD; I can log in via shell locally as well as via Samba, so I think that it's not an LDAP issue.

The history of this failure was that I had to fiddle around with the AppArmor tool before, because I had installed AppArmor unintentionally. I managed to make SSHD work with AppArmor; but as AppArmor caused thousands of other problems (samba, ldap, etc.) I decided to switch off AppArmor again, with the side-effect that everything works nicely now except SSHD...

Would be nice to receive any hint.

Best regards,
Johannes

--
Johannes Weberhofer
Weberhofer GmbH, Austria, Vienna

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Johannes Weberhofer wrote:
> Dear all, I can no longer log in using SSH on a server machine. What I see on logging in is:
Does this apply to other non-root user accounts as well? If so, disregard my comments as they do not apply directly to your scenario. My apologies in advance.
> [QUOTE]
> jablaka:~ web$ ssh -p19999 root@mail.test.com
> Last login: Tue Aug 16 11:41:01 2011 from herkules.test2.com
> Have a lot of fun...
> Connection to mail.test.com. closed.
> [/QUOTE]
> In the log file, I see:
>
> sshd: Accepted public key frrom...
> sshd: pam_unix2(sshd:session): session started for user root: service=sshd, tty=ssh, rhost=herkules.test2.com
> sshd: error: PAM: pam_open_session(): Permission denied
Most excellent. The only place you should allow a root login is on the local console.
> When I start sshd -d, I see the following responses:
>
> debug1: do_pam_account: called
> Accepted publickey for root from 10.0.0.1 port 42015 ssh2
> debug1: monitor_child_preauth: root has been authenticated by privileged process
> debug1: PAM: establishing credentials
> PAM: pam_open_session(): Permission denied
> debug1: Entering interactive session for SSH2
>
> The users should be authenticated against a (local) LDAP server, using SSSD;
Does not matter what/which auth scheme is in use - I would not allow any auth for root to login remotely. Period.
> I can log in via shell locally as well as via Samba, so I think that it's not an LDAP issue. The history of this failure was that I had to fiddle around with the AppArmor tool before, because I had installed AppArmor unintentionally. I managed to make SSHD work with AppArmor; but as AppArmor caused thousands of other problems (samba, ldap, etc.) I decided to switch off AppArmor again, with the side-effect that everything works nicely now except SSHD...
>
> Would be nice to receive any hint.
And again - my apologies in advance as this is most likely what you do not want to hear. Never, never allow root to log in remotely. Configure certain user accounts with the ability to su to root, log in as those users and use 'su -'. Allowing any/all remote root logins as a general policy is a bad idea. If this is an accepted practice, the policy should be re-examined by experienced sysadmins who possess the ability to explain to management why this is a bad idea (I'm not good at such things).

-Mike
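As an added example (not from the thread or from either poster), a small Python checker that turns the two points above into something a sysadmin can run over a log: it flags accepted remote root logins, correlates a PAM pam_open_session failure with the login that preceded it using the sshd PID, and reads the effective PermitRootLogin value from an sshd_config. The log lines are constructed to resemble the thread's excerpts, and the assumed default of 'yes' for PermitRootLogin reflects OpenSSH of the 11.4 era.

```python
import re

# Constructed sample sshd/syslog lines modelled on the thread's excerpts (not a real log).
SAMPLE_LOG = """\
Aug 16 11:41:01 mail sshd[4711]: Accepted publickey for root from 10.0.0.1 port 42015 ssh2
Aug 16 11:41:01 mail sshd[4711]: pam_unix2(sshd:session): session started for user root: service=sshd, tty=ssh, rhost=herkules.test2.com
Aug 16 11:41:01 mail sshd[4711]: error: PAM: pam_open_session(): Permission denied
Aug 16 11:45:10 mail sshd[4720]: Accepted publickey for web from 10.0.0.7 port 50001 ssh2
Aug 16 11:45:10 mail sshd[4720]: pam_unix2(sshd:session): session started for user web: service=sshd, tty=ssh, rhost=jablaka.test.com
"""

# Assumed line shapes: "sshd[PID]: Accepted METHOD for USER from IP port N ..." and the
# PAM error exactly as quoted in the thread.
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
PAM_FAIL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: PAM: pam_open_session\(\): (?P<reason>.+?)\s*$")


def analyze(log_text):
    """Return findings as tuples: accepted remote root logins, and sessions where PAM
    refused to open after authentication had already succeeded (correlated by sshd PID)."""
    accepted = {}  # pid -> (user, ip, method), so a PAM error can be tied to its login
    findings = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m["pid"]] = (m["user"], m["ip"], m["method"])
            if m["user"] == "root":
                findings.append(("remote_root_login", m["user"], m["ip"], m["method"]))
            continue
        m = PAM_FAIL_RE.search(line)
        if m:
            user, ip, _ = accepted.get(m["pid"], ("?", "?", "?"))
            findings.append(("pam_session_denied", user, ip, m["reason"]))
    return findings


def permit_root_login(sshd_config_text, default="yes"):
    """Effective PermitRootLogin from an sshd_config: sshd keeps the first value it reads.
    Match blocks are ignored. Default 'yes' is an assumption for OpenSSH of the 11.4 era."""
    for line in sshd_config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return default
```

Running analyze(SAMPLE_LOG) yields one remote_root_login finding and one pam_session_denied finding tied to the same root login from 10.0.0.1.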
Participants (2):
- Johannes Weberhofer
- Michael Powell