Re: Fwd: Non interactive ssh connection
On Fri, 2009-04-17 at 15:39 +0200, Francesco Pietra wrote:
> I have now appended ~/.bashrc to ~/.profile, logout and login at all machines, and what I want to source NON-INTERACTIVELY written in ~/.bashrc was not sourced from command
>
> thisnode$ ssh othernode env | sort
>
> The output (below, between ===) was the same as when ~/.bashrc was not appended to ~/.profile

Can you post the content of your .bashrc, .profile, and .bash_profile. (If any of those don't exist that's ok, just say that it doesn't exist.)

--
Alex Malinovich
Support Free Software, delete your Windows partition TODAY!
Encrypted mail preferred. You can get my public key from any of the pgp.net keyservers. Key ID: A6D24837
Re: Non interactive ssh connection
This is a cumulative reply to you and Alex, with thanks

My aim is that what is in ~/.bashrc is sourced NON-INTERACTIVELY. Currently that does not occur and the openmpi parallelization does not function (the command

mpirun -host hostname -n number_of_processors connectivity_c

fails because a library from the compiler is not found). That library is sourced from ~/.bashrc, though interactively. In fact, the command

thisnode$ ssh othernode env | sort

does not show the compiler variables set in there, nor an LD_LIBRARY_PATH indicating where the compiler libraries are located.

Below the ~/.profile, which is the same in all machines on the internal network.

===
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi
===

Perhaps FOR NON_LOGIN SHELLS, I should place my settings in /etc/bash.bashrc and have it sourced in /etc/profile. Currently /etc/bash.bashrc reads:

===
# System-wide .bashrc file for interactive bash(1) shells.

# To enable the settings / commands in this file for login shells as well,
# this file has to be sourced in /etc/profile.

# If not running interactively, don't do anything
[ -z "$PS1" ] && return

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then
    debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, overwrite the one in /etc/profile)
PS1='${debian_chroot:+($debian_chroot)}...@\h:\w\$ '

# Commented out, don't overwrite xterm -T title -n icontitle by default.
# If this is an xterm set the title to u...@host:dir
#case $TERM in
#xterm*|rxvt*)
#PROMPT_COMMAND='echo -ne \033]0;${us...@${hostname}: ${PWD}\007'
#;;
#*)
#;;
#esac

# enable bash completion in interactive shells
#if [ -f /etc/bash_completion ]; then
#. /etc/bash_completion
#fi

# if the command-not-found package is installed, use it
if [ -x /usr/lib/command-not-found ]; then
    function command_not_found_handle {
        # check because c-n-f could've been removed in the meantime
        if [ -x /usr/lib/command-not-found ]; then
            /usr/bin/python /usr/lib/command-not-found -- $1
            return $?
        else
            return 127
        fi
    }
fi
===

while /etc/profile reads:

===
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

if [ "`id -u`" -eq 0 ]; then
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
else
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
fi

if [ "$PS1" ]; then
    if [ "$BASH" ]; then
        PS1='\...@\h:\w\$ '
    else
        if [ "`id -u`" -eq 0 ]; then
            PS1='# '
        else
            PS1='$ '
        fi
    fi
fi

export PATH

umask 022
===

Thanks a lot for indicating how to get things running.

francesco

Thanks
francesco

On Thu, Apr 16, 2009 at 9:15 PM, Jochen Schulz m...@well-adjusted.de wrote:
> Francesco Pietra:
> > when I do a non interactive ssh connection, the .bashrc and .bash_profile files in the home directory are not executed during the login. Indeed I need that ssh reads the .bashrc file during a non interactive login, in order to run mpi jobs, that uses program placed in non-conventional paths.
>
> Check the default shell of the user in /etc/passwd. Only bash reads .bash_profile. Renaming it to .profile might help (if it doesn't contain bashisms).
>
> J.
> --
> It is not in my power to change anything.
> [Agree] [Disagree]
> http://www.slowlydownward.com/NODATA/data_enter2.html

-- To UNSUBSCRIBE, email to debian-amd64-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
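An added illustration, not written by any of the posters: the script below rebuilds the ~/.profile quoted above in a scratch HOME and reports which non-interactive bash invocations end up with LD_LIBRARY_PATH set. It assumes ~/.bashrc opens with the same `[ -z "$PS1" ] && return` guard as the posted /etc/bash.bashrc; /opt/compiler/lib is a placeholder path, and the function names are made up for the example.

```bash
#!/bin/sh
# Added example with constructed files: which start-up files a NON-interactive
# bash reads, tried in a scratch HOME so the real account is untouched.

# make_home DIR ORDER -- ORDER is "guard-first" or "export-first"
make_home() {
    mkdir -p "$1"
    # ~/.profile as quoted in the thread: pulls in ~/.bashrc when running bash
    cat > "$1/.profile" <<'EOF'
if [ -n "$BASH_VERSION" ]; then
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi
EOF
    # Assumption: ~/.bashrc carries the same guard as the posted /etc/bash.bashrc
    guard='[ -z "$PS1" ] && return'
    # /opt/compiler/lib is a placeholder for the compiler's library directory
    setting='export LD_LIBRARY_PATH=/opt/compiler/lib'
    if [ "$2" = guard-first ]; then
        printf '%s\n%s\n' "$guard" "$setting" > "$1/.bashrc"
    else
        printf '%s\n%s\n' "$setting" "$guard" > "$1/.bashrc"
    fi
}

# probe DIR MODE -- print the LD_LIBRARY_PATH seen by the command bash runs
#   plain   : bash -c, non-login and non-interactive (reads no start-up file)
#   login   : bash -l -c, reads /etc/profile and then ~/.profile
#   bashenv : bash -c with BASH_ENV naming ~/.bashrc
probe() {
    show='printf "LLP=%s\n" "${LD_LIBRARY_PATH-}"'
    case $2 in
        plain)   env -i HOME="$1" PATH="$PATH" bash -c "$show" ;;
        login)   env -i HOME="$1" PATH="$PATH" bash -l -c "$show" ;;
        bashenv) env -i HOME="$1" PATH="$PATH" BASH_ENV="$1/.bashrc" bash -c "$show" ;;
    esac 2>/dev/null | sed -n 's/^LLP=//p' | tail -n 1
}

# check ORDER MODE -- build a scratch HOME, probe it, clean up
check() {
    dir=$(mktemp -d) || return 1
    make_home "$dir" "$1"
    probe "$dir" "$2"
    rm -rf "$dir"
}

# report -- print the result for every layout and invocation mode
report() {
    for order in guard-first export-first; do
        for mode in plain login bashenv; do
            printf '%-13s %-8s LD_LIBRARY_PATH=%s\n' \
                "$order" "$mode" "$(check "$order" "$mode")"
        done
    done
}

report
```

With the guard first, the export is never reached because PS1 is empty in a non-interactive shell; with the export above the guard, the login and BASH_ENV cases pick it up, while a plain `bash -c` reads neither file.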
Non interactive ssh connection
From google I came across the request below to debian. As the issue seems to be at the basis of my problems to execute parallel programs since I upgraded from amd64 etch to amd64 lenny, I wonder whether there is a described procedure to correct the issue for amd64 (i.e., to have .bashrc read on the remote machine when sshing env | sort). Other linux users are quite surprised that this does not work (in my hands) with amd64 lenny.

thanks
francesco pietra

I have the following problem with the debian openssh package (ver. 1:4.6p1-5): when I do a non interactive ssh connection, the .bashrc and .bash_profile files in the home directory are not executed during the login. Indeed I need that ssh reads the .bashrc file during a non interactive login, in order to run mpi jobs, that uses program placed in non-conventional paths. I check this feature in different linux distro (archlinux, opensuse, etc.) and generally during a non-interactive login the .bashrc file is executed. It is possible to disable this feature in some way also recompiling the packages?

Best regards
Michele Vascellari
Re: Non interactive ssh connection
On Thu, 2009-04-16 at 19:40 +0200, Francesco Pietra wrote:
> --snip--
> when I do a non interactive ssh connection, the .bashrc and .bash_profile files in the home directory are not executed during the login. Indeed I need that ssh reads the .bashrc file during a non interactive login, in order to run mpi jobs, that uses program placed in non-conventional paths.

Depending on how you log in, at least one of those should be available. By default, a non-interactive login shell *will* read ~/.bash_profile, but *not* ~/.bashrc. Can you verify that neither of them is being executed?

--
Alex Malinovich
Support Free Software, delete your Windows partition TODAY!
Encrypted mail preferred. You can get my public key from any of the pgp.net keyservers. Key ID: A6D24837
Re: Non interactive ssh connection
Francesco Pietra:
> when I do a non interactive ssh connection, the .bashrc and .bash_profile files in the home directory are not executed during the login. Indeed I need that ssh reads the .bashrc file during a non interactive login, in order to run mpi jobs, that uses program placed in non-conventional paths.

Check the default shell of the user in /etc/passwd. Only bash reads .bash_profile. Renaming it to .profile might help (if it doesn't contain bashisms).

J.
--
It is not in my power to change anything.
[Agree] [Disagree]
http://www.slowlydownward.com/NODATA/data_enter2.html
Re: ssh
Francesco Pietra wrote:
> > > > That's odd. I am able to get commands to work over SSH without a password. I copied the contents of ~/.ssh/id_rsa.pub on my work computer into ~/.ssh/authorized_keys on my home computer. Now I can SSH from my work computer to my home computer like this:
> > > >
> > > > ssh m...@myhomepc date
> > > >
> > > > And it logs into my home computer and then runs the date command. I did not have to do anything with the authorized_keys file on my work computer to make this happen.
> > >
> > > That's all appropriate. You only need to modify authorized_keys in both places if you want the symmetric relationship that either machine can log into the other.
> >
> > Correct. I mentioned that I did not have to alter the authorized_keys file on my work PC in response to the OP's statement:
> >
> >     I know how to solve the issue, i.e. by cross appending the authorized_keys files, in order that each machine knows itself. But there must be a simpler way.
> >
> > I have no idea why you would need to do something like that. I have never had to cross-append anything in order to make this work. I just wanted to clarify for the OP that the keys only need to be shared in one direction to do this. He seems to indicate that the passwordless login works just fine unless he tries to run a command through the ssh command line. I don't know why that would make a difference.
>
> Big difference for me. As I said in my original post, certain computational parallelized codes (from major supercomputer centers, latest versions) do not work unless the two machines talking to one another also know themselves. Usually, the two machines are my desktop (let say deb32) and my parallel computer (let say deb64) talking to one another via a router. The only way I found (perhaps suggested by the author of the code, I don't remember) to login passwordless (my arrangement is also passphraseless) to the parallel computer - and vice versa - while requesting the date, is to take the deb32 keys from deb64 and append them to those of deb32 itself, and vice versa.
>
> I admit that most codes do not care about that, but it happens that I am using at this very moment a code that has such idiosyncrasy. When I said there must be a simpler way, I meant to make that appending intrinsic in the configuration of ssh. Otherwise, I have to stay to ssh if I want (as I need) also to access supercomputers.
>
> I am surprised that others are able to login while running a command by simply sending one-way the keys. As I am no system expert, I assume that I am not setting up correctly ssh.
>
> regards
> francesco

Francesco,

If I understand you correctly, you are trying to ssh from your PC running 32-bit Lenny to a node in a parallel computing cluster running 64-bit Lenny. Is this correct? I'm not sure why a simple one-way shared key would not work if you are trying to run a command on the parallel computer from your PC. You shouldn't need two-way authentication unless the parallel computer needs to run something on your machine using the same tunnel. But I might be misunderstanding how you have things set up.

- Dave

P.S. I sent this reply back to the lists so this conversation wouldn't go completely off-list, in case someone else is interested too.

--
Dave Parker
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
ssh
Hi:

Is any 'send file' command to make so that two machines (an amd64 multisocket and a simple i386, both lenny) talk scp with one another through a router (attached to adsl) fully without asking the password? With 'fully' I mean that command:

ssh target_machine_name date

gives the date without asking a password. The mere sending id_rsa.pub to create the authorized_keys file only works (without asking the password) for command:

ssh target_machine_name

but if 'date' is also requested, the password is needed (at least in my hands).

I know how to solve the issue, i.e. by cross appending the authorized_keys files, in order that each machine knows itself. But there must be a simpler way.

Why that need? Certain parallelized computational codes only work if the above 'fully' is met. I came once again across the issue in reinstalling i386 following a died HD.

Thanks
francesco pietra
Re: ssh
Francesco Pietra chiendar...@gmail.com writes:
> ssh target_machine_name date
>
> gives the date without asking a password. The mere sending id_rsa.pub to create the authorized_keys file only works (without asking the password) for command:
>
> ssh target_machine_name

In the case of the first command, are you running it interactively or non-interactively from, say, cron or a batch job system? If the latter is the case, you either must use passphrase-less SSH keys (insecure) or load an ssh-agent once interactively and cause all subsequent, non-interactive access to find and use that loaded agent. The keychain package might help here.

OTOH, if you are indeed running the remote date command interactively then I have no clue

Luck,
-Brett.
Re: ssh
> Is any 'send file' command to make so that two machines (an amd64 multisocket and a simple i386, both lenny) talk scp with one another through a router (attached to adsl) fully without asking the password? With 'fully' I mean that command:
>
> ssh target_machine_name date
>
> gives the date without asking a password. The mere sending id_rsa.pub to create the authorized_keys file only works (without asking the password) for command:
>
> ssh target_machine_name
>
> but if 'date' is also requested, the password is needed (at least in my hands).
>
> I know how to solve the issue, i.e. by cross appending the authorized_keys files, in order that each machine knows itself. But there must be a simpler way.

That's odd. I am able to get commands to work over SSH without a password. I copied the contents of ~/.ssh/id_rsa.pub on my work computer into ~/.ssh/authorized_keys on my home computer. Now I can SSH from my work computer to my home computer like this:

ssh m...@myhomepc date

And it logs into my home computer and then runs the date command. I did not have to do anything with the authorized_keys file on my work computer to make this happen.

- Dave

--
Dave Parker
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
passwordless ssh
Other alternatives (that don't work as well over internet) - and only if there is a limited number of programs that you need access to - would be to use snmp or inetd.

SNMP: Set up an own OID to return the values you are asking for.

Inetd/Xinetd: telnet to a specific port - will start a program on the master that returns some output.

But if we are talking about an arbitrary program - and especially over the internet - ssh with exchanged keys is preferable.

If you find any of the above alternatives attractive - please let me know and I can give you some examples.

Johan Elmerfjord
Manager, Unix Systems Administration EMEA
Omniture
Re: ssh
On Tue, Jan 20, 2009 at 11:06 AM, David A. Parker dpar...@utica.edu wrote:
> > Is any 'send file' command to make so that two machines (an amd64 multisocket and a simple i386, both lenny) talk scp with one another through a router (attached to adsl) fully without asking the password? With 'fully' I mean that command:
> >
> > ssh target_machine_name date
> >
> > gives the date without asking a password. The mere sending id_rsa.pub to create the authorized_keys file only works (without asking the password) for command:
> >
> > ssh target_machine_name
> >
> > but if 'date' is also requested, the password is needed (at least in my hands).
> >
> > I know how to solve the issue, i.e. by cross appending the authorized_keys files, in order that each machine knows itself. But there must be a simpler way.
>
> That's odd. I am able to get commands to work over SSH without a password. I copied the contents of ~/.ssh/id_rsa.pub on my work computer into ~/.ssh/authorized_keys on my home computer. Now I can SSH from my work computer to my home computer like this:
>
> ssh m...@myhomepc date
>
> And it logs into my home computer and then runs the date command. I did not have to do anything with the authorized_keys file on my work computer to make this happen.

That's all appropriate. You only need to modify authorized_keys in both places if you want the symmetric relationship that either machine can log into the other.

What's going on is that when you copy id_rsa.pub (or id_dsa.pub, or some other *.pub that might be specifically configured) from host A into ~/.ssh/authorized_keys on host B, then this authorizes connections from A to B.

If you put that file into ~/.ssh/authorized_keys on host *A*, then that would enable connections from B to A.

Copy the data twice, and you get two results.

As for the original poster's question about other mechanisms, it's certainly *possible* to come up with other ways to connect without using a password, but that seems likely to be somewhat risky, security-wise.

The package openssh-client includes a utility called ssh-copy-id which provides a way to copy a key into ~/.ssh/authorized_keys a bit more easily.

Typical usage would be:

$ ssh-agent bash
[this starts up an ssh agent, which ssh-copy-id needs in order to be able to know where to get a key to copy over...]
$ ssh-add ~/.ssh/id_rsa
[this tells the ssh agent about this key. This could require entering a password, depending on how the key was set up]
$ ssh-copy-id some-u...@some-host
Password:
[You'll need to enter the password, the first time; ssh-copy-id then copies the public key into place...]

After that, you'd be able to submit, without further password requests, or any further copying of ssh data...

$ ssh some-u...@somehost date

and get the expected result.

--
http://linuxfinances.info/info/linuxdistributions.html
Katharine Hepburn - Death will be a great relief. No more interviews.
Re: ssh
Christopher Browne wrote:
> On Tue, Jan 20, 2009 at 11:06 AM, David A. Parker dpar...@utica.edu wrote:
> > > Is any 'send file' command to make so that two machines (an amd64 multisocket and a simple i386, both lenny) talk scp with one another through a router (attached to adsl) fully without asking the password? With 'fully' I mean that command:
> > >
> > > ssh target_machine_name date
> > >
> > > gives the date without asking a password. The mere sending id_rsa.pub to create the authorized_keys file only works (without asking the password) for command:
> > >
> > > ssh target_machine_name
> > >
> > > but if 'date' is also requested, the password is needed (at least in my hands).
> > >
> > > I know how to solve the issue, i.e. by cross appending the authorized_keys files, in order that each machine knows itself. But there must be a simpler way.
> >
> > That's odd. I am able to get commands to work over SSH without a password. I copied the contents of ~/.ssh/id_rsa.pub on my work computer into ~/.ssh/authorized_keys on my home computer. Now I can SSH from my work computer to my home computer like this:
> >
> > ssh m...@myhomepc date
> >
> > And it logs into my home computer and then runs the date command. I did not have to do anything with the authorized_keys file on my work computer to make this happen.
>
> That's all appropriate. You only need to modify authorized_keys in both places if you want the symmetric relationship that either machine can log into the other.

Correct. I mentioned that I did not have to alter the authorized_keys file on my work PC in response to the OP's statement:

    I know how to solve the issue, i.e. by cross appending the authorized_keys files, in order that each machine knows itself. But there must be a simpler way.

I have no idea why you would need to do something like that. I have never had to cross-append anything in order to make this work. I just wanted to clarify for the OP that the keys only need to be shared in one direction to do this.

He seems to indicate that the passwordless login works just fine unless he tries to run a command through the ssh command line. I don't know why that would make a difference. He also mentioned scp, and I think the better alternative would be to run sftp with a batch file.

- Dave

--
Dave Parker
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
Re: Solved: Problem loggin in via ssh AND ldap
Heinrich Rebehn wrote:
> Heinrich Rebehn wrote:
> > Hi all,
> >
> > this is my first post to this list. I searched the archives for this problem but could not find anything.
> >
> > I installed Debian Sarge on an Athlon64 3000+ from amd64.debian.net. I configured the machine to use ldap for authentication and automounting. This setup is working fine on our i386 machines running Sarge.
> >
> > Relevant packages installed:
> >
> > autofs-ldap    4.1.3+4.1.4bet  LDAP map support for autofs
> > ldap-utils     2.2.23-8        OpenLDAP utilities
> > libldap-2.2-7  2.2.23-8        OpenLDAP libraries
> > libldap2       2.1.30-8        OpenLDAP libraries
> > libnss-ldap    238-1           NSS module for using LDAP as a naminservic
> > ssh            3.8.1p1-8.sarg  Secure rlogin/rsh/rcp replacement(OpenSSH)
> >
> > The following things work:
> > - login as root (localuser) or rebehn (ldap user) via console
> > - login as root via ssh
> >
> > The following does *not* work:
> > - login as rebehn via ssh
> >
> > /var/log/auth.log shows:
> >
> > sshd[17022]: Illegal user rebehn from :::134.102.176.10
> > sshd[17022]: (pam_unix) check pass; user unknown
> > sshd[17022]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bremerhaven.ant.uni-bremen.de
> > sshd[17022]: error: PAM: User not known to the underlying authentication module for illegal user rebehn from bremerhaven.ant.uni-bremen.de
> > sshd[17022]: Failed keyboard-interactive/pam for illegal user rebehn from :::134.102.176.10 port 57494 ssh2
> >
> > getent is working:
> >
> > [EMAIL PROTECTED] [~] # getent passwd rebehn
> > rebehn:crypted pwd:232:1020:Heinrich Rebehn:/home/rebehn:/bin/bash
> >
> > How does all this fit together? Why do getent and login via console work whereas login via ssh does not? It cannot be a ldap problem because i can login as rebehn via console. It also cannot be a ssh problem because i can login as root via ssh. I did not change any of the pam config files.
> >
> > Can anyone help? Need more info?
>
> Problem solved. A simple reboot did the trick. Normally a reboot after system changes is only required with another widely used OS ;-)
> Nevertheless i am happy now :-)
>
> Sorry for the noise,
> Heinrich

Update: I was able to reproduce the problem with a new install. After installing libnss-ldap and configuring /etc/nsswitch.conf to use ldap, one has to do a 'pkill -HUP sshd'. Just for the records.

--Heinrich
Problem loggin in via ssh AND ldap
Hi all,

this is my first post to this list. I searched the archives for this problem but could not find anything.

I installed Debian Sarge on an Athlon64 3000+ from amd64.debian.net. I configured the machine to use ldap for authentication and automounting. This setup is working fine on our i386 machines running Sarge.

Relevant packages installed:

autofs-ldap    4.1.3+4.1.4bet  LDAP map support for autofs
ldap-utils     2.2.23-8        OpenLDAP utilities
libldap-2.2-7  2.2.23-8        OpenLDAP libraries
libldap2       2.1.30-8        OpenLDAP libraries
libnss-ldap    238-1           NSS module for using LDAP as a naminservic
ssh            3.8.1p1-8.sarg  Secure rlogin/rsh/rcp replacement(OpenSSH)

The following things work:
- login as root (localuser) or rebehn (ldap user) via console
- login as root via ssh

The following does *not* work:
- login as rebehn via ssh

/var/log/auth.log shows:

sshd[17022]: Illegal user rebehn from :::134.102.176.10
sshd[17022]: (pam_unix) check pass; user unknown
sshd[17022]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bremerhaven.ant.uni-bremen.de
sshd[17022]: error: PAM: User not known to the underlying authentication module for illegal user rebehn from bremerhaven.ant.uni-bremen.de
sshd[17022]: Failed keyboard-interactive/pam for illegal user rebehn from :::134.102.176.10 port 57494 ssh2

getent is working:

[EMAIL PROTECTED] [~] # getent passwd rebehn
rebehn:crypted pwd:232:1020:Heinrich Rebehn:/home/rebehn:/bin/bash

How does all this fit together? Why do getent and login via console work whereas login via ssh does not? It cannot be a ldap problem because i can login as rebehn via console. It also cannot be a ssh problem because i can login as root via ssh. I did not change any of the pam config files.

Can anyone help? Need more info?

Regards,
Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -
Phone : +49/421/218-4664
Fax :-3341
Solved: Problem loggin in via ssh AND ldap
Heinrich Rebehn wrote:
> Hi all,
>
> this is my first post to this list. I searched the archives for this problem but could not find anything.
>
> I installed Debian Sarge on an Athlon64 3000+ from amd64.debian.net. I configured the machine to use ldap for authentication and automounting. This setup is working fine on our i386 machines running Sarge.
>
> Relevant packages installed:
>
> autofs-ldap    4.1.3+4.1.4bet  LDAP map support for autofs
> ldap-utils     2.2.23-8        OpenLDAP utilities
> libldap-2.2-7  2.2.23-8        OpenLDAP libraries
> libldap2       2.1.30-8        OpenLDAP libraries
> libnss-ldap    238-1           NSS module for using LDAP as a naminservic
> ssh            3.8.1p1-8.sarg  Secure rlogin/rsh/rcp replacement(OpenSSH)
>
> The following things work:
> - login as root (localuser) or rebehn (ldap user) via console
> - login as root via ssh
>
> The following does *not* work:
> - login as rebehn via ssh
>
> /var/log/auth.log shows:
>
> sshd[17022]: Illegal user rebehn from :::134.102.176.10
> sshd[17022]: (pam_unix) check pass; user unknown
> sshd[17022]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=bremerhaven.ant.uni-bremen.de
> sshd[17022]: error: PAM: User not known to the underlying authentication module for illegal user rebehn from bremerhaven.ant.uni-bremen.de
> sshd[17022]: Failed keyboard-interactive/pam for illegal user rebehn from :::134.102.176.10 port 57494 ssh2
>
> getent is working:
>
> [EMAIL PROTECTED] [~] # getent passwd rebehn
> rebehn:crypted pwd:232:1020:Heinrich Rebehn:/home/rebehn:/bin/bash
>
> How does all this fit together? Why do getent and login via console work whereas login via ssh does not? It cannot be a ldap problem because i can login as rebehn via console. It also cannot be a ssh problem because i can login as root via ssh. I did not change any of the pam config files.
>
> Can anyone help? Need more info?

Problem solved. A simple reboot did the trick. Normally a reboot after system changes is only required with another widely used OS ;-)
Nevertheless i am happy now :-)

Sorry for the noise,
Heinrich
Again ssh-agent problem on kde start
Hi,

I have updated 'ssl', but problem on start KDE persists (my last update was yesterday). And so it need to comment line in /etc/X11/Xsession.options.

Giulio
Re: Again ssh-agent problem on kde start
> I have updated 'ssl', but problem on start KDE persists (my last update was yesterday). And so it need to comment line in /etc/X11/Xsession.options.

Sorry, my mistake:) ssl works perfectly and now I have not more problems

Giulio
Re: Again ssh-agent problem on kde start
On 2005-10-20T10:29:22+0200 (Thursday), antongiulio05 wrote:
> I have updated 'ssl', but problem on start KDE persists (my last update was yesterday). And so it need to comment line in /etc/X11/Xsession.options.

It should've been fixed with 0.9.8a-2 of libssl/openssl.

-towo
--
Against software patents in Europe: http://swpat.ffii.org./
Mister Teatime had a truly brilliant mind, but it was brilliant like a fractured mirror, all marvellous facets and rainbows but, ultimately, also something that was broken. (Terry Pratchett in `Hogfather')
Latest libssl0.9.8a-1 causes ssh to segfault
I just did a apt-get upgrade which upgraded libssl to libssl0.9.8a-1. After this ssh segfaults. Reverting to libssl0.9.8-3 fixes this problem. Is anyone else noticing this.

Thanks,
Bharath

---
Bharath Ramesh [EMAIL PROTECTED] http://people.cs.vt.edu/~bramesh
Re: Latest libssl0.9.8a-1 causes ssh to segfault
On Tuesday 18 October 2005 16:49, Bharath Ramesh wrote:
> I just did a apt-get upgrade which upgraded libssl to libssl0.9.8a-1. After this ssh segfaults. Reverting to libssl0.9.8-3 fixes this problem. Is anyone else noticing this.

Yep, me and just about everyone else it would seem. Nearly every message posted today seems to be related to this problem. Thanks for the work around though.

Graham

> Thanks,
> Bharath
>
> ---
> Bharath Ramesh [EMAIL PROTECTED] http://people.cs.vt.edu/~bramesh
Re: Latest libssl0.9.8a-1 causes ssh to segfault
On Tue, Oct 18, 2005 at 11:49:09AM -0400, Bharath Ramesh wrote:
> I just did a apt-get upgrade which upgraded libssl to libssl0.9.8a-1. After this ssh segfaults. Reverting to libssl0.9.8-3 fixes this problem. Is anyone else noticing this.

I've just uploaded an libssl0.9.8a-2 which should fix this.

Kurt
Re: ssh login delay
On Monday 03 October 2005 15:54, Lennart Sorensen wrote:
> On Mon, Oct 03, 2005 at 12:51:56AM +0200, Gudjon I. Gudjonsson wrote:
> > This is most probably not an amd64 related problem but could someone tell me where the delay time for the failed login in ssh is set in Debian. All the computers I have access to have delay but not my amd64 one. I have looked through the internet for 2 hours without success.
>
> Usually delay on connect/login is caused by not having working DNS/hosts file to resolve the incoming IP. If DNS is working fine, it tends to be able to quickly determine if it can or can not resolve the name of the IP connecting. If DNS is not working, you will get a long delay while it waits for name lookup timeout.
>
> Len Sorensen

I don't think there is any DNS problem. ssh works perfectly on all the machines I have access to (or administrate) but one does not have any delay on password after a failed password. I would like to be able to control this parameter.

Regards
Gudjon
Re: ssh login delay
On Mon, Oct 03, 2005 at 12:51:56AM +0200, Gudjon I. Gudjonsson wrote:
> This is most probably not an amd64 related problem but could someone tell me where the delay time for the failed login in ssh is set in Debian. All the computers I have access to have delay but not my amd64 one. I have looked through the internet for 2 hours without success.

Usually delay on connect/login is caused by not having working DNS/hosts file to resolve the incoming IP. If DNS is working fine, it tends to be able to quickly determine if it can or can not resolve the name of the IP connecting. If DNS is not working, you will get a long delay while it waits for name lookup timeout.

Len Sorensen
ssh login delay
Hi This is most probably not an amd64 related problem but could someone tell me where the delay time for the failed login in ssh is set in Debian. All the computers I have access to have delay but not my amd64 one. I have looked through the internet for 2 hours without success. Thanks Gudjon
Re: ssh login delay
On Mon, Oct 03, 2005 at 12:51:56AM +0200, Gudjon I. Gudjonsson wrote: Hi This is most probably not an amd64 related problem but could someone tell me where the delay time for the failed login in ssh is set in Debian. All the computers I have access to have delay but not my amd64 one. I have looked through the internet for 2 hours without success. Possibly /etc/login.defs. I'm not sure if that applies to ssh or not. Hamish -- Hamish Moffatt VK3SB [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: ssh login delay
is it a pam auth issue? I don't see a pam module that controls that in my /etc/pam.d/ssh, but I'm not sure. jamie. On Mon, Oct 03, 2005 at 11:53:28AM +1000, Hamish Moffatt wrote: On Mon, Oct 03, 2005 at 12:51:56AM +0200, Gudjon I. Gudjonsson wrote: Hi This is most probably not an amd64 related problem but could someone tell me where the delay time for the failed login in ssh is set in Debian. All the computers I have access to have delay but not my amd64 one. I have looked through the internet for 2 hours without success. Possibly /etc/login.defs. I'm not sure if that applies to ssh or not. Hamish -- Hamish Moffatt VK3SB [EMAIL PROTECTED] [EMAIL PROTECTED]
Re: ssh
Hjalmar the Destroyer wrote: On Fri, Jul 08, 2005 at 12:56:35AM +0300, Modestas Vainius wrote: On Friday, 8 July 2005 at 00:52, Hjalmar the Destroyer wrote: OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Connecting to computer2 [192.168.1.2] port 22. debug1: connect to address 192.168.1.2 port 22: Connection refused ssh: connect to host computer2 port 22: Connection refused I guess, sshd (ssh server) is not enabled on computer2. try dpkg-reconfigure ssh and answer Yes to the question about the server. Hey, I am still having some problems with ssh. I am running the ssh server. When I use nmap localhost on computer2 I get Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:11 CEST Interesting ports on localhost.localdomain (127.0.0.1): (The 1661 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp Nmap finished: 1 IP address (1 host up) scanned in 0.159 seconds When I run nmap from my server on computer2 I get the following Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:13 CEST All 1663 scanned ports on computer2 (192.168.1.2) are: closed Nmap finished: 1 IP address (1 host up) scanned in 0.429 seconds How can this be? Any help or tips would be greatly appreciated. Try iptables -L -n. What does it say??
Re: ssh
On Tue, Jul 12, 2005 at 10:37:41AM +0200, Alexander Voss wrote: Hjalmar the Destroyer wrote: On Fri, Jul 08, 2005 at 12:56:35AM +0300, Modestas Vainius wrote: On Friday, 8 July 2005 at 00:52, Hjalmar the Destroyer wrote: OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Connecting to computer2 [192.168.1.2] port 22. debug1: connect to address 192.168.1.2 port 22: Connection refused ssh: connect to host computer2 port 22: Connection refused I guess, sshd (ssh server) is not enabled on computer2. try dpkg-reconfigure ssh and answer Yes to the question about the server. Hey, I am still having some problems with ssh. I am running the ssh server. When I use nmap localhost on computer2 I get Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:11 CEST Interesting ports on localhost.localdomain (127.0.0.1): (The 1661 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp Nmap finished: 1 IP address (1 host up) scanned in 0.159 seconds When I run nmap from my server on computer2 I get the following Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:13 CEST All 1663 scanned ports on computer2 (192.168.1.2) are: closed Nmap finished: 1 IP address (1 host up) scanned in 0.429 seconds How can this be? Any help or tips would be greatly appreciated. Try iptables -L -n. What does it say?? I get the following FATAL: Module ip_tables not found. iptables v1.3.1: can't initialize iptables table `filter': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded.
Re: ssh
On Fri, Jul 08, 2005 at 12:31:04PM -0500, David Mohr wrote: On 7/8/05, Hjalmar the Destroyer [EMAIL PROTECTED] wrote: I am still having some problems with ssh. I am running the ssh server. When I use nmap localhost on computer2 I get Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:11 CEST Interesting ports on localhost.localdomain (127.0.0.1 ): (The 1661 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp Nmap finished: 1 IP address (1 host up) scanned in 0.159 seconds When I run nmap from my server on computer2 I get the following Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:13 CEST All 1663 scanned ports on computer2 (192.168.1.2 ) are: closed Nmap finished: 1 IP address (1 host up) scanned in 0.429 seconds How can this be? Any help or tips would be greatly appreciated. Did you check with netstat to which addresses the smtp and ssh server are actually bound? Do you have a firewall (ok, nmap should've noticed that, but good to check anyways)? 
~David I do not have a firewall on computer2 and this is what I got after I ran netstat -n -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address  State
tcp        0      0 0.0.0.0:22         0.0.0.0:*        LISTEN
tcp        0      0 127.0.0.1:25       0.0.0.0:*        LISTEN
tcp        0      0 192.168.1.2:33535  192.168.1.1:22   ESTABLISHED
udp        0      0 127.0.0.1:123      0.0.0.0:*
udp        0      0 192.168.1.2:123    0.0.0.0:*
udp        0      0 0.0.0.0:123        0.0.0.0:*
Clyde
Re: ssh
On Fri, Jul 08, 2005 at 12:56:35AM +0300, Modestas Vainius wrote: On Friday, 8 July 2005 at 00:52, Hjalmar the Destroyer wrote: OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Connecting to computer2 [192.168.1.2] port 22. debug1: connect to address 192.168.1.2 port 22: Connection refused ssh: connect to host computer2 port 22: Connection refused I guess, sshd (ssh server) is not enabled on computer2. try dpkg-reconfigure ssh and answer Yes to the question about the server. Hey, I am still having some problems with ssh. I am running the ssh server. When I use nmap localhost on computer2 I get Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:11 CEST Interesting ports on localhost.localdomain (127.0.0.1): (The 1661 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp Nmap finished: 1 IP address (1 host up) scanned in 0.159 seconds When I run nmap from my server on computer2 I get the following Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:13 CEST All 1663 scanned ports on computer2 (192.168.1.2) are: closed Nmap finished: 1 IP address (1 host up) scanned in 0.429 seconds How can this be? Any help or tips would be greatly appreciated.
Re: ssh
On Fri, 08-07-2005 at 19:17 +0200, Hjalmar the Destroyer wrote: On Fri, Jul 08, 2005 at 12:56:35AM +0300, Modestas Vainius wrote: On Friday, 8 July 2005 at 00:52, Hjalmar the Destroyer wrote: OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Connecting to computer2 [192.168.1.2] port 22. debug1: connect to address 192.168.1.2 port 22: Connection refused ssh: connect to host computer2 port 22: Connection refused I guess, sshd (ssh server) is not enabled on computer2. try dpkg-reconfigure ssh and answer Yes to the question about the server. Hey, I am still having some problems with ssh. I am running the ssh server. When I use nmap localhost on computer2 I get Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:11 CEST Interesting ports on localhost.localdomain (127.0.0.1): (The 1661 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp Nmap finished: 1 IP address (1 host up) scanned in 0.159 seconds When I run nmap from my server on computer2 I get the following Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:13 CEST All 1663 scanned ports on computer2 (192.168.1.2) are: closed Nmap finished: 1 IP address (1 host up) scanned in 0.429 seconds How can this be? Any help or tips would be greatly appreciated. Disable the firewall, filter rules, etc. -- Javier Kohen [EMAIL PROTECTED] ICQ: blashyrkh #2361802 Jabber: [EMAIL PROTECTED]
Re: ssh
On 7/8/05, Hjalmar the Destroyer [EMAIL PROTECTED] wrote: I am still having some problems with ssh. I am running the ssh server. When I use nmap localhost on computer2 I get Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:11 CEST Interesting ports on localhost.localdomain (127.0.0.1 ): (The 1661 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp Nmap finished: 1 IP address (1 host up) scanned in 0.159 seconds When I run nmap from my server on computer2 I get the following Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:13 CEST All 1663 scanned ports on computer2 (192.168.1.2 ) are: closed Nmap finished: 1 IP address (1 host up) scanned in 0.429 seconds How can this be? Any help or tips would be greatly appreciated. Did you check with netstat to which addresses the smtp and ssh server are actually bound? Do you have a firewall (ok, nmap should've noticed that, but good to check anyways)? ~David
ssh
Hey, I have recently installed ssh but am having some problems. I can ssh from computer2 to my server but can not ssh back the other way, server to computer2. I get the following when using ssh -v OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Connecting to computer2 [192.168.1.2] port 22. debug1: connect to address 192.168.1.2 port 22: Connection refused ssh: connect to host computer2 port 22: Connection refused I have read the docs and I am pretty sure everything is as it should be. I am wondering if someone might give me a clue as to what the problem might be or be able to point me in the right direction. Thanks for any type of help, Clyde
Re: SSH package concerns...
Nathan Dragun wrote: PasswordAuthentication is set to no by default, as enabling it causes cleartext password authentication (obviously defeating the point of encrypting it in the first place). No, it doesn't. It defaults to Off because Debian wants SSH to use PAM for system account authentication, and not do it itself. And yes UsePAM = yes was set, for clarification. So I'd assume that meant that PAM authentication was final? Nope, it's dependent on SSH configuration. Adam
Re: Re: SSH package concerns...
but sshd.conf contains the needed flags to limit the authentication methods doing man sshd_config says something like: UsePAM = yes PasswordAuthentication = no might do the trick PasswordAuthentication is set to no by default, as enabling it causes cleartext password authentication (obviously defeating the point of encrypting it in the first place). And yes UsePAM = yes was set, for clarification. So I'd assume that meant that PAM authentication was final? Nathan Code is poetry.
Re: SSH package concerns...
On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote: Nathan Dragun wrote: While setting up PAM in conjunction with SSH I included the following line to deny access unless found in the following file: auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/sshloginusers Which works, sort of. Don't use it. sshd(8) lets you deny and allow users via /etc/ssh/sshd_config. Reading the daemon documentation before doing something like this is always a good idea. He didn't say there wasn't another way to do it, he said there was a security hole. --Pete
Re: SSH package concerns...
On Tue, May 10, 2005 at 10:09:59AM -0500, Pete Harlan wrote: On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote: Nathan Dragun wrote: While setting up PAM in conjunction with SSH I included the following line to deny access unless found in the following file: auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/sshloginusers Which works, sort of. Don't use it. sshd(8) lets you deny and allow users via /etc/ssh/sshd_config. Reading the daemon documentation before doing something like this is always a good idea. He didn't say there wasn't another way to do it, he said there was a security hole. I believe SSH supports multiple types of authentication. If pam fails, it will use the next configured one. It's a feature of ssh. It isn't as if pam can disable ssh key logins either. Is that a security hole? Misconfiguring sshd doesn't mean it is insecure. It still requires a valid account and password to login. Len Sorensen
Re: SSH package concerns...
On Tue, May 10, 2005 at 11:19:15AM -0400, Lennart Sorensen wrote: On Tue, May 10, 2005 at 10:09:59AM -0500, Pete Harlan wrote: On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote: Nathan Dragun wrote: While setting up PAM in conjunction with SSH I included the following line to deny access unless found in the following file: auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/sshloginusers Which works, sort of. Don't use it. sshd(8) lets you deny and allow users via /etc/ssh/sshd_config. Reading the daemon documentation before doing something like this is always a good idea. He didn't say there wasn't another way to do it, he said there was a security hole. I believe SSH supports multiple types of authentication. If pam fails, it will use the next configured one. It's a feature of ssh. Thanks, that is helpful. It isn't as if pam can disable ssh key logins either. Is that a security hole? It would be nice if there were a way to have the pam module indicate, this failed, and that's final, as distinct from, this failed so try something else. It still requires a valid account and password to login. True, but I imagine that if someone is using this feature then they have some accounts they trust less than others. There are various ways to go about restricting logins (including sshd's AllowUsers), but the pam method seemed reasonable to me. Particularly because with PAM you could use the same user list for any number of services, not just sshd. (And I don't understand why it would work intermittently, but that's getting far afield.) --Pete
Re: SSH package concerns...
Pete Harlan wrote: On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote: He didn't say there wasn't another way to do it, he said there was a security hole. Hence I said, don't use it. There is another way to do what he wants (more or less) that doesn't have this security hole assuming the real issue wasn't misconfiguration. Seeing as he wasn't apparently aware of the sshd configuration, I pointed it out to him, seeing as it does exactly what he wants. Adam
Re: SSH package concerns...
Pete Harlan wrote: It would be nice if there were a way to have the pam module indicate, this failed, and that's final, as distinct from, this failed so try something else. There is. Mark the module requisite, and a failure from it will stop the stack immediately. Adam
Re: SSH package concerns...
On Tuesday 10 May 2005 17:46, Adam Skutt wrote: Pete Harlan wrote: It would be nice if there were a way to have the pam module indicate, this failed, and that's final, as distinct from, this failed so try something else. There is. Mark the module requisite, and a failure from it will stop the stack immediately. Only for pam. sshd is still free to try something else if pam returns a failure. but sshd.conf contains the needed flags to limit the authentication methods doing man sshd_config says something like: UsePAM = yes PasswordAuthentication = no might do the trick Adam
Re: SSH package concerns...
This one time, at band camp, Ernest jw ter Kuile said: On Tuesday 10 May 2005 17:46, Adam Skutt wrote: Pete Harlan wrote: It would be nice if there were a way to have the pam module indicate, this failed, and that's final, as distinct from, this failed so try something else. There is. Mark the module requisite, and a failure from it will stop the stack immediately. Only for pam. sshd is still free to try something else if pam returns a failure. but sshd.conf contains the needed flags to limit the authentication methods doing man sshd_config says something like: UsePAM = yes PasswordAuthentication = no might do the trick As well as PubkeyAuthentication ChallengeResponseAuthentication The various Kerberos options, and there used to be a Keyboard one, but I guess that's deprecated now. sshd supports quite a few auth mechanisms. If you want only one to be authoritative, you're going to have to actually disable the others. This is not a security flaw. -- Stephen Gran | [EMAIL PROTECTED] | Debian user, admin, and developer | http://www.debian.org
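The point made in the reply above (sshd will try every authentication mechanism that is left enabled, so a PAM restriction alone is not final), as an added example that is not part of the thread: a Python check that reads sshd_config text and reports which of the mechanisms named in this thread are explicitly disabled, explicitly enabled, or left to the build's default. The sample config, user names and function names are constructed for illustration.

```python
import re

# Authentication keywords named in the thread (not an exhaustive list).
AUTH_KEYWORDS = (
    "PasswordAuthentication",
    "PubkeyAuthentication",
    "ChallengeResponseAuthentication",
    "KerberosAuthentication",
)

# A keyword, then whitespace or a single '=', then the value.
LINE_RE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return (settings, allow_users) for the global part of a config.

    Rules applied: lines starting with '#' are comments, keywords are
    case-insensitive, and the first value seen for a keyword wins.
    Assumption: parsing stops at the first Match block, because the
    settings below it only apply conditionally.
    """
    settings = {}
    allow_users = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        if keyword == "allowusers":
            # This parser collects the names from every AllowUsers line.
            allow_users.extend(value.split())
        else:
            settings.setdefault(keyword, value)  # keep the first value
    return settings, allow_users


def audit(text):
    """Classify each auth keyword as disabled, enabled or unset."""
    settings, allow_users = parse_sshd_config(text)
    report = {"disabled": [], "enabled": [], "unset": []}
    for kw in AUTH_KEYWORDS:
        value = settings.get(kw.lower())
        if value is None:
            report["unset"].append(kw)      # build default applies
        elif value.lower() == "no":
            report["disabled"].append(kw)
        else:
            report["enabled"].append(kw)
    report["use_pam"] = settings.get("usepam")
    report["allow_users"] = allow_users or None
    return report


def remaining_routes(report):
    """Mechanisms that are not explicitly switched off."""
    return report["enabled"] + report["unset"]


# Constructed sample, using the settings suggested in the thread.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
UsePAM = yes
PasswordAuthentication = no
PubkeyAuthentication yes
passwordauthentication yes
AllowUsers alice carol
Match User bob
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("UsePAM:", result["use_pam"])
    print("AllowUsers:", result["allow_users"])
    print("Explicitly disabled:", result["disabled"])
    print("Still available unless the default is 'no':",
          remaining_routes(result))
```

On a running host, `sshd -T` prints the effective settings with defaults filled in, and that output can be passed to `audit()` in place of the file text.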
SSH package concerns...
While setting up PAM in conjunction with SSH I included the following line to deny access unless found in the following file: auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/sshloginusers Which works, sort of. ...Let's say for example's sake the user bob is trying to get in, but is not listed in this file. I.e.: not authorized. If I try to connect via the windows program PuTTY, the first attempt fails, naturally, but if I re-type the password when prompted it will let me in!!! Not good. I tested this several different ways and found that if I try and go from linux box to linux box after about 4 attempts it will let me in. SSH package version: OpenSSH_3.8.1p1 Debian-8.sarge.4 in conjunction with: OpenSSL 0.9.7e 25 Oct 2004 Now I was doing some research into this, figuring I configured something wrong or what not early on when I first noticed this authentication problem existed and noticed that there have been some huge changes from the 3.8.1p1 release back in October 2004 (Ironically if I read that right 4.0 was just released today). Changelog: ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog But, why on earth is this package so out of date?? Insight into this would be greatly appreciated. God Bless, Nathan Code is poetry.
Re: SSH package concerns...
This one time, at band camp, Nathan Dragun said: While setting up PAM in conjunction with SSH I included the following line to deny access unless found in the following file: auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/sshloginusers Which works, sort of. ...Let's say for example's sake the user bob is trying to get in, but is not listed in this file. I.e.: not authorized. If I try to connect via the windows program PuTTY, the first attempt fails, naturally, but if I re-type the password when prompted it will let me in!!! Not good. I tested this several different ways and found that if I try and go from linux box to linux box after about 4 attempts it will let me in. SSH package version: OpenSSH_3.8.1p1 Debian-8.sarge.4 in conjunction with: OpenSSL 0.9.7e 25 Oct 2004 Now I was doing some research into this, figuring I configured something wrong or what not early on when I first noticed this authentication problem existed and noticed that there have been some huge changes from the 3.8.1p1 release back in October 2004 (Ironically if I read that right 4.0 was just released today). Changelog: ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog But, why on earth is this package so out of date?? Insight into this would be greatly appreciated. What you are experiencing sounds like a configuration problem to me. You presumably have multiple auth mechanisms listed besides UsePam, and eventually one succeeds, although the PAM one failed. -- Stephen Gran | [EMAIL PROTECTED] | Debian user, admin, and developer | http://www.debian.org
Re: SSH package concerns...
Nathan Dragun wrote: While setting up PAM in conjunction with SSH I included the following line to deny access unless found in the following file: auth required pam_listfile.so sense=allow onerr=fail item=user file=/etc/sshloginusers Which works, sort of. Don't use it. sshd(8) lets you deny and allow users via /etc/ssh/sshd_config. Reading the daemon documentation before doing something like this is always a good idea. Adam
ssh
Hi, Is it possible to configure ssh to allow specific users to logon? Gavin.
Re: ssh
Hello On 2005-04-27 DR GAVIN SEDDON wrote: Is it possible to configure ssh to allow specific users to logon? See AllowUsers in the sshd manpage. And please try to choose a more appropriate mailing list the next time! :) bye, -christian-
ssh with konqueror (fish)
Hi, I am trying to connect from my amd64 to an i386 Debian linux in Konqueror with 'fish://192.168.1.32' resulting in An error occurred while loading fish://192.168.1.32: fish://192.168.1.32. Same result with any other destination. sshd is running on all machines. The other way (from i386 to amd64 machine) works perfectly. Are there any known issues with outgoing fish connections on amd64? Or am I missing something? Thanks for any feedback. -- Regards Sven
Re: ssh with konqueror (fish)
I just did a dist-upgrade, and I also noticed that some of the kio-slaves seem to be broken from konqueror (fish, smb). ftp does work... Hmmm, maybe I'm missing something stupid... -Ted On Monday 15 November 2004 12:11, Sven Krahn wrote: Hi, I am trying to connect from my amd64 to an i386 Debian linux in Konqueror with 'fish://192.168.1.32' resulting in An error occurred while loading fish://192.168.1.32: fish://192.168.1.32. Same result with any other destination. sshd is running on all machines. The other way (from i386 to amd64 machine) works perfectly. Are there any known issues with outgoing fish connections on amd64? Or am I missing something? Thanks for any feedback. -- Regards Sven