subject:"ssh"

Re: Fwd: Non interactive ssh connection

2009-04-18 Thread Alex Malinovich

On Fri, 2009-04-17 at 15:39 +0200, Francesco Pietra wrote:
 I have now appended ~/.bashrc to ~/.profile, logout and login at all
 machines, and what I want to source NON-INTERACTIVELY written in
 ~/.bashrc was not sourced from command
 
 thisnode$ ssh othernode env | sort
 
 The output (below, between ===) was the same as when ~/.bashrc was not
 appended to ~/.profile

Can you post the content of your .bashrc, .profile, and .bash_profile.
(If any of those don't exist that's ok, just say that it doesn't exist.)

-- 
Alex Malinovich
Support Free Software, delete your Windows partition TODAY!
Encrypted mail preferred. You can get my public key from any of the
pgp.net keyservers. Key ID: A6D24837



signature.asc
Description: This is a digitally signed message part

Re: Non interactive ssh connection

2009-04-17 Thread Francesco Pietra

This is a cumulative reply to you and Alex, with thanks

My aim is that what is in ~/.bashrc is sourced NON-INTERACTIVELY.
Currently that does not occur and the openmpi parallelization does not
function (the command mpirun -host hostname -n
number_of_processors connectivity_c  fails because a library from
the compiler is not found. That library is sourced from ~/.bashrc,
though interactively. In fact, the command

thisnode$ ssh othernode env | sort

does not show the compiler variables set in there, nor an
LD_LIBRARY_PATH indicating where the compiler libraries are located.


Below the ~/.profile, which is the same in all machine on the internal network.

===
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n $BASH_VERSION ]; then
# include .bashrc if it exists
if [ -f $HOME/.bashrc ]; then
. $HOME/.bashrc
fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d $HOME/bin ] ; then
PATH=$HOME/bin:$PATH
fi


Perhaps FOR NON_LOGIN SHELLS, I should place my settings in
/etc/bash.bashrc and have it sourced in /etc/profile. Currently
/etc/bash.bashrc reads:

==
# System-wide .bashrc file for interactive bash(1) shells.

# To enable the settings / commands in this file for login shells as well,
# this file has to be sourced in /etc/profile.

# If not running interactively, don't do anything
[ -z $PS1 ]  return

# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize

# set variable identifying the chroot you work in (used in the prompt below)
if [ -z $debian_chroot ]  [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi

# set a fancy prompt (non-color, overwrite the one in /etc/profile)
PS1='${debian_chroot:+($debian_chroot)}...@\h:\w\$ '

# Commented out, don't overwrite xterm -T title -n icontitle by default.
# If this is an xterm set the title to u...@host:dir
#case $TERM in
#xterm*|rxvt*)
#PROMPT_COMMAND='echo -ne \033]0;${us...@${hostname}: ${PWD}\007'
#;;
#*)
#;;
#esac

# enable bash completion in interactive shells
#if [ -f /etc/bash_completion ]; then
#. /etc/bash_completion
#fi

# if the command-not-found package is installed, use it
if [ -x /usr/lib/command-not-found ]; then
function command_not_found_handle {
# check because c-n-f could've been removed in the meantime
if [ -x /usr/lib/command-not-found ]; then
   /usr/bin/python /usr/lib/command-not-found -- $1
   return $?
else
   return 127
fi
}
fi
=

while /etc/profile reads:

=
# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).

if [ `id -u` -eq 0 ]; then
  PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
else
  PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
fi

if [ $PS1 ]; then
  if [ $BASH ]; then
PS1='\...@\h:\w\$ '
  else
if [ `id -u` -eq 0 ]; then
  PS1='# '
else
  PS1='$ '
fi
  fi
fi

export PATH

umask 022
=

Thans a lot for indicating how to get things running.
francesco


Thanks
francesco


On Thu, Apr 16, 2009 at 9:15 PM, Jochen Schulz m...@well-adjusted.de wrote:
 Francesco Pietra:

 when I do a non interactive ssh connection, the .bashrc
 and .bash_profile files in the home directory are not executed during
 the login. Indeed I need that ssh reads the .bashrc file during a non
 interactive login, in order to run mpi jobs, that uses program placed in
 non-conventional paths.

 Check the default shell of the user in /etc/passwd. Only bash reads
 .bash_profile. Renaming it to .profile might help (if it doesn't contain
 bashims).

 J.
 --
 It is not in my power to change anything.
 [Agree]   [Disagree]
                 http://www.slowlydownward.com/NODATA/data_enter2.html

 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.9 (GNU/Linux)

 iEYEARECAAYFAknng7sACgkQ+AfZydWK2zmY6gCgqyusFBuyk9i2yf5DW2HlYbdT
 +pgAoJhhyolOyNJ0gwsKyvHKb9ro2Yig
 =1g6u
 -END PGP SIGNATURE-




--
To UNSUBSCRIBE, email to debian-amd64-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Non interactive ssh connection

2009-04-16 Thread Francesco Pietra

From google I came across the request below to debian. As the issue
seems to be at the basis of my problems to execute parallel programs
since I upgraded from amd64 etch to amd64 lenny, I wonder whether
there is a described procedure to correct the issue for amd64 (i.e.,
to have .bashrc read on the remote machine when sshing env | sort).
Other linux users are quite surprised that this does not work (in my
hands) with amd64 lenny.

thanks
francesco pietra

I have the following problem with the debian openssh package (ver.
1:4.6p1-5):

when I do a non interactive ssh connection, the .bashrc
and .bash_profile files in the home directory are not executed during
the login. Indeed I need that ssh reads the .bashrc file during a non
interactive login, in order to run mpi jobs, that uses program placed in
non-conventional paths.

I check this feature in different linux distro (archlinux, opensuse,
etc.) and generally during a non-interactive login the .bashrc file is
executed.

It is possible to disable this feature in some way also recompiling the
packages?

Best regards

Michele Vascellari


-- 
To UNSUBSCRIBE, email to debian-amd64-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: Non interactive ssh connection

2009-04-16 Thread Alex Malinovich

On Thu, 2009-04-16 at 19:40 +0200, Francesco Pietra wrote:
--snip--
 when I do a non interactive ssh connection, the .bashrc
 and .bash_profile files in the home directory are not executed during
 the login. Indeed I need that ssh reads the .bashrc file during a non
 interactive login, in order to run mpi jobs, that uses program placed in
 non-conventional paths.

Depending on how you log in, at least one of those should be available.
By default, a non-interactive login shell *will* read ~/.bash_profile,
but *not* ~/.bashrc. Can you verify that neither of them is being
executed?

-- 
Alex Malinovich
Support Free Software, delete your Windows partition TODAY!
Encrypted mail preferred. You can get my public key from any of the
pgp.net keyservers. Key ID: A6D24837



signature.asc
Description: This is a digitally signed message part

Re: Non interactive ssh connection

2009-04-16 Thread Jochen Schulz

Francesco Pietra:
 
 when I do a non interactive ssh connection, the .bashrc
 and .bash_profile files in the home directory are not executed during
 the login. Indeed I need that ssh reads the .bashrc file during a non
 interactive login, in order to run mpi jobs, that uses program placed in
 non-conventional paths.

Check the default shell of the user in /etc/passwd. Only bash reads
.bash_profile. Renaming it to .profile might help (if it doesn't contain
bashims).

J.
-- 
It is not in my power to change anything.
[Agree]   [Disagree]
 http://www.slowlydownward.com/NODATA/data_enter2.html


signature.asc
Description: Digital signature

Re: ssh

2009-01-21 Thread David A. Parker


Francesco Pietra wrote:

That's odd.  I am able to get commands to work over SSH without a
password.
 I copied the contents of ~/.ssh/id_rsa.pub on my work computer into
~/.ssh/authorized_keys on my home computer.  Now I can SSH from my work
computer to my home computer like this:

ssh m...@myhomepc date

And it logs into my home computer and then runs the date command.  I did
not
have to do anything with the authorized_keys file on my work computer to
make this happen.

That's all appropriate.

You only need to modify authorized_keys in both places if you want the
symmetric relationship that either machine can log into the other.


Correct.

I mentioned that I did not have to alter the authorized_keys file on my work
PC in response to the OP's statement:


I know how to solve the issue, i.e. by cross appending the
authorized_keys files, in order that each machine knows itself. But
there must be a simpler way.

I have no idea why you would need to do something like that.  I have never
had to cross-append anything in order to make this work.  I just wanted to
clarify for the OP that the keys only need to be shared in one direction to
do this.

He seems to indicate that the passwordless login works just fine unless he
tries to run a command through the ssh command line.  I don't know why that
would make a difference.


Big difference for me. As I said in my original post, certain
computational parallelized codes (from major supercomputer centers,
latest versions) do not work unless the two machines talking to one
another also know themselves. Usually, the two machines are my
desktop (let say deb32) and my parallel computer (let say deb64)
talking to one another via a router.The only way I found (perhaps
suggested by the author of the code, I don't remember) to login
passwordless (my arrangement is also passfraseless) to the parallel
computer - and vice versa - while requesting the date, is to take the
deb32 keys from deb64 and append them to those of deb32 itself, and
vice versa. I admit that most codes do not care about that, but it
happens that I am using at this very moment a code that has such
idiosyncrasy.

When I said there must be a simpler way, I meant to make that
appending intrinsic in the configuration of ssh. Otherwise, I have to
stay to ssh if I want (as I need) also to access supercomputers.

I am surprised that others are able to login while running a command
by simply sending one-way the keys. As I am no system expert, I
assume that I am not setting up correctly ssh.

regards
francesco



Francesco,

If I understand you correctly, you are trying to ssh from your PC 
running 32-bit Lenny to a node in a parallel computing cluster running 
64-bit Lenny.  Is this correct?


I'm not sure why a simple one-way shared key would not work if you are 
trying to run a command on the parallel computer from your PC.  You 
shouldn't need two-way authentication unless the parallel computer needs 
to run something on your machine using the same tunnel.  But I might be 
misunderstanding how you have things set up.


- Dave

P.S.  I sent this reply back to the lists so this conversation wouldn't 
go completely off-list, in case someone else is interested too.


--

Dave Parker
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177


--
To UNSUBSCRIBE, email to debian-amd64-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

ssh

2009-01-20 Thread Francesco Pietra

Hi:
Is any 'send file' command to make so that two machines (an amd64
multisocket and a simple i386, both lenny) talk scp with one another
through a router (attached to adsl) fully without asking the password?

With 'fully' I mean that command:

ssh target_machine_name date

gives the date without asking a password. The mere sending id_rsa.pub
to create the authorized_keys file only works (without asking the
password) for command:

ssh target_machine_name

but if 'date' is also requested, the password is needed (at least in my hands).

I know how to solve the issue, i.e. by cross appending the
authorized_keys files, in order that each machine knows itself. But
there must be a simpler way.

Why that need? Certain parallelized computational codes only work if
the above 'fully' is met. I came once again across the issue in
reinstalling i386 following a died HD.

Thanks

francesco pietra


-- 
To UNSUBSCRIBE, email to debian-amd64-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: ssh

2009-01-20 Thread Brett Viren

Francesco Pietra chiendar...@gmail.com writes:

 ssh target_machine_name date

 gives the date without asking a password. The mere sending id_rsa.pub
 to create the authorized_keys file only works (without asking the
 password) for command:

 ssh target_machine_name

In the case of the first command, are you running it interactively or
non-interactively from, say, cron or a batch job system?

If the latter is the case, you either must use passphrase-less SSH
keys (insecure) or load an ssh-agent once interactively and cause all
subsequent, non-interactive access to find and use that loaded agent.
The keychain package might help here.

OTOH, if you are indeed running the remote date command
interactively then I have no clue

Luck,
-Brett.


-- 
To UNSUBSCRIBE, email to debian-amd64-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: ssh

2009-01-20 Thread David A. Parker


Is any 'send file' command to make so that two machines (an amd64
multisocket and a simple i386, both lenny) talk scp with one another
through a router (attached to adsl) fully without asking the password?

With 'fully' I mean that command:

ssh target_machine_name date

gives the date without asking a password. The mere sending id_rsa.pub
to create the authorized_keys file only works (without asking the
password) for command:

ssh target_machine_name

but if 'date' is also requested, the password is needed (at least in my hands).

I know how to solve the issue, i.e. by cross appending the
authorized_keys files, in order that each machine knows itself. But
there must be a simpler way.



That's odd.  I am able to get commands to work over SSH without a 
password.  I copied the contents of ~/.ssh/id_rsa.pub on my work 
computer into ~/.ssh/authorized_keys on my home computer.  Now I can SSH 
from my work computer to my home computer like this:


ssh m...@myhomepc date

And it logs into my home computer and then runs the date command.  I did 
not have to do anything with the authorized_keys file on my work 
computer to make this happen.


- Dave

--

Dave Parker
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177


--
To UNSUBSCRIBE, email to debian-amd64-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

passwordless ssh

2009-01-20 Thread Johan Elmerfjord

Other alternatives (that doesn't work as well over internet) - and only 
if there is a limited number of programs that you need access to would be to
use snmp or inetd.

SNMP:
Set up a own oid to return the values you are asking for.

Inetd/Xinetd:
telnet to a specific port - will start a program on the master that returns
some output.

But if we are talking about a arbitrary program - and especially over the
internet 
- ssh with exchanged keys are preferable.

If you find any of the above alternatives attractive - please let me know
and I can give you some examples.




Johan Elmerfjord 
Manager, Unix Systems Administration EMEA 
Omniture


-- 
To UNSUBSCRIBE, email to debian-amd64-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: ssh

2009-01-20 Thread Christopher Browne

On Tue, Jan 20, 2009 at 11:06 AM, David A. Parker dpar...@utica.edu wrote:
 Is any 'send file' command to make so that two machines (an amd64
 multisocket and a simple i386, both lenny) talk scp with one another
 through a router (attached to adsl) fully without asking the password?

 With 'fully' I mean that command:

 ssh target_machine_name date

 gives the date without asking a password. The mere sending id_rsa.pub
 to create the authorized_keys file only works (without asking the
 password) for command:

 ssh target_machine_name

 but if 'date' is also requested, the password is needed (at least in my
 hands).

 I know how to solve the issue, i.e. by cross appending the
 authorized_keys files, in order that each machine knows itself. But
 there must be a simpler way.


 That's odd.  I am able to get commands to work over SSH without a password.
  I copied the contents of ~/.ssh/id_rsa.pub on my work computer into
 ~/.ssh/authorized_keys on my home computer.  Now I can SSH from my work
 computer to my home computer like this:

 ssh m...@myhomepc date

 And it logs into my home computer and then runs the date command.  I did not
 have to do anything with the authorized_keys file on my work computer to
 make this happen.

That's all appropriate.

You only need to modify authorized_keys in both places if you want the
symmetric relationship that either machine can log into the other.

What's going on is that when you copy id_rsa.pub (or id_dsa.pub, or
some other *.pub that might be specifically configured) from host A
into ~/.ssh/authorized_keys on host B, then this authorizes
connections from A to B.

If you put that file into ~/.ssh/authorized_keys on host *A*, then
that would enable connections from B to A.  Copy the data twice, and
you get two results.

As for the original poster's question about other mechanisms, it's
certainly *possible* to come up with other ways to connect without
using a password, but that seems likely to be somewhat risky,
security-wise.

The package openssh-client includes a utility called ssh-copy-id
which provides a way to copy a key into ~/.ssh/authorized_keys a bit
more easily.

Typical usage would be:
$ ssh-agent bash
[this starts up an ssh agent, which ssh-copy-id needs in order to be
able to know where to get a key to copy over...]
$ ssh-add ~/.ssh/id_rsa
[this tells the ssh agent about this key.  This could require entering
a password, depending on how the key was set up]
$ ssh-copy-id some-u...@some-host
Password:
[You'll need to enter the password, the first time; ssh-copy-id then
copies the public key into place...]

After that, you'd be able to submit, without further password
requests, or any further copying of ssh data...

$ ssh some-u...@somehost date

and get the expected result.
-- 
http://linuxfinances.info/info/linuxdistributions.html
Katharine Hepburn  - Death will be a great relief. No more interviews.


-- 
To UNSUBSCRIBE, email to debian-amd64-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: ssh

2009-01-20 Thread David A. Parker


Christopher Browne wrote:

On Tue, Jan 20, 2009 at 11:06 AM, David A. Parker dpar...@utica.edu wrote:

Is any 'send file' command to make so that two machines (an amd64
multisocket and a simple i386, both lenny) talk scp with one another
through a router (attached to adsl) fully without asking the password?

With 'fully' I mean that command:

ssh target_machine_name date

gives the date without asking a password. The mere sending id_rsa.pub
to create the authorized_keys file only works (without asking the
password) for command:

ssh target_machine_name

but if 'date' is also requested, the password is needed (at least in my
hands).

I know how to solve the issue, i.e. by cross appending the
authorized_keys files, in order that each machine knows itself. But
there must be a simpler way.


That's odd.  I am able to get commands to work over SSH without a password.
 I copied the contents of ~/.ssh/id_rsa.pub on my work computer into
~/.ssh/authorized_keys on my home computer.  Now I can SSH from my work
computer to my home computer like this:

ssh m...@myhomepc date

And it logs into my home computer and then runs the date command.  I did not
have to do anything with the authorized_keys file on my work computer to
make this happen.


That's all appropriate.

You only need to modify authorized_keys in both places if you want the
symmetric relationship that either machine can log into the other.



Correct.

I mentioned that I did not have to alter the authorized_keys file on my 
work PC in response to the OP's statement:


 I know how to solve the issue, i.e. by cross appending the
 authorized_keys files, in order that each machine knows itself. But
 there must be a simpler way.

I have no idea why you would need to do something like that.  I have 
never had to cross-append anything in order to make this work.  I just 
wanted to clarify for the OP that the keys only need to be shared in one 
direction to do this.


He seems to indicate that the passwordless login works just fine unless 
he tries to run a command through the ssh command line.  I don't know 
why that would make a difference.


He also mentioned scp, and I think the better alternative would be to 
run sftp with a batch file.


- Dave

--

Dave Parker
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177


--
To UNSUBSCRIBE, email to debian-amd64-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Re: Solved: Problem loggin in via ssh AND ldap

2005-11-23 Thread Heinrich Rebehn

Heinrich Rebehn wrote:
 Heinrich Rebehn wrote:
 
Hi all,

this is my first post to this list. I searched the archives for this
problem but could not find anything.

I installed Debian Sarge on an Athlon64 3000+ from amd64.debian.net.
I configured the machine to use ldap for authentication and
automounting. This setup is working fine on our i386 machines running Sarge.
Relevant packages installed:
autofs-ldap4.1.3+4.1.4bet LDAP map support for autofs
ldap-utils 2.2.23-8   OpenLDAP utilities
libldap-2.2-7  2.2.23-8   OpenLDAP libraries
libldap2   2.1.30-8   OpenLDAP libraries
libnss-ldap238-1  NSS module for using LDAP as a naminservic
ssh3.8.1p1-8.sarg Secure rlogin/rsh/rcp replacement(OpenSSH)

The following things work:
- login as root (localuser) or rebehn (ldap user) via console
- login as root via ssh

The following does *not* work:
- login as rebehn via ssh

/var/log/auth.log shows:

sshd[17022]: Illegal user rebehn from :::134.102.176.10
sshd[17022]: (pam_unix) check pass; user unknown
sshd[17022]: (pam_unix) authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=bremerhaven.ant.uni-bremen.de
sshd[17022]: error: PAM: User not known to the underlying authentication
module for illegal user rebehn from bremerhaven.ant.uni-bremen.de
sshd[17022]: Failed keyboard-interactive/pam for illegal user rebehn
from :::134.102.176.10 port 57494 ssh2

getent is working:

[EMAIL PROTECTED] [~] # getent passwd rebehn
rebehn:crypted pwd:232:1020:Heinrich Rebehn:/home/rebehn:/bin/bash


How does all this fit together? Why do getent and login via console work
whereas login via ssh does not?
It cannot be a ldap problem because i can login as rebehn via console.
It also cannot be a ssh problem because i can login as root via ssh.

I did not change any of the pam config files.

Can anyone help? Need more info?

 
 
 Problem solved. A simple reboot did the trick. Normally a reboot after
 system changes is only rquired with another widely used OS ;-)
 
 Nevertheless i am happy now :-)
 
 Sorry for the noise,
 
 Heinrich
 
 
Update: I was able to reproduce the problem with a new install.
After installing libnss-ldap and configuring /etc/nsswitch.com to use
ldap, one has to do a 'pkill -HUP sshd'.
Just for the records.

--Heinrich


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Problem loggin in via ssh AND ldap

2005-11-22 Thread Heinrich Rebehn

Hi all,

this is my first post to this list. I searched the archives for this
problem but could not find anything.

I installed Debian Sarge on an Athlon64 3000+ from amd64.debian.net.
I configured the machine to use ldap for authentication and
automounting. This setup is working fine on our i386 machines running Sarge.
Relevant packages installed:
autofs-ldap4.1.3+4.1.4bet LDAP map support for autofs
ldap-utils 2.2.23-8   OpenLDAP utilities
libldap-2.2-7  2.2.23-8   OpenLDAP libraries
libldap2   2.1.30-8   OpenLDAP libraries
libnss-ldap238-1  NSS module for using LDAP as a naminservic
ssh3.8.1p1-8.sarg Secure rlogin/rsh/rcp replacement(OpenSSH)

The following things work:
- login as root (localuser) or rebehn (ldap user) via console
- login as root via ssh

The following does *not* work:
- login as rebehn via ssh

/var/log/auth.log shows:

sshd[17022]: Illegal user rebehn from :::134.102.176.10
sshd[17022]: (pam_unix) check pass; user unknown
sshd[17022]: (pam_unix) authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=bremerhaven.ant.uni-bremen.de
sshd[17022]: error: PAM: User not known to the underlying authentication
module for illegal user rebehn from bremerhaven.ant.uni-bremen.de
sshd[17022]: Failed keyboard-interactive/pam for illegal user rebehn
from :::134.102.176.10 port 57494 ssh2

getent is working:

[EMAIL PROTECTED] [~] # getent passwd rebehn
rebehn:crypted pwd:232:1020:Heinrich Rebehn:/home/rebehn:/bin/bash


How does all this fit together? Why do getent and login via console work
whereas login via ssh does not?
It cannot be a ldap problem because i can login as rebehn via console.
It also cannot be a ssh problem because i can login as root via ssh.

I did not change any of the pam config files.

Can anyone help? Need more info?

Regards,

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Solved: Problem loggin in via ssh AND ldap

2005-11-22 Thread Heinrich Rebehn

Heinrich Rebehn wrote:
 Hi all,
 
 this is my first post to this list. I searched the archives for this
 problem but could not find anything.
 
 I installed Debian Sarge on an Athlon64 3000+ from amd64.debian.net.
 I configured the machine to use ldap for authentication and
 automounting. This setup is working fine on our i386 machines running Sarge.
 Relevant packages installed:
 autofs-ldap4.1.3+4.1.4bet LDAP map support for autofs
 ldap-utils 2.2.23-8   OpenLDAP utilities
 libldap-2.2-7  2.2.23-8   OpenLDAP libraries
 libldap2   2.1.30-8   OpenLDAP libraries
 libnss-ldap238-1  NSS module for using LDAP as a naminservic
 ssh3.8.1p1-8.sarg Secure rlogin/rsh/rcp replacement(OpenSSH)
 
 The following things work:
 - login as root (localuser) or rebehn (ldap user) via console
 - login as root via ssh
 
 The following does *not* work:
 - login as rebehn via ssh
 
 /var/log/auth.log shows:
 
 sshd[17022]: Illegal user rebehn from :::134.102.176.10
 sshd[17022]: (pam_unix) check pass; user unknown
 sshd[17022]: (pam_unix) authentication failure; logname= uid=0 euid=0
 tty=ssh ruser= rhost=bremerhaven.ant.uni-bremen.de
 sshd[17022]: error: PAM: User not known to the underlying authentication
 module for illegal user rebehn from bremerhaven.ant.uni-bremen.de
 sshd[17022]: Failed keyboard-interactive/pam for illegal user rebehn
 from :::134.102.176.10 port 57494 ssh2
 
 getent is working:
 
 [EMAIL PROTECTED] [~] # getent passwd rebehn
 rebehn:crypted pwd:232:1020:Heinrich Rebehn:/home/rebehn:/bin/bash
 
 
 How does all this fit together? Why do getent and login via console work
 whereas login via ssh does not?
 It cannot be a ldap problem because i can login as rebehn via console.
 It also cannot be a ssh problem because i can login as root via ssh.
 
 I did not change any of the pam config files.
 
 Can anyone help? Need more info?
 

Problem solved. A simple reboot did the trick. Normally a reboot after
system changes is only rquired with another widely used OS ;-)

Nevertheless i am happy now :-)

Sorry for the noise,

Heinrich


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Again ssh-agent problem on kde start

2005-10-20 Thread antongiulio05

Hi,

I have updated 'ssl', but problem on start KDE persists (my last update was 
yesterday). And so it need to comment line in /etc/X11/Xsession.options.

Giulio


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Again ssh-agent problem on kde start

2005-10-20 Thread antonio giulio

 I have updated 'ssl', but problem on start KDE persists (my last update was 
 yesterday). And so it need to comment line in /etc/X11/Xsession.options.

Sorry, my mistake:)

ssl works perfectly and now I have not more problems

Giulio

Re: Again ssh-agent problem on kde start

2005-10-20 Thread Tobias Wolter

On 2005-10-20T10:29:22+0200 (Thursday), antongiulio05 wrote:
 I have updated 'ssl', but problem on start KDE persists (my last update was 
 yesterday). And so it need to comment line in /etc/X11/Xsession.options.

It should've been fixed with 0.9.8a-2 of libssl/openssl.

-towo
-- 
Gegen Softwarepatente in Europa: http://swpat.ffii.org./
Mister Teatime had a truly brilliant mind, but it was brilliant like a frac-
tured mirror, all marvellous facets and rainbows but, ultimately, also some-
thing that was broken.  (Terry Pratchett in `Hogfather')


signature.asc
Description: Digital signature

Latest libssl0.9.8a-1 causes ssh to segfault

2005-10-18 Thread Bharath Ramesh

I just did a apt-get upgrade which upgraded libssl to libssl0.9.8a-1.
After this ssh segfaults. Reverting to libssl0.9.8-3 fixes this problem.
Is anyone else noticiing this.

Thanks,

Bharath

---
Bharath Ramesh   [EMAIL PROTECTED]   http://people.cs.vt.edu/~bramesh


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Latest libssl0.9.8a-1 causes ssh to segfault

2005-10-18 Thread Graham Smith

On Tuesday 18 October 2005 16:49, Bharath Ramesh wrote:
 I just did a apt-get upgrade which upgraded libssl to libssl0.9.8a-1.
 After this ssh segfaults. Reverting to libssl0.9.8-3 fixes this problem.
 Is anyone else noticiing this.

Yep, me and just about everyone else it would seem. Nearly every message 
posted today seems to be related to this problem. Thanks for the work around 
though.

Graham


 Thanks,

 Bharath

 ---
 Bharath Ramesh   [EMAIL PROTECTED]  
 http://people.cs.vt.edu/~bramesh


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Latest libssl0.9.8a-1 causes ssh to segfault

2005-10-18 Thread Kurt Roeckx

On Tue, Oct 18, 2005 at 11:49:09AM -0400, Bharath Ramesh wrote:
 I just did a apt-get upgrade which upgraded libssl to libssl0.9.8a-1.
 After this ssh segfaults. Reverting to libssl0.9.8-3 fixes this problem.
 Is anyone else noticiing this.

I've just uploaded an libssl0.9.8a-2 which should fix this.


Kurt


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: ssh login delay

2005-10-04 Thread Gudjon I. Gudjonsson

On Monday 03 October 2005 15:54, Lennart Sorensen wrote:
 On Mon, Oct 03, 2005 at 12:51:56AM +0200, Gudjon I. Gudjonsson wrote:
 This is most probably not an amd64 related problem but could someone
  tell me where the delay time for the failed login in ssh is set in
  Debian. All the computers I have access to have delay but not my amd64
  one. I have looked through the internet for 2 hours without success.

 Usually delay on connect/login is caused by not having working DNS/hosts
 file to resolve the incoming IP.  If DNS is working fine, it tends to be
 able to quickly determine if it can or can not resolve the name of the
 IP connecting.  If DNS is not working, you will get a long delay while
 it waits for name lookup timeout.

 Len Sorensen
I don't think there is any DNS problem. ssh works perfectly on all the 
machines I have access to (or administrate) but one does not have any delay 
on password after a failed password. I would like to be able to control this 
parameter. 

Regards
Gudjon


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: ssh login delay

2005-10-03 Thread Lennart Sorensen

On Mon, Oct 03, 2005 at 12:51:56AM +0200, Gudjon I. Gudjonsson wrote:
This is most probably not an amd64 related problem but could someone tell 
 me where the delay time for the failed login in ssh is set in Debian. All the 
 computers I have access to have delay but not my amd64 one. I have looked 
 through the internet for 2 hours without success.

Usually delay on connect/login is caused by not having working DNS/hosts
file to resolve the incoming IP.  If DNS is working fine, it tends to be
able to quickly determine if it can or can not resolve the name of the
IP connecting.  If DNS is not working, you will get a long delay while
it waits for name lookup timeout.

Len Sorensen


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

ssh login delay

2005-10-02 Thread Gudjon I. Gudjonsson

Hi
   This is most probably not an amd64 related problem but could someone tell 
me where the delay time for the failed login in ssh is set in Debian. All the 
computers I have access to have delay but not my amd64 one. I have looked 
through the internet for 2 hours without success.

Thanks
Gudjon


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: ssh login delay

2005-10-02 Thread Hamish Moffatt

On Mon, Oct 03, 2005 at 12:51:56AM +0200, Gudjon I. Gudjonsson wrote:
 Hi
This is most probably not an amd64 related problem but could someone tell 
 me where the delay time for the failed login in ssh is set in Debian. All the 
 computers I have access to have delay but not my amd64 one. I have looked 
 through the internet for 2 hours without success.

Possibly /etc/login.defs. I'm not sure if that applies to ssh or not.

Hamish
-- 
Hamish Moffatt VK3SB [EMAIL PROTECTED] [EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: ssh login delay

2005-10-02 Thread Jamie Rollins

is it a pam auth issue?  I don't see a pam module that controls that in my
/etc/pam.d/ssh, but I'm not sure.

jamie.

On Mon, Oct 03, 2005 at 11:53:28AM +1000, Hamish Moffatt wrote:
 On Mon, Oct 03, 2005 at 12:51:56AM +0200, Gudjon I. Gudjonsson wrote:
  Hi
 This is most probably not an amd64 related problem but could someone 
  tell 
  me where the delay time for the failed login in ssh is set in Debian. All 
  the 
  computers I have access to have delay but not my amd64 one. I have looked 
  through the internet for 2 hours without success.
 
 Possibly /etc/login.defs. I'm not sure if that applies to ssh or not.
 
 Hamish
 -- 
 Hamish Moffatt VK3SB [EMAIL PROTECTED] [EMAIL PROTECTED]
 
 
 -- 
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: ssh

2005-07-12 Thread Alexander Voss

Hjalmar the Destroyer wrote:

 On Fri, Jul 08, 2005 at 12:56:35AM +0300, Modestas Vainius wrote:
 2005 m. Liepos 8 d., Penktadienis 00:52, Hjalmar the Destroyer ra??:
  OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Connecting to computer2 [192.168.1.2] port 22.
  debug1: connect to address 192.168.1.2 port 22: Connection refused
  ssh: connect to host computer2 port 22: Connection refused
 I guess, sshd (ssh server) is not enabled on computer2. try
 
 dpkg-reconfigure ssh
 
 and answer Yes to the question about the server.
 
 Hey,
 I am still having some problems with ssh. I am running the ssh server.
 When I use nmap localhost on computer2 I get
 
 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:11
 CEST Interesting ports on localhost.localdomain (127.0.0.1):
 (The 1661 ports scanned but not shown below are in state: closed)
 PORT   STATE SERVICE
 22/tcp open  ssh
 25/tcp open  smtp
 
 Nmap finished: 1 IP address (1 host up) scanned in 0.159 seconds
 
 When I run nmap from my server on computer2 I get the following
 
 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:13
 CEST All 1663 scanned ports on computer2 (192.168.1.2) are: closed
 
 Nmap finished: 1 IP address (1 host up) scanned in 0.429 seconds
 
 How can this be? Any help or tips would be greatly appreciated.
 
 

Try iptables -L -n. 
What does it say??


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: ssh

2005-07-12 Thread Hjalmar the Destroyer

On Tue, Jul 12, 2005 at 10:37:41AM +0200, Alexander Voss wrote:
 Hjalmar the Destroyer wrote:
 
  On Fri, Jul 08, 2005 at 12:56:35AM +0300, Modestas Vainius wrote:
  2005 m. Liepos 8 d., Penktadienis 00:52, Hjalmar the Destroyer ra??:
   OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004
   debug1: Reading configuration data /etc/ssh/ssh_config
   debug1: Connecting to computer2 [192.168.1.2] port 22.
   debug1: connect to address 192.168.1.2 port 22: Connection refused
   ssh: connect to host computer2 port 22: Connection refused
  I guess, sshd (ssh server) is not enabled on computer2. try
  
  dpkg-reconfigure ssh
  
  and answer Yes to the question about the server.
  
  Hey,
  I am still having some problems with ssh. I am running the ssh server.
  When I use nmap localhost on computer2 I get
  
  Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:11
  CEST Interesting ports on localhost.localdomain (127.0.0.1):
  (The 1661 ports scanned but not shown below are in state: closed)
  PORT   STATE SERVICE
  22/tcp open  ssh
  25/tcp open  smtp
  
  Nmap finished: 1 IP address (1 host up) scanned in 0.159 seconds
  
  When I run nmap from my server on computer2 I get the following
  
  Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:13
  CEST All 1663 scanned ports on computer2 (192.168.1.2) are: closed
  
  Nmap finished: 1 IP address (1 host up) scanned in 0.429 seconds
  
  How can this be? Any help or tips would be greatly appreciated.
  
  
 
 Try iptables -L -n. 
 What does it say??
 
 
 -- 
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
 
I get the following

FATAL: Module ip_tables not found.
iptables v1.3.1: can't initialize iptables table filter': Table does not
exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: ssh

2005-07-09 Thread Hjalmar the Destroyer

On Fri, Jul 08, 2005 at 12:31:04PM -0500, David Mohr wrote:
 On 7/8/05, Hjalmar the Destroyer [EMAIL PROTECTED] wrote:
  I am still having some problems with ssh. I am running the ssh server. When
  I use nmap localhost on computer2 I get
  
  Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:11 
  CEST
  Interesting ports on localhost.localdomain (127.0.0.1 ):
  (The 1661 ports scanned but not shown below are in state: closed)
  PORT   STATE SERVICE
  22/tcp open  ssh
  25/tcp open  smtp
  
  Nmap finished: 1 IP address (1 host up) scanned in 0.159 seconds
  
  When I run nmap from my server on computer2 I get the following
  
  Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:13 
  CEST
  All 1663 scanned ports on computer2 (192.168.1.2 ) are: closed
  
  Nmap finished: 1 IP address (1 host up) scanned in 0.429 seconds
  
  How can this be? Any help or tips would be greatly appreciated.
 
 Did you check with netstat to which addresses the smtp and ssh server
 are actually bound? Do you have a firewall (ok, nmap should've noticed
 that, but good to check anyways)?
 
 ~David
 
I do not have a firewall on computer2 and this is what I got after I ran
netstat -n -a

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp0  0 0.0.0.0:22  0.0.0.0:*   LISTEN
tcp0  0 127.0.0.1:250.0.0.0:*   LISTEN
tcp0  0 192.168.1.2:33535   192.168.1.1:22
ESTABLISHED
udp0  0 127.0.0.1:123   0.0.0.0:*
udp0  0 192.168.1.2:123 0.0.0.0:*
udp0  0 0.0.0.0:123 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags   Type   State I-Node Path
unix  6  [ ] DGRAM2397 /dev/log
unix  2  [ ACC ] STREAM LISTENING 2656 /tmp/.X11-unix/X0
unix  2  [ ACC ] STREAM LISTENING 2726
/tmp/ssh-VBEjMI1776/agent.1776
unix  2  [ ACC ] STREAM LISTENING 13908
/tmp/orbit-hjalmar/linc-1296-0-5b8fab5c39cd7
unix  2  [ ACC ] STREAM LISTENING 16182
/tmp/orbit-hjalmar/linc-13de-0-1fe7f0fbd2751
unix  2  [ ACC ] STREAM LISTENING 16193
/tmp/orbit-hjalmar/linc-13e0-0-44faee6dd6c75
unix  3  [ ] STREAM CONNECTED 23423/tmp/.X11-unix/X0
unix  3  [ ] STREAM CONNECTED 23422
unix  4  [ ] STREAM CONNECTED 16458/tmp/.X11-unix/X0
unix  3  [ ] STREAM CONNECTED 16457
unix  3  [ ] STREAM CONNECTED 16201
/tmp/orbit-hjalmar/linc-13de-0-1fe7f0fbd2751
1
unix  3  [ ] STREAM CONNECTED 16200
unix  3  [ ] STREAM CONNECTED 16199
/tmp/orbit-hjalmar/linc-13e0-0-44faee6dd6c7
5
unix  3  [ ] STREAM CONNECTED 16198
unix  3  [ ] STREAM CONNECTED 16185
/tmp/orbit-hjalmar/linc-13de-0-1fe7f0fbd275
1
unix  3  [ ] STREAM CONNECTED 16184
unix  3  [ ] STREAM CONNECTED 16181
/tmp/orbit-hjalmar/linc-1296-0-5b8fab5c39cd
7
unix  3  [ ] STREAM CONNECTED 16180
unix  3  [ ] STREAM CONNECTED 16175/tmp/.X11-unix/X0
unix  3  [ ] STREAM CONNECTED 16174
unix  2  [ ] DGRAM13904
unix  3  [ ] STREAM CONNECTED 2750 /tmp/.X11-unix/X0
unix  3  [ ] STREAM CONNECTED 2749 
unix  3  [ ] STREAM CONNECTED 2740 /tmp/.X11-unix/X0
unix  3  [ ] STREAM CONNECTED 2739 
unix  3  [ ] STREAM CONNECTED 2729 /tmp/.X11-unix/X0
unix  3  [ ] STREAM CONNECTED 2728 
unix  3  [ ] STREAM CONNECTED 2712 /tmp/.X11-unix/X0
unix  3  [ ] STREAM CONNECTED 2658 
unix  2  [ ] DGRAM2630 
unix  2  [ ] DGRAM2500 
unix  2  [ ] DGRAM2409 

Clyde






-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: ssh

2005-07-08 Thread Hjalmar the Destroyer

On Fri, Jul 08, 2005 at 12:56:35AM +0300, Modestas Vainius wrote:
 2005 m. Liepos 8 d., Penktadienis 00:52, Hjalmar the Destroyer ra??:
  OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Connecting to computer2 [192.168.1.2] port 22.
  debug1: connect to address 192.168.1.2 port 22: Connection refused
  ssh: connect to host computer2 port 22: Connection refused
 I guess, sshd (ssh server) is not enabled on computer2. try
 
 dpkg-reconfigure ssh
 
 and answer Yes to the question about the server.
 
Hey,
I am still having some problems with ssh. I am running the ssh server. When
I use nmap localhost on computer2 I get

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:11 CEST
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1661 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
22/tcp open  ssh
25/tcp open  smtp

Nmap finished: 1 IP address (1 host up) scanned in 0.159 seconds

When I run nmap from my server on computer2 I get the following

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:13 CEST
All 1663 scanned ports on computer2 (192.168.1.2) are: closed

Nmap finished: 1 IP address (1 host up) scanned in 0.429 seconds

How can this be? Any help or tips would be greatly appreciated.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: ssh

2005-07-08 Thread Javier Kohen

El vie, 08-07-2005 a las 19:17 +0200, Hjalmar the Destroyer escribió:
 On Fri, Jul 08, 2005 at 12:56:35AM +0300, Modestas Vainius wrote:
  2005 m. Liepos 8 d., Penktadienis 00:52, Hjalmar the Destroyer ra??:
   OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004
   debug1: Reading configuration data /etc/ssh/ssh_config
   debug1: Connecting to computer2 [192.168.1.2] port 22.
   debug1: connect to address 192.168.1.2 port 22: Connection refused
   ssh: connect to host computer2 port 22: Connection refused
  I guess, sshd (ssh server) is not enabled on computer2. try
  
  dpkg-reconfigure ssh
  
  and answer Yes to the question about the server.
  
 Hey,
 I am still having some problems with ssh. I am running the ssh server. When
 I use nmap localhost on computer2 I get
 
 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:11 CEST
 Interesting ports on localhost.localdomain (127.0.0.1):
 (The 1661 ports scanned but not shown below are in state: closed)
 PORT   STATE SERVICE
 22/tcp open  ssh
 25/tcp open  smtp
 
 Nmap finished: 1 IP address (1 host up) scanned in 0.159 seconds
 
 When I run nmap from my server on computer2 I get the following
 
 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:13 CEST
 All 1663 scanned ports on computer2 (192.168.1.2) are: closed
 
 Nmap finished: 1 IP address (1 host up) scanned in 0.429 seconds
 
 How can this be? Any help or tips would be greatly appreciated.

Disable the firewall, filter rules, etc.

-- 
Javier Kohen [EMAIL PROTECTED]
ICQ: blashyrkh #2361802
Jabber: [EMAIL PROTECTED]


signature.asc
Description: This is a digitally signed message part

Re: ssh

2005-07-08 Thread David Mohr

On 7/8/05, Hjalmar the Destroyer [EMAIL PROTECTED] wrote:
 I am still having some problems with ssh. I am running the ssh server. When
 I use nmap localhost on computer2 I get
 
 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:11 CEST
 Interesting ports on localhost.localdomain (127.0.0.1 ):
 (The 1661 ports scanned but not shown below are in state: closed)
 PORT   STATE SERVICE
 22/tcp open  ssh
 25/tcp open  smtp
 
 Nmap finished: 1 IP address (1 host up) scanned in 0.159 seconds
 
 When I run nmap from my server on computer2 I get the following
 
 Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-08 19:13 CEST
 All 1663 scanned ports on computer2 (192.168.1.2 ) are: closed
 
 Nmap finished: 1 IP address (1 host up) scanned in 0.429 seconds
 
 How can this be? Any help or tips would be greatly appreciated.

Did you check with netstat to which addresses the smtp and ssh server
are actually bound? Do you have a firewall (ok, nmap should've noticed
that, but good to check anyways)?

~David

ssh

2005-07-07 Thread Hjalmar the Destroyer

Hey,
I have recently installed ssh but am having some problems.  I can ssh from
computer2 to my server but can not ssh back the other way, server to
computer2.  I get the following when using ssh -v 

OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to computer2 [192.168.1.2] port 22.
debug1: connect to address 192.168.1.2 port 22: Connection refused
ssh: connect to host computer2 port 22: Connection refused

I have read the docs and I am pretty sure everything is as it should be. I am 
wondering if
someone might give me a clue as to what the problem might be or be able to
point me in the right direction.
Thanks for any type of help,
Clyde


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: SSH package concerns...

2005-05-15 Thread Adam Skutt

Nathan Dragun wrote:
 PasswordAuthentication is set to no by default, as enabling it causes
 cleartext password authentication (obviously defeating the point of
 encrypting it in the first place).
No, it doesn't.  It defaults to Off because Debian wants SSH to use PAM
for system account authentication, and not do it itself.


 And yes UsePAM = yes was set, for clarification.  So I'd assume that
 meant that PAM authentication was final?
Nope, it's dependent on SSH configuration.

Adam


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Re: SSH package concerns...

2005-05-11 Thread Nathan Dragun

 but sshd.conf contains the needed
flags to limit the authentication methods


 doing man sshd_config saids something like :



 UsePAM = yes
 PasswordAuthentication = no



 might do the trick
PasswordAuthentication is set to no by default, as enabling it causes 
cleartext password authentication (obviously defeating the point of 
encrypting it in the first place).

And yes UsePAM = yes was set, for clarification.  So I'd assume that 
meant that PAM authentication was final?

Nathan

Code is poetry.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: SSH package concerns...

2005-05-10 Thread Pete Harlan

On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote:
 Nathan Dragun wrote:
  While setting up PAM in conjunction with SSH I included the following
  line to deny access unless found in the following file:
  
  authrequiredpam_listfile.so sense=allow onerr=fail item=user
  file=/etc/sshloginusers
  
  Which works, sort of.
 Don't use it.  sshd(8) lets you deny and allow users via
 /etc/ssh/sshd_config.
 
 Reading the daemon documentation before doing something like this is
 always good idea.

He didn't say there wasn't another way to do it, he said there was a
security hole.

--Pete


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: SSH package concerns...

2005-05-10 Thread Lennart Sorensen

On Tue, May 10, 2005 at 10:09:59AM -0500, Pete Harlan wrote:
 On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote:
  Nathan Dragun wrote:
   While setting up PAM in conjunction with SSH I included the following
   line to deny access unless found in the following file:
   
   authrequiredpam_listfile.so sense=allow onerr=fail item=user
   file=/etc/sshloginusers
   
   Which works, sort of.
  Don't use it.  sshd(8) lets you deny and allow users via
  /etc/ssh/sshd_config.
  
  Reading the daemon documentation before doing something like this is
  always good idea.
 
 He didn't say there wasn't another way to do it, he said there was a
 security hole.

I believe SSH supports multiple types of authentication.  If pam fails,
it will use the next configured one.  It's a feature of ssh.  It isn't
as if pam can disable ssh key logins either.  Is that a security hole?
Misconfiguring sshd doesn't mean it is insecure.  It still requires a
valid account and password to login.

Len Sorensen


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: SSH package concerns...

2005-05-10 Thread Pete Harlan

On Tue, May 10, 2005 at 11:19:15AM -0400, Lennart Sorensen wrote:
 On Tue, May 10, 2005 at 10:09:59AM -0500, Pete Harlan wrote:
  On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote:
   Nathan Dragun wrote:
While setting up PAM in conjunction with SSH I included the following
line to deny access unless found in the following file:

authrequiredpam_listfile.so sense=allow onerr=fail item=user
file=/etc/sshloginusers

Which works, sort of.
   Don't use it.  sshd(8) lets you deny and allow users via
   /etc/ssh/sshd_config.
   
   Reading the daemon documentation before doing something like this is
   always good idea.
  
  He didn't say there wasn't another way to do it, he said there was a
  security hole.
 
 I believe SSH supports multiple types of authentication.  If pam fails,
 it will use the next configured one.  It's a feature of ssh.

Thanks, that is helpful.

 It isn't as if pam can disable ssh key logins either.  Is that a
 security hole?

It would be nice if there were a way to have the pam module indicate,
this failed, and that's final, as distinct from, this failed so try
something else.

 It still requires a valid account and password to login.

True, but I imagine that if someone is using this feature then they
have some accounts they trust less than others.  There are various
ways to go about restricting logins (including sshd's AllowUsers), but
the pam method seemed reasonable to me.  Particularly because with PAM
you could use the same user list for any number of services, not just
sshd.

(And I don't understand why it would work intermittently, but that's
getting far afield.)

--Pete


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: SSH package concerns...

2005-05-10 Thread Adam Skutt

Pete Harlan wrote:
 On Mon, May 09, 2005 at 10:16:24PM -0400, Adam Skutt wrote:
  He didn't say there wasn't another way to do it, he said there was a
 security hole.
Hence I said, don't use it.  There is another way to do what he wants
(more or less) that doesn't have this security hole assuming the real
issue wasn't misconfiguration.

Seeing as he wasn't apparently aware of the sshd configuration, I
pointed it out to him, seeing as it does exactly what he wants.

Adam


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: SSH package concerns...

2005-05-10 Thread Adam Skutt

Pete Harlan wrote:
 It would be nice if there were a way to have the pam module indicate,
 this failed, and that's final, as distinct from, this failed so try
 something else.
There is.  Mark the module requisite, and a failure from it will stop
the stack immediately.

Adam


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: SSH package concerns...

2005-05-10 Thread Ernest jw ter Kuile

On Tuesday 10 May 2005 17:46, Adam Skutt wrote:
 Pete Harlan wrote:
  It would be nice if there were a way to have the pam module indicate,
  this failed, and that's final, as distinct from, this failed so try
  something else.

 There is.  Mark the module requisite, and a failure from it will stop
 the stack immediately.

Only for pam. 

sshd is still free to try something else if pam returns a failure.


but sshd.conf contains the needed flags to limit the authentication methods

doing man sshd_config saids something like :

UsePAM = yes
PasswordAuthentication = no

might do the trick



 Adam


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: SSH package concerns...

2005-05-10 Thread Stephen Gran

This one time, at band camp, Ernest jw ter Kuile said:
 On Tuesday 10 May 2005 17:46, Adam Skutt wrote:
  Pete Harlan wrote:
   It would be nice if there were a way to have the pam module indicate,
   this failed, and that's final, as distinct from, this failed so try
   something else.
 
  There is.  Mark the module requisite, and a failure from it will stop
  the stack immediately.
 
 Only for pam. 
 
 sshd is still free to try something else if pam returns a failure.
 
 but sshd.conf contains the needed flags to limit the authentication methods
 
 doing man sshd_config saids something like :
 
 UsePAM = yes
 PasswordAuthentication = no
 
 might do the trick

As well as
PubkeyAuthentication
ChallengeResponseAuthentication
The various Kerberos options, and there used to be a Keyboard one, but I
guess that's deprecated now.

sshd supports quite a few auth mechanisms.  If you want only one to be
authoritative, you're going to have to actually disable the others.
This is not a security flaw.
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -


pgpQAcG4dIgYT.pgp
Description: PGP signature

SSH package concerns...

2005-05-09 Thread Nathan Dragun

While setting up PAM in conjunction with SSH I included the following 
line to deny access unless found in the following file:

authrequiredpam_listfile.so sense=allow onerr=fail item=user 
file=/etc/sshloginusers

Which works, sort of.
...Lets say for examples sake the user bob is trying to get in, but is 
not listed in this file.  Ie: not authorized.  If I try to connect via 
the windows program PuTTY, the first attempt fails, naturally, but if I 
re-type the password when prompted it will let me in!!!  Not good.  I 
tested this several different ways and found that if I try and go from 
linux box to linux box after about 4 attempts it will let me in.

SSH package version: OpenSSH_3.8.1p1 Debian-8.sarge.4
in conjunction with: OpenSSL 0.9.7e 25 Oct 2004
Now I was doing some research into this, figuring I configured something 
wrong or what not early on when I first noticed this authentication 
problem existed and noticed that there have been some huge changes from 
the 3.8.1p1 release back in October 2004 (Ironically if I read that 
right 4.0 was just released today). Changelog: 
ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog

But, why on earth is this package so out of date??  Insight into this 
would be greatly appreciated.

God Bless,
Nathan

Code is poetry.
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: SSH package concerns...

2005-05-09 Thread Stephen Gran

This one time, at band camp, Nathan Dragun said:
 While setting up PAM in conjunction with SSH I included the following 
 line to deny access unless found in the following file:
 
 authrequiredpam_listfile.so sense=allow onerr=fail item=user 
 file=/etc/sshloginusers
 
 Which works, sort of.
 ...Lets say for examples sake the user bob is trying to get in, but is 
 not listed in this file.  Ie: not authorized.  If I try to connect via 
 the windows program PuTTY, the first attempt fails, naturally, but if I 
 re-type the password when prompted it will let me in!!!  Not good.  I 
 tested this several different ways and found that if I try and go from 
 linux box to linux box after about 4 attempts it will let me in.
 
 SSH package version: OpenSSH_3.8.1p1 Debian-8.sarge.4
 in conjunction with: OpenSSL 0.9.7e 25 Oct 2004
 
 Now I was doing some research into this, figuring I configured something 
 wrong or what not early on when I first noticed this authentication 
 problem existed and noticed that there have been some huge changes from 
 the 3.8.1p1 release back in October 2004 (Ironically if I read that 
 right 4.0 was just released today). Changelog: 
 ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog
 
 But, why on earth is this package so out of date??  Insight into this 
 would be greatly appreciated.

What you are experiencing sounds like a configuration problem to me.
You presumably have multiple auth mechanisms listed besides UsePam, and
eventually one succeeds, although the PAM one failed.
-- 
 -
|   ,''`.Stephen Gran |
|  : :' :[EMAIL PROTECTED] |
|  `. `'Debian user, admin, and developer |
|`- http://www.debian.org |
 -


pgpRTwXLPWmrX.pgp
Description: PGP signature

Re: SSH package concerns...

2005-05-09 Thread Adam Skutt

Nathan Dragun wrote:
 While setting up PAM in conjunction with SSH I included the following
 line to deny access unless found in the following file:
 
 authrequiredpam_listfile.so sense=allow onerr=fail item=user
 file=/etc/sshloginusers
 
 Which works, sort of.
Don't use it.  sshd(8) lets you deny and allow users via
/etc/ssh/sshd_config.

Reading the daemon documentation before doing something like this is
always good idea.

Adam


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

ssh

2005-04-27 Thread DR GAVIN SEDDON

Hi,
Is it possible to configure ssh to allow specific users to logon?
Gavin.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: ssh

2005-04-27 Thread Christian Hammers

Hello

On 2005-04-27 DR GAVIN SEDDON wrote:
 Is it possible to configure ssh to allow specific users to logon?
See AllowUsers in the sshd manpage.
And please try to choose a more appropriate mailing list the next time! :)

bye,

-christian-


pgp5ra8C0xHvo.pgp
Description: PGP signature

ssh with konqueror (fish)

2004-11-15 Thread Sven Krahn

Hi,
I am trying to connect from my amd64 to an i386 Debian linux in 
Konqueror with 'fish://192.168.1.32' resulting in An error occurred 
while loading fish://192.168.1.32: fish://192.168.1.32. Same result 
with any other destination. sshd is running on all machines.

The other way (from i386 to amd64 machine) works perfectly.
Are there any known issues with outgoing fish connections on amd64? Or 
am I missing something?

Thanks for any feedback.
--
Regards
Sven

Re: ssh with konqueror (fish)

2004-11-15 Thread Theodore Kisner

I just did a dist-upgrade, and I also noticed that some of the kio-slaves seem 
to be broken from konqueror (fish, smb).  ftp does work...  Hmmm, maybe I'm 
missing something stupid...

-Ted 

On Monday 15 November 2004 12:11, Sven Krahn wrote:
 Hi,

 I am trying to connect from my amd64 to an i386 Debian linux in
 Konqueror with 'fish://192.168.1.32' resulting in An error occurred
 while loading fish://192.168.1.32: fish://192.168.1.32. Same result
 with any other destination. sshd is running on all machines.

 The other way (from i386 to amd64 machine) works perfectly.

 Are there any known issues with outgoing fish connections on amd64? Or
 am I missing something?

 Thanks for any feedback.

 --
 Regards
 Sven

49 matches

Mail list logo