Re: SSH on FreeBSD
Hi,

On Tue, 15 Jan 2013 10:10:16 + Mannase Nyathi mann...@cipherwave.co.za wrote:

> CipherWave Fibre Broadband with FREE installation from only R8840/month
>
> Good day,
>
> I have just configured FreeBSD on my server. I would like to find out how I can log in to it via ssh.
>
> Looking forward to hearing from you soon.
>
> Thank you

You must enable ssh in /etc/inetd.conf and then read

    man ssh

If you could tell us more what you really want, we could give you a better answer.

Erich

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: SSH on FreeBSD
Hi,

>> I have just configured FreeBSD on my server. I would like to find out how I can log in to it via ssh.
>>
>> Looking forward to hearing from you soon.
>>
>> Thank you
>
> You must enable ssh in /etc/inetd.conf and then read

Or better, in /etc/rc.conf

    sshd_enable=YES

Olivier

> man ssh
>
> If you could tell us more what you really want, we could give you a better answer.
>
> Erich
Re: SSH on FreeBSD
On 15/01/2013 10:10, Mannase Nyathi wrote:
> I have just configured FreeBSD on my server. I would like to find out how I can log in to it via ssh.

Start by editing /etc/rc.conf and add the line:

    sshd_enable=YES

(anywhere in the file -- order doesn't matter)

Then as root:

    /etc/rc.d/sshd start

It should generate some host keys and then start the sshd daemon. That's all. sshd will restart automatically after any reboots. You should be able to log into any ordinary user account remotely using the account username and password.

Note: if your system is exposed to the internet, it will be attacked by bots attempting to brute-force SSH usernames and passwords. Make sure you have good passwords on all user accounts -- see the archives of this list for many, many discussions of further steps you can take to prevent this activity filling up your logfiles...

Cheers,

Matthew
Re: SSH on FreeBSD
On 15/01/2013 10:52, Matthew Seaman wrote:
> That's all. sshd will restart automatically after any reboots. You should be able to log into any ordinary user account remotely using the account username and password.

Note "ordinary user account" - sshd on FreeBSD disallows root logins by default. You can change that by editing /etc/ssh/sshd_config.

--
Bruce Cran
Re: SSH on FreeBSD
On Tuesday, January 15, 2013 at 05:45:36PM +0700, Erich Dollansky wrote:

> Hi,
>
> On Tue, 15 Jan 2013 10:10:16 + Mannase Nyathi mann...@cipherwave.co.za wrote:
>
>> CipherWave Fibre Broadband with FREE installation from only R8840/month
>>
>> Good day,
>>
>> I have just configured FreeBSD on my server. I would like to find out how I can log in to it via ssh.
>>
>> Looking forward to hearing from you soon.
>>
>> Thank you
>
> You must enable ssh in /etc/inetd.conf and then read

In FreeBSD it is in rc.conf

    $ man rc.conf | col -b | fgrep -i ssh

matthias

--
Sent from my FreeBSD netbook
Matthias Apitz               | - No system with backdoors like Apple/Android
E-mail: g...@unixarea.de     | - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ | - No proprietary attachments
phone: +49-170-4527211       | - Respect for open standards
Re: SSH on FreeBSD
On Tue, 15 Jan 2013 10:52:04 + Matthew Seaman articulated:

> On 15/01/2013 10:10, Mannase Nyathi wrote:
>> I have just configured FreeBSD on my server. I would like to find out how I can log in to it via ssh.
>
> Start by editing /etc/rc.conf and add the line:
>
>     sshd_enable=YES
>
> (anywhere in the file -- order doesn't matter)
>
> Then as root:
>
>     /etc/rc.d/sshd start
>
> It should generate some host keys and then start the sshd daemon. That's all. sshd will restart automatically after any reboots. You should be able to log into any ordinary user account remotely using the account username and password.
>
> Note: if your system is exposed to the internet, it will be attacked by bots attempting to brute-force SSH usernames and passwords. Make sure you have good passwords on all user accounts -- see the archives of this list for many, many discussions of further steps you can take to prevent this activity filling up your logfiles...

You might want to consider using certificates rather than 'usernames' and 'passwords' for logging in. Your system will be far more secure. As Matthew stated, you can check the archives. If needed, start a new thread and ask for assistance on the subject here.

--
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
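As an added example that is not from any post in this thread: a POSIX sh/awk snippet that pulls the brute-force pattern Matthew warns about out of constructed /var/log/auth.log lines (hostname, PIDs and addresses are made up; addresses use RFC 5737 documentation ranges), grouping failed password attempts by source address so they can feed an alert or a blocklist.

```shell
#!/bin/sh
# Constructed sample of sshd records in the format FreeBSD writes to /var/log/auth.log.
SAMPLE_AUTH_LOG='Jan 15 10:52:04 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 15 10:52:06 gw sshd[1236]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 15 10:52:09 gw sshd[1238]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Jan 15 10:52:11 gw sshd[1240]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Jan 15 10:53:00 gw sshd[1242]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Jan 15 10:53:30 gw sshd[1244]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 15 10:53:35 gw sshd[1244]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
Jan 15 10:54:02 gw sshd[1250]: Failed password for root from 192.0.2.9 port 2222 ssh2
Jan 15 10:54:05 gw sshd[1252]: Failed password for root from 192.0.2.9 port 2223 ssh2
Jan 15 10:54:08 gw sshd[1254]: Failed password for root from 192.0.2.9 port 2224 ssh2'

# failed_by_source: read auth.log lines on stdin; print "COUNT IP", most failures first.
# Only sshd "Failed password" records count; the address is the token after "from".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
         }
         END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# brute_force_sources THRESHOLD: print "IP COUNT" for sources with at least THRESHOLD
# failures. A single typo by a legitimate user (alice above) stays below the bar.
brute_force_sources() {
    failed_by_source | awk -v t="$1" '$1 + 0 >= t + 0 { print $2, $1 }'
}

# root_failed_attempts: failures that targeted root. On a box that keeps the default
# PermitRootLogin no (noted earlier in the thread) these are scanner noise, never a login.
root_failed_attempts() {
    grep -c 'Failed password for root from'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | root_failed_attempts
```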
Re: SSH on FreeBSD
15.01.2013 12:50, Matthias Apitz:
> On Tuesday, January 15, 2013 at 05:45:36PM +0700, Erich Dollansky wrote:
>
>> Hi,
>>
>> On Tue, 15 Jan 2013 10:10:16 + Mannase Nyathi mann...@cipherwave.co.za wrote:
>>
>>> CipherWave Fibre Broadband with FREE installation from only R8840/month
>>>
>>> Good day,
>>>
>>> I have just configured FreeBSD on my server. I would like to find out how I can log in to it via ssh.
>>>
>>> Looking forward to hearing from you soon.
>>>
>>> Thank you
>>
>> You must enable ssh in /etc/inetd.conf and then read
>
> In FreeBSD it is in rc.conf
>
>     $ man rc.conf | col -b | fgrep -i ssh

In FreeBSD there are two ways of enabling sshd: the default, fast and easy one through rc.conf, and a bit tricky and secure one via inetd.conf. Everyone can select their own poison. I personally prefer the latter one.

--
Sphinx of black quartz, judge my vow.
Re: SSH on FreeBSD
Volodymyr Kostyrko c.kw...@gmail.com writes:

> [snip]
>
> In FreeBSD there are two ways of enabling sshd: the default, fast and easy one through rc.conf, and a bit tricky and secure one via inetd.conf. Everyone can select their own poison. I personally prefer the latter one.

You seem to imply that enabling sshd through inetd is more secure than directly through rc.conf. Care to elaborate on that?

Regards,

--
- Frank
Re: SSH on FreeBSD
On Tuesday, January 15, 2013 at 02:40:32PM +0200, Volodymyr Kostyrko wrote:

>> In FreeBSD it is in rc.conf
>>
>>     $ man rc.conf | col -b | fgrep -i ssh
>
> In FreeBSD there are two ways of enabling sshd: the default, fast and easy one through rc.conf, and a bit tricky and secure one via inetd.conf. Everyone can select their own poison. I personally prefer the latter one.

Why is it more secure via inetd.conf?

matthias

--
Sent from my FreeBSD netbook
Matthias Apitz               | - No system with backdoors like Apple/Android
E-mail: g...@unixarea.de     | - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ | - No proprietary attachments
phone: +49-170-4527211       | - Respect for open standards
Re: SSH on FreeBSD
On 15/01/2013 12:51, Matthias Apitz wrote:
> Why is it more secure via inetd.conf?

You can centralise access control via TCP Wrappers - http://www.freebsd.org/doc/handbook/tcpwrappers.html .

--
Bruce Cran
Re: SSH on FreeBSD
15.01.2013 14:48, Frank Staals:
> Volodymyr Kostyrko c.kw...@gmail.com writes:
>
>> [snip]
>>
>> In FreeBSD there are two ways of enabling sshd: the default, fast and easy one through rc.conf, and a bit tricky and secure one via inetd.conf. Everyone can select their own poison. I personally prefer the latter one.
>
> You seem to imply that enabling sshd through inetd is more secure than directly through rc.conf. Care to elaborate on that?

* there's no central process to target with attacks;
* the SSHv1 server key is regenerated every time a new connection is created;
* with inetd you can force a max connections per minute rate or max connections per IP.

--
Sphinx of black quartz, judge my vow.
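An added example, not from the thread, for the third point above: two constructed /etc/inetd.conf entries run sshd in inetd mode (sshd -i), one without limits and one with the per-service and per-IP limits that inetd.conf(5) accepts in the wait/nowait field; the sh function decodes that field so the effect of each number is explicit. The hosts.allow line in the comment is likewise a constructed illustration of Bruce's TCP Wrappers point.

```shell
#!/bin/sh
# Two constructed inetd.conf entries for sshd run from inetd. The only difference is the
# fourth field: nowait[/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]].
INETD_SSH_UNLIMITED='ssh stream tcp nowait root /usr/sbin/sshd sshd -i'
INETD_SSH_LIMITED='ssh stream tcp nowait/0/10/3 root /usr/sbin/sshd sshd -i'
# With inetd in front, TCP Wrappers apply through /etc/hosts.allow, e.g. (constructed):
#   sshd : 192.0.2.0/255.255.255.0 : allow
#   sshd : ALL : deny

# limit_word VALUE: an absent field falls back to inetd(8)'s own default (unlimited unless
# inetd was started with a flag overriding it) and an explicit 0 means no limit for the
# service, so both render as "unlimited"; anything else is the number itself.
limit_word() {
    case $1 in
        ''|0) echo unlimited ;;
        *)    echo "$1" ;;
    esac
}

# inetd_limits LINE: decode the wait/nowait field of one inetd.conf line and print
#   max-child=N conn-per-ip-per-min=N max-child-per-ip=N
# Fails if the mode is not "nowait": sshd -i serves one connection per process, so inetd
# must keep accepting on the listening socket rather than wait for the child to exit.
inetd_limits() {
    set -- $1                       # word-split the line: $4 is the wait/nowait field
    IFS=/ read -r mode max_child per_ip_rate per_ip_child <<EOF
$4
EOF
    [ "$mode" = nowait ] || { echo "expected nowait for an sshd entry, got '$mode'" >&2; return 1; }
    printf 'max-child=%s conn-per-ip-per-min=%s max-child-per-ip=%s\n' \
        "$(limit_word "$max_child")" "$(limit_word "$per_ip_rate")" "$(limit_word "$per_ip_child")"
}

inetd_limits "$INETD_SSH_UNLIMITED"
inetd_limits "$INETD_SSH_LIMITED"
```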
RE: SSH on FreeBSD
Hi Guys,

Thanks for your help. I have managed to sort it out. Will let you know if I require any further assistance. I have been receiving numerous emails. It's all fine now :)

-----Original Message-----
From: Matthias Apitz [mailto:g...@unixarea.de]
Sent: 15 January 2013 02:51 PM
To: Volodymyr Kostyrko
Cc: Erich Dollansky; questi...@freebsd.org; Mannase Nyathi
Subject: Re: SSH on FreeBSD

On Tuesday, January 15, 2013 at 02:40:32PM +0200, Volodymyr Kostyrko wrote:

>> In FreeBSD it is in rc.conf
>>
>>     $ man rc.conf | col -b | fgrep -i ssh
>
> In FreeBSD there are two ways of enabling sshd: the default, fast and easy one through rc.conf, and a bit tricky and secure one via inetd.conf. Everyone can select their own poison. I personally prefer the latter one.

Why is it more secure via inetd.conf?

matthias

--
Sent from my FreeBSD netbook
Matthias Apitz               | - No system with backdoors like Apple/Android
E-mail: g...@unixarea.de     | - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ | - No proprietary attachments
phone: +49-170-4527211       | - Respect for open standards

--
Mannase Nyathi
Support Technician
sb: 011 541 9940
fax: 011 541 9920
web: www.cipherwave.co.za

This email may be confidential or privileged, and CipherWave Storage Solutions Africa (Pty) Ltd does not waive any related rights and obligations, which may include the protection of intellectual property. Any distribution, use or copying of this email or the information it contains by other than an intended recipient is unauthorised. If you have received this email in error please delete it immediately. Due to the inherent uncertainties involved in modern email transmissions, CipherWave Storage Solutions Africa (Pty) Ltd cannot accept any responsibility or liability for any errors or omissions, loss or damage from either use or misuse of the content, including viruses.
Re: ssh server hashcode change on nanoBSD
On Tue, 1 Jan 2013 18:59:05 +0330, takCoder wrote:
> thank you for the details mentioned :) but now, a question occurred to me about this ssh key. as i don't know enough about its process, would you please tell me whether this key is a shared key for all ssh clients who send a request? or does it differ as the client changes?

The key received in the first step of a SSH session is the host key which identifies the host (in your case: the nanoBSD box). This key is stored in the SSH client's key database for reference because the key of a box typically does not change. If it changes - there should be a valid reason for it, or it might look like there's something wrong here.

As explained, this host key is generated when no key is found at startup. As soon as you make it permanent to your nanoBSD installation, the key will obviously stay the same, and the SSH client won't complain.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: ssh server hashcode change on nanoBSD
On Tue, Jan 1, 2013 at 10:41 PM, Lowell Gilbert wrote:
> Don't top-post, please.

Sorry for top-posting.. i'll try to keep an eye on it from now on :)

well, cause i got my answer, let's have a conclusion:

According to:

On Tue, Jan 1, 2013 at 10:41 PM, Lowell Gilbert wrote:
> There are a number of keys involved in ssh. The host keys are used at the start of the connection to make sure that some other machine doesn't impersonate the one you wanted.

and

On Wed, Jan 2, 2013 at 2:22 PM, Polytropon wrote:
> The key received in the first step of a SSH session is the host key which identifies the host (in your case: the nanoBSD box). This key is stored in the SSH client's key database for reference because the key of a box typically does not change.
> ..
> As explained, this host key is generated when no key is found at startup. As soon as you make it permanent to your nanoBSD installation, the key will obviously stay the same, and the SSH client won't complain

i made my ssh server key permanent on my nanoBSD server, by moving /etc/ssh/ files to /cfg/ssh files (i think those two files named dsa_key are enough, but in this test, i copied all files in the source dir..) and now there are no complaints from any clients, thanks to Polytropon and Lowell and Aldis. :)

> Cryptography in general is quite complicated, and ssh is a lot more complicated than just its cryptography.

and also thank you all for your patience and good explanations :)

Best Regards,
t.a.k
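The persistence step t.a.k describes, as an added example that is not from the thread: a POSIX sh function that copies the sshd host key pairs from the memory-disk /etc/ssh into the persistent /cfg/ssh overlay with modes preserved, and refuses to copy a private key that is readable by group or others (a host key that leaks lets anyone impersonate the box, which is exactly what the known_hosts check exists to catch). The mount/unmount wrapper assumes the nanoBSD /cfg layout described above and is not exercised by the stand-alone run.

```shell
#!/bin/sh
# persist_host_keys SRC DST
# Copy every ssh_host_*_key / .pub pair from SRC to DST, keeping modes and ownership (cp -p).
# Stops if a private key is group- or world-readable, since the copy would silently
# persist that condition. Returns 1 if anything is wrong or nothing was copied.
persist_host_keys() {
    src=$1; dst=$2; copied=0
    mkdir -p "$dst" || return 1
    for key in "$src"/ssh_host_*_key; do
        [ -f "$key" ] || continue              # glob matched nothing
        [ -f "$key.pub" ] || { echo "missing public half for $key" >&2; return 1; }
        # in ls -l output column 5 is group read and column 8 is other read
        case $(ls -l "$key") in
            ????r*|???????r*)
                echo "refusing: $key is readable by group or others" >&2
                return 1 ;;
        esac
        cp -p "$key" "$key.pub" "$dst"/ || return 1
        copied=$((copied + 1))
    done
    [ "$copied" -gt 0 ] || { echo "no host keys found in $src" >&2; return 1; }
    echo "persisted $copied host key pair(s) to $dst"
}

# On a nanoBSD box /cfg is normally left unmounted; mount it only for the copy.
# Not run here: it uses the real nanoBSD paths from the thread.
nanobsd_save_host_keys() {
    mount /cfg || return 1
    persist_host_keys /etc/ssh /cfg/ssh
    rc=$?
    umount /cfg
    return $rc
}
```

After the copy, compare `ssh-keygen -lf /cfg/ssh/ssh_host_*_key.pub` with the fingerprint a client already has in known_hosts; only a match proves the persisted key is the one clients trust.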
Re: ssh server hashcode change on nanoBSD
---------- Forwarded message ----------
From: Aldis Berjoza graude...@yandex.com
Date: Tue, Jan 1, 2013 at 2:17 PM
Subject: Re: ssh server hashcode change on nanoBSD

I've never used NanoBSD, but check if the ssh daemon can write to /etc/ssh/, otherwise it won't be able to save the ssh_host_* keys. Or you can create ssh_host keys and embed them in your NanoBSD image.

--
Aldis Berjoza
FreeBSD addict

thank you :)

for the ones who know about nanobsd, i've got a /cfg on nanobsd. during nanoBSD startup, files in /etc are replaced with their new version in /cfg, if any (as /etc is a md here). so, in the case i explained above, i just needed to copy /etc/ssh/* to /cfg/ssh/ and now, everything is fine :)

Best Regards,
t.a.k

On Tue, Jan 1, 2013 at 2:11 PM, takCoder tak.offic...@gmail.com wrote:
> hi everyone,
>
> i've got a nanoBSD server. when i ssh to it from another bsd system, the first time everything is fine. the source bsd system asks me whether i trust my nanoBSD server or not and i apply y and the nanoBSD hash key is written in the known_hosts file.
>
> everything is fine until i restart my nanoBSD server. the problem is that each time i restart my server, the source system is complaining that i need to edit my known_hosts file cause my nanoBSD hash-code is not matched.. how can i fix this?! it really bothers me cause i think of it as a security problem.. i can't risk such things on my server..
>
> would someone please give me a hand on this? always grateful for all your help here :)
>
> Best Regards,
> t.a.k
Re: ssh server hashcode change on nanoBSD
On Tue, 1 Jan 2013 14:11:21 +0330, takCoder wrote:
> everything is fine until i restart my nanoBSD server. the problem is that each time i restart my server, the source system is complaining that i need to edit my known_hosts file cause my nanoBSD hash-code is not matched.. how can i fix this?! it really bothers me cause i think of it as a security problem.. i can't risk such things on my server..

You should make the key permanent (i. e. include it on the boot media you're using). In case no key is found at sshd startup, a new one will be generated - a different one each time, of course. So what you're seeing seems to be normal, even though not desired at all. :-)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: ssh server hashcode change on nanoBSD
thank you for the details mentioned :) but now, a question occurred to me about this ssh key. as i don't know enough about its process, would you please tell me whether this key is a shared key for all ssh clients who send a request? or does it differ as the client changes?

(this question may sound a bit newbiesh, but i don't know much about the ssh process, sorry :) )

Best Regards,
t.a.k

On Tue, Jan 1, 2013 at 6:10 PM, Polytropon free...@edvax.de wrote:
> On Tue, 1 Jan 2013 14:11:21 +0330, takCoder wrote:
>> everything is fine until i restart my nanoBSD server. the problem is that each time i restart my server, the source system is complaining that i need to edit my known_hosts file cause my nanoBSD hash-code is not matched.. how can i fix this?! it really bothers me cause i think of it as a security problem.. i can't risk such things on my server..
>
> You should make the key permanent (i. e. include it on the boot media you're using). In case no key is found at sshd startup, a new one will be generated - a different one each time, of course. So what you're seeing seems to be normal, even though not desired at all. :-)
>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
Re: ssh server hashcode change on nanoBSD
Don't top-post, please.

takCoder tak.offic...@gmail.com writes:

> but now, a question occurred to me about this ssh key. as i don't know enough about its process, would you please tell me whether this key is a shared key for all ssh clients who send a request? or does it differ as the client changes?

There are a number of keys involved in ssh. The host keys are used at the start of the connection to make sure that some other machine doesn't impersonate the one you wanted. The encryption of the data happens with per-session keys, which are not only different for each client, but for every session. The two types of keys are not related to each other.

> (this question may sound a bit newbiesh, but i don't know much about the ssh process, sorry :) )

Cryptography in general is quite complicated, and ssh is a lot more complicated than just its cryptography.
Re: SSH Access To Live CD? (Was Re: FBSD-9.0-RC3 Disk 1 ISO Bootable?)
Hello, Drew. You wrote on 6 January 2012, 23:44:28:

DT> On 1/6/2012 12:07 PM, Al Plant wrote:
DT>> per...@pluto.rain.com wrote:
DT>>> Al Plant n...@hdk5.net wrote:
DT>>>> I accessed the sshd from the new install screen as an option when I loaded it on the test box. I had to set up the lan manually to first get it up. Then you should be able to use ssh.
DT>>>
DT>>> I take it you either arranged for ssh to accept a direct root login, or added a non-root username. Does the new installer do one of these automatically, or is there more manual configuration involved?
DT>>
DT>> BSD Installer asks if you want to install sshd and click yes. Later you can go to another box on the lan and use the user account to ssh into the new box and su to root. This feature has been on the installs for a while. I used it on sysinstall on 7.*.

DT> OK, so you didn't actually install remotely via ssh. You installed locally and let the installer configure sshd for your new install and it was available after you rebooted into your new install.

DT> I'd like to actually be able to install via ssh. Basically I'd like ssh access to the Live CD so I could partition my drives for zfs prior to installing. And I'd like to do it from a computer that's connected to the web so I can read and copy/paste examples.

DT> Cheers,
DT> Drew

mfsBSD is an interesting project that allows you to install/reinstall the system remotely!

--
Regards,
Коньков mailto:kes-...@yandex.ru
Re: ssh with bridged ap
Again, your /var/log/auth.log should be very helpful in this matter.

Connect on your server with WIFI then do this:

    tail -f /var/log/auth.log

Then, try to connect using the wired connection and see if you get any logs. If you do, post them here :)

If you're connecting from a non-windows box, please pass the -v flag to your ssh client to toggle verbose output and post that here too.

On 9/13/11 2:14 PM, George Vagner wrote:
> I was thinking that maybe because the wired interface doesn't actually have an IP address it is a reverse lookup thing.
>
> -----Original Message-----
> From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Damien Fleuriot
> Sent: Tuesday, September 13, 2011 5:36 AM
> To: freebsd-questions@freebsd.org
> Subject: Re: ssh with bridged ap
>
> On 9/13/11 3:54 AM, george vagner wrote:
>> I have set up a wireless AP with a static IP and bridged it to my internal wired network on RE0. I can successfully connect with WPA to the wireless network and browse other computers on the wired net fine. I can log into the freebsd machine using ssh no problem as long as I connect via the wireless network. If I try and log into the freebsd machine using the wired network I get a login prompt for username, then I get the password prompt, but after typing in my password it always says login incorrect. It doesn't do this if I am on the wireless net. Maybe something in the sshd config about bridged connections?
>
> Maybe an excerpt from your /var/log/auth.log at that time, too...
>
> Might turn out that you don't get anything in /var/log/auth.log which would indicate that, when using the wired IP of the machine, you're actually connecting to another host.
Re: ssh with bridged ap
On 9/13/11 3:54 AM, george vagner wrote:
> I have set up a wireless AP with a static IP and bridged it to my internal wired network on RE0. I can successfully connect with WPA to the wireless network and browse other computers on the wired net fine. I can log into the freebsd machine using ssh no problem as long as I connect via the wireless network. If I try and log into the freebsd machine using the wired network I get a login prompt for username, then I get the password prompt, but after typing in my password it always says login incorrect. It doesn't do this if I am on the wireless net. Maybe something in the sshd config about bridged connections?

Maybe an excerpt from your /var/log/auth.log at that time, too...

Might turn out that you don't get anything in /var/log/auth.log which would indicate that, when using the wired IP of the machine, you're actually connecting to another host.
RE: ssh with bridged ap
I was thinking that maybe because the wired interface doesn't actually have an IP address it is a reverse lookup thing.

-----Original Message-----
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Damien Fleuriot
Sent: Tuesday, September 13, 2011 5:36 AM
To: freebsd-questions@freebsd.org
Subject: Re: ssh with bridged ap

On 9/13/11 3:54 AM, george vagner wrote:
> I have set up a wireless AP with a static IP and bridged it to my internal wired network on RE0. I can successfully connect with WPA to the wireless network and browse other computers on the wired net fine. I can log into the freebsd machine using ssh no problem as long as I connect via the wireless network. If I try and log into the freebsd machine using the wired network I get a login prompt for username, then I get the password prompt, but after typing in my password it always says login incorrect. It doesn't do this if I am on the wireless net. Maybe something in the sshd config about bridged connections?

Maybe an excerpt from your /var/log/auth.log at that time, too...

Might turn out that you don't get anything in /var/log/auth.log which would indicate that, when using the wired IP of the machine, you're actually connecting to another host.
RE: ssh with bridged ap solved
Allow connections to forwarded ports in sshd config

-----Original Message-----
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of George Vagner
Sent: Tuesday, September 13, 2011 8:14 AM
To: freebsd-questions@freebsd.org
Subject: RE: ssh with bridged ap

I was thinking that maybe because the wired interface doesn't actually have an IP address it is a reverse lookup thing.

-----Original Message-----
From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of Damien Fleuriot
Sent: Tuesday, September 13, 2011 5:36 AM
To: freebsd-questions@freebsd.org
Subject: Re: ssh with bridged ap

On 9/13/11 3:54 AM, george vagner wrote:
> I have set up a wireless AP with a static IP and bridged it to my internal wired network on RE0. I can successfully connect with WPA to the wireless network and browse other computers on the wired net fine. I can log into the freebsd machine using ssh no problem as long as I connect via the wireless network. If I try and log into the freebsd machine using the wired network I get a login prompt for username, then I get the password prompt, but after typing in my password it always says login incorrect. It doesn't do this if I am on the wireless net. Maybe something in the sshd config about bridged connections?

Maybe an excerpt from your /var/log/auth.log at that time, too...

Might turn out that you don't get anything in /var/log/auth.log which would indicate that, when using the wired IP of the machine, you're actually connecting to another host.
Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1
On Tue, Jul 12, 2011 at 03:18:07AM -0700, per...@pluto.rain.com wrote:
> DISPLAY is not getting set in a remote shell started by ssh -X.
>
>     $ echo $DISPLAY
>     :0.0
>     $ ssh -X [server] 'echo DISPLAY=%$DISPLAY%'
>     DISPLAY=%%
>
> How would I go about debugging this?
>
> DISPLAY _is_ set correctly on the ssh client -- I am running in an xterm there, and can successfully start another (local) one -- and the word DISPLAY is not present in any of the shell startup files (.bash*, .cshrc, .login, .profile, .shrc) on either the ssh client or the ssh server.
>
> The ssh client is FreeBSD 6.1 and the ssh server is FreeBSD 8.1. It does work correctly in the other direction (using the 8.1 system as the ssh client and the 6.1 system as the ssh server), and I can run X11 programs on the 8.1 system, displaying on the 6.1 system, provided I set DISPLAY appropriately on the 8.1 system. It's only the ssh X11 forwarding that's broken, and only in one direction.

Have you tried putting:

    DISPLAY=:0.0

in ~/.ssh/environment on the machine that's not setting DISPLAY properly?

Regards,

--
Frank

Contact info: http://www.shute.org.uk/misc/contact.html
Solved: Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1
Mark Felder f...@feld.me wrote:
> On Tue, 12 Jul 2011 00:06:33 -0500, Michael Sierchio ku...@tenebras.com wrote:
>> xauth not in your path?
>
> ssh -Y skips all auth stuff so you don't need xauth; he said that didn't work either :-(

Well, apparently, even -Y needs xauth (which was not installed on the 8.1 system) on the ssh server -- although not on the ssh client. After installing it:

    $ ssh -Y fbsd81 'echo DISPLAY=%$DISPLAY%'
    /usr/local/bin/xauth: creating new authority file /home/perryh/.Xauthority
    DISPLAY=%localhost:10.0%

and -X also works :) so this turns out to have been the solution.

Next question: shouldn't I have gotten some kind of error message when attempting ssh -X or ssh -Y when xauth wasn't available?
Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1
Frank Shute fr...@shute.org.uk wrote:
> On Tue, Jul 12, 2011 at 03:18:07AM -0700, per...@pluto.rain.com wrote:
>> DISPLAY is not getting set in a remote shell started by ssh -X.
>> ...
>
> Have you tried putting:
>
>     DISPLAY=:0.0
>
> in ~/.ssh/environment on the machine that's not setting DISPLAY properly?

Wouldn't that cause the remote app -- which is running on the ssh server -- to (try to) use that machine's own local display? A port-forwarded connection normally has something along the lines of DISPLAY=localhost:10.0 (but it can't be hard-coded, because the 10 part will vary depending on what-all port-forwarded connections exist).
Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1
This sounds silly, but what happens if you try ssh -Y

Regards,

Mark
Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1
Mark Felder f...@feld.me wrote:
> This sounds silly, but what happens if you try ssh -Y

Exactly the same thing as with -X, in either direction. It still fails with the 6.1 system as the ssh client, and works with the 6.1 system as the ssh server
Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1
xauth not in your path?

On Tue, Jul 12, 2011 at 4:46 AM, per...@pluto.rain.com wrote: Mark Felder f...@feld.me wrote: This sounds silly, but what happens if you try ssh -Y Exactly the same thing as with -X, in either direction. It still fails with the 6.1 system as the ssh client, and works with the 6.1 system as the ssh server
Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1
On Tue, 12 Jul 2011 00:06:33 -0500, Michael Sierchio ku...@tenebras.com wrote: xauth not in your path?

ssh -Y skips all auth stuff so you don't need xauth; he said that didn't work either :-(
Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1
It still fails with the 6.1 system as the ssh client, and works with the 6.1 system as the ssh server

Is X11Forwarding yes set in the server config of the failing direction?

-- Eitan Adler
Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1
Eitan Adler li...@eitanadler.com wrote: It still fails with the 6.1 system as the ssh client, and works with the 6.1 system as the ssh server Is X11Forwarding yes set in the server config of the failing direction?

Both seem to be defaulted. On 6.1:

$ egrep -C 2 X11Forwarding /etc/ssh/sshd_config
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes

On 8.1:

$ egrep -C 2 X11Forwarding /etc/ssh/sshd_config
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
--
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
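The egrep output above shows only commented lines; in the stock sshd_config those are documentation of the compiled-in defaults, not settings, so grepping them says nothing about what is actually configured. The following POSIX sh checker reports the value sshd will apply for a keyword (first uncommented occurrence in the global section, stopping at the first Match block). It is an added example, not from the thread or from OpenSSH, and the config file it reads in the demo is constructed:

```shell
#!/bin/sh
# Report the value sshd will actually use for a keyword. Lines such as
# "#X11Forwarding yes" are comments showing the compiled-in default; sshd
# honours only uncommented lines, takes the first one it finds, and applies
# lines inside a Match block conditionally, so the reader stops at Match.

effective_setting() {
    # $1 = sshd_config path, $2 = keyword (case-insensitive), $3 = default
    kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }                   # blank or comment
        tolower($1) == "match" { exit }                 # conditional section
        tolower($1) == kw { print $2; found = 1; exit } # first match wins
        END { if (!found) print def " (default)" }
    ' "$1"
}

# Demo on a constructed config (not a real host's file): the commented
# X11Forwarding line is ignored, the first uncommented one wins, and the
# one inside the Match block is left alone.
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
#X11Forwarding yes
X11Forwarding no
X11Forwarding yes
#PermitRootLogin no
Match User anoncvs
    X11Forwarding yes
EOF
effective_setting "$demo_config" X11Forwarding yes    # prints: no
effective_setting "$demo_config" PermitRootLogin no   # prints: no (default)
rm -f "$demo_config"
```

Pass the compiled-in default as the third argument (the value shown in the commented line), since the script cannot know it; FreeBSD's sshd_config comments are the place to read it off.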
Re: SSH persistent sessions without screen?
On Thu, 2011-03-31 at 09:00 -0700, Chris Telting wrote: I would like to have something like virtual terminals that continue running no matter if ssh is connected to them or not. Something like the screen utility. But I don't want to use screen,

tmux?

I'm looking for something more automated. Maybe even be able to have multiple connections on different computers. I have a number of computers and I like to use each for batch processing different stuff, especially compiling. I'm mostly interested in connecting to running sessions from a mobile android phone. I don't want to keep having to manually login every time through screen and it should be tolerant of a dropped connection. I'm thinking there is probably a way to do this with just ssh. Maybe have separate sshd daemons running on specific ports. Any ideas? Chris
Re: SSH persistent sessions without screen?
* Chris Telting christopher...@telting.org [2011-03-31 09:00:02-0700]: Something like the screen utility. But I don't want to use screen, I'm looking for something more automated.

tmux can do this, and unlike GNU screen, can be easily scripted. Check it out, we started using it at $work early year and we had about 2 dozen people move permanently from screen (like me, they'd been using it for years) to tmux.

Thomas
Re: SSH persistent sessions without screen?
On Thu, Mar 31, 2011 at 09:00:02AM -0700, Chris Telting wrote: I would like to have something like virtual terminals that continue running no matter if ssh is connected to them or not. Something like the screen utility. But I don't want to use screen, I'm looking for something more automated. Maybe even be able to have multiple connections on different computers. I have a number of computers and I like to use each for batch processing different stuff, especially compiling. I'm mostly interested in connecting to running sessions from a mobile android phone. I don't want to keep having to manually login every time through screen and it should be tolerant of a dropped connection. I'm thinking there is probably a way to do this with just ssh. Maybe have separate sshd daemons running on specific ports. Any ideas?

I'm not 100% clear on what you're trying to avoid from GNU Screen, but my first thought when you said you wanted persistent sessions without GNU Screen was tmux. Count mine as a third vote for tmux, if that suits your needs. Depending on your actual needs, you could also look into using the nohup command. It's not a terminal multiplexer but, in the words of the manpage, it allows you to run a command immune to hangups, with output to a non-tty.

-- Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
Re: ssh interactive session, through intermediate hosts ... problems ...
On Fri, Dec 3, 2010 at 4:43 PM, Josh Suid joshs...@yahoo.com wrote: First, where on the ssh client command line (see above) can I specify a more liberal timeout value ? Since my interactive session has three or more layers of host between it, the whole thing falls apart if even one link slows down a bit... how can I make my ssh sessions more tolerant to timeouts ?

At what point are you seeing timeouts? I've found many home routers time out idle TCP sessions quite quickly, so if it's the first jump, you may find enabling ClientAliveInterval helps. I find a setting of 300 seconds (5 minutes) is frequent enough to keep most routers happy.

Second, how can I construct this session with just a single command ? When I try this: ssh u...@host ssh u...@host2 ssh u...@host3 I get this error:

# ssh u...@host ssh u...@host2
Pseudo-terminal will not be allocated because stdin is not a terminal.
Permission denied (publickey,keyboard-interactive).

Is there a way to build this tunnel with a single command ? (an ssh command, run over an ssh command, run over an ssh command)

Normally when you execute a command over SSH it doesn't allocate a pseudo-tty, like it normally will for an interactive session. You might try passing the -t command to force allocation of a ptty. Another option would be to use ssh -L to create a tunnel from one host to another, then running ssh over that tunnel. This would also work with scp. You may run into problems with host keys, though.
Re: ssh interactive session, through intermediate hosts ... problems ...
On Fri, Dec 3, 2010 at 6:43 PM, Josh Suid joshs...@yahoo.com wrote:

# ssh u...@host ssh u...@host2
Pseudo-terminal will not be allocated because stdin is not a terminal.
Permission denied (publickey,keyboard-interactive).

Is there a way to build this tunnel with a single command ? (an ssh command, run over an ssh command, run over an ssh command) Finally, is there a way to scp a file over intermediate hosts ? That is to say, I want to scp the file: u...@host:/some/file to myself, but I want the ssh session to go through hosts X and Y first ... there must be a way to do this where you pipe the output of scp over ssh to ... head spinning...

Generally speaking, you'll do something like this: http://www.rzg.mpg.de/networkservices/ssh-tunnelling-port-forwarding then you can do fancier stuff to speed up working like passwordless logins, terminal multiplexers like tmux etc. You may also wish to consider setting up a VPN.

-- Adam Vande More
Re: ssh-agent and ssh-add on FreeBSD
On Mon, Nov 29, 2010 at 8:40 AM, bluethundr bluethu...@gmail.com wrote: Hey list On my CentOS machines I usually keep track of my rsa key with ssh-agent, ssh-add and keychain I would like to know a) how to install keychain under FreeBSD and b) how to fix this error:

[bluethu...@lbsd2:~]#ssh sum1
Enter passphrase for key '/home/bluethundr/.ssh/id_rsa':
[bluethu...@lbsd2:~]#exec ssh-agent bash
[bluethu...@lbsd2:~]#ssh-add
Could not open a connection to your authentication agent.

Whenever I try to ssh to another box on the network (with a homedir shared amongst all centos and FreeBSD machines) it prompts me for my passphrase. Usually on the CentOS boxes exec ssh-agent bash does the trick. Anyone have any idea why this isn't working on the FreeBSD box? thanks!!

The man page for ssh-agent is very informative: http://www.freebsd.org/cgi/man.cgi?query=ssh-agent&sektion=1 I read it recently when setting up my system to do as you're trying to do. Of course, don't hesitate to refer to the EXCELLENT FreeBSD Handbook, it is absolutely one of the best references I've ever seen for any software: http://www.freebsd.org/doc/handbook/openssh.html Good luck!

-Brandon
Re: ssh-agent and ssh-add on FreeBSD
On Mon Nov 29 10, Brandon Gooch wrote: On Mon, Nov 29, 2010 at 8:40 AM, bluethundr bluethu...@gmail.com wrote: Hey list On my CentOS machines I usually keep track of my rsa key with ssh-agent, ssh-add and keychain I would like to know a) how to install keychain under FreeBSD and b) how to fix this error:

[bluethu...@lbsd2:~]#ssh sum1
Enter passphrase for key '/home/bluethundr/.ssh/id_rsa':
[bluethu...@lbsd2:~]#exec ssh-agent bash

^^ this looks wrong. i think you want eval `ssh-agent` so the envars get set. otherwise ssh-add won't know where to look for a running ssh-agent. cheers. alex

[bluethu...@lbsd2:~]#ssh-add
Could not open a connection to your authentication agent.

Whenever I try to ssh to another box on the network (with a homedir shared amongst all centos and FreeBSD machines) it prompts me for my passphrase. Usually on the CentOS boxes exec ssh-agent bash does the trick. Anyone have any idea why this isn't working on the FreeBSD box? thanks!! The man page for ssh-agent is very informative: http://www.freebsd.org/cgi/man.cgi?query=ssh-agent&sektion=1 I read it recently when setting up my system to do as you're trying to do. Of course, don't hesitate to refer to the EXCELLENT FreeBSD Handbook, it is absolutely one of the best references I've ever seen for any software: http://www.freebsd.org/doc/handbook/openssh.html Good luck! -Brandon

-- a13x
Re: ssh-agent and ssh-add on FreeBSD
On 29/11/2010 19:08, Alexander Best wrote:

[bluethu...@lbsd2:~]#ssh sum1
Enter passphrase for key '/home/bluethundr/.ssh/id_rsa':
[bluethu...@lbsd2:~]#exec ssh-agent bash

^^ this looks wrong. i think you want eval `ssh-agent` so the envars get set. otherwise ssh-add won't know where to look for a running ssh-agent.

Both forms are correct. eval $(ssh-agent) modifies the environment in the current shell so ssh-add can contact ssh-agent, whereas ssh-agent bash causes ssh-agent to run a copy of bash, which it will pass the appropriate environmental settings down to. exec is just gravy, in that it replaces the current shell with the ssh-agent process, rather than leaving it lying around uselessly.

For the OP: no good idea why the command isn't working for you. Try it without the exec and also try it adding '-d' to the ssh-agent flags to see if the debug output contains any clues. Be sure /tmp has the correct permissions (1777) and that the partition hasn't filled up, so running ssh-agent can create a directory containing the unix domain socket ssh-add uses to connect to the agent.

As for installing keychain try:

# cd /usr/ports/security/keychain
# make all install clean

or if you've installed it:

# portmaster security/keychain

Cheers, Matthew

-- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matt...@infracaninophile.co.uk Kent, CT11 9PW
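To make the difference between eval $(ssh-agent) and ssh-agent bash concrete, and to show what ssh-add is actually looking for when it reports "Could not open a connection to your authentication agent", here is an added POSIX sh example; it is not from the thread or from OpenSSH. It parses a constructed copy of ssh-agent's sh-style output (the socket path and pids in it are made up) and classifies the SSH_AUTH_SOCK state of the shell it runs in, which is the same thing ssh-add does before it can talk to an agent:

```shell
#!/bin/sh
# ssh-add finds the agent only through SSH_AUTH_SOCK in its own environment.
# "eval $(ssh-agent)" exports it into the current shell; "ssh-agent bash"
# exports it into the bash it starts. An ssh-add run in any other shell,
# or after the agent has gone away, fails with the error quoted above.

# What eval would set: pull the socket path and pid out of ssh-agent's own
# shell-style output. Assumes the Bourne-shell form ssh-agent prints (the
# csh form uses setenv and is not handled here).
agent_sock_from_output() {
    printf '%s\n' "$1" | sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p'
}
agent_pid_from_output() {
    printf '%s\n' "$1" | sed -n 's/^SSH_AGENT_PID=\([^;]*\);.*/\1/p'
}

# The state ssh-add would find in this shell:
#   unset        - no SSH_AUTH_SOCK here (the eval/exec never happened in this shell)
#   missing      - variable set but the path is gone (agent exited, /tmp cleaned)
#   not-a-socket - path exists but is not a unix socket (look at /tmp)
#   ok           - a socket is there; if ssh-add still fails, try ssh-agent -d
agent_status() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then echo unset
    elif [ ! -e "$SSH_AUTH_SOCK" ]; then echo missing
    elif [ ! -S "$SSH_AUTH_SOCK" ]; then echo not-a-socket
    else echo ok
    fi
}

# Constructed sample of ssh-agent's output (not captured from a real host).
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-CONSTRUCTED/agent.12345; export SSH_AUTH_SOCK;
SSH_AGENT_PID=12346; export SSH_AGENT_PID;
echo Agent pid 12346;'

echo "socket from agent output: $(agent_sock_from_output "$SAMPLE_AGENT_OUTPUT")"
echo "pid from agent output:    $(agent_pid_from_output "$SAMPLE_AGENT_OUTPUT")"
echo "agent state in this shell: $(agent_status)"
```

Run it from the shell in which ssh-add fails: "unset" means the environment was never set in that shell, which is the usual cause; "missing" or "not-a-socket" points at /tmp, as Matthew suggests.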
Re: ssh authentication error
On Thu, Nov 11, 2010 at 10:06, Jerrin slackma...@gmail.com wrote: Hi, On a mac system i generated the key using ssh-keygen -t dsa and copied .ssh/id_dsa.pub to /home/user/.ssh/authorized_keys on a Freebsd server, but it prompts for the password

Check perms on /home/user/.ssh/authorized_keys chmod 640 or 600, not 644 If that doesn't work, try to ssh with a -v or -vv, that might give you more of a clue
Re: ssh authentication error
On Fri, Nov 12, 2010 at 5:58 PM, xSAPPYx xsap...@gmail.com wrote: On Thu, Nov 11, 2010 at 10:06, Jerrin slackma...@gmail.com wrote: Hi, On a mac system i generated the key using ssh-keygen -t dsa and copied .ssh/id_dsa.pub to /home/user/.ssh/authorized_keys on a Freebsd server, but it prompts for the password Check perms on /home/user/.ssh/authorized_keys chmod 640 or 600, not 644 If that doesn't work, try to ssh with a -v or -vv, that might give you more of a clue

That's the permissions of my authorized_keys, I believe that's 0600, some systems require a much more restrictive 0400 octal.

-rwxr--r-- 1 chris chris 622B Jun 28 21:36 authorized_keys

Did you know... If you play a Windows 2000 CD backwards, you hear satanic messages, but what's worse is when you play it forward ...it installs Windows 2000 -- Alfred Perlstein on chat at freebsd.org
Re: ssh authentication error
Chris Brennan writes: Check perms on /home/user/.ssh/authorized_keys chmod 640 or 600, not 644 That's the permissions of my authorized_keys, I believe that's 0600, some systems require a much more restrictive 0400 octal.

-rwxr--r-- 1 chris chris 622B Jun 28 21:36 authorized_keys

Um, I think that's 744. Whether the appropriate code cares

Robert Huff
Re: ssh key authentication problem...
On Thu, Oct 28, 2010 at 10:13:12PM +0100, krad wrote: On 28 October 2010 20:39, Peter Harrison peter.piggy...@virgin.net wrote: Can anyone help me debug an ssh key-based authentication problem? I have an 8.1-R server running sshd, with one user account. On the server, I've used ssh-keygen to generate id_rsa and id_rsa.pub. On my laptop I then pulled the id_rsa.pub file over and:

% cat id_rsa.pub .ssh/authorized_keys

Now I try to login from the laptop (also 8.1-R) to the server. It pauses for a second and presents me with a 'Password:' prompt, so obviously the key authentication isn't working. Here's a debugging chunk from sshd run with '-ddd' flags:

debug1: PAM: initializing for peter
debug1: userauth-request for user peter service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: PAM: setting PAM_RHOST to 192.168.1.4
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x286067c0
debug1: trying public key file /home/peter/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/usr/home/peter/.ssh'
debug3: secure_filename: checking '/usr/home/peter'
debug3: secure_filename: terminating check at '/usr/home/peter'
debug2: key not found
debug1: trying public key file /home/peter/.ssh/authorized_keys2
Failed publickey for peter from 192.168.1.4 port 43046 ssh2
debug3: mm_answer_keyallowed: key 0x286067c0 is not allowed
debug3: mm_request_send entering: type 21
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: mm_request_receive entering
debug1: userauth-request for user peter service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs

Anyone suggest what I'm doing wrong? TIA. Peter Harrison.

you have set up the keys the wrong way around by the sound of it. The ssh server should have the public keys only in the authorized_keys files, and your client/desktop should have the private keys in your ~/.ssh

Now I feel like a right berk. Thanks for putting me on the right track, I have it working now. Regards, Peter Harrison.
Re: ssh key authentication problem...
On Thu, Oct 28, 2010 at 02:17:14PM -0700, Chuck Swiger wrote: Hi-- On Oct 28, 2010, at 12:39 PM, Peter Harrison wrote:

debug1: trying public key file /home/peter/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/usr/home/peter/.ssh'
debug3: secure_filename: checking '/usr/home/peter'
debug3: secure_filename: terminating check at '/usr/home/peter'
debug2: key not found

It's likely that the permissions to the private key are wrong somewhere in the path. Something like chmod go-w / /usr /usr/home /usr/home/peter /usr/home/peter/.ssh /usr/home/peter/.ssh/id_rsa is likely to help Regards, -- -Chuck

You were right that there was a permissions problem in there too. It's sorted now, thanks for the assist. Peter Harrison.
Re: ssh key authentication problem...
On Thu, Oct 28, 2010 at 10:18:41PM -0400, Mikel King wrote: Peter, Have you verified permissions of 700 on .ssh and 640 on authorized_keys and authorized_keys2? If you do not have an authorized_keys2 simply copy the former to that name and give it a go. Cheers, Mikel King

Mikel - you were right I didn't have the permission correct, but it doesn't work if I have it set to anything other than 0600 for authorized_keys? Thanks for the help. Peter Harrison.

_
From: Peter Harrison [mailto:peter.piggy...@virgin.net]
To: questi...@freebsd.org
Sent: Thu, 28 Oct 2010 15:39:53 -0400
Subject: ssh key authentication problem...

Can anyone help me debug an ssh key-based authentication problem? I have an 8.1-R server running sshd, with one user account. On the server, I've used ssh-keygen to generate id_rsa and id_rsa.pub. On my laptop I then pulled the id_rsa.pub file over and:

% cat id_rsa.pub .ssh/authorized_keys

Now I try to login from the laptop (also 8.1-R) to the server. It pauses for a second and presents me with a 'Password:' prompt, so obviously the key authentication isn't working. Here's a debugging chunk from sshd run with '-ddd' flags:

debug1: PAM: initializing for peter
debug1: userauth-request for user peter service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: PAM: setting PAM_RHOST to 192.168.1.4
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x286067c0
debug1: trying public key file /home/peter/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/usr/home/peter/.ssh'
debug3: secure_filename: checking '/usr/home/peter'
debug3: secure_filename: terminating check at '/usr/home/peter'
debug2: key not found
debug1: trying public key file /home/peter/.ssh/authorized_keys2
Failed publickey for peter from 192.168.1.4 port 43046 ssh2
debug3: mm_answer_keyallowed: key 0x286067c0 is not allowed
debug3: mm_request_send entering: type 21
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: mm_request_receive entering
debug1: userauth-request for user peter service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs

Anyone suggest what I'm doing wrong? TIA. Peter Harrison.
Re: ssh key authentication problem...
On 10/28/10 3:39 PM, Peter Harrison wrote: Can anyone help me debug an ssh key-based authentication problem? I have an 8.1-R server running sshd, with one user account. On the server, I've used ssh-keygen to generate id_rsa and id_rsa.pub. On my laptop I then pulled the id_rsa.pub file over and:

% cat id_rsa.pub .ssh/authorized_keys

Either I'm having reading comprehension problems, or you've got things backwards. If you're trying to log into the server across the network, the id_rsa.pub file goes into .ssh/authorized_keys file on the server, and the id_rsa file lives on your laptop, all nicely secured with a passphrase in case somebody steals your laptop.

--Jon Radel j...@radel.com
Re: ssh key authentication problem...
On 28 October 2010 20:39, Peter Harrison peter.piggy...@virgin.net wrote: Can anyone help me debug an ssh key-based authentication problem? I have an 8.1-R server running sshd, with one user account. On the server, I've used ssh-keygen to generate id_rsa and id_rsa.pub. On my laptop I then pulled the id_rsa.pub file over and:

% cat id_rsa.pub .ssh/authorized_keys

Now I try to login from the laptop (also 8.1-R) to the server. It pauses for a second and presents me with a 'Password:' prompt, so obviously the key authentication isn't working. Here's a debugging chunk from sshd run with '-ddd' flags:

debug1: PAM: initializing for peter
debug1: userauth-request for user peter service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: PAM: setting PAM_RHOST to 192.168.1.4
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x286067c0
debug1: trying public key file /home/peter/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/usr/home/peter/.ssh'
debug3: secure_filename: checking '/usr/home/peter'
debug3: secure_filename: terminating check at '/usr/home/peter'
debug2: key not found
debug1: trying public key file /home/peter/.ssh/authorized_keys2
Failed publickey for peter from 192.168.1.4 port 43046 ssh2
debug3: mm_answer_keyallowed: key 0x286067c0 is not allowed
debug3: mm_request_send entering: type 21
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: mm_request_receive entering
debug1: userauth-request for user peter service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs

Anyone suggest what I'm doing wrong? TIA. Peter Harrison.

you have set up the keys the wrong way around by the sound of it. The ssh server should have the public keys only in the authorized_keys files, and your client/desktop should have the private keys in your ~/.ssh
Re: ssh key authentication problem...
You have to do it the other way: generate at the laptop, put the public key in authorized_keys at the server, and then you will be able to ssh to the server from the laptop using key authorization

On Thu, 28 Oct 2010 20:39:53 +0100 Peter Harrison peter.piggy...@virgin.net wrote: Can anyone help me debug an ssh key-based authentication problem? I have an 8.1-R server running sshd, with one user account. On the server, I've used ssh-keygen to generate id_rsa and id_rsa.pub. On my laptop I then pulled the id_rsa.pub file over and:

% cat id_rsa.pub .ssh/authorized_keys

Now I try to login from the laptop (also 8.1-R) to the server. It pauses for a second and presents me with a 'Password:' prompt, so obviously the key authentication isn't working. Here's a debugging chunk from sshd run with '-ddd' flags:

debug1: PAM: initializing for peter
debug1: userauth-request for user peter service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: PAM: setting PAM_RHOST to 192.168.1.4
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x286067c0
debug1: trying public key file /home/peter/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/usr/home/peter/.ssh'
debug3: secure_filename: checking '/usr/home/peter'
debug3: secure_filename: terminating check at '/usr/home/peter'
debug2: key not found
debug1: trying public key file /home/peter/.ssh/authorized_keys2
Failed publickey for peter from 192.168.1.4 port 43046 ssh2
debug3: mm_answer_keyallowed: key 0x286067c0 is not allowed
debug3: mm_request_send entering: type 21
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: mm_request_receive entering
debug1: userauth-request for user peter service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs

Anyone suggest what I'm doing wrong? TIA. Peter Harrison.
Re: ssh key authentication problem...
On 28 October 2010 22:13, krad kra...@gmail.com wrote: On 28 October 2010 20:39, Peter Harrison peter.piggy...@virgin.net wrote: Can anyone help me debug an ssh key-based authentication problem? I have an 8.1-R server running sshd, with one user account. On the server, I've used ssh-keygen to generate id_rsa and id_rsa.pub. On my laptop I then pulled the id_rsa.pub file over and:

% cat id_rsa.pub .ssh/authorized_keys

Now I try to login from the laptop (also 8.1-R) to the server. It pauses for a second and presents me with a 'Password:' prompt, so obviously the key authentication isn't working. Here's a debugging chunk from sshd run with '-ddd' flags:

debug1: PAM: initializing for peter
debug1: userauth-request for user peter service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug1: PAM: setting PAM_RHOST to 192.168.1.4
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x286067c0
debug1: trying public key file /home/peter/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: secure_filename: checking '/usr/home/peter/.ssh'
debug3: secure_filename: checking '/usr/home/peter'
debug3: secure_filename: terminating check at '/usr/home/peter'
debug2: key not found
debug1: trying public key file /home/peter/.ssh/authorized_keys2
Failed publickey for peter from 192.168.1.4 port 43046 ssh2
debug3: mm_answer_keyallowed: key 0x286067c0 is not allowed
debug3: mm_request_send entering: type 21
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa
debug3: mm_request_receive entering
debug1: userauth-request for user peter service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs

Anyone suggest what I'm doing wrong? TIA. Peter Harrison.

you have set up the keys the wrong way around by the sound of it. The ssh server should have the public keys only in the authorized_keys files, and your client/desktop should have the private keys in your ~/.ssh

note the server does have private and public keys, but they are host keys not user ones and are stored in /etc/ssh/. You don't normally have to generate these as the rc scripts take care of that on the 1st invocation
Re: ssh key authentication problem...
On Thu, Oct 28, 2010 at 12:39 PM, Peter Harrison peter.piggy...@virgin.net wrote:
> Can anyone help me debug an ssh key-based authentication problem?
>
> I have an 8.1-R server running sshd, with one user account. On the server, I've used ssh-keygen to generate id_rsa and id_rsa.pub. On my laptop I then pulled the id_rsa.pub file over and:
>
>     % cat id_rsa.pub >> .ssh/authorized_keys

i assume you copied it to ~/.ssh/authorized_keys or $HOME/.ssh/authorized_keys?

other things worth checking are permissions of ~/.ssh and the files contained in there? man 1 ssh details permissions, but briefly:

    ~/.ssh/authorized_keys
        Lists the public keys (RSA/DSA) that can be used for logging in as
        this user. The format of this file is described in the sshd(8)
        manual page. This file is not highly sensitive, but the recommended
        permissions are read/write for the user, and not accessible by
        others.

it also covers other files as well.

HTH
-pete

--
pete wright
www.nycbug.org
Re: ssh key authentication problem...
Hi--

On Oct 28, 2010, at 12:39 PM, Peter Harrison wrote:
>     debug1: trying public key file /home/peter/.ssh/authorized_keys
>     debug1: fd 4 clearing O_NONBLOCK
>     debug3: secure_filename: checking '/usr/home/peter/.ssh'
>     debug3: secure_filename: checking '/usr/home/peter'
>     debug3: secure_filename: terminating check at '/usr/home/peter'
>     debug2: key not found

It's likely that the permissions to the private key are wrong somewhere in the path. Something like

    chmod go-w / /usr /usr/home /usr/home/peter /usr/home/peter/.ssh /usr/home/peter/.ssh/id_rsa

is likely to help

Regards,
--
-Chuck
Re: ssh key authentication problem...
Peter,

Have you verified permissions of 700 on .ssh and 640 on authorized_keys and authorized_keys2? If you do not have an authorized_keys2 simply copy the former to that name and give it a go.

Cheers,
Mikel King

_____
From: Peter Harrison [mailto:peter.piggy...@virgin.net]
To: questi...@freebsd.org
Sent: Thu, 28 Oct 2010 15:39:53 -0400
Subject: ssh key authentication problem...

> Can anyone help me debug an ssh key-based authentication problem?
>
> I have an 8.1-R server running sshd, with one user account. On the server, I've used ssh-keygen to generate id_rsa and id_rsa.pub. On my laptop I then pulled the id_rsa.pub file over and:
>
>     % cat id_rsa.pub >> .ssh/authorized_keys
>
> Now I try to login from the laptop (also 8.1-R) to the server. It pauses for a second and presents me with a 'Password:' prompt, so obviously the key authentication isn't working.
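The permission walk that the "secure_filename: checking ..." lines in the debug output above describe, written out as an added shell example (not code from any poster): it checks an authorized_keys file and every directory above it up to the user's home directory for group/other write bits and for ownership by anyone other than the user or root, which is what sshd's StrictModes check rejects. The file, user and home directory are whatever the caller passes; the self-test builds a throwaway tree under mktemp.

```shell
#!/bin/sh
# Added example (not from any poster): walk from an authorized_keys file up to
# the user's home directory the way sshd's StrictModes check does, and report
# every component that is group- or other-writable or not owned by the user
# or root. The file, user and home directory are whatever the caller passes.

# mode_digit_writable DIGIT -> succeeds when the octal permission digit has w set
mode_digit_writable() {
    case $1 in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# file_mode PATH -> permission bits in octal (GNU stat, falling back to BSD stat)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# file_owner PATH -> owner user name (GNU stat, falling back to BSD stat)
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_ssh_path FILE USER HOME
# Returns 0 when FILE and every directory above it up to and including HOME
# is acceptable, 1 when any component fails a check, 2 when FILE is missing.
check_ssh_path() {
    file=$1 user=$2 home=$3 bad=0
    if [ ! -e "$file" ]; then
        echo "missing: $file"
        return 2
    fi
    p=$file
    while :; do
        mode=$(file_mode "$p")
        owner=$(file_owner "$p")
        other=${mode#"${mode%?}"}      # last octal digit: permissions for others
        rest=${mode%?}
        group=${rest#"${rest%?}"}      # second-to-last digit: group permissions
        if mode_digit_writable "$group" || mode_digit_writable "$other"; then
            echo "bad mode $mode on $p (group/other writable)"
            bad=1
        fi
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "bad owner $owner on $p (expected $user or root)"
            bad=1
        fi
        if [ "$p" = "$home" ]; then
            break                      # sshd stops at the home directory
        fi
        if [ "$p" = / ]; then
            echo "reached / without passing through $home"
            bad=1
            break
        fi
        p=$(dirname "$p")
    done
    return $bad
}

# check_ssh_path_selftest -> 0 when a clean constructed tree passes and the same
# tree with a group-writable .ssh is rejected (throwaway directory under mktemp)
check_ssh_path_selftest() {
    t=$(mktemp -d) || return 1
    me=$(id -un)
    mkdir -p "$t/home/.ssh" || return 1
    chmod 755 "$t/home" && chmod 700 "$t/home/.ssh"
    : > "$t/home/.ssh/authorized_keys"
    chmod 600 "$t/home/.ssh/authorized_keys"
    rc=0
    check_ssh_path "$t/home/.ssh/authorized_keys" "$me" "$t/home" >/dev/null || rc=1
    chmod g+w "$t/home/.ssh"
    check_ssh_path "$t/home/.ssh/authorized_keys" "$me" "$t/home" >/dev/null && rc=1
    rm -rf "$t"
    return $rc
}

# Usage: sh thisfile.sh /usr/home/peter/.ssh/authorized_keys peter /usr/home/peter
if [ $# -eq 3 ]; then
    check_ssh_path "$@"
fi
```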
Re: ssh under attack - sessions in accepted state hogging CPU
> On 10/08/10 05.13, Matt Emmerton wrote:
>> I'm in the middle of dealing with a SSH brute force attack that is relentless. I'm working on getting sshguard+ipfw in place to deal with it, but in the meantime, my box is getting pegged because sshd is accepting some connections which are getting stuck in [accepted] state and eating CPU.
>>
>> I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?
>
> If the attack you're experiencing is trying to exhaust system resources by opening a large number of connections, then you may want to toggle these options in sshd_config:
>
>     ClientAliveInterval
>     LoginGraceTime
>     MaxAuthTries
>     MaxSessions
>     MaxStartups
>
> Check the man-page.
>
> Secondly, check your logs to see if this attack is from a limited range of IPs; if so, you might want to try blocking those ranges. If your users will only connect from your country, then blocking other countries in your firewall is very effective.

Thanks to everyone for their help.

I did have MaxSessions set to a small number, but that essentially DoS'd my access to the server when enough sshd processes got hung.

sshguard+ipfw was blocking a large number of attacks, but the other attacks that were coming in and hanging sshd weren't getting caught (because they weren't repetitive.)

I have moved some of my servers to alternate ports, and on the others I tweaked some of the settings Erik suggested which has helped a lot.

Thanks for all the advice.

--
Matt
Re: ssh under attack - sessions in accepted state hogging CPU
One thing I don't see mentioned a lot is port knocking. It's not perfect but it does have its uses. Since it sounds like you have a lot of users that need to connect you might be able to adapt it to your situation.

I haven't tried this specific port knocking sequence but you could set up a knock where if a user attempts to connect to port 22 say 3 times (most clients should auto retry) it then opens up port 22 to that ip and allows them to connect to sshd. This would depend on the type of brute force being done. A distributed botnet might only try an ip/port once or twice then move on. This would be pretty seamless to the end user except for an initial delay when connecting as their client retries the connection until the specific knock threshold has been hit. It's a middle ground to changing the port sshd is operating on. You can do this with firewall rules or http://www.freshports.org/security/knock/.

A lot of SSH attacks are coming from large numbers of compromised hosts that make them very hard to stop with sshguard which is pretty annoying.

On 8/9/2010 8:13 PM, Matt Emmerton wrote:
> Hi all,
>
> I'm in the middle of dealing with a SSH brute force attack that is relentless. I'm working on getting sshguard+ipfw in place to deal with it, but in the meantime, my box is getting pegged because sshd is accepting some connections which are getting stuck in [accepted] state and eating CPU.
>
> I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?
>
>     root 39127 35.2 0.1 6724 3036 ?? Rs 11:10PM 0:37.91 sshd: [accepted] (sshd)
>     root 39368 33.6 0.1 6724 3036 ?? Rs 11:10PM 0:22.99 sshd: [accepted] (sshd)
>     root 39138 33.1 0.1 6724 3036 ?? Rs 11:10PM 0:41.94 sshd: [accepted] (sshd)
>     root 39137 32.5 0.1 6724 3036 ?? Rs 11:10PM 0:36.56 sshd: [accepted] (sshd)
>     root 39135 31.0 0.1 6724 3036 ?? Rs 11:10PM 0:35.09 sshd: [accepted] (sshd)
>     root 39366 30.9 0.1 6724 3036 ?? Rs 11:10PM 0:23.01 sshd: [accepted] (sshd)
>     root 39132 30.8 0.1 6724 3036 ?? Rs 11:10PM 0:35.21 sshd: [accepted] (sshd)
>     root 39131 30.7 0.1 6724 3036 ?? Rs 11:10PM 0:38.07 sshd: [accepted] (sshd)
>     root 39134 30.2 0.1 6724 3036 ?? Rs 11:10PM 0:40.96 sshd: [accepted] (sshd)
>     root 39367 29.3 0.1 6724 3036 ?? Rs 11:10PM 0:22.08 sshd: [accepted] (sshd)
>
>       PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
>     39597 root        1 103    0  6724K  3036K RUN    3   0:28 35.06% sshd
>     39599 root        1 103    0  6724K  3036K RUN    0   0:26 34.96% sshd
>     39596 root        1 103    0  6724K  3036K RUN    0   0:27 34.77% sshd
>     39579 root        1 103    0  6724K  3036K CPU3   3   0:28 33.69% sshd
>     39592 root        1 102    0  6724K  3036K RUN    2   0:27 32.18% sshd
>     39591 root        1 102    0  6724K  3036K CPU2   2   0:27 31.88% sshd
>
> --
> Matt Emmerton
Re: ssh under attack - sessions in accepted state hogging CPU
Hi, Matt--

On Aug 9, 2010, at 8:13 PM, Matt Emmerton wrote:
> I'm in the middle of dealing with a SSH brute force attack that is relentless. I'm working on getting sshguard+ipfw in place to deal with it, but in the meantime, my box is getting pegged because sshd is accepting some connections which are getting stuck in [accepted] state and eating CPU.
>
> I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?

If I wasn't allowed to require that in order to SSH to arbitrary internal machines one would need to do a VPN session, the second choice would be to install the openssh port with tcpwrappers support + denyhosts.

Regards,
--
-Chuck
Re: ssh under attack - sessions in accepted state hogging CPU
On 8/9/2010 8:13 PM, Matt Emmerton wrote:
> Hi all,
>
> I'm in the middle of dealing with a SSH brute force attack that is relentless. I'm working on getting sshguard+ipfw in place to deal with it, but in the meantime, my box is getting pegged because sshd is accepting some connections which are getting stuck in [accepted] state and eating CPU.
>
> I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?
>
> --
> Matt Emmerton

Hi.

There is a cracking/DoS technique, that tries to exhaust a server's resources, by continually issuing connect requests, in the hope that when the stack croaks in some way, it'll somehow drop its guard, or go off air permanently. Have you upset anyone recently?

Can you not move your services to non-standard IP ports, moving away from the standard ports, where all the script kiddies' bots hang out, or are your clients cast in concrete?

I've got FTP, Web and SSH systems running on two sites, on very non-standard ports, with next to no one trying to get in as a result, but maintaining full visibility to the clients that need them, and know where they are! All my standard ports (80, 21, 22 etc) show as non-existent to the outside world, except on one site, where the mail server is continually getting hammered, but the site's ISP say they can't forward mail to any other port.

The users have no problems, so long as I correctly specify the port with the address to them, as in 'address:port' if I send them a link etc, or an example how to fill in a connection dialog.

DJB.
Re: ssh under attack - sessions in accepted state hogging CPU
In freebsd-questions Digest, Vol 323, Issue 3, Message: 35
On Mon, 9 Aug 2010 23:36:57 -0400 Matt Emmerton m...@gsicomp.on.ca wrote:
>>> I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?
>>
>> 1. switch over to using solely RSA keys
>
> In the works; I have too many users to convert :(
>
>> 2. switch to a non-standard port
>
> This is not attractive, even though it would be effective. I tried this once already and my support volume skyrocketed so I had to switch back.

Matt, I've seen later responses; portknocking, tcpwrappers + denyhosts etc. The latter works well, but keeping lists of $badguys updated is becoming more intensive all the time against botnets.

If you're in a position to permit only connections from a table of IP addresses, maybe subnets, there's lots you can do to block connections from elsewhere before they get to sshd (or tcpwrappers), eg with ipfw:

    ipfw add $rule allow tcp from table(22) to me 22 in recv $ext_if setup
    ipfw add deny $logifdesired tcp from any to me 22 in recv $ext_if setup

Add keep-state, or earlier allow established connections, to taste.

For users with varying IPs you can have them do a (say) POP mail check or anything requiring auth, tail its log either live or from a maybe 5 minute cronjob to add $goodguys table entries, simple scripting and it's not too onerous training roaming users to (eg) check mail before login. Adding `date +%s` as the value for added table entries, it's easy enough deleting dynamic entries after some period of time, by cron.

If you can't limit connections to just $goodguys for logistic reasons you can at least use ipfw 'limit' rules to allow only say one or two ssh connections from one IP, which should help the open connections issue.

You could also impose connection limits running sshd from inetd(8):

    [/max-child[/max-connections-per-ip-per-minute[/max-child-per-ip]]]

HTH, Ian
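Ian's timestamped $goodguys table carried through as an added shell example (not Ian's own script). It assumes table 22 as in the rules above, that `ipfw table 22 list` prints one "addr/len value" pair per line, that a value of 0 marks a permanent entry, and, since the POP daemon's log format isn't given, it takes addresses from sshd's own "Accepted ... from ADDR" lines; the functions print the ipfw commands instead of running them so the output can be reviewed or piped to sh from cron.

```shell
#!/bin/sh
# Added example, not Ian's own script: maintain the ipfw address table behind
# the "allow tcp from table(22)" rule, storing `date +%s` as each entry's value
# so that dynamically added addresses can be expired from cron.
# Assumptions: table 22; `ipfw table N list` prints "addr/len value" lines;
# a value of 0 means a permanent entry; successful logins are recognised in
# sshd's "Accepted <method> for <user> from <addr> port <n> ssh2" format.

TABLE=${TABLE:-22}

# goodguy_add ADDR [NOW] -> print the command admitting ADDR, stamped with NOW
# (defaults to the current unix time) so goodguy_expire can age it out later
goodguy_add() {
    addr=$1
    now=${2:-$(date +%s)}
    echo "ipfw table $TABLE add $addr $now"
}

# goodguy_expire MAXAGE NOW < listing -> print a delete command for every
# timestamped entry older than MAXAGE seconds; malformed lines and permanent
# (value 0) entries are left alone
goodguy_expire() {
    maxage=$1 now=$2
    while read -r entry stamp; do
        case $stamp in
            ''|*[!0-9]*) continue ;;   # no value or not a number: skip the line
            0) continue ;;             # permanent entry, never expired
        esac
        if [ $((now - stamp)) -gt "$maxage" ]; then
            echo "ipfw table $TABLE delete $entry"
        fi
    done
}

# goodguys_from_log NOW < auth-log -> print one add command per distinct source
# address that appears in an "Accepted ... from ADDR ..." line
goodguys_from_log() {
    now=$1
    seen=" "
    while read -r line; do
        case $line in
            *"Accepted "*" from "*) ;;
            *) continue ;;             # failures and unrelated lines are ignored
        esac
        addr=${line##* from }          # text after the last " from "
        addr=${addr%% *}               # up to the next blank: the address
        case $seen in *" $addr "*) continue ;; esac
        seen="$seen$addr "
        goodguy_add "$addr" "$now"
    done
}

# Cron usage (as root), e.g. every 5 minutes, feeding only lines logged since
# the previous run:
#   goodguys_from_log "$(date +%s)" < new-auth-lines | sh
#   ipfw table 22 list | goodguy_expire 3600 "$(date +%s)" | sh
```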
Re: ssh under attack - sessions in accepted state hogging CPU
On 10/08/2010 15:25, Dave wrote:
> On 8/9/2010 8:13 PM, Matt Emmerton wrote:
>> Hi all,
>>
>> I'm in the middle of dealing with a SSH brute force attack that is relentless. I'm working on getting sshguard+ipfw in place to deal with it, but in the meantime, my box is getting pegged because sshd is accepting some connections which are getting stuck in [accepted] state and eating CPU.
>>
>> I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?
>>
>> --
>> Matt Emmerton
>
> Hi.
>
> There is a cracking/DoS technique, that tries to exhaust a server's resources, by continually issuing connect requests, in the hope that when the stack croaks in some way, it'll somehow drop its guard, or go off air permanently. Have you upset anyone recently?
>
> Can you not move your services to non-standard IP ports, moving away from the standard ports, where all the script kiddies' bots hang out, or are your clients cast in concrete?
>
> I've got FTP, Web and SSH systems running on two sites, on very non-standard ports, with next to no one trying to get in as a result, but maintaining full visibility to the clients that need them, and know where they are! All my standard ports (80, 21, 22 etc) show as non-existent to the outside world, except on one site, where the mail server is continually getting hammered, but the site's ISP say they can't forward mail to any other port.

I'm in agreement with dave here, about ssh anyway: moving ssh to a non-std port makes a massive difference, do it now!

Paul.

--
Paul Macdonald
IFDNRG Ltd
Web and video hosting
t: 0131 5548070
m: 07534206249
e: p...@ifdnrg.com
w: http://www.ifdnrg.com
IFDNRG, 40 Maritime Street, Edinburgh EH6 6SA
Re: ssh under attack - sessions in accepted state hogging CPU
> On 8/9/2010 8:13 PM, Matt Emmerton wrote:
>> Hi all,
>>
>> I'm in the middle of dealing with a SSH brute force attack that is relentless. I'm working on getting sshguard+ipfw in place to deal with it, but in the meantime, my box is getting pegged because sshd is accepting some connections which are getting stuck in [accepted] state and eating CPU.
>>
>> I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?
>
> There is a cracking/DoS technique, that tries to exhaust a server's resources, by continually issuing connect requests, in the hope that when the stack croaks in some way, it'll somehow drop its guard, or go off air permanently. Have you upset anyone recently?

Not that I know of - unless my wife counts :)

> Can you not move your services to non-standard IP ports, moving away from the standard ports, where all the script kiddies' bots hang out, or are your clients cast in concrete?

Right now, they are cast in concrete. I want to move many of them to public keys, so maybe I will change the port at the same time too.

> I've got FTP, Web and SSH systems running on two sites, on very non-standard ports, with next to no one trying to get in as a result, but maintaining full visibility to the clients that need them, and know where they are! All my standard ports (80, 21, 22 etc) show as non-existent to the outside world, except on one site, where the mail server is continually getting hammered, but the site's ISP say they can't forward mail to any other port.

I have two servers on the same IP block, and one is getting brute-forced and the other is not. I guess it's just a matter of time before the botnets seek it out.

> The users have no problems, so long as I correctly specify the port with the address to them, as in 'address:port' if I send them a link etc, or an example how to fill in a connection dialog.

I'm seriously going to consider this.

--
Matt
Re: ssh under attack - sessions in accepted state hogging CPU
On 10/08/10 05.13, Matt Emmerton wrote:
> I'm in the middle of dealing with a SSH brute force attack that is relentless. I'm working on getting sshguard+ipfw in place to deal with it, but in the meantime, my box is getting pegged because sshd is accepting some connections which are getting stuck in [accepted] state and eating CPU.
>
> I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?

If the attack you're experiencing is trying to exhaust system resources by opening a large number of connections, then you may want to toggle these options in sshd_config:

    ClientAliveInterval
    LoginGraceTime
    MaxAuthTries
    MaxSessions
    MaxStartups

Check the man-page.

Secondly, check your logs to see if this attack is from a limited range of IPs; if so, you might want to try blocking those ranges. If your users will only connect from your country, then blocking other countries in your firewall is very effective.

BR, Erik
Re: ssh under attack - sessions in accepted state hogging CPU
>>> I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?
>>
>> 1. switch over to using solely RSA keys
>
> In the works; I have too many users to convert :(
>
>> 2. switch to a non-standard port
>
> This is not attractive, even though it would be effective. I tried this once already and my support volume skyrocketed.
>
>> 3. what version of openssh are you currently using?
>
> Whatever ships with 8.0-REL, which appears to be:

Best
James
Re: ssh under attack - sessions in accepted state hogging CPU
>> I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?
>
> 1. switch over to using solely RSA keys

In the works; I have too many users to convert :(

> 2. switch to a non-standard port

This is not attractive, even though it would be effective. I tried this once already and my support volume skyrocketed so I had to switch back.

> 3. what version of openssh are you currently using?

Whatever ships with 8.0-REL, which appears to be:

    OpenSSL version OpenSSL 0.9.8k 25 Mar 2009

Regards,
--
Matt
Re: ssh under attack - sessions in accepted state hogging CPU
Hi Matt,

> I know there's not much I can do about the brute force attacks, but will upgrading openssh avoid these stuck connections?

1. switch over to using solely RSA keys
2. switch to a non-standard port
3. what version of openssh are you currently using?

Best
James
Re: ssh: port 22: connection refuused
On Fri, May 07, 2010 at 12:18:25AM -0500, Tim Daneliuk wrote:
> On 5/7/2010 12:13 AM, Gary Kline wrote:
>> SNIP
>
> What's in your /etc/hosts.allow file?

    # Start by allowing everything (this prevents the rest of the file
    # from working, so remove it when you need protection).
    # The rules here work on a "First match wins" basis.
    ALL : ALL : allow

that i moused and pasted from my main desktop.

> OK and you've indicated that sshd is running. A few other thoughts:
>
> 1) Is there a firewall running on your machine that could be preventing the connection?

pcbsd seems to have its own kind of ipf; thanks for the pointer. be nice if this were the fault.

> 2) Is there a firewall running on your *client* machine that could be interfering.

no; my firewall stuff is all my pfSense computer.

> 3) Log into the FreeBSD machine and see if you can ssh to localhost just to confirm that sshd is working. If that works, try sshing to the same machine using its IP, and then its address to make sure DNS is resolving properly.

i did this hours ago. i thought it would fail, but nope. i ssh'd from the thinkpad to the thinkpad. you know, it might be worth building the ssh stuff in ports before i blow away the entire distribution

> Tim Daneliuk tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/

--
Gary Kline kl...@thought.org http://www.thought.org Public Service Unix
The 7.83a release of Jottings: http://jottings.thought.org/index.php
http://journey.thought.org 99 44/100% Guaranteed Novel
Re: ssh: port 22: connection refuused
On 5/6/2010 12:21 PM, Gary Kline wrote:
> can anybody help me with one of my last problems: getting ssh Into my new computer? i am able to ssh outside. need to scp my config files over. sshd is running on zen

This generally involves two or three steps:

1) Make sure /etc/rc.conf has this in it:

    sshd_enable=YES

2) Make sure /etc/hosts.allow permits access to your machine via ssh. Something like this:

    sshd: 192.168. a_host-name.com an.ip.add.ress :ALLOW

Some people do this:

    sshd: ALL :ALLOW

That's fine if the machine sits on a trusted LAN, but I don't much like this for machines that are internet-facing ... it just provides another vector for attack. So, for such machines, I explicitly name the address and names that are permitted ssh access.

3) If you're running a firewall, make sure that the sshd ports (22/tcp and 22/udp) are open for those machines/addresses you want to connect into your FreeBSD box.

If you are still having trouble, go to the client machine and invoke your session like this:

    ssh -v your_freebsd_machine

It will barf out a bunch of interesting information about why the connection isn't working that may help you figure out what's going on.

Happy Trails,
Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
Re: ssh: port 22: connection refuused
On 06/05/2010 18:32:18, Tim Daneliuk wrote:
> 3) If you're running a firewall, make sure that the sshd ports (22/tcp and 22/udp) are open for those machines/addresses you want to connect into your FreeBSD box.

Despite what it may say in /etc/services, ssh doesn't use UDP. It's purely TCP based.

(No idea why /etc/services usually lists both TCP and UDP port numbers for services that are pure TCP. It was probably something that seemed to be a good idea at the time.)

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
Re: ssh: port 22: connection refuused
On Thu, May 06, 2010 at 12:32:18PM -0500, Tim Daneliuk wrote: On 5/6/2010 12:21 PM, Gary Kline wrote: can anybody help me with ne of my last problems: getting ssh Into my new comuter? i am able to ssh outside. need to scp my config files over. sshd is running on zen This generally involves two or three steps: 1) Make sure /etc/rc.conf has this in it: sshd_enable=YES Yes; this was my first try. no diff. 2) Make sure /etc/hosts.allow permits access to your machine via ssh. Something like this: sshd: 192.168. a_host-name.com an.ip.add.ress :ALLOW Some people do this: sshd: ALL :ALLOW That's fine if the machine sits on a trusted LAN, but I don't much like this for machines that are internet-facing ... it just provides another vector for attack. So, for such machines, I explicitly name the address and names that are permitted ssh access. ok. itried this; have not rebooted yet. no difference right now. 3) If you're running a firewall, make sure that the sshd ports (22/tcp and 22/udp) are open for those machines/addresses you want to connect into your FreeBSD box. i'm runnning a pfSense computer; pretty sure that things are sett correctly there. If you are still having trouble, go to the client machine and invoke your session like this: ssh -v your_freebsd_machine the files in /etc/ssh were the first thing i thought of editing. didn't see many differences between rel 8.0 and my current 7.3. still, here is the verbose output. pl 14:20 tao [5036] ssh zen ssh: connect to host zen port 22: Connection refused pl 14:20 tao [5037] ssh - zen OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007 debug1: Reading configuration data /etc/ssh/ssh_config debug2: ssh_connect: needpriv 0 debug1: Connecting to zen [10.47.0.190] port 22. debug1: connect to address 10.47.0.190 port 22: Connection refused ssh: connect to host zen port 22: Connection refused pl 14:22 tao [5038] any idea what the ``needpriv 0'' means? 
It will barf out a bunch of interesting information about why the connection isn't working that may help you figure out what's going on.

Happy Trails, Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/

-- Gary Kline kl...@thought.org http://www.thought.org Public Service Unix The 7.83a release of Jottings: http://jottings.thought.org/index.php http://journey.thought.org 99 44/100% Guaranteed Novel
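The hosts.allow rules Tim describes above are evaluated by tcp_wrappers inside sshd, after the TCP connection has already been accepted, so a rule there can make sshd hang up on a client but can never produce "Connection refused". The evaluator below is an added example, not code from the thread or from FreeBSD: it implements the first-match-wins subset of hosts_access(5) that the thread uses (ALL, dotted prefixes such as 192.168., hostname suffixes, exact hosts, net/mask and EXCEPT), so you can check what a given /etc/hosts.allow will do for sshd and a given client before touching the live file. The two sample files, the hostname zen.example.com and the addresses in it are constructed; the permissive one is the stock FreeBSD first rule that is quoted later in the thread.

```python
"""hosts_allow_check.py: evaluate a FreeBSD-style /etc/hosts.allow for one connection.

Added example, not code from the thread or from FreeBSD. It implements the subset of
hosts_access(5) the thread uses: 'daemons : clients : allow|deny', first match wins,
ALL, dotted-quad prefixes ('192.168.'), hostname suffixes ('.example.com'), exact
hosts or addresses, net/mask ('10.47.0.0/255.255.255.0') and EXCEPT. Backslash line
continuations, KNOWN/LOCAL/PARANOID and shell-command options are not handled.
"""
import ipaddress


def _client_matches(pattern, client_ip, client_host):
    """Match one client pattern the way hosts_access(5) describes it."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # '.example.com': hostname suffix
        return client_host is not None and client_host.lower().endswith(pattern.lower())
    if pattern.endswith("."):              # '192.168.': numeric prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                     # 'net/mask'
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    return pattern == client_ip or (       # exact address or hostname
        client_host is not None and pattern.lower() == client_host.lower())


def _list_matches(field, item_matches):
    """Match a whitespace- or comma-separated list, honouring 'a b EXCEPT c d'."""
    items = field.replace(",", " ").split()
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return (_list_matches(" ".join(items[:i]), item_matches)
                and not _list_matches(" ".join(items[i + 1:]), item_matches))
    return any(item_matches(item) for item in items)


def hosts_access(config_text, daemon, client_ip, client_host=None):
    """Return (allowed, matched_rule). The first rule whose daemon and client lists
    both match decides; a rule without a 'deny' option grants access. With no match
    tcp_wrappers grants access (FreeBSD ships hosts.allow only, no hosts.deny)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        options = [o.lower() for o in fields[2:]]
        if not _list_matches(fields[0], lambda d: d in ("ALL", daemon)):
            continue
        if not _list_matches(fields[1], lambda c: _client_matches(c, client_ip, client_host)):
            continue
        return ("deny" not in options, line)
    return (True, None)


# Constructed sample: the permissive first rule FreeBSD ships.
PERMISSIVE = """\
# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
ALL : ALL : allow
"""

# Constructed sample: sshd limited to a LAN prefix, one host and one subnet;
# every other service stays open. Names and addresses are made up.
RESTRICTED = """\
sshd : 192.168. zen.example.com 10.47.0.0/255.255.255.0 : allow
sshd : ALL : deny
ALL : ALL : allow
"""

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        for ip in ("10.47.0.190", "203.0.113.9"):
            allowed, rule = hosts_access(cfg, "sshd", ip)
            verdict = "allow" if allowed else "deny"
            print(f"{name:10} sshd from {ip:12}: {verdict:5} via {rule!r}")
```

The ordering in RESTRICTED is the point: the explicit `sshd : ALL : deny` has to come before the catch-all allow, because the first matching rule wins and the stock `ALL : ALL : allow` at the top of the file makes every later rule dead. Hostname patterns only match when reverse DNS gives tcp_wrappers a name, which is why the evaluator takes the client hostname as an optional argument.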
Re: ssh: port 22: connection refused
On 5/6/2010 4:35 PM, Gary Kline wrote:
[SNIP: quoted thread as above]

What's in your /etc/hosts.allow file?

-- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: ssh: port 22: connection refused
On 5/6/2010 4:41 PM, Tim Daneliuk wrote:
[SNIP: quoted thread as above]
What's in your /etc/hosts.allow file?

Oh ... one other thing ... make sure sshd is actually running. If you changed the /etc/rc.conf enable line without either rebooting or doing a kill -HUP 1, you may not have a running daemon.

-- Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: ssh: port 22: connection refused
On Thu, May 06, 2010 at 04:41:21PM -0500, Tim Daneliuk wrote:
[SNIP: quoted thread as above]
What's in your /etc/hosts.allow file?

sshd: ALL ALL :ALLOW

I think. I'm at my main desktop right now. There were two ALL strings in the pcbsd /etc/hosts.allow. The line was commented out; I just x'd the #. I'll reboot and see if that reinitialized =something=. :_)

-- Gary Kline kl...@thought.org http://www.thought.org Public Service Unix The 7.83a release of Jottings: http://jottings.thought.org/index.php http://journey.thought.org 99 44/100% Guaranteed Novel
Re: ssh: port 22: connection refused
On 5/6/2010 4:41 PM, Tim Daneliuk wrote:
SNIP
pl 14:20 tao [5036] ssh zen
ssh: connect to host zen port 22: Connection refused
pl 14:20 tao [5037] ssh -v zen
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to zen [10.47.0.190] port 22.
debug1: connect to address 10.47.0.190 port 22: Connection refused
ssh: connect to host zen port 22: Connection refused
pl 14:22 tao [5038]
any idea what the ``needpriv 0'' means?

The more I look at this, the more it looks to me like your sshd is not running at all, isn't running on port 22, or is being blocked by some kind of firewall. Just for snicks, I tried to ssh to a machine on our network that I know does not have an ssh daemon running. Look at the results:

ssh -v sylvester
OpenSSH_5.4p1 FreeBSD-20100308, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to sylvester.tundraware.com [192.168.0.102] port 22.
debug1: connect to address 192.168.0.102 port 22: Connection refused
ssh: connect to host sylvester.tundraware.com port 22: Connection refused

Look familiar? :-)

P.S. You are running a VERY old version of OpenSSH. I believe there were significant security problems back that far.

Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
Re: ssh: port 22: connection refused
On Thu, May 06, 2010 at 04:48:30PM -0500, Tim Daneliuk wrote:
[SNIP: quoted thread as above]
Oh ... one other thing ... make sure sshd is actually running. If you changed the /etc/rc.conf enable line without either rebooting or doing a kill -HUP 1, you may not have a running daemon.

I'm like 9.99-bar % sure sshd is up; I did it the long way by sh /etc/rc.d/ssh restart and so it has to have exec'd. I just poked around on google and there is some noise about ssh failing from outside. I'm downloading a CD of 8.0 (i386) of the Real Thing: FreeBSD. It should be about an hour. The main/only reason I messed with Linux was that for reasons unknown [completely], FBSD messed up on streams. But in just the past several weeks I'm able to play audio and video streams here on my old '03 Dell. I've got 7.3 here, but using firefox3: yes. I use konqueror because it has text/speech built in. On the kde4, I see that konq4 seems ready to play streams. Nutshell, no more going to/fro.

-- Gary Kline kl...@thought.org http://www.thought.org Public Service Unix The 7.83a release of Jottings: http://jottings.thought.org/index.php http://journey.thought.org 99 44/100% Guaranteed Novel
Re: ssh: port 22: connection refused
On Thu, May 06, 2010 at 06:20:47PM -0500, Tim Daneliuk wrote:
[SNIP: quoted thread as above]
The more I look at this, the more it looks to me like your sshd is not running at all, isn't running on port 22, or is being blocked by some kind of firewall. Just for snicks, I tried to ssh to a machine on our network that I know does not have an ssh daemon running. [...] Look familiar? :-)

Just very slightly!! I'll grep for sshd from the output of ps. Stranger things, etc, etc.

P.S. You are running a VERY old version of OpenSSH. I believe there were significant security problems back that far.

I'm using whatever is bundled in the 7.3 release. In ports it's v1.2.33_5 ...

-- Gary Kline kl...@thought.org http://www.thought.org Public Service Unix The 7.83a release of Jottings: http://jottings.thought.org/index.php http://journey.thought.org 99 44/100% Guaranteed Novel
Re: ssh: port 22: connection refused
On Thu, May 06, 2010 at 04:41:21PM -0500, Tim Daneliuk wrote:
[SNIP: quoted thread as above]
What's in your /etc/hosts.allow file?

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a First match wins basis.
ALL : ALL : allow

That I moused and pasted from my main desktop.

-- Gary Kline kl...@thought.org http://www.thought.org Public Service Unix The 7.83a release of Jottings: http://jottings.thought.org/index.php http://journey.thought.org 99 44/100% Guaranteed Novel
Re: ssh: port 22: connection refused
On 5/7/2010 12:13 AM, Gary Kline wrote:
SNIP
What's in your /etc/hosts.allow file?

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a First match wins basis.
ALL : ALL : allow

That I moused and pasted from my main desktop.

OK and you've indicated that sshd is running. A few other thoughts:

1) Is there a firewall running on your machine that could be preventing the connection?
2) Is there a firewall running on your *client* machine that could be interfering?
3) Log into the FreeBSD machine and see if you can ssh to localhost just to confirm that sshd is working. If that works, try sshing to the same machine using its IP, and then its address to make sure DNS is resolving properly.

Tim Daneliuk tun...@tundraware.com PGP Key: http://www.tundraware.com/PGP/
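Tim's checklist above comes down to reading the client-side error: the text after `ssh -v` tells you how far the connection got, and that decides where to look on the FreeBSD side. (The `needpriv 0` line Gary asks about is unrelated: it only records that the client does not need a privileged source port, which is used for host-based authentication.) The classifier below is an added example, not code from the thread or from OpenSSH: it maps the common OpenSSH client errors to a stage and to the FreeBSD commands worth running next. The first sample transcript is the verbose output Gary posted; the other two are constructed, and `<iface>` in the tcpdump hint is a placeholder.

```python
"""ssh_triage.py: read 'ssh -v' client output and say how far the connection got.

Added example, not code from the thread or from OpenSSH. The client error string is
the cheapest diagnostic available: each one corresponds to a stage, and each stage
points at a different thing to check on the FreeBSD server. The check commands are
standard FreeBSD/OpenSSH ones; <iface> is a placeholder for the server's interface.
"""
import re

CONNECT_RE = re.compile(r"Connecting to (\S+) \[([^\]]+)\] port (\d+)")

# (pattern in client output, stage, meaning, what to run or read on the server)
RULES = [
    (r"Could not resolve hostname", "dns",
     "the name never resolved, so no packet was sent",
     ["check /etc/hosts and DNS on the client", "retry with the IP address"]),
    (r"Connection refused", "tcp-rst",
     "the host answered with a TCP RST: nothing listens on that port, or a firewall "
     "rejects instead of drops; hosts.allow is not consulted this early",
     ["/etc/rc.d/sshd status", "sockstat -4 -l | grep sshd",
      "grep -E '^(Port|ListenAddress)' /etc/ssh/sshd_config"]),
    (r"Connection timed out|Operation timed out|No route to host", "no-answer",
     "packets are dropped or unrouted: firewall (pf, pfSense) or addressing",
     ["pf rules on the gateway", "tcpdump -ni <iface> tcp port 22 on the server"]),
    (r"Connection closed by remote host|Connection reset by peer", "closed-by-server",
     "TCP connected but sshd dropped the session before key exchange",
     ["/etc/hosts.allow (tcp_wrappers deny)", "/var/log/auth.log",
      "MaxStartups in /etc/ssh/sshd_config"]),
    (r"Permission denied", "auth",
     "transport and key exchange worked; only authentication failed",
     ["~/.ssh/authorized_keys and its permissions",
      "PermitRootLogin and PasswordAuthentication in /etc/ssh/sshd_config"]),
]


def triage(verbose_output):
    """Return {'stage', 'target', 'meaning', 'checks'} for one ssh -v transcript."""
    target = None
    m = CONNECT_RE.search(verbose_output)
    if m:
        target = {"host": m.group(1), "addr": m.group(2), "port": int(m.group(3))}
    for pattern, stage, meaning, checks in RULES:
        if re.search(pattern, verbose_output):
            return {"stage": stage, "target": target, "meaning": meaning, "checks": checks}
    return {"stage": "unknown", "target": target,
            "meaning": "no recognised error string", "checks": []}


# The verbose output posted in the thread: sshd on zen is not reachable.
REFUSED = """\
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to zen [10.47.0.190] port 22.
debug1: connect to address 10.47.0.190 port 22: Connection refused
ssh: connect to host zen port 22: Connection refused
"""

# Constructed: the handshake completed and sshd hung up, which is what a
# tcp_wrappers deny looks like from the client side.
WRAPPED = """\
debug1: Connecting to zen [10.47.0.190] port 22.
debug1: Connection established.
ssh_exchange_identification: Connection closed by remote host
"""

# Constructed: a firewall that drops the SYN instead of rejecting it.
DROPPED = """\
debug1: Connecting to zen [10.47.0.190] port 22.
ssh: connect to host zen port 22: Operation timed out
"""

if __name__ == "__main__":
    for name, text in (("refused", REFUSED), ("wrapped", WRAPPED), ("dropped", DROPPED)):
        r = triage(text)
        print(f"{name}: stage={r['stage']} target={r['target']}")
        print(f"  {r['meaning']}")
        for check in r["checks"]:
            print(f"  -> {check}")
```

The useful distinction for Gary's case is between "Connection refused" and "Connection closed by remote host": the first means no sshd socket answered on 10.47.0.190:22 (or something sent a RST in its place), so `sockstat -4 -l` on zen is the next step, not hosts.allow; the second means sshd accepted the connection and then dropped it, which is when hosts.allow and auth.log become relevant.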
Re: SSH root login with keys only
On 05/04/10 01:35, Marcin Wisnicki wrote:
PasswordAuthentication is already disabled (by default). I need to disable ChallengeResponseAuthentication however:
/etc/ssh/sshd_config line 131: Directive 'ChallengeResponseAuthentication' is not allowed within a Match block
Same thing for UsePAM no (though I would like to keep pam for accounting and session management).

You can configure two daemons, one with root access allowed and the other without. Let the one with root access allowed run on a non-standard port.

BR, Erik
-- Erik Nørgaard Ph: +34.666334818/+34.915211157 http://www.locolomo.org
Re: SSH root login with keys only
On 04/04/2010 22:04:35, Marcin Wisnicki wrote:
Is it possible to configure sshd such that both conditions are met:
1. Root will be able to login only by using keys
2. Normal users will still be able to use pam/keyboard-interactive

Only by running two instances of sshd on different ports / IP numbers.

Cheers, Matthew
-- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
Re: SSH root login with keys only
On 05/04/2010 10:01, Matthew Seaman wrote:
On 04/04/2010 22:04:35, Marcin Wisnicki wrote:
Is it possible to configure sshd such that both conditions are met:
1. Root will be able to login only by using keys
2. Normal users will still be able to use pam/keyboard-interactive

Only by running two instances of sshd on different ports / IP numbers.

I missed the rest of this thread, so sorry if it's been said already. As far as I knew the directive PermitRootLogin without-password in /etc/ssh/sshd_config should accomplish what was requested. However a note later in the default sshd_config file regarding the UsePAM setting says 'Depending on your PAM configuration, PAM authentication via ChallengeResponseAuthentication may bypass the setting of PermitRootLogin without-password.' So I'd be interested to know if by default this is the case.

Vince
Re: SSH root login with keys only
On 05/04/2010 10:17, Vincent Hoffman wrote:
[SNIP: quoted thread as above]
So I'd be interested to know if by default this is the case.

And sure enough, when I have a look in the archive, my suggestion has been discussed at length. Sorry for the noise.

Vince
Re: SSH root login with keys only
On Mon, 05 Apr 2010 10:01:08 +0100, Matthew Seaman wrote:
On 04/04/2010 22:04:35, Marcin Wisnicki wrote:
Is it possible to configure sshd such that both conditions are met:
1. Root will be able to login only by using keys
2. Normal users will still be able to use pam/keyboard-interactive

Only by running two instances of sshd on different ports / IP numbers.

Thanks for all responses. I've finally solved it by configuring PAM to deny root. Unfortunately all of the pam modules in the base system that can do it deny login only in the account phase, which is too late for sshd. I've modified pam_securetty to also provide the auth facility. For anyone interested, here is a patch:

--- /usr/src/lib/libpam/modules/pam_securetty/pam_securetty.c 2010-02-18 00:12:28.0 +0100 +++ pam_securetty/pam_securetty.c 2010-04-05 04:47:21.0 +0200 @@ -45,2 +45,3 @@ +#define PAM_SM_AUTH #define PAM_SM_ACCOUNT @@ -54,2 +55,24 @@ PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags, +int argc, const char *argv[]) +{ + const char *user; + int r; + + if ((r = pam_get_user(pamh, user, NULL)) != PAM_SUCCESS) + return (r); + + return (pam_sm_acct_mgmt(pamh, flags, argc, argv)); +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, +int argc __unused, const char *argv[] __unused) +{ + + return (PAM_SUCCESS); +} + + +PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
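Review bot: In the second hunk (@@ -54,2 +55,24 @@), pam_sm_authenticate fetches `user` with pam_get_user and then never uses it, and pam_sm_acct_mgmt, which it immediately delegates to, looks the user up again itself; either drop the lookup together with the unused `user` and `r` locals, or keep it and let the account function take the name from the handle. Two smaller points on the same hunk: pam_get_user takes a `const char **`, so the call should read `pam_get_user(pamh, &user, NULL)` unless the `&` was eaten by the mailer, and the auth-phase `flags` (PAM_SILENT, PAM_DISALLOW_NULL_AUTHTOK) are forwarded unchanged to the account function, which is harmless only because that function declares `flags __unused`. Since the module now provides the auth facility as well as account, pam_securetty(8) should be updated to say so.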
Re: SSH root login with keys only
You should also consider posting your patch and related content to 'freebsd-hack...@freebsd.org'.

-Modulok-

On 4/5/10, Marcin Wisnicki mwisnicki+free...@gmail.com wrote:
[SNIP: quoted message and patch as above]
Re: SSH root login with keys only
On Mon, Apr 5, 2010 at 4:17 AM, Vincent Hoffman vi...@unsane.co.uk wrote:
I missed the rest of this thread, so sorry if it's been said already. As far as I knew the directive PermitRootLogin without-password in /etc/ssh/sshd_config should accomplish what was requested. However a note later in the default sshd_config file regarding the UsePAM setting says 'Depending on your PAM configuration, PAM authentication via ChallengeResponseAuthentication may bypass the setting of PermitRootLogin without-password.'

That PAM comment in sshd_config got my attention a number of years ago, so I did a lot of testing of various sshd/pam settings to try and understand what could happen and to try and make some sense out of it.

My configurations:

in /etc/ssh/sshd_config:
PermitRootLogin without-password
UsePAM yes

in /etc/pam.d/sshd:
# auth: open policy: allow OPIE, ldap, and unix password
auth	sufficient	pam_opie.so	no_warn no_fake_prompts
auth	requisite	pam_opieaccess.so	no_warn allow_local
auth	sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
auth	required	pam_unix.so	no_warn try_first_pass

Using this configuration I have thoroughly tested on both FreeBSD-7 and (more recently) FreeBSD-8 and root is allowed in via ssh with public key auth only; typing the unix password at it gets permission denied for keyboard-interactive. Non-root users are allowed in via either LDAP password or local unix password as expected. I haven't configured OPIE for root, but it wouldn't bother me if it worked for root in this setup since its design addresses why passwords are insecure in the first place. I use this in production on all my systems and haven't changed any other of FreeBSD's default configurations for sshd.

I haven't gone so far as to check source code to see why this works as it does. I'm guessing that PAM may allow passwords for root via something that isn't pam_unix since by design PAM can allow anything. But when using pam_unix, at least, it does observe the without-password setting for root.

As always YMMV, but I am happy with this tested setup and so I use it with confidence.

Peggy Wilkins
Sysadmin, The University of Chicago Library
Re: SSH root login with keys only
On Mon, 05 Apr 2010 12:38:01 -0500, Peggy Wilkins wrote:
> On Mon, Apr 5, 2010 at 4:17 AM, Vincent Hoffman vi...@unsane.co.uk wrote:
>> However a note later in the default sshd_config file regarding the UsePAM setting says 'Depending on your PAM configuration, PAM authentication via ChallengeResponseAuthentication may bypass the setting of PermitRootLogin without-password.'
>
> That PAM comment in sshd_config got my attention a number of years ago, so I did a lot of testing of various sshd/pam settings to try and understand what could happen and to try and make some sense out of it.
>
> My configurations:
>
> in /etc/ssh/sshd_config:
>
> PermitRootLogin without-password
> UsePAM yes

Hmm.. indeed it seems to work just fine

> I haven't gone so far as to check source code to see why this works as it does. I'm guessing that PAM may allow passwords for root via something that isn't pam_unix since by design PAM can allow anything. But when using pam_unix, at least, it does observe the without-password setting for root.

I've followed the code and it looks like when 'without-password' is enabled then whatever password you entered will be replaced with "\b\n\r\177INCORRECT" in auth-pam.c:1175 before calling pam with a hope that it is not really your password ;)

But I've tried the worst case scenario (auth sufficient pam_permit.so) and it seems even that will be denied as there is an extra check in auth-pam.c:779 so it will fail anyway:

fatal: Internal error: PAM auth succeeded when it should have failed

So it seems it is in fact perfectly safe to use such a combination of options.
Re: SSH root login with keys only
Hi,

> Is it possible to configure sshd such that both conditions are met:
> 1. Root will be able to login only by using keys
> 2. Normal users will still be able to use pam/keyboard-interactive

perhaps the sshd-option PermitRootLogin does match your requirements. To be found in sshd_config(5).

Regards, Julian
Re: SSH root login with keys only
On 4 April 2010 22:49, Julian Fagir g...@gnrp.in-berlin.de wrote:
> Hi,
>
>> Is it possible to configure sshd such that both conditions are met:
>> 1. Root will be able to login only by using keys
>> 2. Normal users will still be able to use pam/keyboard-interactive
>
> perhaps the sshd-option PermitRootLogin does match your requirements. To be found in sshd_config(5).
>
> Regards, Julian

Why do you need to do this? It is generally a bad thing to allow. Why not use su or sudo?
Re: SSH root login with keys only
On 04/04/10 23:04, Marcin Wisnicki wrote:
> Is it possible to configure sshd such that both conditions are met:
> 1. Root will be able to login only by using keys
> 2. Normal users will still be able to use pam/keyboard-interactive

Yes, you can create a Match block with the criteria User, something like this I guess will work (haven't tested):

PermitRootLogin yes

Match User root
    PasswordAuthentication no

check the man page. You might also want to restrict from where root can login with another match block.

I assume that you have decided root login is acceptable with the increased security of key authentication. Just beware that the key must be password protected.

BR, Erik
-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157
http://www.locolomo.org
Re: SSH root login with keys only
On 04/04/2010 22:04, Marcin Wisnicki wrote:
> Is it possible to configure sshd such that both conditions are met:
> 1. Root will be able to login only by using keys

Yes

> 2. Normal users will still be able to use pam/keyboard-interactive

Yes

see PermitRootLogin section in man sshd_config...

/Craig B
Re: SSH root login with keys only
On Mon, 05 Apr 2010 01:25:09 +0200, Erik Norgaard wrote:
> On 04/04/10 23:04, Marcin Wisnicki wrote:
>> Is it possible to configure sshd such that both conditions are met:
>> 1. Root will be able to login only by using keys
>> 2. Normal users will still be able to use pam/keyboard-interactive
>
> Yes, you can create a Match block with the criteria User, something like this I guess will work (haven't tested):
>
> PermitRootLogin yes
>
> Match User root
>     PasswordAuthentication no
>
> check the man page. You might also want to restrict from where root can login with another match block.

PasswordAuthentication is already disabled (by default). I need to disable ChallengeResponseAuthentication however:

/etc/ssh/sshd_config line 131: Directive 'ChallengeResponseAuthentication' is not allowed within a Match block

Same thing for UsePAM no (though I would like to keep pam for accounting and session management)

> I assume that you have decided root login is acceptable with the increased security of key authentication. Just beware that the key must be password protected.
>
> BR, Erik
Re: SSH root login with keys only
On Sun, 04 Apr 2010 23:49:59 +0200, Julian Fagir wrote:
> Hi,
>
>> Is it possible to configure sshd such that both conditions are met:
>> 1. Root will be able to login only by using keys
>> 2. Normal users will still be able to use pam/keyboard-interactive
>
> perhaps the sshd-option PermitRootLogin does match your requirements. To be found in sshd_config(5).

Unfortunately it doesn't. Assuming you mean the 'without-password' option, I would have to disable ChallengeResponseAuthentication for everyone which I would like to avoid. It is not possible to disable ChallengeResponseAuthentication inside a match block.
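The two conditions asked for in this thread, as an added example that is not from any of the posters and assumes a current OpenSSH (7.0 or later): in those versions PermitRootLogin, PasswordAuthentication, KbdInteractiveAuthentication and AuthenticationMethods are all accepted inside a Match block, and prohibit-password is the current spelling of without-password. The wrapper writes the sshd_config fragment and, on a host where sshd is installed with its host keys, shows the policy sshd would apply to a simulated connection via sshd -T -C. The client host name and address in the connection spec are made up.

```shell
#!/bin/sh
# Added example (not from the thread): root may authenticate with a public
# key only, while every other account keeps PAM keyboard-interactive.
# Assumes OpenSSH 7.0 or later for the keywords used inside Match.
set -eu

# Write the sshd_config fragment to the file named in $1.
write_sshd_policy() {
    cat > "$1" <<'EOF'
# Everyone: public key or PAM keyboard-interactive, never a plain password.
UsePAM yes
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password

# root only: a public key is the single acceptable method, so PAM is never
# asked about root even if a module in /etc/pam.d/sshd would accept anything.
Match User root
    AuthenticationMethods publickey
    KbdInteractiveAuthentication no
EOF
}

# Pull one keyword's value out of 'sshd -T' output read on stdin. sshd -T
# prints every effective option in lower case, e.g.
# "permitrootlogin prohibit-password", one per line.
effective_value() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v k="$key" '$1 == k { sub(/^[^ ]+ */, ""); print; exit }'
}

# Effective AuthenticationMethods for user $2 under config $1. The -C
# connection spec makes sshd evaluate the Match blocks as if that user were
# connecting from the (constructed) client address.
show_policy_for() {
    sshd -T -f "$1" -C "user=$2,host=client.example.org,addr=192.0.2.10" \
        | effective_value AuthenticationMethods
}
```

Run show_policy_for on the fragment for root and for an ordinary account: the first prints publickey, the second prints any, which is how sshd -T reports that no AuthenticationMethods restriction applies. sshd -t -f file checks the fragment's syntax before it goes anywhere near the live /etc/ssh/sshd_config.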
Re: ssh/sshd cores dump
Hi again,

> I have this weird error since yesterday, on a system that used to be working nicely, suddenly:
> ssh core dumps when run as non privileged user, works fine for root
> sshd aborts on signal 11
> [... see my previous mails?]

This seems to be a problem linked to openssl from the ports interfering with openldap. Once I removed openssl and reinstalled everything, all was fine.

Best regards,
Olivier
Re: ssh/sshd cores dump
Hi again,

> I have this weird error since yesterday, on a system that used to be working nicely, suddenly:
> ssh core dumps when run as non privileged user, works fine for root
> sshd aborts on signal 11
> I tried to reinstall world, but it is the same.
> There is openssl installed from the ports on that machine (what port needed it?) as well as ldap/nss_ldap/open_ldap. It seems that the problem started when I tried to upgrade openldap library (openldap-client port).

I did a little bit more digging:

ssh core dumps on a strcmp, from /lib/libc.so.6; I checked with a working machine, the libraries are the same; I checked ssh, they are the same.

This is very puzzling. Any clue?

The machine is running 6.4-RELEASE-p9

Some information:

ufo2on65: uname -a
FreeBSD ufo2.cs.ait.ac.th 6.4-RELEASE-p9 FreeBSD 6.4-RELEASE-p9 #0: Fri Jan 29 16:53:47 ICT 2010 r...@ufo2.cs.ait.ac.th:/usr/obj/usr/src/sys/SMP amd64

On the server side, for a username that does not exist:

ufo2on66: sudo sshd -ddd -e
sshd re-exec requires execution with an absolute path
ufo2on67: sudo /usr/sbin/sshd -ddd -e
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 157
debug2: parse_server_config: config /etc/ssh/sshd_config len 157
debug3: /etc/ssh/sshd_config:111 setting Subsystem sftp /usr/libexec/sftp-server
debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug1: rexec_argv[2]='-e'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.

Waiting for a connection

Connection with a username that does not exist

debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 157
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug3: recv_rexec_state: entering fd = 5
debug3: ssh_msg_recv entering
debug3: recv_rexec_state: done
debug2: parse_server_config: config rexec len 157
debug3: rexec:111 setting Subsystem sftp /usr/libexec/sftp-server
debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
debug1: inetd sockets after dupping: 3, 3
debug1: res_init()
Connection from 192.41.170.5 port 63398
debug1: Client protocol version 2.0; client software version OpenSSH_4.5p1 FreeBSD-20061110
debug1: match: OpenSSH_4.5p1 FreeBSD-20061110 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 16235
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 22:22
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit: none,z...@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-...@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd...@open
Re: ssh to root
On Wed, Jan 20, 2010 at 10:49:09PM -0500, Aryeh M. Friedman wrote:
> I need to set up a machine so that I can type ssh [host] as root from some other host and I get a prompt with super user privs... I already have set this up for u...@host for root and ssh host for normal users... but root still asks for a password after I set the authorized_keys file in ~root/.ssh.. I have looked at ssh_config(5) but can't tell what option (if any) does this... if anyone is curious the final goal here is to set up a sysutils/fusefs-ssh for this host (already installed and working for normal users but want to make it so it is done as root)

If you can stand to do it in two steps, put your non-root id in the wheel group (in /etc/group). Then ssh and log in as the non-root user and then su(1) to root.

As some have said, do not directly log in as root over the net if you can possibly avoid it.

jerry
Re: ssh to root
I need to set up a machine so that I can type ssh [host] as root from some other host and I get a prompt with super user privs... I already have set this up for u...@host for root and ssh host for normal users... but root still asks for a password after I set the authorized_keys file in ~root/.ssh.. I have looked at ssh_config(5) but can't tell what option (if any) does this... if anyone is curious the final goal here is to set up a sysutils/fusefs-ssh for this host (already installed and working for normal users but want to make it so it is done as root)
Re: ssh to root
Hi,

Aryeh M. Friedman wrote:
> I need to set up a machine so that I can type ssh [host] as root from some other host and I get a prompt with super user privs... I already have set this up for u...@host for root and ssh host for normal users... but root still asks for a password after I set the authorized_keys file in ~root/.ssh.. I have looked at ssh_config(5) but can't tell what option (if any) does this

PermitRootLogin is set to 'no' by default in /etc/ssh/sshd_config. It isn't advisable to disable this extra layer of security.

Regards,
-- 
Glen Barber
Re: ssh to root
Aryeh M. Friedman wrote:
> I need to set up a machine so that I can type ssh [host] as root from some other host and I get a prompt with super user privs... I already have set this up for u...@host for root and ssh host for normal users... but root still asks for a password after I set the authorized_keys file in ~root/.ssh.. I have looked at ssh_config(5) but can't tell what option (if any) does this... if anyone is curious the final goal here is to set up a sysutils/fusefs-ssh for this host (already installed and working for normal users but want to make it so it is done as root)

Don't do it.

*never* permit root-level access directly to *any* of your equipment. You want to provide as many levels of escalation to root level as you can, no matter what protocol you are using.

Auth in as a normal user (as you stated is already working), and then use sudo(8) to escalate yourself. If you can already ssh [host] as a normal user, then you already have the concept of keys. You can automate the escalation after you've authenticated, and then do what you want to do.

Seriously...

...don't do it.

Steve

ps.

# pkg_add -r sudo
# rehash
# man sudo

Then, when/if you have problems with specific functions that need root privileges, ask those questions here instead.
Re: ssh to root
On Wed, Jan 20, 2010 at 11:09:14PM -0500, Steve Bertrand typed:
> Aryeh M. Friedman wrote:
>> I need to set up a machine so that I can type ssh [host] as root from some other host and I get a prompt with super user privs... I already have set this up for u...@host for root and ssh host for normal users... but root still asks for a password after I set the authorized_keys file in ~root/.ssh.. I have looked at ssh_config(5) but can't tell what option (if any) does this... if anyone is curious the final goal here is to set up a sysutils/fusefs-ssh for this host (already installed and working for normal users but want to make it so it is done as root)
>
> Don't do it.
>
> *never* permit root-level access directly to *any* of your equipment.

This is not very helpful. In a private LAN these security mantras become a lot less obvious. You defend the LAN, not necessarily the individual systems.

To Aryeh: you might want to set PermitRootLogin to 'without-password' in /etc/ssh/sshd_config. That way, password authentications for root are still disabled and only users from machines with the correct private keys are allowed.

Ruben

> You want to provide as many levels of escalation to root level as you can, no matter what protocol you are using.
>
> Auth in as a normal user (as you stated is already working), and then use sudo(8) to escalate yourself. If you can already ssh [host] as a normal user, then you already have the concept of keys. You can automate the escalation after you've authenticated, and then do what you want to do.
>
> Seriously...
>
> ...don't do it.
>
> Steve
>
> ps.
>
> # pkg_add -r sudo
> # rehash
> # man sudo
>
> Then, when/if you have problems with specific functions that need root privileges, ask those questions here instead.
Re: ssh-agent and ordering of keys
El día Wednesday, November 11, 2009 a las 03:09:44PM +, Vincent Hoffman escribió:
> Hi all,
> I've a bit of an annoying problem that hopefully someone here has dealt with before. I have a large(ish) number of ssh keys as I like to keep things nicely separated, I also use longish passphrases. To deal with long pass phrases I have started to use ssh-agent, which is working nicely but since I have a large number of keys and ssh-agent doesn't let you specify a particular key for a particular machine (I was using Host and IdentityFile lines in ~/.ssh/config before) I'm starting to hit a problem where I'm unable to log in to a machine as I'm hitting the MaxAuthTries value in sshd_config. I know I could just bung the MaxAuthTries value up to 20 or so on all my servers but I don't really want to, I'd rather a way of specifying which ssh key ssh-agent uses for a specific host, (like I said it ignores the IdentityFile lines in the config file and ignores the -i switch to ssh itself.)
> Any ideas welcome.

I have never used this, but you could start different ssh-agent(1) and loading the key(s) you want to use to one or the other and let ssh(1) ask the dedicated ssh-agent(1) for a given host by some shell wrapping (i.e. mapping the -i filename to the correct ssh-agent(1) socket);

HIH

matthias
-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e g...@unixarea.de - w http://www.unixarea.de/
Vote NO to EU The Lisbon Treaty: http://www.no-means-no.eu
Re: ssh-agent and ordering of keys
2009/11/11 Matthias Apitz g...@unixarea.de
> El día Wednesday, November 11, 2009 a las 03:09:44PM +, Vincent Hoffman escribió:
>> Hi all,
>> I've a bit of an annoying problem that hopefully someone here has dealt with before. I have a large(ish) number of ssh keys as I like to keep things nicely separated, I also use longish passphrases. To deal with long pass phrases I have started to use ssh-agent, which is working nicely but since I have a large number of keys and ssh-agent doesn't let you specify a particular key for a particular machine (I was using Host and IdentityFile lines in ~/.ssh/config before) I'm starting to hit a problem where I'm unable to log in to a machine as I'm hitting the MaxAuthTries value in sshd_config. I know I could just bung the MaxAuthTries value up to 20 or so on all my servers but I don't really want to, I'd rather a way of specifying which ssh key ssh-agent uses for a specific host, (like I said it ignores the IdentityFile lines in the config file and ignores the -i switch to ssh itself.)
>> Any ideas welcome.
>
> I have never used this, but you could start different ssh-agent(1) and loading the key(s) you want to use to one or the other and let ssh(1) ask the dedicated ssh-agent(1) for a given host by some shell wrapping (i.e. mapping the -i filename to the correct ssh-agent(1) socket);
>
> HIH
>
> matthias
> -- 
> Matthias Apitz
> t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
> e g...@unixarea.de - w http://www.unixarea.de/
> Vote NO to EU The Lisbon Treaty: http://www.no-means-no.eu

I'm not sure why you have to use loads of different keys other than one of each type (rsa1, dsa etc). After all if you're storing all the private keys in the same place then it's not really more secure
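An added example, not from any poster in this thread: the client-side answer to the key-ordering problem above is the ssh_config keyword IdentitiesOnly, which makes ssh(1) offer only the IdentityFile configured for that Host instead of every key the agent holds (the agent is still asked to sign with that one key, so the passphrase is typed once). The host names and key paths below are invented; the ssh -G check at the end needs OpenSSH 6.8 or later.

```shell
#!/bin/sh
# Added example (not from the thread): one key per host in ~/.ssh/config so
# ssh does not walk through every agent key and exceed the server's
# MaxAuthTries. Host names and key file names are constructed.
set -eu

# Emit a ~/.ssh/config stanza for host $1 that offers only key $2.
# IdentitiesOnly yes is what stops ssh from also offering agent keys.
host_stanza() {
    printf 'Host %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' "$1" "$2"
}

# Build a complete config from "host keyfile" pairs read on stdin.
build_ssh_config() {
    while read -r host keyfile; do
        [ -n "$host" ] && host_stanza "$host" "$keyfile"
    done
}

# Number of identities the agent holds, from 'ssh-add -l' output on stdin.
# Each failed offer counts against MaxAuthTries (default 6), so a count at
# or above that value reproduces the failure described in the thread.
agent_key_count() {
    grep -c -v '^The agent has no identities' || true
}

# What ssh would really use for host $2 under config file $1: ssh -G prints
# the resolved client configuration without connecting (OpenSSH 6.8+).
resolved_identities() {
    ssh -G -F "$1" "$2" | awk '$1 == "identityfile" { print $2 }'
}
```

Feed build_ssh_config a list such as "build1 ~/.ssh/id_build1", append the output to ~/.ssh/config, then confirm with resolved_identities that only the intended key is listed for each host; ssh -v during the next login shows a single "Offering public key" line instead of one per agent key.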
Re: ~/.ssh directory permissions
Chris Rees wrote:
> Although I think it's not a big deal, as long as your id_?sa has permissions 600 like mine, or even 400.
>
> Chris

The man page for ssh(1) provides a lot of detail about the sensitivity of the various files related to ssh. To quote it regarding a few of them:

     ~/.ssh/
             This directory is the default location for all user-specific
             configuration and authentication information. There is no
             general requirement to keep the entire contents of this
             directory secret, but the recommended permissions are
             read/write/execute for the user, and not accessible by others.

So as you can see, 700 is recommended (but not necessary).

     ~/.ssh/identity
     ~/.ssh/id_dsa
     ~/.ssh/id_rsa
             Contains the private key for authentication. These files
             contain sensitive data and should be readable by the user but
             not accessible by others (read/write/execute). ssh will simply
             ignore a private key file if it is accessible by others. It is
             possible to specify a passphrase when generating the key which
             will be used to encrypt the sensitive part of this file using
             3DES.

However, identity, id_dsa and id_rsa _must_ be 700 at a maximum.

It's best to follow the recommendations from the man page unless you have very specific reasons for needing more lax permissions on these files.

Regards,
Brent
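As an added example rather than part of Brent's reply: a small audit of a .ssh directory against the permissions the man page excerpts above call for (700 on the directory, private keys accessible by the owner only, and authorized_keys not writable by group or others, which is what sshd's StrictModes enforces on the server side). The directory the usage note builds is constructed for the check.

```shell
#!/bin/sh
# Added example (not from the thread): audit a .ssh directory against the
# permissions recommended by ssh(1). The sample tree used to exercise it is
# constructed for illustration.
set -eu

# Group and other part of the ls -l mode string (positions 5-10), e.g.
# "------". Parsing ls output is portable between FreeBSD and GNU userlands,
# whereas stat(1) takes different format flags on each.
go_mode() {
    ls -ld "$1" | cut -c5-10
}

# Report permission problems in the .ssh directory $1 on stderr and print
# the number of problems found on stdout.
audit_ssh_dir() {
    dir=$1 n=0
    # ~/.ssh itself: recommended 700.
    [ "$(go_mode "$dir")" = "------" ] || {
        echo "WARN: $dir is accessible by group/others (recommended 700)" >&2
        n=$((n + 1)); }
    # Private keys: ssh ignores any key file another user can access.
    for key in identity id_dsa id_rsa id_ecdsa id_ed25519; do
        [ -f "$dir/$key" ] || continue
        [ "$(go_mode "$dir/$key")" = "------" ] || {
            echo "FAIL: $dir/$key is accessible by others; ssh will ignore it" >&2
            n=$((n + 1)); }
    done
    # authorized_keys: sshd with StrictModes (the default) refuses a file
    # that is group- or world-writable; those are positions 6 and 9.
    ak=$dir/authorized_keys
    if [ -f "$ak" ]; then
        case $(ls -ld "$ak" | cut -c6,9) in
            --) ;;
            *)  echo "FAIL: $ak is group/world writable; sshd will reject it" >&2
                n=$((n + 1)) ;;
        esac
    fi
    echo "$n"
}
```

To try it without touching a real account, create a scratch directory with chmod 700, an id_rsa at 600, an id_dsa left at 644 and an authorized_keys at 664, and run audit_ssh_dir on it: it reports the key and the authorized_keys file and prints 2; after chmod 600 id_dsa and chmod 644 authorized_keys it prints 0.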