ssh root denied

2004-04-12 Thread RazorOnFreeBSD
Hi everyone,

I have some troubles with ssh
I have a FreeBSD server 4.9 working in a closet without screen.
So I would like to use it through ssh from another station with OpenSSH to configure it when I need it.
I can connect with a user login / password, but not with root / password.
Is there any reason? Did I miss something?

I use the command: ssh [EMAIL PROTECTED] (This one doesn't work with the right password)
to connect, or: ssh [EMAIL PROTECTED] (This one does)

Outputs from OpenSSH:

Connection to 192.168.1.1 closed by remote host.
Connection to 192.168.1.1 closed.

Not really clear for me. :s
And I'm pretty sure the password is correct because when it's wrong it just asks me 
the password again!

Does anybody have any idea ?

Thanx

Razor.


___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: ssh root denied

2004-04-12 Thread Remko Lodder
RazorOnFreeBSD wrote:
> Hi everyone,
>
> I have some troubles with ssh
> I have a FreeBSD server 4.9 working in a closet without screen.
> So I would like to use it through ssh from another station with OpenSSH to configure
> it when I need it.
> I can connect with a user login / password, but not with root / password.
> Is there any reason ? did I miss something ?

It's denied by default, as a security matter. You actually want to log in
and use 'su -' instead of logging in as root directly.

If you really want to enable it,

Edit the file
/etc/ssh/sshd_config
#PermitRootLogin yes
Remove the hash.

But know that it's not secure, and you really don't want that.
Logging in as a normal user (which needs to be in the wheel group) and then
su -'ing isn't that much work and doesn't take that much time, but it's
more secure.

Cheers

--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl A Dutch community for helping newcomers on the 
hackerscene
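Added example, not part of any message in the thread: a small check of which `PermitRootLogin` value is actually in force, since the advice above hinges on whether the line is still commented out. It assumes OpenSSH's usual parsing rules (stated in the comments); the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): which PermitRootLogin value is in force?
# Assumed OpenSSH rules: '#' comments a line out, keywords are case-insensitive,
# the first value found for a keyword wins, and lines after a Match keyword
# apply only conditionally, so they are not part of the global setting.

effective_root_login() {
    # $1: path to an sshd_config file; prints the global value or "unset"
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { kw = tolower($1) }
        kw == "match" { exit }                  # global section ends here
        kw == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

root_login_verdict() {
    # $1: path to an sshd_config file; prints a one-line assessment
    case "$(effective_root_login "$1")" in
        no)    echo "ok: root cannot log in over ssh" ;;
        yes)   echo "warn: root may log in directly, password included" ;;
        without-password|prohibit-password|forced-commands-only)
               echo "note: root login allowed, but not with a password" ;;
        unset) echo "note: not set globally, the built-in default applies" ;;
        *)     echo "error: unrecognised PermitRootLogin value" ;;
    esac
}

# Constructed sample file, not taken from a real host.
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
#PermitRootLogin yes
Port 22
permitrootlogin no
PermitRootLogin yes
EOF
root_login_verdict "$demo_config"
rm -f "$demo_config"
```

The commented line and the later duplicate are both ignored, so the sample is reported as `no`.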


Re: ssh root denied

2004-04-12 Thread Kevin D. Kinsey, DaleCo, S.P.
RazorOnFreeBSD wrote:

> Hi everyone,
>
> I have some troubles with ssh
> I have a FreeBSD server 4.9 working in a closet without screen.
> So I would like to use it through ssh from another station with OpenSSH to configure
> it when I need it.
> I can connect with a user login / password, but not with root / password.
> Is there any reason ? did I miss something ?
> I use the command : ssh [EMAIL PROTECTED]   (This one doesn't work with the right password)
> to connect or :  ssh [EMAIL PROTECTED] (This one does)
>
> Outputs from OpenSSH :
>
> Connection to 192.168.1.1 closed by remote host.
> Connection to 192.168.1.1 closed.
> Not really clear for me. :s
> And I'm pretty sure the password is correct because when it's wrong it just asks me
> the password again!
> Does anybody have any idea ?
>
> Thanx
>
> Razor.

Root logins are disallowed by default on FreeBSD
for security reasons.  The recommended approach
is to log on an account that is a member of the
"wheel" group, and su(1) to root when necessary
for administrative purposes while doing your routine
work under a less-privileged UID...

That said, I believe you can allow root logins by
adjusting /etc/ssh/sshd_config

Kevin Kinsey
DaleCo, S.P.


Re: ssh root denied

2004-04-12 Thread RazorOnFreeBSD
Thanks for all everyone... It works!
Enjoy your day.. ;)

- Original Message - 
From: "Remko Lodder" <[EMAIL PROTECTED]>
To: "RazorOnFreeBSD" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, April 12, 2004 10:12 PM
Subject: Re: ssh root denied


> RazorOnFreeBSD wrote:
> > Hi everyone,
> >
> > I have some troubles with ssh
> > I have a Freebsd server 4.9 working in a closet without screen.
> > So I would like to use it through ssh from another station with OpenSSH to configure it when I need it.
> > I can connect with a user login / password, but not with root / password.
> > Is there any reason ? did I miss something ?
>
> It's denied by default, as a security matter. You actually want to login
> and use 'su -' instead of login as root directly.
>
> If you really want to enable it,
>
> Edit the file
> /etc/ssh/sshd_config
> #PermitRootLogin yes
>
> Remove the hash.
>
> But, know that it's not secure, and you really don't want that.
> The login as normal user, (which need to be in the wheel group) and then
> su -'ing isn't that much work and doesn't take that much time, but it's
> more secure.
>
> Cheers
>
> -- 
>
> Kind regards,
>
> Remko Lodder
> Elvandar.org/DSINet.org
> www.mostly-harmless.nl A Dutch community for helping newcomers on the
> hackerscene




Re: ssh root denied

2004-04-13 Thread scuba
Hi,

On Mon, 12 Apr 2004, Kevin D. Kinsey, DaleCo, S.P. wrote:

|Root logins are disallowed by default on FreeBSD
|for security reasons.  The recommended approach
|is to log on an account that is a member of the
|"wheel" group, and su(1) to root when necessary
|for administrative purposes while doing your routine
|work under a less-privileged UID...

But, what should be the correct approach when you want to copy
root's files and/or remote execute programs as root with scripts using
scp/ssh and key authentication?
Like:

scp master.passwd host2:/etc/
or
ssh host2 'pwd_mkdb -p /etc/master.passwd'


- Marcelo




Re: ssh root denied

2004-04-13 Thread thib
You could chmod them (for a _trusted_ user) and scp them inside a tunnel.
But I on the other hand would move them with something physical (usbkey, floppy or something or other).
Check out GBDE for that case.

>On Tue, 13 Apr 2004 17:36:56 -0300 (EST)
><[EMAIL PROTECTED]> wrote:

> Hi,
> 
> On Mon, 12 Apr 2004, Kevin D. Kinsey, DaleCo, S.P. wrote:
> 
> |Root logins are disallowed by default on FreeBSD
> |for security reasons.  The recommended approach
> |is to log on an account that is a member of the
> |"wheel" group, and su(1) to root when necessary
> |for administrative purposes while doing your routine
> |work under a less-privileged UID...
> 
>   But, what should be te correct approach when you want to copy
> root's files and/or remote execute programs as root with scripts using
> scp/ssh and key authentication?
>   Like:
> 
>   scp master.passwd host2:/etc/
>   or
>   ssh host2 'pwd_mkdb -p /etc/master.passwd'
> 
> 
> - Marcelo
> 
> 


Re: ssh root denied

2004-04-13 Thread Remko Lodder
> But, what should be the correct approach when you want to copy
> root's files and/or remote execute programs as root with scripts using
> scp/ssh and key authentication?
> Like:
> scp master.passwd host2:/etc/
> or
> ssh host2 'pwd_mkdb -p /etc/master.passwd'

Tar them, chown the user logtransfer,
use logtransfer user to transfer files.
never ever use root for that it's highly insecure ( imho even with key
auth ).

"remote execute programs" why? can't you locally run them and fetch them
with a dedicated lowerlevel account?

Root is almighty, use it with precaution, locally, or with su -, sudo.

Use it remote, get whacked, everything breaks, too bad.

My approach in a "hard" way :-)

Cheers

> - Marcelo



--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl A Dutch community for helping newcomers on the 
hackerscene


Re: ssh root denied

2004-04-13 Thread Marcelo Souza
Hi,

On Tue, 13 Apr 2004, Remko Lodder wrote:

|>
|>  But, what should be te correct approach when you want to copy
|> root's files and/or remote execute programs as root with scripts using
|> scp/ssh and key authentication?
|>  Like:
|>
|>  scp master.passwd host2:/etc/
|>  or
|>  ssh host2 'pwd_mkdb -p /etc/master.passwd'
|
|"remote execute programs" why? cant you locally run them and fetch them
|with a dedicated lowerlevel account?

Use my example above, suppose you need to sync passwd between two
hosts, using a script via cron. Even if you tar/chown it and copy with
low level user, you will need to regenerate the passwd.

- Marcelo




Re: ssh root denied

2004-04-13 Thread Joshua Lokken
* thib <[EMAIL PROTECTED]> [2004-04-13 14:16]:
> >On Tue, 13 Apr 2004 17:36:56 -0300 (EST)
> ><[EMAIL PROTECTED]> wrote:
> > Hi,
> > 
> > On Mon, 12 Apr 2004, Kevin D. Kinsey, DaleCo, S.P. wrote:
> > 
> > |Root logins are disallowed by default on FreeBSD
> > |for security reasons.  The recommended approach
> > |is to log on an account that is a member of the
> > |"wheel" group, and su(1) to root when necessary
> > 
> > 
> You could  chmod them (for a _trusted_ user) and scp them inside a tunnel.
> But I on the other hand would move them with something physical ( usbkey,
> floppy or something or other )
> Check out GBDE for that case.

Isn't this situation exactly why 'sudo' (/usr/ports/security/sudo) was
developed?  I use sudo regularly for admin tasks like this.  There are
very few times when I 'need' to be root.

-- 
Joshua

Women are more easily and more deeply terrified ... generating more
sheer horror than the male of the species.
-- Spock, "Wolf in the Fold", stardate 3615.4



Re: ssh root denied

2004-04-13 Thread Remko Lodder
> Use my example above, suppose you need to sync passwd between two
> hosts, using a script via cron. Even if you tar/chown it and copy with
> low level user, you will need to regenerate the passwd.

Then I should use different methods (ldap?) and then I would build
scripts, tar as root, transfer as (low_level_user), rebuild as root.

Just cronts, no transfers etc done as root, only the local things as
root. Just to prevent anything scary :-)

cheers

> - Marcelo


--

Kind regards,

Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl A Dutch community for helping newcomers on the 
hackerscene


Re: ssh root denied

2004-04-13 Thread Sam C. Nicholson !!
Date: Tue, 13 Apr 2004 17:36:56 -0300 (EST)
From: <[EMAIL PROTECTED]>

>On Mon, 12 Apr 2004, Kevin D. Kinsey, DaleCo, S.P. wrote:
>
>|Root logins are disallowed by default on FreeBSD
>|for security reasons.  The recommended approach
>|is to log on an account that is a member of the
>|"wheel" group, and su(1) to root when necessary
>|for administrative purposes while doing your routine
>|work under a less-privileged UID...
>
>   But, what should be te correct approach when you want to copy
>root's files and/or remote execute programs as root with scripts using
>scp/ssh and key authentication?
>Like:
>
>   scp master.passwd host2:/etc/
>   or
>   ssh host2 'pwd_mkdb -p /etc/master.passwd'
>
>
>- Marcelo

To allow user fred to execute an arbitrary program, say ndc on a remote system:

1) allow fred to ssh with (and only with) [rd]sa keys, so that this works.

[EMAIL PROTECTED]> ssh remotesys echo foo
foo
[EMAIL PROTECTED]> 

2) on remotesys add the following to /whatever/etc/sudoers with "sudo visudo"

fred  ALL = NOPASSWD:/usr/sbin/ndc

3) verify with

[EMAIL PROTECTED]> ssh remotesys sudo /usr/sbin/ndc restart

Options:
You can, if you feel the need, set fred's local ssh key to require a password.
Sudoers can be set to allow only a particular set of options to command.
For that, I create pseudo users for particular classes of tasks.

I haven't used su since I found sudo.  I've not logged in as root, save in a 
grave emergency in 7-8 years.  I've a CD which contains all the .ssh/auth_keys,
etc, and use it after installing a machine, and before plugging it in the net.
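Added example, not part of any message in the thread: a review helper for the sudoers approach described above, listing each `NOPASSWD` command and whether its arguments are pinned. It assumes simple one-line rules (one `NOPASSWD:` tag per line, no aliases or line continuations); the `pwsync` user and the function name are hypothetical, and the sample rules are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): list NOPASSWD rules in a sudoers file
# and say how tightly each command is pinned. In sudoers, a command written
# without arguments may be run with any arguments; a command written with
# arguments must be invoked with exactly those.
# Simplifications: one NOPASSWD: tag per line, no aliases, no continuations.

nopasswd_rules() {
    # $1: path to a sudoers file; prints "user|command|scope" per command
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        /NOPASSWD:/ {
            user = $1
            spec = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", spec)  # keep the command list only
            n = split(spec, cmds, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                cmd = cmds[i]
                sub(/[ \t]+$/, "", cmd)
                if (cmd == "ALL")        scope = "any-command"
                else if (cmd ~ /[ \t]/)  scope = "fixed-arguments"
                else                     scope = "any-arguments"
                print user "|" cmd "|" scope
            }
        }
    ' "$1"
}

# Constructed sample: the rule from the message above, a tightened variant,
# and a hypothetical pseudo user for the master.passwd rebuild.
demo_sudoers=$(mktemp)
cat > "$demo_sudoers" <<'EOF'
# constructed sample
fred    ALL = NOPASSWD:/usr/sbin/ndc
fred    ALL = NOPASSWD: /usr/sbin/ndc restart
pwsync  ALL = NOPASSWD: /usr/sbin/pwd_mkdb -p /etc/master.passwd
EOF
nopasswd_rules "$demo_sudoers"
rm -f "$demo_sudoers"
```

Rules reported as `any-arguments` or `any-command` are the ones worth a second look when the account is driven by an unattended key.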