Re: Restricted shell and ssh problem
I don't know for sure, but my best guess is that you need to look at using a profile to set ENV to include an appropriate TMPDIR (if necessary) as well as to kick off the ssh-agent process.

From the man page for rksh/ksh:

  -r  Restricted shell. A shell is "restricted" if this option is used; if the basename the shell was invoked with was "rksh"; or if the SHELL parameter is set to "rksh". The following restrictions come into effect after the shell processes any profile and ENV files:

      - The cd command is disabled.
      - The SHELL, ENV, and PATH parameters cannot be changed.
      - Command names can't be specified with absolute or relative paths.
      - The -p option of the built-in command "command" can't be used.
      - Redirections that create files can't be used (i.e. ">", ">|", ">>", "<>").

And from the man page for ssh-agent:

  FILES
    $TMPDIR/ssh-XX/agent.
        UNIX-domain sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits.

Hope this helped.
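A ~/.profile fragment for such an rksh-only account, added here as an example (it is not from the thread or from OpenBSD's own files): because the profile runs before the -r restrictions apply, it is where TMPDIR can be set and an agent started, and it prefers an agent socket forwarded in by the client, which is what the original poster ended up relying on. The directory name $HOME/.ssh-tmp is an assumption.

```sh
#!/bin/sh
# Added example: ~/.profile fragment for an rksh-only account.
# The profile runs before the -r restrictions take effect, so it is the
# one place this account can set TMPDIR and start an agent. It follows
# that this file and the directory holding it must not be writable by
# the restricted user, or the restriction is void.

# Create a private directory for agent sockets and export it as TMPDIR
# (ssh-agent creates its socket below $TMPDIR). Returns 1 if the
# directory cannot be created or is not owned by the caller.
ensure_tmpdir() {
    dir=$1
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chmod 0700 "$dir" || return 1
    # Refuse a directory someone else pre-created under this name.
    owner=$(ls -ld "$dir" | awk '{ print $3 }')
    [ "$owner" = "$(id -un)" ] || return 1
    TMPDIR=$dir
    export TMPDIR
}

# Prefer an agent forwarded by the client (SSH_AUTH_SOCK already names a
# live socket); otherwise start one locally. Returns 1 when ssh-agent is
# not installed, so the login still succeeds without an agent.
start_agent_if_needed() {
    if [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]; then
        return 0
    fi
    command -v ssh-agent >/dev/null 2>&1 || return 1
    eval "$(ssh-agent -s)" >/dev/null
}

# Profile body: the socket directory under $HOME is an assumed location.
if [ -n "$HOME" ] && ensure_tmpdir "$HOME/.ssh-tmp"; then
    start_agent_if_needed || :
fi
```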
Re: Restricted shell and ssh problem
Found the problem. I forgot to set ForwardAgent in the 1st ssh command. Sorry.

2016-08-25 18:45 GMT+02:00 jean-yves boisiaud <jean-yves.boisi...@alcor-consulting.fr>:
> Hello,
>
> I am running openbsd 5.7 and openssh 6.8.
>
> I set a restricted shell (rksh) to run only ssh. It works.
>
> In the restricted shell command directory, I also added links to the
> commands ssh-agent and ssh-add.
>
> But, SSH_AUTH_SOCK is not set (and /tmp/ssh- does not exist), so I
> must use password authentication.
>
> How could I use agent authentication with ssh when I am in a restricted
> shell?
>
> Thanks for your help.
>
> --
> Jean-Yves Boisiaud - Alcor Consulting
> 24, rue de la Glycine
> 49250 Saint Remy la Varenne
> mobile : +33 6 63 71 73 46 fixe : +33 9 72 41 19 35

--
Jean-Yves Boisiaud - Alcor Consulting
24, rue de la Glycine
49250 Saint Remy la Varenne
mobile : +33 6 63 71 73 46 fixe : +33 9 72 41 19 35
Restricted shell and ssh problem
Hello,

I am running openbsd 5.7 and openssh 6.8.

I set a restricted shell (rksh) to run only ssh. It works.

In the restricted shell command directory, I also added links to the commands ssh-agent and ssh-add.

But, SSH_AUTH_SOCK is not set (and /tmp/ssh- does not exist), so I must use password authentication.

How could I use agent authentication with ssh when I am in a restricted shell?

Thanks for your help.

--
Jean-Yves Boisiaud - Alcor Consulting
24, rue de la Glycine
49250 Saint Remy la Varenne
mobile : +33 6 63 71 73 46 fixe : +33 9 72 41 19 35
Re: ssh problem
Leonard Jacobs wrote:
> Well I wish it were this easy, or perhaps I am still missing something.
> I added AllowUsers username in the sshd_config file and changed the
> drive to read/write and here's the results:
>
> [EMAIL PROTECTED]:~# mount -o rw /dev/wd0a /
> [EMAIL PROTECTED]:~# ssh -p 222 [EMAIL PROTECTED]
> [EMAIL PROTECTED]'s password:
> Permission denied, please try again.
> [EMAIL PROTECTED]'s password:
> Permission denied, please try again.
> [EMAIL PROTECTED]'s password:
> Permission denied (publickey,password,keyboard-interactive).
>
> Sep 5 18:31:23 shakti-taos sshd[10335]: Failed none for invalid user lj from ::1 port 15320 ssh2
> Sep 5 18:31:26 shakti-taos sshd[10335]: Failed password for invalid user lj from ::1 port 15320 ssh2
> Sep 5 18:31:31 shakti-taos last message repeated 2 times
>
> Of course I would love to disallow Root logins but will await the
> resolution of allowing regular users to connect via ssh first.
>
> Any suggestions would be greatly appreciated.
>
> Thordur I. Bjornsson wrote:
>> Leonard Jacobs <[EMAIL PROTECTED]> wrote on Mon 4.Sep'06 at 22:22:30 -0400
>>> I've configured a Soekris running OpenBSD 3.9 & pf as a firewall, with a
>>> read only CF. I am using the default sshd_config file except to run
>>> sshd on port 222.
>> /dev mounted read only ?
>>
>> If so, then that's your problem. Load it as an mfs on boot. (image + vnd
>> ? maybe or sth)
>>> My problem is that I cannot connect remotely to this box via ssh except
>>> as root. When a legit user who has an account on that box attempts
>>> connection, I get " Failed password for invalid user lj from
>>> 192.168.1.13 port 10962 ssh2". Is there anything obvious that you can
>>> suggest that might be causing this problem? I did try changing the file
>>> system to read/write, but it did not resolve the problem.
>>>
>>> Thanks.

If you have console access, have you tried running sshd -D -d -d -d, then trying to connect in? It will give diagnostics from the server that usually very obviously reveal what the problem is.

I've even done this (VERY) carefully remotely: once ssh'd in, kill off the main daemon, restart with debugging and then try to get whatever working that wasn't. I usually schedule an "at" job to restart in 1 hour in case I get kicked off...

Good Luck,
Steve Williams
Re: ssh problem
On 2006/09/05 22:21, Leonard Jacobs wrote:
> Well I wish it were this easy, or perhaps I am still missing something.
> I added AllowUsers username in the sshd_config file and changed the
> drive to read/write and here's the results:

Was the user added normally (adduser/vipw)? If not, was pwd_mkdb run to update pwd.db and spwd.db?

> Of course I would love to disallow Root logins but will await the
> resolution of allowing regular users to connect via ssh first.

Soekris - what is it, single-user system running as a router or something? There's probably not very much benefit from disabling root logins in such a case, just use good passwords or use keys and PasswordAuthentication no (and if possible only allow your legitimate IP addresses to connect), but you still want that if you disable root logins.
Re: ssh problem
On Tue, 05 Sep 2006 22:21:55 -0400, Leonard Jacobs wrote:
> Well I wish it were this easy, or perhaps I am still missing something.
> I added AllowUsers username in the sshd_config file and changed the
> drive to read/write and here's the results:
>
> [EMAIL PROTECTED]:~# mount -o rw /dev/wd0a /
> [EMAIL PROTECTED]:~# ssh -p 222 [EMAIL PROTECTED]
> [EMAIL PROTECTED]'s password:
> Permission denied, please try again.
> [EMAIL PROTECTED]'s password:
> Permission denied, please try again.
> [EMAIL PROTECTED]'s password:
> Permission denied (publickey,password,keyboard-interactive).
>
> Sep 5 18:31:23 shakti-taos sshd[10335]: Failed none for invalid user lj
> from ::1 port 15320 ssh2
> Sep 5 18:31:26 shakti-taos sshd[10335]: Failed password for invalid
> user lj from ::1 port 15320 ssh2
> Sep 5 18:31:31 shakti-taos last message repeated 2 times
>
> Of course I would love to disallow Root logins but will await the
> resolution of allowing regular users to connect via ssh first.
>
> Any suggestions would be greatly appreciated.
>
>
> Thordur I. Bjornsson wrote:
>> Leonard Jacobs <[EMAIL PROTECTED]> wrote on Mon 4.Sep'06 at 22:22:30 -0400
>>
>>> I've configured a Soekris running OpenBSD 3.9 & pf as a firewall, with a
>>> read only CF. I am using the default sshd_config file except to run
>>> sshd on port 222.
>> /dev mounted read only ?
>>
>> If so, then that's your problem. Load it as an mfs on boot. (image + vnd
>> ? maybe or sth)
>>> My problem is that I cannot connect remotely to this box via ssh except
>>> as root. When a legit user who has an account on that box attempts
>>> connection, I get " Failed password for invalid user lj from
>>> 192.168.1.13 port 10962 ssh2". Is there anything obvious that you can
>>> suggest that might be causing this problem? I did try changing the file
>>> system to read/write, but it did not resolve the problem.
>>>
>>> Thanks.
>

What does # su lj result in? And have you tried -vvv in the ssh invocation? It won't tell you anything that would allow you to find out whether a user is in the passwd file or such, but it might just add some light.

From the land "down under": Australia.
Do we look from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
Your IP address will also be greytrapped for 24 hours after any attempt.

I am continually amazed by the people who run OpenBSD who don't take this advice. I always expected a smarter class. I guess not.
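The replies above boil the problem down to two questions: does the password database know the account at all (adduser/vipw, pwd_mkdb, or simply su lj), and what does sshd's log say. As an added example that is not from the thread, this script reads sshd log lines modelled on the ones quoted above (constructed here) and separates failures for names sshd could not resolve from failures for existing accounts, then checks each unknown name against the local password database.

```sh
#!/bin/sh
# Added example: triage the sshd failures quoted in this thread.
# Sample log lines constructed after the ones posted above.
SAMPLE_LOG='Sep 5 18:31:23 shakti-taos sshd[10335]: Failed none for invalid user lj from ::1 port 15320 ssh2
Sep 5 18:31:26 shakti-taos sshd[10335]: Failed password for invalid user lj from ::1 port 15320 ssh2
Sep 5 18:31:31 shakti-taos last message repeated 2 times
Sep 5 18:32:02 shakti-taos sshd[10341]: Failed password for root from 192.168.1.13 port 10970 ssh2'

# "invalid user" means sshd could not resolve the name: either it is not
# in the password database (pwd.db/spwd.db never rebuilt) or sshd's own
# AllowUsers/AllowGroups/DenyUsers checks rejected it. Prints one
# "user source" line per distinct pair.
invalid_users() {
    printf '%s\n' "$1" |
        sed -n 's/.*Failed [a-z-]* for invalid user \([^ ]*\) from \([^ ]*\) port.*/\1 \2/p' |
        sort -u
}

# Failures for names sshd did resolve: the account exists and only the
# credential was wrong (the root attempt in the sample).
known_user_failures() {
    printf '%s\n' "$1" |
        sed -n 's/.*Failed [a-z-]* for \([^ ]*\) from \([^ ]*\) port.*/\1 \2/p' |
        sort -u
}

# The same question as "what does su lj result in": does the local
# password database know this name at all?
account_exists() {
    id "$1" >/dev/null 2>&1
}

# For each unknown name, tell the two causes apart.
triage() {
    invalid_users "$1" | while read -r user src; do
        if account_exists "$user"; then
            echo "$user from $src: account resolves here, so check AllowUsers/AllowGroups in sshd_config"
        else
            echo "$user from $src: not in the password database (re-run pwd_mkdb after editing master.passwd)"
        fi
    done
}

triage "$SAMPLE_LOG"
known_user_failures "$SAMPLE_LOG"
```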
Re: ssh problem
Well I wish it were this easy, or perhaps I am still missing something. I added AllowUsers username in the sshd_config file and changed the drive to read/write and here's the results:

[EMAIL PROTECTED]:~# mount -o rw /dev/wd0a /
[EMAIL PROTECTED]:~# ssh -p 222 [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:
Permission denied (publickey,password,keyboard-interactive).

Sep 5 18:31:23 shakti-taos sshd[10335]: Failed none for invalid user lj from ::1 port 15320 ssh2
Sep 5 18:31:26 shakti-taos sshd[10335]: Failed password for invalid user lj from ::1 port 15320 ssh2
Sep 5 18:31:31 shakti-taos last message repeated 2 times

Of course I would love to disallow Root logins but will await the resolution of allowing regular users to connect via ssh first.

Any suggestions would be greatly appreciated.

Thordur I. Bjornsson wrote:
> Leonard Jacobs <[EMAIL PROTECTED]> wrote on Mon 4.Sep'06 at 22:22:30 -0400
>> I've configured a Soekris running OpenBSD 3.9 & pf as a firewall, with a
>> read only CF. I am using the default sshd_config file except to run
>> sshd on port 222.
> /dev mounted read only ?
>
> If so, then that's your problem. Load it as an mfs on boot. (image + vnd
> ? maybe or sth)
>> My problem is that I cannot connect remotely to this box via ssh except
>> as root. When a legit user who has an account on that box attempts
>> connection, I get " Failed password for invalid user lj from
>> 192.168.1.13 port 10962 ssh2". Is there anything obvious that you can
>> suggest that might be causing this problem? I did try changing the file
>> system to read/write, but it did not resolve the problem.
>>
>> Thanks.
Re: ssh problem
Leonard Jacobs <[EMAIL PROTECTED]> wrote on Mon 4.Sep'06 at 22:22:30 -0400
> I've configured a Soekris running OpenBSD 3.9 & pf as a firewall, with a
> read only CF. I am using the default sshd_config file except to run
> sshd on port 222.

/dev mounted read only ?

If so, then that's your problem. Load it as an mfs on boot. (image + vnd ? maybe or sth)

> My problem is that I cannot connect remotely to this box via ssh except
> as root. When a legit user who has an account on that box attempts
> connection, I get " Failed password for invalid user lj from
> 192.168.1.13 port 10962 ssh2". Is there anything obvious that you can
> suggest that might be causing this problem? I did try changing the file
> system to read/write, but it did not resolve the problem.
>
> Thanks.
Re: ssh problem
Do you have the AllowUsers or AllowGroups in your config file ? That would do it.

You should also disable direct root logins. Try changing the following in /etc/ssh/sshd_config:

PermitRootLogin no

Leonard Jacobs([EMAIL PROTECTED])@Mon, Sep 04, 2006 at 10:22:30PM -0400:
> I've configured a Soekris running OpenBSD 3.9 & pf as a firewall, with a
> read only CF. I am using the default sshd_config file except to run
> sshd on port 222.
>
> My problem is that I cannot connect remotely to this box via ssh except
> as root. When a legit user who has an account on that box attempts
> connection, I get " Failed password for invalid user lj from
> 192.168.1.13 port 10962 ssh2". Is there anything obvious that you can
> suggest that might be causing this problem? I did try changing the file
> system to read/write, but it did not resolve the problem.
>
> Thanks.
>

--
Allie D.
Allnix,LLC. http://www.allnix.net
One man's theology is another man's belly laugh.
ssh problem
I've configured a Soekris running OpenBSD 3.9 & pf as a firewall, with a read only CF. I am using the default sshd_config file except to run sshd on port 222.

My problem is that I cannot connect remotely to this box via ssh except as root. When a legit user who has an account on that box attempts connection, I get " Failed password for invalid user lj from 192.168.1.13 port 10962 ssh2". Is there anything obvious that you can suggest that might be causing this problem? I did try changing the file system to read/write, but it did not resolve the problem.

Thanks.