Re: Disable SSH authentication
I think the goal could be achieved with a different approach. chaoson wants "the ability to run a command on trusted machine remotely" + "don't need to either provide user account or the public key".

It seems that he/she wants to automate or mechanize the ssh session. This could be achieved, without reinventing the wheel, using expect.

With expect you can control the remote session in a programmatic way without losing security and controlling outputs of your remote commands.

Further reference:

http://expect.nist.gov/
http://www.tcl.tk/man/expect5.31/

Esteban Dauksis Ortolá
[EMAIL PROTECTED]
http://www.linkedin.com/in/estebandauksis

On 17/10/2008, at 9:09, Kosala Atapattu wrote:

> Hi Guys,
>
> This has been a very interesting mailing thread. After all the discussion I would like to summarize what I grabbed during these conversations.
>
> The ultimate goal can be achieved with following other tools...
>
> 1. Interestingly with "NETCAT" with -e option
> 2. Regular RSH with trusted host.
>
> Achieving this through SSH is not logical, since the approach basically defeats the original purpose of SSH.
>
> Did I miss something?
>
> Kosala
>
> On Mon, Oct 13, 2008 at 10:54 AM, chaoson <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> I'm running openssh-4.3p2.
>>
>> I need the ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
>> 1) Provide user name and password
>> 2) Public key authentication
>>
>> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea? Thanks
>>
>> ___
>> Yahoo! Mail, your mailbox for life!
>> http://cn.mail.yahoo.com/
>
> --
> Kosala
>
> Disclaimer: Views expressed in this mail are my personal views and they would not reflect views of the employer.
>
> blog.kosala.net
> www.linux.lk/~kosala/
> www.kosala.net
RE: Disable SSH authentication
> # Disallow non-root logins when /etc/nologin exists.

I didn't have that line in my box and didn't bother to verify what 'pam_nologin.so' stands for. Now I checked that /etc/nologin did not exist in my box (that explains why it worked).

-Sharath.

-----Original Message-----
From: Kosala Atapattu [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 16, 2008 11:12 AM
To: Sharath Ballal
Cc: Christian Grunfeld; chaoson; secureshell@securityfocus.com
Subject: Re: Disable SSH authentication

Hi Sharath,

On Thu, Oct 16, 2008 at 8:29 AM, Sharath Ballal <[EMAIL PROTECTED]> wrote:
> Kosala ,

BTW, I'm not the originator of the request... it's chaoson.

> You can still use SSH with PAM and skip both password and key authentication by changing the following entry in /etc/pam.d/sshd file and commenting other auth entries.
>
> auth sufficient pam_nologin.so no_warn
>
> i.e. Change the pam_nologin.so to "sufficient" in the auth category and comment all others in this category (I guess even commenting other entries may not be required since we made it "sufficient" but it has to be the first entry, you can try that out).

I see this in my Ubuntu box.

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

The description gives a different definition to pam_nologin.so.

Kosala
Re: Disable SSH authentication
Hi Guys,

This has been a very interesting mailing thread. After all the discussion I would like to summarize what I grabbed during these conversations.

The ultimate goal can be achieved with following other tools...

1. Interestingly with "NETCAT" with -e option
2. Regular RSH with trusted host.

Achieving this through SSH is not logical, since the approach basically defeats the original purpose of SSH.

Did I miss something?

Kosala

On Mon, Oct 13, 2008 at 10:54 AM, chaoson <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm running openssh-4.3p2.
>
> I need the ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
> 1) Provide user name and password
> 2) Public key authentication
>
> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea? Thanks
>
> ___
> Yahoo! Mail, your mailbox for life!
> http://cn.mail.yahoo.com/

--
Kosala

Disclaimer: Views expressed in this mail are my personal views and they would not reflect views of the employer.

blog.kosala.net
www.linux.lk/~kosala/
www.kosala.net
Re: Disable SSH authentication
On Tue, 14 Oct 2008, Christian Grunfeld wrote:

> Date: Tue, 14 Oct 2008 16:46:14 -0300
>
> quote=" . . so that we don't need to either provide user account . . "
>
> that is what chaoson said !

Personally, I interpreted that sentence of chaoson to mean "type in user credentials". My understanding of the problem is that they need to run, perhaps in unattended/scripted mode, some commands on the remote machine without having to interactively enter any credentials (which passphraseless ssh authentication would easily achieve, but perhaps chaoson did not figure it out yet how it works).

> With rsh you must provide user and password on the remote host ! also like telnet !
>
> I remember to all of you that rsh or telnet are an input/output redirection of a console thru sockets ! !

You don't at all need to have a user account with telnet. As you said it's an I/O redirection through sockets, so you can have written a perl script or a C program (or anything really that can listen on sockets) that listens on a specified port, and interprets commands sent to it through a telnet client connecting to that port.

(In fact we do something like that for hardware snapshot inventory of our computers (like video card, disk size, etc), which does not require a user account and is OK to transmit in clear. We map standard input commands to a small subset of commands to query the hardware spec, and send it back. For that you don't even need to have a telnet client, but can write your own little shell that transmits and receives packets.)

-s

> cheers
>
> 2008/10/14 Kosala Atapattu <[EMAIL PROTECTED]>:
> > running commands with Netcat... even weirder
> >
> > This is not the answer to your question. May be you can try good old "rsh" with the "hosts.allowed"... In some internal networks (within the same net zone) I have used that lot... where security is not much of a concern.
> >
> > Kosala
> >
> > 2008/10/14 Christian Grunfeld <[EMAIL PROTECTED]>:
> >> Hi,
> >>
> >> strange question in a ssh discussion list !
> >> May be you can use netcat on both sides with standard input and output redirected from/to a console.
> >>
> >> Cheers
> >> Christian
> >>
> >> 2008/10/13, chaoson <[EMAIL PROTECTED]>:
> >>> Hi,
> >>>
> >>> I'm running openssh-4.3p2.
> >>>
> >>> I need the ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
> >>> 1) Provide user name and password
> >>> 2) Public key authentication
> >>>
> >>> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea? Thanks

--
Serguei A. Mokhov            |  /~\    The ASCII
Computer Science Department  |  \ /  Ribbon Campaign
Concordia University         |   X    Against HTML
Montreal, Quebec, Canada     |  / \      Email!
RE: Disable SSH authentication
Kosala ,

You can still use SSH with PAM and skip both password and key authentication by changing the following entry in /etc/pam.d/sshd file and commenting other auth entries.

auth sufficient pam_nologin.so no_warn

i.e. Change the pam_nologin.so to "sufficient" in the auth category and comment all others in this category (I guess even commenting other entries may not be required since we made it "sufficient" but it has to be the first entry, you can try that out).

-Sharath.

-----Original Message-----
From: Christian Grunfeld [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 15, 2008 1:27 AM
To: Kosala Atapattu
Cc: chaoson; secureshell@securityfocus.com
Subject: Re: Disable SSH authentication

As simple as:

server side:
nc -l -p 1234 -e /bin/bash

client side:
nc 1234

cheers !

2008/10/14 Kosala Atapattu <[EMAIL PROTECTED]>:
> running commands with Netcat... even weirder
>
> This is not the answer to your question. May be you can try good old "rsh" with the "hosts.allowed"... In some internal networks (within the same net zone) I have used that lot... where security is not much of a concern.
>
> Kosala
>
> 2008/10/14 Christian Grunfeld <[EMAIL PROTECTED]>:
>> Hi,
>>
>> strange question in a ssh discussion list !
>> May be you can use netcat on both sides with standard input and output redirected from/to a console.
>>
>> Cheers
>> Christian
>>
>> 2008/10/13, chaoson <[EMAIL PROTECTED]>:
>>> Hi,
>>>
>>> I'm running openssh-4.3p2.
>>>
>>> I need the ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
>>> 1) Provide user name and password
>>> 2) Public key authentication
>>>
>>> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea? Thanks
>>>
>>> ___
>>> Yahoo! Mail, your mailbox for life!
>>> http://cn.mail.yahoo.com/
>
> --
> Kosala
>
> Disclaimer: Views expressed in this mail are my personal views and they would not reflect views of the employer.
>
> blog.kosala.net
> www.linux.lk/~kosala/
> www.kosala.net
Re: Disable SSH authentication
Hi Sharath,

On Thu, Oct 16, 2008 at 8:29 AM, Sharath Ballal <[EMAIL PROTECTED]> wrote:
> Kosala ,

BTW, I'm not the originator of the request... it's chaoson.

> You can still use SSH with PAM and skip both password and key authentication by changing the following entry in /etc/pam.d/sshd file and commenting other auth entries.
>
> auth sufficient pam_nologin.so no_warn
>
> i.e. Change the pam_nologin.so to "sufficient" in the auth category and comment all others in this category (I guess even commenting other entries may not be required since we made it "sufficient" but it has to be the first entry, you can try that out).

I see this in my Ubuntu box.

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

The description gives a different definition to pam_nologin.so.

Kosala
Re: Disable SSH authentication
Perhaps what you meant is the possibility of setting up a trust relationship with a remote box, and run an automated/cron job without prompting you for a password.

If that is what you need, that is doable by 'scp' the content of your generated pub.key to the authorized-keys of the remote box. Bingo! You will never be bothered with the "troubles" of uid/passwd: I agree with you, it's a PITA to go thru all that :-)

Thanks,
Yinka.

Christian Grunfeld wrote:
> As simple as:
>
> server side:
> nc -l -p 1234 -e /bin/bash
>
> client side:
> nc 1234
>
> cheers !
>
> 2008/10/14 Kosala Atapattu <[EMAIL PROTECTED]>:
>> running commands with Netcat... even weirder
>>
>> This is not the answer to your question. May be you can try good old "rsh" with the "hosts.allowed"... In some internal networks (within the same net zone) I have used that lot... where security is not much of a concern.
>>
>> Kosala
>>
>> 2008/10/14 Christian Grunfeld <[EMAIL PROTECTED]>:
>>> Hi,
>>>
>>> strange question in a ssh discussion list !
>>> May be you can use netcat on both sides with standard input and output redirected from/to a console.
>>>
>>> Cheers
>>> Christian
>>>
>>> 2008/10/13, chaoson <[EMAIL PROTECTED]>:
>>>> Hi,
>>>>
>>>> I'm running openssh-4.3p2.
>>>>
>>>> I need the ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
>>>> 1) Provide user name and password
>>>> 2) Public key authentication
>>>>
>>>> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea? Thanks
>>>>
>>>> ___
>>>> Yahoo! Mail, your mailbox for life!
>>>> http://cn.mail.yahoo.com/
>>
>> --
>> Kosala
>>
>> Disclaimer: Views expressed in this mail are my personal views and they would not reflect views of the employer.
>>
>> blog.kosala.net
>> www.linux.lk/~kosala/
>> www.kosala.net
Re: Disable SSH authentication
How about "PermitEmptyPasswords yes", and remove the password from the user. Then I don't think you need the password.

Kosala

On Mon, Oct 13, 2008 at 10:54 AM, chaoson <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm running openssh-4.3p2.
>
> I need the ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
> 1) Provide user name and password
> 2) Public key authentication
>
> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea? Thanks
>
> ___
> Yahoo! Mail, your mailbox for life!
> http://cn.mail.yahoo.com/

--
Kosala

Disclaimer: Views expressed in this mail are my personal views and they would not reflect views of the employer.

blog.kosala.net
www.linux.lk/~kosala/
www.kosala.net
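
Added example, not part of any post in this thread: an audit that flags the two server-side settings proposed above, a non-authenticating PAM module marked "sufficient" in the sshd auth stack and "PermitEmptyPasswords yes" in sshd_config. The sample file contents are constructed, and the function names and the inclusion of pam_permit.so next to pam_nologin.so are assumptions of this example.

```python
import re

# Modules that return success without verifying a credential. pam_nologin.so
# is the one named in the thread; pam_permit.so is added here as an assumption.
NON_AUTHENTICATING = {"pam_nologin.so", "pam_permit.so"}
AUTH_LINE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")
INCLUDE_LINE = re.compile(r"^(@include\s|-?auth\s+(include|substack)\s)")

def audit_pam(text):
    """Return (line_number, finding) pairs for a pam.d/sshd style file."""
    findings, checks_credentials, has_include = [], False, False
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if INCLUDE_LINE.match(line):
            has_include = True                   # stack continues in another file
            continue
        match = AUTH_LINE.match(line)
        if not match:
            continue                             # account/session/password lines
        control, module = match.group(1), match.group(2).rsplit("/", 1)[-1]
        if module not in NON_AUTHENTICATING:
            checks_credentials = True
        elif control == "sufficient":
            findings.append((number, f"{module} marked 'sufficient' in auth stack"))
    if not checks_credentials and not has_include:
        findings.append((0, "no auth module in this file verifies a credential"))
    return findings

def audit_sshd_config(text):
    """Return findings for the global section of an sshd_config style file."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break                                # Match blocks are not evaluated here
        if len(parts) > 1:
            # sshd uses the first value it obtains for each keyword
            seen.setdefault(parts[0].lower(), parts[1].lower())
    findings = []
    if seen.get("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes: empty-password accounts can log in")
    if seen.get("usepam") == "yes":
        findings.append("UsePAM yes: the PAM auth stack is in use, audit it as well")
    return findings

# Constructed sample reproducing the PAM change proposed in the thread.
THREAD_PAM = """\
auth      sufficient  pam_nologin.so no_warn
#auth     required    pam_unix.so
account   required    pam_nologin.so
"""
# Constructed baseline: pam_nologin.so only in the account stack.
BASELINE_PAM = """\
auth      required    pam_unix.so
account   required    pam_nologin.so
"""
# Constructed sshd_config fragment; the later "no" is ignored (first value wins).
THREAD_SSHD = "UsePAM yes\nPermitEmptyPasswords yes\nPermitEmptyPasswords no\n"

if __name__ == "__main__":
    for item in audit_pam(THREAD_PAM) + audit_sshd_config(THREAD_SSHD):
        print(item)
```
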
Re: Disable SSH authentication
> You don't at all need to have a user account with telnet. As you said it's an I/O redirection through sockets, so you can have written a perl script or a C program (or anything really that can listen on sockets) that listens on a specified port, and interprets commands sent to it through a telnet client connecting to that port.

You are only talking from client point of view. Obviously you can connect a telnet client to every server you want but in case you want a telnet session (in order to have a console for running commands) you connect the telnet client to the telnet server which asks you for authentication (user/pass).

If you connect a telnet client to a perl script or a C program or something that listens on sockets you are saying the same as me ! ! Netcat is that server that listens on sockets. And in my case I also use netcat as a client instead of a telnet client !

C
Re: Disable SSH authentication
As simple as:

server side:
nc -l -p 1234 -e /bin/bash

client side:
nc 1234

cheers !

2008/10/14 Kosala Atapattu <[EMAIL PROTECTED]>:
> running commands with Netcat... even weirder
>
> This is not the answer to your question. May be you can try good old "rsh" with the "hosts.allowed"... In some internal networks (within the same net zone) I have used that lot... where security is not much of a concern.
>
> Kosala
>
> 2008/10/14 Christian Grunfeld <[EMAIL PROTECTED]>:
>> Hi,
>>
>> strange question in a ssh discussion list !
>> May be you can use netcat on both sides with standard input and output redirected from/to a console.
>>
>> Cheers
>> Christian
>>
>> 2008/10/13, chaoson <[EMAIL PROTECTED]>:
>>> Hi,
>>>
>>> I'm running openssh-4.3p2.
>>>
>>> I need the ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
>>> 1) Provide user name and password
>>> 2) Public key authentication
>>>
>>> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea? Thanks
>>>
>>> ___
>>> Yahoo! Mail, your mailbox for life!
>>> http://cn.mail.yahoo.com/
>
> --
> Kosala
>
> Disclaimer: Views expressed in this mail are my personal views and they would not reflect views of the employer.
>
> blog.kosala.net
> www.linux.lk/~kosala/
> www.kosala.net
Re: Disable SSH authentication
quote=" . . so that we don't need to either provide user account . . "

that is what chaoson said !

With rsh you must provide user and password on the remote host ! also like telnet !

I remember to all of you that rsh or telnet are an input/output redirection of a console thru sockets ! !

cheers

2008/10/14 Kosala Atapattu <[EMAIL PROTECTED]>:
> running commands with Netcat... even weirder
>
> This is not the answer to your question. May be you can try good old "rsh" with the "hosts.allowed"... In some internal networks (within the same net zone) I have used that lot... where security is not much of a concern.
>
> Kosala
>
> 2008/10/14 Christian Grunfeld <[EMAIL PROTECTED]>:
>> Hi,
>>
>> strange question in a ssh discussion list !
>> May be you can use netcat on both sides with standard input and output redirected from/to a console.
>>
>> Cheers
>> Christian
>>
>> 2008/10/13, chaoson <[EMAIL PROTECTED]>:
>>> Hi,
>>>
>>> I'm running openssh-4.3p2.
>>>
>>> I need the ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
>>> 1) Provide user name and password
>>> 2) Public key authentication
>>>
>>> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea? Thanks
>>>
>>> ___
>>> Yahoo! Mail, your mailbox for life!
>>> http://cn.mail.yahoo.com/
>
> --
> Kosala
>
> Disclaimer: Views expressed in this mail are my personal views and they would not reflect views of the employer.
>
> blog.kosala.net
> www.linux.lk/~kosala/
> www.kosala.net
Re: Disable SSH authentication
running commands with Netcat... even weirder

This is not the answer to your question. May be you can try good old "rsh" with the "hosts.allowed"... In some internal networks (within the same net zone) I have used that lot... where security is not much of a concern.

Kosala

2008/10/14 Christian Grunfeld <[EMAIL PROTECTED]>:
> Hi,
>
> strange question in a ssh discussion list !
> May be you can use netcat on both sides with standard input and output redirected from/to a console.
>
> Cheers
> Christian
>
> 2008/10/13, chaoson <[EMAIL PROTECTED]>:
>> Hi,
>>
>> I'm running openssh-4.3p2.
>>
>> I need the ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
>> 1) Provide user name and password
>> 2) Public key authentication
>>
>> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea? Thanks
>>
>> ___
>> Yahoo! Mail, your mailbox for life!
>> http://cn.mail.yahoo.com/

--
Kosala

Disclaimer: Views expressed in this mail are my personal views and they would not reflect views of the employer.

blog.kosala.net
www.linux.lk/~kosala/
www.kosala.net
Re: Disable SSH authentication
On Tue, Oct 14, 2008 at 12:01 PM, Serguei A. Mokhov <[EMAIL PROTECTED]> wrote:
> Why public key authentication does not work for you?

Indeed, why not setup key based auth with no passwords, other than the obvious security implications, as long as you protect your keys, you can script authentication without the need for hands on keyboards.

--
Dave Hull
Public key: http://trustedsignal.com/pubkey.txt
Fingerprint: 4B2B F3AD A9C2 B4E1 CBDF B86F D360 D00F C18D C71B
Re: Disable SSH authentication
On Mon, 13 Oct 2008, chaoson wrote:

> Date: Mon, 13 Oct 2008 15:54:57 +0800 (CST)
>
> Hi,
>
> I'm running openssh-4.3p2.
>
> I need the ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
>
> 1) Provide user name and password
> 2) Public key authentication
>
> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea? Thanks

Well, if your machine is SO trusted and so secure that does not require authentication, why do you need to use openssh at all? ;-) Use telnet or rsh then ;-)

Why public key authentication does not work for you?

--
Serguei A. Mokhov            |  /~\    The ASCII
Computer Science Department  |  \ /  Ribbon Campaign
Concordia University         |   X    Against HTML
Montreal, Quebec, Canada     |  / \      Email!
Re: Disable SSH authentication
chaoson wrote:
> I'm running openssh-4.3p2.
>
> I need the ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
> 1) Provide user name and password
> 2) Public key authentication
>
> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea? Thanks

You mean a completely non authenticated ssh login? ... kind of defeats the first S of SSH...

If I remember correctly, I think Rsh could do this based on source address/host, but who uses that in the last decade...

Why would you want to do such a thing?

If you really, really, really wanted to do this, you could do it via pam, using UsePAM yes in sshd_config and then set the pam for ssh to accept without checking for any passwords.

(Disclaimer: the above may get you shot repeatedly by your wise-cracking local security guru... ;-) )

-h

--
Hari Sekhon
Always open to interesting opportunities
http://www.linkedin.com/in/harisekhon
Re: Disable SSH authentication
Hi,

strange question in a ssh discussion list !
May be you can use netcat on both sides with standard input and output redirected from/to a console.

Cheers
Christian

2008/10/13, chaoson <[EMAIL PROTECTED]>:
> Hi,
>
> I'm running openssh-4.3p2.
>
> I need the ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
> 1) Provide user name and password
> 2) Public key authentication
>
> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone have the idea? Thanks
>
> ___
> Yahoo! Mail, your mailbox for life!
> http://cn.mail.yahoo.com/