
Re: potato openssh



Ethan Benson <erbenson@alaska.net> wrote:

>have you tried adding:
>ALL: 127.0.0.1 localhost <yourip> <yourhost.yourdomain> 
>to /etc/hosts.allow just for testing?

Thanks. Ok, I added 127.0.0.1 to hosts.deny on the remote end and it 
works now. But doesn't this rather weaken security? 

I'd like to share what I've found out so far. If anybody is into
ssh and PAM, please enlighten us.

The local box is running Debian potato with openssh.
~% ssh -V
SSH Version OpenSSH-1.2, protocol version 1.5.
Compiled with SSL.

The problematic remote is running RedHat 6.1
~% ssh1 -V
SSH Version 1.2.26 [i586-unknown-linux], protocol version 1.5.
Standard version.  Does not use RSAREF.

Trying to login using ssh -v says
...
debug: Requesting X11 forwarding with authentication spoofing.
debug: Requesting authentication agent forwarding.
debug: Sending command: /usr/X11R6/bin/xterm
debug: Entering interactive session.
debug: Remote: Fwd X11 connection from 127.0.0.1 refused by tcp_wrappers.
X connection to foo.bar.baz.net:10.0 broken (explicit kill or server shutdown).

Now, in /var/log/messages of the remote there is

Dec  7 22:56:32 pyxis33 sshd2[453]: connection from "111.222.333.4444"
Dec  7 22:56:33 pyxis33 sshd[8764]: log: Generating 768 bit RSA key.
Dec  7 22:56:34 pyxis33 sshd[8764]: log: RSA key generation complete.
Dec  7 22:56:34 pyxis33 sshd[8764]: log: Connection from 111.222.333.444 port 1023
Dec  7 22:56:34 pyxis33 PAM_pwdb[8764]: authentication failure; (uid=0) -> foo for ssh service

Thus, no connection. This happens only on the RH6.1 boxes. I can login
to any other machines (SunOS4, Solaris2.5, OSF1 4.0, IRIX6.2) no
problem, and I can login from anywhere to my local box. 
X11Forwarding enabled.

Why do I need 127.0.0.1 in hosts.allow on the RH6.1 machines? 
My home directories are not group writable, which is suggested as a problem
with RSA (/usr/doc/ssh/README.Debian).

I'll try using ssh2 next to see if there's any difference.


Thanks to all for the suggestions.

Tnx
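The debug line above shows the forwarded X11 connection reaching the remote sshd from 127.0.0.1 and being refused by tcp_wrappers, which is why a hosts.allow entry for the loopback address makes it work. The following is an added example, not code from the thread or from libwrap: a simplified Python model of the hosts_access(5) evaluation order (first match in hosts.allow grants, then first match in hosts.deny refuses, otherwise access is granted). It assumes the RH6.1 host has a default-deny hosts.deny of `ALL: ALL` (not shown on the page), uses the placeholder client 192.0.2.10 / client.example.net in place of `<yourip> <yourhost.yourdomain>`, and uses `in.ftpd` as a constructed second wrapped daemon. It compares the suggested `ALL: 127.0.0.1 ...` rule with a narrower `sshd: 127.0.0.1` rule, which is what the "doesn't this weaken security" question is about: the `ALL:` form opens every wrapped daemon to loopback clients, the `sshd:` form only sshd.

```python
"""Simplified model of tcp_wrappers hosts_access(5) evaluation (added example, not libwrap)."""

from typing import List, Tuple

# Constructed file contents. The first mirrors the rule suggested in the thread, with a
# placeholder client address/name standing in for <yourip> <yourhost.yourdomain>.
HOSTS_ALLOW_SUGGESTED = "ALL: 127.0.0.1 localhost 192.0.2.10 client.example.net\n"
# Narrower alternative: only sshd accepts loopback connections.
HOSTS_ALLOW_NARROW = "sshd: 127.0.0.1 localhost\n"
# Default-deny policy; an assumption about the RH6.1 host, not shown on the page.
HOSTS_DENY_ALL = "ALL: ALL\n"

Rule = Tuple[List[str], List[str]]  # (daemon_list, client_list)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: options]' lines; comments and blanks are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed hosts_access line: {raw!r}")
        rules.append((fields[0].split(), fields[1].split()))  # options (fields[2:]) are ignored
    return rules


def daemon_matches(pattern: str, daemon: str) -> bool:
    """Daemon patterns: ALL or the exact daemon process name."""
    return pattern == "ALL" or pattern == daemon


def client_matches(pattern: str, client_ip: str, client_host: str) -> bool:
    """Subset of hosts_access(5) client patterns: ALL, LOCAL, IP prefix, domain suffix, exact."""
    host = client_host.lower()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host                  # LOCAL: any host name without a dot
    if pattern.endswith("."):
        return client_ip.startswith(pattern)    # e.g. "10.1." matches 10.1.x.y
    if pattern.startswith("."):
        return host.endswith(pattern.lower())   # e.g. ".example.net"
    return pattern == client_ip or pattern.lower() == host


def hosts_access(daemon: str, client_ip: str, client_host: str,
                 allow_text: str, deny_text: str) -> Tuple[bool, str]:
    """hosts_access(5) order: hosts.allow match grants, then hosts.deny match refuses,
    otherwise access is granted."""
    def first_match(rules: List[Rule]) -> bool:
        for daemons, clients in rules:
            if any(daemon_matches(d, daemon) for d in daemons) and \
               any(client_matches(c, client_ip, client_host) for c in clients):
                return True
        return False

    if first_match(parse_rules(allow_text)):
        return True, "matched hosts.allow"
    if first_match(parse_rules(deny_text)):
        return False, "matched hosts.deny"
    return True, "no rule matched (default allow)"


def x11_forward_decision(allow_text: str, deny_text: str = HOSTS_DENY_ALL) -> bool:
    """The forwarded X11 connection reaches sshd from the loopback address, as in the
    'Fwd X11 connection from 127.0.0.1 refused by tcp_wrappers' debug line."""
    granted, _ = hosts_access("sshd", "127.0.0.1", "localhost", allow_text, deny_text)
    return granted


if __name__ == "__main__":
    scenarios = [
        ("no hosts.allow entry", ""),
        ("ALL: 127.0.0.1 ... (suggested)", HOSTS_ALLOW_SUGGESTED),
        ("sshd: 127.0.0.1 (narrower)", HOSTS_ALLOW_NARROW),
    ]
    for label, allow in scenarios:
        for daemon in ("sshd", "in.ftpd"):  # in.ftpd: constructed second wrapped daemon
            granted, why = hosts_access(daemon, "127.0.0.1", "localhost", allow, HOSTS_DENY_ALL)
            state = "allowed" if granted else "refused"
            print(f"{label:33} {daemon:8} from 127.0.0.1 -> {state} ({why})")
```

Running the script prints one line per daemon and hosts.allow variant: with no entry the loopback connection is refused for both daemons, the suggested `ALL:` line allows both, and the `sshd:` line allows only sshd. Real libwrap also supports `EXCEPT` lists, netmask forms and the `@netgroup` syntax, which this model leaves out.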

