Re: potato openssh

On 8/12/99 hservoma@wis02.ec.t.kanazawa-u.ac.jp wrote:

> Thanks. OK, I added 127.0.0.1 to hosts.deny on the remote end and it
> works now. But doesn't this rather weaken security?

I have read that you must have an allow line for ALL for 127.0.0.1 because some software requires it and will not function otherwise. ssh appears to be one. You can be more granular if you like and just have an "ssh: 127.0.0.1" line. I am not sure how much this impacts security. I know that if you allow port forwarding and such with ssh it is possible to bypass some kinds of access rules; for example, if you use wu-ftpd (bad for security anyway, but...) and have restrictions configured for certain hosts, the user can just set up an ssh forwarded session and bypass all the restrictions, since the connection originates from the localhost.

I assume you meant hosts.allow, not hosts.deny :)

> [...]
> Trying to login using ssh -v says
> ...
> debug: Requesting X11 forwarding with authentication spoofing.
> debug: Requesting authentication agent forwarding.
> debug: Sending command: /usr/X11R6/bin/xterm
> debug: Entering interactive session.
> debug: Remote: Fwd X11 connection from 127.0.0.1 refused by tcp_wrappers.
> X connection to foo.bar.baz.net:10.0 broken (explicit kill or server shutdown).
>
> Now, in /var/log/messages of the remote there is
>
> Dec  7 22:56:32 pyxis33 sshd2[453]: connection from "111.222.333.4444"
> Dec  7 22:56:33 pyxis33 sshd[8764]: log: Generating 768 bit RSA key.
> Dec  7 22:56:34 pyxis33 sshd[8764]: log: RSA key generation complete.
> Dec  7 22:56:34 pyxis33 sshd[8764]: log: Connection from 111.222.333.444 port 1023
> Dec  7 22:56:34 pyxis33 PAM_pwdb[8764]: authentication failure; (uid=0) -> foo for ssh service
>
> Thus, no connection. This happens only on the RH6.1 boxes. I can login
> to any other machines (SunOS4, Solaris2.5, OSF1 4.0, IRIX6.2) no
> problem, and I can login from anywhere to my local box.
> X11Forwarding enabled.

Strange, sounds like an ssh or PAM misconfiguration on the Red Hat box. It looks like you are using password authentication; is it allowed in sshd_config? Is the pam.d/ssh file set up correctly?

Another thing to try: on the Red Hat box do an ssh localhost and see if you can login that way.

PAM is refusing the connection, not ssh, so I think it's a PAM problem.

> Why do I need 127.0.0.1 in hosts.allow on the RH6.1 machines?
> My home directories are not group writable, as suggested as a problem
> with RSA (/usr/doc/ssh/README.Debian).
>
> I'll try using ssh2 next to see if there's any difference...

Bah, try OpenSSH on the Red Hat box :-)

Ethan
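An added example, not part of Ethan's reply or the original mail: a small model of the tcp_wrappers decision order (hosts.allow first, then hosts.deny, otherwise allow) that compares the broad "ALL: 127.0.0.1" line with the narrower "sshd: 127.0.0.1" one for the connections discussed above. The policies, the addresses 192.0.2.10 and 203.0.113.5, and the assumption that wu-ftpd is wrapped under the daemon name in.ftpd are all constructed for the example.

```python
# Added example, not from the original mail: a minimal model of the tcp_wrappers
# decision order (hosts.allow first, then hosts.deny, otherwise allow) used to
# compare a broad "ALL: 127.0.0.1" allow line with the narrower "sshd: 127.0.0.1".
# Only plain "daemon_list : client_list" rules with ALL or exact addresses are handled.

def parse_rules(text):
    """Turn hosts.allow/hosts.deny text into (daemons, clients) list pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append((daemons.split(), clients.split()))
    return rules

def matches(rules, daemon, client):
    """True if any rule covers this (daemon, client) pair; ALL is a wildcard."""
    return any((daemon in ds or "ALL" in ds) and (client in cs or "ALL" in cs)
               for ds, cs in rules)

def wrappers_decision(allow_text, deny_text, daemon, client):
    """Return True if tcp_wrappers would accept the connection."""
    if matches(parse_rules(allow_text), daemon, client):
        return True
    if matches(parse_rules(deny_text), daemon, client):
        return False
    return True   # no rule matched: access is granted by default

# Constructed policies. hosts.deny closes everything not explicitly allowed;
# 192.0.2.10 stands in for the one remote host that may reach ssh and ftp.
DENY = "ALL: ALL\n"
BROAD_ALLOW = "ALL: 127.0.0.1\nsshd: 192.0.2.10\nin.ftpd: 192.0.2.10\n"
NARROW_ALLOW = "sshd: 127.0.0.1\nsshd: 192.0.2.10\nin.ftpd: 192.0.2.10\n"

def compare_policies():
    """Decisions for the connections discussed in the thread, per policy."""
    cases = [
        ("sshd", "127.0.0.1"),       # forwarded X11 channel, the case that was refused
        ("in.ftpd", "127.0.0.1"),    # ftp reached through an ssh port forward
        ("in.ftpd", "203.0.113.5"),  # ftp straight from an unlisted remote host
    ]
    return {(daemon, client): (wrappers_decision(BROAD_ALLOW, DENY, daemon, client),
                               wrappers_decision(NARROW_ALLOW, DENY, daemon, client))
            for daemon, client in cases}

if __name__ == "__main__":
    for (daemon, client), (broad, narrow) in compare_policies().items():
        print(f"{daemon:8} from {client:12} broad={broad!s:5} narrow={narrow}")
```

The broad line lets any wrapped daemon, the ftp daemon included, accept a connection that arrives via a forward from 127.0.0.1, while the sshd-only line still lets the forwarded X11 channel through and leaves the ftp restriction intact.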