Re: Re: Peculiar problem with root login

To: debian-user@lists.debian.org
Subject: Re: Re: Peculiar problem with root login
From: Tom Dial <tddial@comcast.net>
Date: Sun, 18 Jun 2017 14:36:24 -0600
Message-id: <[🔎] 376dd39f-b18d-76d7-5de4-1015f4220e4c@comcast.net>
Reply-to: tddial@world.oberlin.edu
In-reply-to: <[🔎] x6o9tl70h0.fsf@newsguy.com>
References: <[🔎] x6o9tl70h0.fsf@newsguy.com>


On 06/18/2017 09:57 AM, Harry Putnam wrote:
> David Christensen <dpchrist@holgerdanske.com> writes:
> 
>> On 06/12/2017 06:39 AM, Harry Putnam wrote:
>>> Running debian jesse in a vbox vm on a Solaris host
>>>
>>> I have what seems like an unusual problem with root login on this
>>> host.
> 
> [...]
> 
>>> I'm fresh out of ideas as to what else to do here.
>>>
>>> The auth log shows:
>>>
>>>   Jun 11 14:50:55 d2 sshd[2830]: pam_unix(sshd:auth): authentication
>>>   failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=d.local.lan
>>>   user=root
>>>
>>>   Jun 11 14:50:57 d2 sshd[2830]: Failed password for root from
>>>   127.0.0.1 port 54522 ssh2
>>
>> Please run the following commands from the console of the jesse vm as
>> root and paste your console session (prompts, commands entered, output
>> obtained).  If you redact anything, substitute the phrase
>> '<redacted>':
>>
>> # cat /etc/debian_version
>>
>> # uname -a
>>
>> # dpkg-query --show openssh-server
>>
>> # dpkg-query --show openssh-client
>>
>> # ls -1 /etc/ssh/*ssh*
>>
>> # ls -1 /root/.ssh
>>
>> # egrep -v '^.*#' /etc/ssh/sshd_config | grep .
>>
>> # ssh localhost
>>
>> # tail /var/log/auth.log
> 
> Thanks for the prod... I should have included at least some of that.
> 
> -------       -------       ---=---       -------       -------
> 
> diagnostic_data:
> 
> root # cat /etc/debian_version
> 8.8
> 
> root # uname -a
> Linux d2 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux
> 
> root # dpkg-query --show openssh-server
> openssh-server  1:6.7p1-5+deb8u3
> 
> root # dpkg-query --show openssh-client
> openssh-client  1:6.7p1-5+deb8u3
> 
> root # ls -1 /etc/ssh/*ssh*
> /etc/ssh/ssh_config
> /etc/ssh/sshd_config
> /etc/ssh/sshd_config~
> /etc/ssh/ssh_host_dsa_key
> /etc/ssh/ssh_host_dsa_key.pub
> /etc/ssh/ssh_host_ecdsa_key
> /etc/ssh/ssh_host_ecdsa_key.pub
> /etc/ssh/ssh_host_ed25519_key
> /etc/ssh/ssh_host_ed25519_key.pub
> /etc/ssh/ssh_host_rsa_key
> /etc/ssh/ssh_host_rsa_key.pub
> 
> root # egrep -v '^.*#' /etc/ssh/sshd_config | grep .
> Port 22
> Protocol 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
> HostKey /etc/ssh/ssh_host_ed25519_key
> UsePrivilegeSeparation yes
> KeyRegenerationInterval 3600
> ServerKeyBits 1024
> SyslogFacility AUTH
> LogLevel INFO
> LoginGraceTime 120
> PermitRootLogin without-password

This will prevent root login using a password. Only other methods, such
as RSA authentication are to be permitted.

> StrictModes yes
> RSAAuthentication yes
> PubkeyAuthentication yes
> IgnoreRhosts yes
> RhostsRSAAuthentication no
> HostbasedAuthentication no
> PermitEmptyPasswords no
> ChallengeResponseAuthentication no
> PasswordAuthentication yes
> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> TCPKeepAlive yes
> AcceptEnv LANG LC_*
> Subsystem sftp /usr/lib/openssh/sftp-server
> UsePAM yes
> PermitRootLogin yes

This may or may not be effective owing the the above setting of
"PermitRootLogin without-password" depending on how sshd treats
duplicate setting. My (jessie) man page does not say whether the first
or last setting will be effective.

> 
> root # ssh localhost
> root@localhost's password:
> Permission denied, please try again.
> root@localhost's password:
> 
>  **** Could not login **** -ed Harry
> 
> root # tail /var/log/auth.log
> Jun 18 11:43:17 d2 sshd[1894]: Accepted password for reader from 192.168.1.42 port 40945 ssh2
> Jun 18 11:43:17 d2 sshd[1894]: pam_unix(sshd:session): session opened for user reader by (uid=0)
> Jun 18 11:43:17 d2 systemd-logind[477]: New session 185 of user reader.
> Jun 18 11:43:17 d2 sshd[1897]: Setting tty modes failed: Invalid argument
> Jun 18 11:43:59 d2 su[1917]: Successful su for root by reader
> Jun 18 11:43:59 d2 su[1917]: + /dev/pts/4 reader:root
> Jun 18 11:43:59 d2 su[1917]: pam_unix(su:session): session opened for user root by reader(uid=1000)
> Jun 18 11:45:56 d2 sshd[1963]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=d.local.lan  user=root
> Jun 18 11:45:58 d2 sshd[1963]: Failed password for root from 127.0.0.1 port 54526 ssh2
> Jun 18 11:46:03 d2 sshd[1963]: Connection closed by 127.0.0.1 [preauth]
> 

My preferences, for what it is worth, are

PermitRootLogin without-password
ChallengeResponseAuthentication no
PasswordAuthentication no
AllowUsers netuser1 \
 netuser2 \
 ... \
 root@localhost \
 root@backuphost

On some systems, "localhost" doesn't work;
 root@::1 root@127.0.0.1
is a workaround. I have not got around to figuring out the differences,
and as the circumvention is trivial it is not a high priority.

This requires arranging to install each user's public key in his or her
.ssh/authorized_keys file, which can be a pain on a large or active
network, but not that much of a problem with up to a few dozen users and
systems.

Regards,
Tom Dial

Reply to:

Follow-Ups:
- Re: Peculiar problem with root login
  - From: Harry Putnam <reader@newsguy.com>

References:
- Re: Peculiar problem with root login
  - From: Harry Putnam <reader@newsguy.com>

Prev by Date: Re: Resolved [was Re: Stretch--no network interfaces]
Next by Date: Re: Stretch--no network interfaces
Previous by thread: Re: Peculiar problem with root login
Next by thread: Re: Peculiar problem with root login
Index(es):
- Date
- Thread