
Re: Peculiar problem with root login



On 06/18/17 08:57, Harry Putnam wrote:
...
> root # cat /etc/debian_version
> 8.8
>
> root # uname -a
> Linux d2 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux
>
> root # dpkg-query --show openssh-server
> openssh-server  1:6.7p1-5+deb8u3
>
> root # dpkg-query --show openssh-client
> openssh-client  1:6.7p1-5+deb8u3
>
> root # ls -1 /etc/ssh/*ssh*
> /etc/ssh/ssh_config
> /etc/ssh/sshd_config
> /etc/ssh/sshd_config~
> /etc/ssh/ssh_host_dsa_key
> /etc/ssh/ssh_host_dsa_key.pub
> /etc/ssh/ssh_host_ecdsa_key
> /etc/ssh/ssh_host_ecdsa_key.pub
> /etc/ssh/ssh_host_ed25519_key
> /etc/ssh/ssh_host_ed25519_key.pub
> /etc/ssh/ssh_host_rsa_key
> /etc/ssh/ssh_host_rsa_key.pub
>
> root # egrep -v '^.*#' /etc/ssh/sshd_config | grep .
> Port 22
> Protocol 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> HostKey /etc/ssh/ssh_host_ecdsa_key
> HostKey /etc/ssh/ssh_host_ed25519_key
> UsePrivilegeSeparation yes
> KeyRegenerationInterval 3600
> ServerKeyBits 1024
> SyslogFacility AUTH
> LogLevel INFO
> LoginGraceTime 120
> PermitRootLogin without-password
> StrictModes yes
> RSAAuthentication yes
> PubkeyAuthentication yes
> IgnoreRhosts yes
> RhostsRSAAuthentication no
> HostbasedAuthentication no
> PermitEmptyPasswords no
> ChallengeResponseAuthentication no
> PasswordAuthentication yes

I use:

PasswordAuthentication no


This requires all users to have their remote user public keys entered into their authorized_keys files to log in from those remote hosts.


> X11Forwarding yes
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> TCPKeepAlive yes
> AcceptEnv LANG LC_*
> Subsystem sftp /usr/lib/openssh/sftp-server
> UsePAM yes
> PermitRootLogin yes

This conflicts with the above setting (which is what I use):

PermitRootLogin without-password


Delete "PermitRootLogin yes".


> root # ssh localhost
> root@localhost's password:
> Permission denied, please try again.
> root@localhost's password:
>
>  **** Could not login **** -ed Harry
>
> root # tail /var/log/auth.log
> Jun 18 11:43:17 d2 sshd[1894]: Accepted password for reader from 192.168.1.42 port 40945 ssh2
> Jun 18 11:43:17 d2 sshd[1894]: pam_unix(sshd:session): session opened for user reader by (uid=0)
> Jun 18 11:43:17 d2 systemd-logind[477]: New session 185 of user reader.
> Jun 18 11:43:17 d2 sshd[1897]: Setting tty modes failed: Invalid argument
> Jun 18 11:43:59 d2 su[1917]: Successful su for root by reader
> Jun 18 11:43:59 d2 su[1917]: + /dev/pts/4 reader:root
> Jun 18 11:43:59 d2 su[1917]: pam_unix(su:session): session opened for user root by reader(uid=1000)
> Jun 18 11:45:56 d2 sshd[1963]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=d.local.lan  user=root
> Jun 18 11:45:58 d2 sshd[1963]: Failed password for root from 127.0.0.1 port 54526 ssh2
> Jun 18 11:46:03 d2 sshd[1963]: Connection closed by 127.0.0.1 [preauth]




On 06/18/17 13:48, Harry Putnam wrote:
...
> root # ls -la .ssh
> total 12
> drwx------ 2 root root 4096 May 30 21:44 .
> drwx------ 6 root root 4096 Jun 18 11:35 ..
> -rw-r--r-- 1 root root  666 May 30 22:17 known_hosts


I'd delete known_hosts, to be safe.


I have AT&T U-verse residential DSL service, which implements DNS hijacking:

https://en.wikipedia.org/wiki/DNS_hijacking


Beware of using SSH directly:

$ ssh remotehost


If remotehost doesn't resolve, instead of a "host not found" error message, AT&T directs SSH to a hijacker host; so I can enter my passphrase (like a sucker).


You need to create SSH keys for root on this machine:

        2017-06-01 20:44:39 root@jesse ~
        # ssh-keygen
        Generating public/private rsa key pair.
        Enter file in which to save the key (/root/.ssh/id_rsa):
        Enter passphrase (empty for no passphrase): <redacted>
        Enter same passphrase again: <redacted>
        Your identification has been saved in /root/.ssh/id_rsa.
        Your public key has been saved in /root/.ssh/id_rsa.pub.
        The key fingerprint is:
        <remainder redacted>


Be sure to enter a strong passphrase.


Then copy your public key to the authorized_keys file:

        2017-06-01 20:46:17 root@jesse ~
        # cp .ssh/id_rsa.pub .ssh/authorized_keys


You don't want to type your passphrases into remote hosts, especially if you have to do it over and over (I use CVS over SSH, so this gets tedious very quickly.) You want to use ssh-agent(1) and ssh-add(1), so you can type your passphrase(s) once per key per terminal session into your local machine and ssh-agent will manage your decrypted private key(s) whenever you log in to remote hosts:

        2017-06-01 20:46:37 root@jesse ~
        # ssh-agent bash -l

        2017-06-01 20:46:54 root@jesse ~
        # ssh-add
        Enter passphrase for /root/.ssh/id_rsa: <redacted>
        Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)


Now you should be able to log in from root to root@localhost:

        2017-06-01 20:47:05 root@jesse ~
        # ssh localhost
        The authenticity of host 'localhost (::1)' can't be established.
        ECDSA key fingerprint is <redacted>
        Are you sure you want to continue connecting (yes/no)? yes
        Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
        ...


Write down the host ECDSA key fingerprint on a note card and keep it. You will verify this fingerprint when you log into this machine from remote hosts.


Copy and paste all of the above into a log file.


Plug in a USB flash drive and mount it (double-click on the icon on the desktop). Create a directory structure on a USB flash drive:

    root@host1 ~ # mkdir -p /media/user/usblabel/domainname/host1/root/.ssh


Copy root's public key to the flash drive:

    root@host1 ~ # cp /root/.ssh/id_rsa.pub /media/user/usblabel/domainname/host1/root/.ssh/.


Go through the above procedure on your other accounts and machines.


Unmount the USB flash drive before yanking it out (right click on desktop icon and choose "unmount").


Before you can log in to root@host1 from root@host2, you first need to append root@host2's public key (id_rsa.pub) to root@host1's authorized_keys file:

    root@host1 ~ # cat /media/user/usblabel/domainname/host2/root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys


Then from host2:

    root@host2 ~ # ssh-agent bash -l

    root@host2 ~ # ssh-add

    root@host2 ~ # ssh host1


You should see host2's ECDSA key fingerprint the first time you log in. Verify it against the note card.


"SSH Mastery" by Michael W Lucas was worth every penny:

    https://www.michaelwlucas.com/tools/ssh


David
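
Why the root password was refused although the file says `PasswordAuthentication yes`: sshd keeps the first value it reads for each keyword, so the earlier `PermitRootLogin without-password` silently overrides the later `PermitRootLogin yes`, and `without-password` admits root with keys only. The Python below is an added example, not code from this thread; it resolves a config with that first-match rule, flags duplicated keywords and reports whether root password login is possible, using a sample config constructed from the lines quoted above (on the host itself, `sshd -T` prints the authoritative effective configuration).

```python
"""Resolve sshd_config the way sshd does: the first value seen for a keyword wins."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant non-comment lines of the sshd_config quoted in the thread.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
PermitRootLogin yes
"""

Config = Dict[str, List[Tuple[int, str]]]  # lowercased keyword -> [(line_no, value), ...]


def parse_sshd_config(text: str) -> Config:
    """Collect every occurrence of each keyword in file order.
    Keywords are case-insensitive, separated from the value by whitespace or '=';
    blank lines and '#' comments are skipped.  Match blocks are not modelled
    (assumption: none present, as in the quoted config)."""
    cfg: Config = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)", line)
        if m:
            cfg.setdefault(m.group(1).lower(), []).append((n, m.group(2).strip()))
    return cfg

def effective(cfg: Config, keyword: str) -> Optional[str]:
    """The value sshd actually uses: the first occurrence; later ones are ignored."""
    vals = cfg.get(keyword.lower())
    return vals[0][1] if vals else None

def duplicates(cfg: Config) -> Config:
    """Keywords set more than once; everything after the first is dead config."""
    return {k: v for k, v in cfg.items() if len(v) > 1}

def root_password_login_allowed(cfg: Config) -> bool:
    """Root password login needs PasswordAuthentication yes AND PermitRootLogin yes.
    'without-password' (alias 'prohibit-password') allows root with keys only, 'no'
    refuses root entirely.  Defaults assumed 'yes'/'yes' as in OpenSSH 6.7
    (PermitRootLogin defaults to prohibit-password from 7.0 on)."""
    prl = (effective(cfg, "PermitRootLogin") or "yes").lower()
    pwd = (effective(cfg, "PasswordAuthentication") or "yes").lower()
    return prl == "yes" and pwd == "yes"
```

Run against the sample, `duplicates()` reports `permitrootlogin` set on lines 3 and 7 with `without-password` in force, which is exactly the "Permission denied" Harry saw.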
