Date:      Fri, 7 Jul 2000 14:46:45 +0200
From:      Willem Brown <willem@brwn.org>
To:        Nick Slager <nicks@albury.net.au>
Cc:        cjclark@alum.mit.edu, questions@FreeBSD.ORG
Subject:   Re: Root logins with ssh
Message-ID:  <20000707144644.F30920@snoopy.brwn.org>
In-Reply-To: <20000707221134.A57699@albury.net.au>; from nicks@albury.net.au on Fri, Jul 07, 2000 at 10:11:34PM +1000
References:  <20000707161827.A51081@albury.net.au> <20000707001038.G682@dialin-client.earthlink.net> <20000707221134.A57699@albury.net.au>

Hi,

I also tried this earlier. I ended up changing PermitRootLogin no
to PermitRootLogin without-password and added my public key to
/root/.ssh/authorized_keys file on the host. I also added a from=
option at the beginning of the line.

Nobody else seems to be able to logon as root, from any other
host. I'm not sure how secure this is.

Regards
Willem Brown

On Fri, Jul 07, 2000 at 10:11:34PM +1000, Nick Slager wrote:
> Thus spake Crist J. Clark (cristjc@earthlink.net):
> 
> > On Fri, Jul 07, 2000 at 04:18:28PM +1000, Nick Slager wrote:
> > > Has anyone managed to do this? Pointers appreciated.
> > 
> > Never done it with DSA keys. Done it with RSA keys.
> > 
> >   1) Make a private/public keypair with no passphrase using
> >   ssh-keygen on the client.
> > 
> >   2) Put the public key in /root/.ssh/authorized_keys[0] on server.
> > 
> >   3) You now can ssh into the server from the client.
> 
> This is essentially what I had done (with DSA keys). I've generated RSA keys
> and tried the same, but it still prompts me for a password. Running sshd -d on
> the server during the connection attempt gives:
> 
> debug: Server will not fork when running in debugging mode.
> Connection from myserver.com port 953
> Connection from xxx.xx.xxx.xx port 953
> debug: Client protocol version 1.5; client software version OpenSSH-2.1
> debug: Local version string SSH-1.99-OpenSSH-2.1
> debug: Sent 768 bit public key and 1024 bit host key.
> debug: Encryption type: 3des
> debug: Received session key; encryption turned on.
> debug: Installing crc compensation attack detector.
> debug: Attempting authentication for root.
> ROOT LOGIN REFUSED FROM myserver.com
> ROOT LOGIN as 'root' from myserver.com
> Failed rsa for ROOT from xxx.xx.xxx.xx port 953
> 
> It appears the root login attempt has been refused even before authentication
> has been attempted. Of course, it could also be a misconfiguration on my part
> :-)
> 
> Here's my sshd_config:
> 
> Port 22
> #Protocol 2,1
> ListenAddress 0.0.0.0
> #ListenAddress ::
> HostKey /etc/ssh/ssh_host_key
> ServerKeyBits 768
> LoginGraceTime 60
> KeyRegenerationInterval 3600
> PermitRootLogin no
> IgnoreRhosts yes
> StrictModes yes
> X11Forwarding no
> X11DisplayOffset 10
> PrintMotd yes
> KeepAlive yes
> 
> SyslogFacility AUTH
> LogLevel INFO
> 
> RhostsAuthentication no
> RhostsRSAAuthentication no
> RSAAuthentication yes
> DSAAuthentication yes
> PasswordAuthentication yes
> PermitEmptyPasswords no
> 
> CheckMail no
> UseLogin no
> 
> 
> Any further thoughts appreciated.
> 
> 
> Nick.
> 
> 
> -- 
>  From a Sun Microsystems bug report (#4102680):
>   "Workaround: don't pound on the mouse like a wild monkey."
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 

-- 
 /* =============================================================== */
 /*      Linux, FreeBSD, NetBSD, OpenBSD. The choice is yours.      */
 /* =============================================================== */

Men of peace usually are [brave].
		-- Spock, "The Savage Curtain", stardate 5906.5
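
An added example (not part of the thread, and not OpenSSH code): a small Python check of the setup described in the message above, confirming that PermitRootLogin rules out password logins for root and that every key in root's authorized_keys carries a from= restriction. The sample config, host names and key bodies are constructed; prohibit-password is the newer OpenSSH name for without-password.

```python
import re

# Constructed sample input (not from the thread): the PermitRootLogin setting the
# message describes, and a root authorized_keys file with one restricted key.
SAMPLE_CONFIG = "Port 22\n#PermitRootLogin yes\nPermitRootLogin without-password\n"
SAMPLE_KEYS = (
    'from="client.example.org" ssh-rsa AAAA_CONSTRUCTED_1 root@client\n'
    'ssh-rsa AAAA_CONSTRUCTED_2 backup@other\n'
    'from="*",no-pty ssh-rsa AAAA_CONSTRUCTED_3 anyone\n'
)
KEY_ONLY_MODES = ("no", "without-password", "prohibit-password", "forced-commands-only")
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # protocol 2 key types; SSH1 lines start with a bit count
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?')

def permit_root_login(config_text):
    """First PermitRootLogin value (sshd uses the first one it reads). Match blocks are ignored."""
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0].lower() == "permitrootlogin":
            return fields[1].lower()
    return None

def key_options(line):
    """Options of one authorized_keys line as a dict; quoted values may hold spaces and commas."""
    if line.startswith(KEY_PREFIXES) or line[0].isdigit():
        return {}
    in_quotes, end = False, len(line)
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            end = i
            break
    return {m.group(1).lower(): m.group(2) for m in OPTION_RE.finditer(line[:end])}

def audit(config_text, keys_text):
    findings = []
    mode = permit_root_login(config_text)
    if mode not in KEY_ONLY_MODES:
        findings.append(f"sshd_config: PermitRootLogin={mode}: root password login not ruled out")
    for n, raw in enumerate(keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        patterns = [p.strip() for p in (key_options(line).get("from") or "").split(",")]
        if patterns == [""]:
            findings.append(f"authorized_keys:{n}: no from= restriction")
        elif "*" in patterns:
            findings.append(f"authorized_keys:{n}: from= contains a bare '*' (matches any host)")
    return findings
```

Calling audit(SAMPLE_CONFIG, SAMPLE_KEYS) reports lines 2 and 3 of the sample key file; to check a real host, pass it the text of the server's sshd_config and /root/.ssh/authorized_keys.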

