Hello
echo 0 >/selinux/enforce
doesn't work for me:
[root@merkur ssh]# echo 0 >/selinux/enforce
-bash: /selinux/enforce: No such file or directory
[root@merkur ssh]#
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
So why are you doing this if you want password login?
I know I made a mess... I changed it to yes, even though it still isn't working...
Well, I read the post from the top and stopped at the first error:
Dec 23 17:01:59 merkur sshd[9744]: error: Could not get shadow information for daniel
Provide the output of the following commands (redact the password-hash field of the shadow line before posting it to a public list):
cat /etc/shadow | grep daniel
cat /etc/passwd | grep daniel
stat /etc/shadow
stat /etc/passwd
[root@merkur ~]# cat /etc/shadow | grep daniel
daniel:$6$wf04zvEHF.xMgd2Y$u6ULiAbq9zzt3oljsQ2jr8qwR2IVu1Mz2KlmeTPkKCHPrEo1/pfwNODtsGtho9UOTn/UW18uskl4SnKnpayn/.:15328:0:99999:7:::
[root@merkur ~]# cat /etc/passwd | grep daniel
daniel:x:1000:1000:Daniel Bossert:/home/daniel:/bin/bash
[root@merkur ~]# stat /etc/shadow
File: `/etc/shadow'
Size: 1135 Blocks: 8 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 156332 Links: 1
Access: (0000/----------) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:shadow_t:s0
Access: 2011-12-23 18:01:01.649903474 +0100
Modify: 2011-12-21 17:54:32.800954152 +0100
Change: 2011-12-21 17:54:32.837953216 +0100
Birth: -
[root@merkur ~]# stat /etc/shadow
File: `/etc/shadow'
Size: 1135 Blocks: 8 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 156332 Links: 1
Access: (0000/----------) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:shadow_t:s0
Access: 2011-12-23 18:01:01.649903474 +0100
Modify: 2011-12-21 17:54:32.800954152 +0100
Change: 2011-12-21 17:54:32.837953216 +0100
Birth: -
[root@merkur ~]# stat /etc/passwd
File: `/etc/passwd'
Size: 1881 Blocks: 8 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 156565 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:etc_t:s0
Access: 2011-12-23 17:55:01.431858018 +0100
Modify: 2011-12-21 17:54:32.725956049 +0100
Change: 2011-12-21 17:54:32.762955114 +0100
Birth: -
______________________________________________
For sshd, file permissions are very important;
if they are messed up or too open, it refuses to work.
/etc/passwd
Zugriff: (0644/-rw-r--r--)
/etc/shadow
Zugriff: (0400/-r--------)
______________________________________________
[root@merkur ~]# ls -l /etc/passwd
-rw-r--r--. 1 root root 1881 Dec 21 17:54 /etc/passwd
[root@merkur ~]# ls -l /etc/shadow
----------. 1 root root 1135 Dec 21 17:54 /etc/shadow
[root@merkur ~]#
--->>>> I see that /etc/shadow has no permission bits at all (0000)... can that be? I
changed it to 0400, but login still doesn't work either.
However, this is a working sshd_config with password AND
key authentication, root allowed only with a key, copied
from a production server and changed to your username in the
allowed list.
This is a CLEANED configuration without the millions of
comments and without the random default values:
Port 22
Protocol 2
AddressFamily inet
ListenAddress 0.0.0.0
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials no
X11Forwarding no
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PermitRootLogin without-password
AllowGroups root users
AllowUsers root daniel
IgnoreRhosts yes
HostbasedAuthentication no
RhostsRSAAuthentication no
StrictModes yes
UseDNS no
AllowTcpForwarding no
TCPKeepAlive yes
KeepAlive yes
ClientAliveCountMax 10
ClientAliveInterval 20
UsePrivilegeSeparation yes
Compression yes
UsePAM yes
LoginGraceTime 45
MaxAuthTries 5
MaxStartups 25
AuthorizedKeysFile .ssh/authorized_keys
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
Subsystem sftp internal-sftp
The following is the new sshd_config (note that it still differs from the suggested one above in StrictModes and X11Forwarding). I don't know what else to try.
Kind regards
Daniel
/etc/ssh/sshd_config (new):
# $OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 22
AddressFamily inet
ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
Protocol 2
# HostKey for protocol version 1
# HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# HostKey /etc/ssh/ssh_host_rsa_key
# HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
LoginGraceTime 30
PermitRootLogin without-password
StrictModes no
MaxAuthTries 5
#MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
AllowTcpForwarding no
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 20
ClientAliveCountMax 10
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
MaxStartups 25
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Uncomment this if you want to use .local domain
#Host *.local
# CheckHostIP no
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
AllowGroups root users
AllowUsers root daniel