RE: ssh allowing root login with no password

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----Original Message-----
On 05/09/11 15:18, Steven Buehler wrote:
> I am trying to setup our servers to only allow logins with a 
> public/private key pair.  2 of our machines have to have root login 
> access with ssh and the rest, we will login as another account and su 
> to root.  I just started with this company and on their boxes which 
> range from version 5.1 to 5.5, if I open up the firewall to allow ssh 
> access from anywhere, I can ssh to root without a password.  The only 
> uncommented lines in the /etc/ssh/sshd_config are the following:
>
>   [snip]
>
>
> I'm hoping that someone can lead me in the right direction as I can't 
> figure this one out.  If this was only one machine, I would assume 
> that it might have been hacked, but this is all of their servers and 
> VM's that will allow me to ssh to them without a login/password and 
> get into root.  Luckily, they have always had their (supposedly
> anyway) iptables set to only allow access from specific IP's.
>
>

Change / uncomment PermitRootLogin with a value of without-password

--

I changed the line to read
PermitRootLogin without-password

It still allows a root login without a password or key.

Someone else suggested that there was an authorized_keys file and a known
hosts file.  I was able to get to these servers from my own personal servers
that have NEVER ssh'd to these servers before, so the known hosts file from
the client server was empty since it is actually a fresh install of mine.
The authorized_keys file on the sshd server does have 2 keys in it.  Those 2
private keys are NOT on the client server, so there should be no reason it
lets me in from the remote (client) server.

I have copied over my sshd_config file from one of my personal servers where
I know they work and I still have the problem.

Below is my new sshd_config file after some changes on one of the servers
that I need to have root login with a key and not password, but it still
allows login without either.  I don't know what they did when they setup
these machines, but it is really ticking me off.

Protocol 2   
SyslogFacility AUTHPRIV
PermitRootLogin without-password
StrictModes yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE
LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server

-- 

Ok.  I found the problem and, to me, this looks like a bug.  There was one
public key that when in the authorized_keys2 (or authorized_keys) file would
allow a login with no private key or password.




-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list


[Index of Archives]     [CentOS]     [Kernel Development]     [PAM]     [Fedora Users]     [Red Hat Development]     [Big List of Linux Books]     [Linux Admin]     [Gimp]     [Asterisk PBX]     [Yosemite News]     [Red Hat Crash Utility]


  Powered by Linux