-----Original Message-----
On 05/09/11 15:18, Steven Buehler wrote:
> I am trying to set up our servers to only allow logins with a
> public/private key pair. 2 of our machines have to have root login
> access with ssh and the rest, we will login as another account and su
> to root. I just started with this company and on their boxes which
> range from version 5.1 to 5.5, if I open up the firewall to allow ssh
> access from anywhere, I can ssh to root without a password. The only
> uncommented lines in the /etc/ssh/sshd_config are the following:
>
> [snip]
>
> I'm hoping that someone can lead me in the right direction as I can't
> figure this one out. If this was only one machine, I would assume
> that it might have been hacked, but this is all of their servers and
> VMs that will allow me to ssh to them without a login/password and
> get into root. Luckily, they have always had their (supposedly
> anyway) iptables set to only allow access from specific IPs.
>

Change / uncomment PermitRootLogin with a value of without-password

--

I changed the line to read

PermitRootLogin without-password

It still allows a root login without a password or key.

Someone else suggested that there was an authorized_keys file and a known_hosts file. I was able to get to these servers from my own personal servers that have NEVER ssh'd to these servers before, so the known_hosts file from the client server was empty since it is actually a fresh install of mine. The authorized_keys file on the sshd server does have 2 keys in it. Those 2 private keys are NOT on the client server, so there should be no reason it lets me in from the remote (client) server.

I have copied over my sshd_config file from one of my personal servers where I know they work and I still have the problem. Below is my new sshd_config file after some changes on one of the servers that I need to have root login with a key and not password, but it still allows login without either.

I don't know what they did when they set up these machines, but it is really ticking me off.

Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin without-password
StrictModes yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server

--

Ok. I found the problem and, to me, this looks like a bug. There was one public key that when in the authorized_keys2 (or authorized_keys) file would allow a login with no private key or password.

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
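The thread turns on two files, sshd_config and authorized_keys, and on two facts about how sshd reads them: for sshd_config the first occurrence of a keyword wins (so a directive appended at the end of the file does not override an earlier one), and for authorized_keys each entry is parsed as optional options, a key type, a base64 blob whose first length-prefixed field must repeat the key type, and a comment. The script below is an added example written for this page, not code from the thread or from OpenSSH; it audits both files offline on constructed sample inputs (the sample config and the sample keys are fabricated, not the poster's real files, and the key material is filler bytes in OpenSSH wire format, not real keys). Function and constant names are the example's own.

```python
"""Offline audit of sshd_config and authorized_keys for the failure mode in the thread:
root logins succeeding with neither password nor key. Added example, constructed inputs."""
import base64
import re
import struct

# Keywords that bear directly on credential-less logins, mapped to the values
# that do NOT weaken authentication. Anything else is reported.
SENSITIVE = {
    "permitrootlogin": {"no", "without-password", "prohibit-password", "forced-commands-only"},
    "permitemptypasswords": {"no"},
    "passwordauthentication": {"no"},
    "challengeresponseauthentication": {"no"},
    "usepam": {"no"},
}

# Key types OpenSSH accepts at the head of an authorized_keys entry.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def effective_sshd_config(text):
    """Effective keyword -> value map for an sshd_config body.

    sshd_config uses first-match semantics: the FIRST occurrence of a keyword
    wins. Keyword and value may be separated by whitespace or by '='. Lines
    beginning with '#' are comments. Directives inside a Match block are
    conditional and are skipped by this global view."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            effective.setdefault(key, value)  # first value wins, later ones are ignored
    return effective


def config_findings(text):
    """Sensitive keywords whose effective value is weak, or which are unset."""
    effective = effective_sshd_config(text)
    findings = []
    for key, safe in SENSITIVE.items():
        if key not in effective:
            findings.append(f"{key}: not set, compiled-in default applies")
        elif effective[key].lower() not in safe:
            findings.append(f"{key}: effective value '{effective[key]}'")
    return findings


def parse_authorized_key(line):
    """Split one authorized_keys entry into (options, keytype, blob, comment).

    Options precede the key type and may contain quoted strings with spaces
    and commas (e.g. command="..."), so they are scanned character by character
    instead of split on whitespace. Returns None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if line.split(None, 1)[0] not in KEY_TYPES:
        quoted, i = False, 0
        while i < len(line) and (quoted or not line[i].isspace()):
            if line[i] == '"':
                quoted = not quoted
            elif line[i] == "\\" and quoted:  # backslash escapes the next char inside quotes
                i += 1
            i += 1
        options, line = line[:i], line[i:].strip()
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("no recognised key type")
    return options, fields[0], fields[1], (fields[2] if len(fields) > 2 else "")


def blob_key_type(blob):
    """Key type string embedded in the blob: the first length-prefixed field."""
    raw = base64.b64decode(blob, validate=True)  # binascii.Error is a ValueError
    if len(raw) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", raw[:4])
    if n > len(raw) - 4:
        raise ValueError("truncated key blob")
    return raw[4:4 + n].decode("ascii")


def audit_authorized_keys(text):
    """One finding per entry that is unparsable, whose declared type differs
    from the type inside the blob, or that carries options worth a look."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_authorized_key(raw)
            if entry is None:
                continue
            options, keytype, blob, _comment = entry
            embedded = blob_key_type(blob)
        except ValueError as exc:
            findings.append(f"line {lineno}: unparsable entry ({exc})")
            continue
        if embedded != keytype:
            findings.append(f"line {lineno}: declared {keytype} but blob says {embedded}")
        if options:
            findings.append(f"line {lineno}: options present: {options}")
    return findings


def _blob(keytype, *fields):
    """Base64 blob in OpenSSH wire format built from filler bytes (constructed, not a real key)."""
    raw = struct.pack(">I", len(keytype)) + keytype.encode()
    for f in fields:
        raw += struct.pack(">I", len(f)) + f
    return base64.b64encode(raw).decode()


# Constructed samples in the shape of the poster's files; the second PermitRootLogin
# line mirrors the thread's edit and is ignored because an earlier line already set it.
SAMPLE_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin without-password
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no
"""

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-ed25519 " + _blob("ssh-ed25519", b"\x01" * 32) + " admin@example",
    'command="/usr/local/bin/backup",no-pty ssh-ed25519 ' + _blob("ssh-ed25519", b"\x02" * 32) + " backup",
    "ssh-rsa " + _blob("ssh-ed25519", b"\x03" * 32) + " mislabelled",
    "ssh-rsa not-base64!! broken",
])

if __name__ == "__main__":
    for f in config_findings(SAMPLE_SSHD_CONFIG) + audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f)
```

On a live host the definitive view of the running configuration is `sshd -T` (run as root), which prints every effective value after first-match and Match processing; the parser above is for reviewing copies of the file offline. The authorized_keys audit reports forced commands and other options rather than judging them, since a legitimate backup key often carries `command=`; the point is that every entry on a root account should be one the administrator can account for.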