> -----Original Message-----
> On 05/09/11 15:18, Steven Buehler wrote:
> > I am trying to set up our servers to only allow logins with a
> > public/private key pair. 2 of our machines have to have root login
> > access with ssh and the rest, we will login as another account and su
> > to root. I just started with this company and on their boxes, which
> > range from version 5.1 to 5.5, if I open up the firewall to allow ssh
> > access from anywhere, I can ssh to root without a password. The only
> > uncommented lines in the /etc/ssh/sshd_config are the following:
> >
> > [snip]
> >
> > I'm hoping that someone can lead me in the right direction as I can't
> > figure this one out. If this was only one machine, I would assume
> > that it might have been hacked, but this is all of their servers and
> > VMs that will allow me to ssh to them without a login/password and
> > get into root. Luckily, they have always had their (supposedly
> > anyway) iptables set to only allow access from specific IPs.
> >
> > Change / uncomment PermitRootLogin with a value of without-password
> >
> > --
>
> I changed the line to read
>
> PermitRootLogin without-password
>
> It still allows a root login without a password or key.
>
> Someone else suggested that there was an authorized_keys file and a
> known_hosts file. I was able to get to these servers from my own personal
> servers that have NEVER ssh'd to these servers before, so the known_hosts
> file from the client server was empty since it is actually a fresh install of mine.
> The authorized_keys file on the sshd server does have 2 keys in it. Those 2
> private keys are NOT on the client server, so there should be no reason it lets
> me in from the remote (client) server.
>
> I have copied over my sshd_config file from one of my personal servers
> where I know they work and I still have the problem.
>
> Below is my new sshd_config file after some changes on one of the servers
> that I need to have root login with a key and not password, but it still allows
> login without either. I don't know what they did when they set up these
> machines, but it is really ticking me off.
>
> Protocol 2
> SyslogFacility AUTHPRIV
> PermitRootLogin without-password
> StrictModes yes
> PubkeyAuthentication yes
> PermitEmptyPasswords no
> PasswordAuthentication no
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM no
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> X11Forwarding yes
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
> --
>
> Ok. I found the problem and, to me, this looks like a bug. There was one
> public key that when in the authorized_keys2 (or authorized_keys) file
> would allow a login with no private key or password.

Ok, this is just plain stupid. I created a new private/public key and put ONLY
this public key into the authorized_keys2 file in a test account that I just
created and set the permissions on the .ssh directory and authorized_keys2 file.

chmod 700 .ssh
chmod 600 .ssh/authorized_keys2

Then I tried to ssh to this account@server from one of my private servers and
it wouldn't let me in. That is good since I wasn't using a key from there. I
then used my keys to get in from my laptop running Windows 7 and SecureCRT. I
got in as expected. Now, I went back to my private server and tried to ssh to
account@server again and it let me in, but I was still not using a key so it
should not let me in. Allows me in with no password.

What is going on here? Anybody seen this before?

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
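The two files the thread keeps coming back to are sshd_config and authorized_keys2. The script below is an added example, not code from the list or from OpenSSH: it reports which login paths the posted sshd_config leaves open once unset directives fall back to their defaults (the DEFAULTS table is this example's assumption; confirm against sshd_config(5) for your version, and note it only reads the global section, not Match blocks), and it parses authorized_keys entries the way sshd does, including quoted options, while rejecting an entry whose declared key type does not match the type embedded in the base64 blob. The key blobs in the sample file are constructed from fixed bytes and are not real keys.

```python
"""Audit sshd_config directives and authorized_keys entries (added example)."""
import base64
import hashlib
import struct

# Assumed OpenSSH defaults for directives the file does not set (see sshd_config(5)).
DEFAULTS = {
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "challengeresponseauthentication": "yes",
    "gssapiauthentication": "no",
    "hostbasedauthentication": "no",
    "usepam": "no",
}
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_sshd_config(text):
    """Map lowercase directive -> value. sshd keeps the first value it reads for a
    keyword, so later duplicates are ignored; Match blocks end the global section."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break  # only the global section is audited in this example
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_config(text):
    """Return the list of login paths the effective settings leave open."""
    eff = dict(DEFAULTS)
    eff.update({k: v.lower() for k, v in parse_sshd_config(text).items() if k in DEFAULTS})
    findings = []
    if eff["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root may log in with any enabled method")
    if eff["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: password logins enabled")
    if eff["challengeresponseauthentication"] == "yes":
        findings.append("ChallengeResponseAuthentication yes: keyboard-interactive prompts enabled")
    if eff["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: accounts with empty passwords can log in")
    if eff["gssapiauthentication"] == "yes":
        findings.append("GSSAPIAuthentication yes: Kerberos/GSSAPI credentials accepted in addition to keys")
    if eff["hostbasedauthentication"] == "yes":
        findings.append("HostbasedAuthentication yes: trust is placed in the client host key")
    if eff["usepam"] == "yes" and eff["challengeresponseauthentication"] == "yes":
        findings.append("UsePAM yes: PAM password prompts reachable via keyboard-interactive")
    return findings


def _split_options(line):
    """Split on the first space that is outside double quotes (options may contain spaces)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch == " " and not in_quote:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def parse_authorized_key(line):
    """Parse one authorized_keys entry: None for blank/comment lines, ValueError if the
    line is malformed or the blob's embedded type differs from the declared type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    head, rest = _split_options(line)
    if head not in KEY_TYPES:          # leading token is an options string
        options, head_rest = head, rest
        head, rest = _split_options(head_rest)
    if head not in KEY_TYPES:
        raise ValueError("unknown key type %r" % head)
    blob_b64, _, comment = rest.partition(" ")
    blob = base64.b64decode(blob_b64, validate=True)  # raises ValueError on bad base64
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode("ascii", "replace")
    if embedded != head:
        raise ValueError("declared %s but blob encodes %s" % (head, embedded))
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"options": options, "type": head, "fingerprint": fp, "comment": comment.strip()}


def audit_authorized_keys(text):
    """Return (parsed entries, per-line error strings) for an authorized_keys file."""
    entries, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_authorized_key(line)
        except ValueError as exc:
            errors.append("line %d: %s" % (n, exc))
            continue
        if entry:
            entries.append(entry)
    return entries, errors


def make_blob(key_type, key_material):
    """Constructed sample blob in the SSH wire format (length-prefixed strings); not a real key."""
    raw = (struct.pack(">I", len(key_type)) + key_type.encode()
           + struct.pack(">I", len(key_material)) + key_material)
    return base64.b64encode(raw).decode()


# Constructed sample input: the config posted in the thread and a three-line authorized_keys file.
SAMPLE_CONFIG = """Protocol 2
PermitRootLogin without-password
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
UsePAM no
"""
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-ed25519 %s ops@laptop" % make_blob("ssh-ed25519", b"\x01" * 32),
    'command="/usr/bin/backup --full",no-pty ssh-ed25519 %s backup job'
    % make_blob("ssh-ed25519", b"\x02" * 32),
    "ssh-rsa %s mismatched-type" % make_blob("ssh-ed25519", b"\x03" * 32),
])

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("config:", f)
    entries, errors = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    for e in entries:
        print("key:", e["type"], e["fingerprint"], e["options"] or "-", e["comment"])
    for err in errors:
        print("error:", err)
```

Run it against a real server by replacing the two SAMPLE_ strings with the contents of /etc/ssh/sshd_config and the account's authorized_keys or authorized_keys2; the fingerprints it prints can be compared with `ssh-keygen -lf` output on the client that is supposed to hold the matching private key, which is the quickest way to tell which listed key a successful login actually used.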