Re: ssh when rlogin=false

From: Chris Gregors (Chris.Gregors@TELUS.COM)
Date: Mon Jan 06 2003 - 16:02:51 EST


Hmmm. My take on your question was how to DISABLE root logins. This is our
problem. I've attached some information for your perusal. With these
settings I can get in as root over ssh.

Contents of /etc/sshd_config
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
RandomSeed /etc/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseLogin yes

sshd version

[root] /etc> /usr/local/sbin/sshd -?
sshd version OpenSSH_3.2.3p1

And some stanzas from /etc/security/user

default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 0
        histsize = 0
        minage = 0
        maxage = 0
        maxexpired = -1
        minalpha = 0
        minother = 0
        minlen = 0
        mindiff = 0
        maxrepeats = 8
        dictionlist =
        pwdchecks =

root:
        admin = true
        SYSTEM = "compat"
        loginretries = 0
        account_locked = false
        rlogin = false

Hope this is enough.

-----Original Message-----
From: Mills, John T [mailto:John.T.Mills@ERAC.COM]
Sent: Monday, January 06, 2003 1:20 PM
To: aix-l@Princeton.EDU
Subject: Re: ssh when rlogin=false

I think we're having a disconnect here. I am trying
to enable root login via ssh, not disable it. I am
changing the rlogin attribute of the root user to
false. The problem is that ssh looks at that parameter
and denies the connection. I am looking for a means
to configure ssh to ignore the settings on the root
user and allow root to ssh into the box. I tried PermitRootLogin no/yes and
neither worked, but I may be running an odd version of ssh on this box.

-----Original Message-----
From: Chris Gregors [mailto:Chris.Gregors@TELUS.COM]
Sent: Monday, January 06, 2003 2:08 PM
To: aix-l@Princeton.EDU
Subject: Re: [aix-l] ssh when rlogin=false

Hmmm I always thought that was the solution.

If it is root logins you are trying to stop, then set this in
/etc/sshd_config

PermitRootLogin no

Otherwise, I'm not sure anymore.

-----Original Message-----
From: Mills, John T [mailto:John.T.Mills@ERAC.COM]
Sent: Monday, January 06, 2003 12:52 PM
To: aix-l@Princeton.EDU
Subject: Re: ssh when rlogin=false

Chris,

   My daemon starts on demand, so I don't have anything to restart I think.
I tried the change and it is still disallowing login with rlogin=false. Was
this a fix for ssh to honor rlogin or ignore it? I am trying to get ssh to
ignore rlogin=false.

John

-----Original Message-----
From: Chris Gregors [mailto:Chris.Gregors@TELUS.COM]
Sent: Monday, January 06, 2003 1:08 PM
To: aix-l@Princeton.EDU
Subject: Re: [aix-l] ssh when rlogin=false

In /etc/sshd_config set the following entry:

UseLogin yes

And restart sshd. This should cause it to honor rlogin=false.

Chris Gregors
Telus Enterprise Solutions
Email: chris.gregors@telus.com
Phone: (780) 493-2450
Cell: (780) 718-5917

-----Original Message-----
From: Mills, John T [mailto:John.T.Mills@ERAC.COM]
Sent: Monday, January 06, 2003 10:33 AM
To: aix-l@Princeton.EDU
Subject: Re: ssh when rlogin=false

Bill,

   I don't have an sshd running. I'm using openssh,
and it starts a sshd when I connect but it doesn't
keep one running in the background. I am just doing
an 'ssh hostname' to test and a 'chuser rlogin=false
uid' to make the change.
   When I set rlogin=false I get the standard:

Remote logins are not allowed for this account.

message. With rlogin=true I can ssh with no problems.

John T. Mills

-----Original Message-----
From: Bill Verzal [mailto:Bill_Verzal@BCBSIL.COM]
Sent: Monday, January 06, 2003 11:03 AM
To: aix-l@Princeton.EDU
Subject: Re: [aix-l] ssh when rlogin=false

Curious - did you refresh or stop/start sshd ?
----------------------------------------------------------------------------

Bill Verzal
Technical Consultant
Forbes Technical Consulting
(312) 653-3684
bill_verzal@bcbsil.com
billverzal@imcingular.com (Pager)
888-428-4025 (Pager)
MailStop: 27.202B

From: "Mills, John T" <John.T.Mills@ERAC.COM>
Sent by: "IBM AIX Discussion List" <aix-l@Princeton.EDU>
Date: 01/06/2003 11:00 AM
Please respond to "IBM AIX Discussion List"
To: aix-l@Princeton.EDU
cc:
Subject: ssh when rlogin=false

All,

   Has anyone had any luck getting ssh to function
when rlogin=false has been set? I understand that
ssh takes rlogin=false very seriously, but I am
trying to configure ssh to function after this
change is made.

Thanks,

John T. Mills
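
The following Python example is added here and is not from any poster in the thread. It parses the two files quoted above (abbreviated, constructed sample input), resolves root's effective AIX attributes from the default and root stanzas, and reports settings worth reviewing plus any disagreement between sshd_config and /etc/security/user; all function names are hypothetical.

```python
# Constructed sample input, abbreviated from the two files quoted in the thread.
SSHD_CONFIG = """PermitRootLogin yes
IgnoreRhosts no
RhostsRSAAuthentication yes
PermitEmptyPasswords yes
UseLogin yes
"""
SECURITY_USER = """default:
        login = true
        rlogin = true
root:
        admin = true
        rlogin = false
"""

def parse_sshd_config(text):
    """Return {lowercased keyword: value}; the first occurrence wins, as in sshd."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts

def parse_stanzas(text):
    """Parse an AIX stanza file into {stanza name: {attribute: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("*"):      # '*' marks a comment line
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1], {})
        elif current is not None and "=" in line:
            attr, _, value = line.partition("=")
            current[attr.strip()] = value.strip().strip('"')
    return stanzas

def effective(stanzas, user):
    """Attributes in the user's stanza override those in 'default'."""
    return {**stanzas.get("default", {}), **stanzas.get(user, {})}

def audit(sshd_text, user_text, user="root"):
    """List settings worth reviewing, plus any sshd/AIX disagreement on root."""
    sshd = parse_sshd_config(sshd_text)
    attrs = effective(parse_stanzas(user_text), user)
    findings = []
    if sshd.get("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords yes")
    if sshd.get("ignorerhosts") == "no" and sshd.get("rhostsrsaauthentication") == "yes":
        findings.append("rhosts trust enabled (IgnoreRhosts no + RhostsRSAAuthentication yes)")
    if user == "root" and sshd.get("permitrootlogin") == "yes" and attrs.get("rlogin") == "false":
        findings.append("conflict: PermitRootLogin yes but root has rlogin=false")
    return findings
```

Calling `audit(SSHD_CONFIG, SECURITY_USER)` on the sample returns three findings, the last being the PermitRootLogin/rlogin conflict the thread is about.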




This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:16:27 EDT