...making Linux just a little more fun!

SSH configuration stuff

Faber Fedor [faber at linuxnj.com]
Fri, 15 Sep 2006 14:20:08 -0400

On 9/15/06, Bradley Chapman <kakadu at gmail.com> wrote:

>
> Recently I decided to take the plunge and enable SSH on my firewall
> machine, to allow me to get into it remotely. Having done so, I'm now
> agonizing over whether or not I've configured it correctly.

Send us your IP Address and the root password and we'll let you know. :-) Just kidding!

Everything looks fine to me. I would suggest you move the default port to another address: something high (< 64000) and random. A cracker seeing something open on port 22 will do an SSH attack, but on port 54256 he won't know what program to use.

> So far as I can tell, I have asymmetric public-private key
> authentication working correctly, but I am still asked for the account
> password when I SSH into the machine.

IIUC, I think it's asking for your passphrase, the one you used to generate the key-pair, no? To get around that, you have to generate keys with no pass-phrase (which is considered A Bad Thing).

Not only that, but despite

> setting PermitRootLogin to 'no', and AllowUsers to 'user' (the name of
> the account I set up), when attempting to login as either root or any
> other user on the machine, the ssh client simply asks for the account
> password three times and then fails, instead of failing immediately -
> is it supposed to do that?

Yes, it's supposed to do that. With that behaviour (prompting for the password three times), the cracker isn't sure if A) root logins are disabled or B) he has the wrong password. If it failed immediately, he would know that A was true. Anything to slow the little buggers down.

> TIA,

HTH

--

Regards,

Faber Fedor
Linux New Jersey, Inc.
908-320-0357
http://www.linuxnj.com


Bradley Chapman [kakadu at gmail.com]
Fri, 15 Sep 2006 19:39:24 +0100

Mr. Fedor,

On 9/15/06, Faber Fedor <faber at linuxnj.com> wrote:

> On 9/15/06, Bradley Chapman <kakadu at gmail.com> wrote:
>
> > Recently I decided to take the plunge and enable SSH on my firewall
> > machine, to allow me to get into it remotely. Having done so, I'm now
> > agonizing over whether or not I've configured it correctly.
>
>
> Send us your IP Address and the root password and we'll let you know. :-)
> Just kidding!

Right :-/

>
> Everything looks fine to me.  I would suggest you move the default port to
> another address: something high (< 64000) and random. A cracker seeing
> something open on port 22 will do an SSH attack, but on port 54256 he won't
> know what program to use.

I would do that, but there are firewalls in the way...

>
>
> > So far as I can tell, I have asymmetric public-private key
> > authentication working correctly, but I am still asked for the account
> > password when I SSH into the machine.
>
>
> IIUC, I think it's asking for your passphrase, the one you used to generate
> the key-pair, no?  To get around that, you have to generate keys with no
> pass-phrase (which is considered A Bad Thing).

Ahhhh - I had not considered that. Yet the password I enter is the same as the account password, so either I messed up somewhere or I simply made the passphrase the same as the password...

Is there an easy way to tell?

>
> > Not only that, but despite
> > setting PermitRootLogin to 'no', and AllowUsers to 'user' (the name of
> > the account I set up), when attempting to login as either root or any
> > other user on the machine, the ssh client simply asks for the account
> > password three times and then fails, instead of failing immediately -
> > is it supposed to do that?
>
>
> Yes, it's supposed to do that.  With that behaviour (prompting for the
> password three times), the cracker isn't sure if A) root logins are disabled
> or B) he has the wrong password. If it failed immediately, he would know
> that A was true.  Anything to slow the little buggers down.

Excellent, thanks!

Brad

-- 
SCREW THE ADS! http://adblock.mozdev.org/


Kapil Hari Paranjape [kapil at imsc.res.in]
Sat, 16 Sep 2006 06:44:55 +0530

Hello,

On Fri, 15 Sep 2006, Bradley Chapman wrote:

> On 9/15/06, Faber Fedor <faber at linuxnj.com> wrote:
> > Everything looks fine to me.  I would suggest you move the default port to
> > another address: something high (< 64000) and random. A cracker seeing
> > something open on port 22 will do an SSH attack, but on port 54256 he won't
> > know what program to use.
> 
> I would do that, but there are firewalls in the way...

If you are seeing a lot of attempts at root logins, then an alternative to this is to use rate-limiting for SSH connections. At least this saves you some bandwidth.

Kapil.

--
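The rate-limiting alternative mentioned above, as an added example (these are not Kapil's own rules): iptables rules that throttle new connections to the SSH port per source address with the "recent" match. It assumes IPv4 iptables with the state and recent modules available, root privileges to apply the rules, and that no chain named SSH_RATE exists yet; setting IPT=echo prints the rules instead of applying them.

```shell
IPT=${IPT:-iptables}      # set IPT=echo to print the rules instead of applying them
SSH_PORT=${SSH_PORT:-22}  # the port sshd listens on

# ssh_ratelimit WINDOW HITS: once a source address already has HITS new SSH
# connections recorded within the last WINDOW seconds, further attempts are
# dropped. Dropped attempts are recorded too, so the source has to stay quiet
# for WINDOW seconds before it is let in again. Established sessions never
# enter the SSH_RATE chain; only new connection attempts do.
ssh_ratelimit() {
    window=$1; hits=$2
    $IPT -N SSH_RATE
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j SSH_RATE
    # --update refreshes the source's entry and matches when it already holds
    # HITS timestamps inside the window; otherwise --set records this attempt
    # and the packet is accepted.
    $IPT -A SSH_RATE -m recent --name ssh --update --seconds "$window" \
        --hitcount "$hits" -j DROP
    $IPT -A SSH_RATE -m recent --name ssh --set -j ACCEPT
}

# Apply only when explicitly asked, e.g. "sh ssh-ratelimit.sh apply".
if [ "${1:-}" = apply ]; then
    ssh_ratelimit 60 4   # allow 4 new connections per minute per address
fi
```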


Peter Knaggs [peter.knaggs at gmail.com]
Sat, 16 Sep 2006 13:41:22 -0700

>
> UsePAM yes
>
> So far as I can tell, I have asymmetric public-private key
> authentication working correctly, but I am still asked for the account
> password when I SSH into the machine. Not only that, but despite
> setting PermitRootLogin to 'no', and AllowUsers to 'user' (the name of
> the account I set up), when attempting to login as either root or any
> other user on the machine, the ssh client simply asks for the account
> password three times and then fails, instead of failing immediately -
> is it supposed to do that?

I found I had to change "UsePAM" to "no" instead of "yes" to get ssh to stop prompting for a password. Other than that, it looks like your sshd_config is similar to mine.

Hope it helps,
Peter.


Benjamin A. Okopnik [ben at linuxgazette.net]
Sat, 16 Sep 2006 17:41:28 -0400

On Sat, Sep 16, 2006 at 01:41:22PM -0700, Peter Knaggs wrote:

> >
> > UsePAM yes
> >
> > So far as I can tell, I have asymmetric public-private key
> > authentication working correctly, but I am still asked for the account
> > password when I SSH into the machine. Not only that, but despite
> > setting PermitRootLogin to 'no', and AllowUsers to 'user' (the name of
> > the account I set up), when attempting to login as either root or any
> > other user on the machine, the ssh client simply asks for the account
> > password three times and then fails, instead of failing immediately -
> > is it supposed to do that?
> 
> I found I had to change "UsePAM" to "no" instead of "yes" to get ssh
> to stop prompting for a password. Other than that, it looks like your
> sshd_config is similar to mine.

There's a bit more to that story. If "UsePAM" is set to "yes", 'ssh' is going to use the PAM authentication mechanism defined for it - e.g., on my system, that would be the '/etc/pam.d/ssh'. One of the early bits of configuration there looks like this:

# Standard Un*x authentication.
@include common-auth

My 'common-auth', in the same directory, looks like this:

# Removed the 'nullok_secure' option - Ben 10/26/2005
# auth    required    pam_unix.so nullok_secure
auth    required    pam_unix.so

("nullok_secure" (a Debian-specific option) supports passwordless "pam_unix" logins from TTYs listed in '/etc/securetty'; this can be necessary for initial installations. However, 'nullok' in general is at least a little dangerous - it allows null passwords - so I remove it on any system I own where I'm not the sole user.)

In other words, you now have a couple of choices: you can disable PAM auth entirely by setting "UsePAM" to "no", or you can leave "UsePAM" set to "yes" and modify '/etc/pam.d/ssh' to provide a flexible, tailored configuration for account management, authentication management, password management, and session management - in other words, the very reason that you have PAM installed on the system in the first place.

Either of these approaches is valid, depending on what you want - but it seems to me that the latter provides the most flexibility and better, finer-grained access to securing a given service.

* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
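Bradley's question about still being asked for a password, and Ben's explanation of what "UsePAM yes" pulls in, both come down to what an sshd_config actually leaves enabled. The following is an added example, not from any poster in this thread: it reads a constructed sshd_config the way sshd does (first occurrence wins, keywords are case-insensitive, comments ignored) and reports whether a password prompt can still appear. It assumes the whitespace-separated "Keyword value" form with no Match blocks, and the OpenSSH defaults PasswordAuthentication yes, ChallengeResponseAuthentication yes and UsePAM no.

```shell
# Constructed config resembling the thread's: keys work and root is blocked,
# but UsePAM is on and PasswordAuthentication was never set (default: yes).
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
PermitRootLogin no
AllowUsers user
PubkeyAuthentication yes
UsePAM yes
EOF

# Corrected config: keep UsePAM for account/session handling, but close both
# prompt paths, classic password auth and PAM keyboard-interactive.
FIXED_CFG=$(mktemp)
cat >"$FIXED_CFG" <<'EOF'
PermitRootLogin no
AllowUsers user
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

# sshd_opt FILE KEYWORD DEFAULT: effective value of KEYWORD. As in sshd, the
# first occurrence wins, keywords are case-insensitive and comments are skipped.
sshd_opt() {
    _v=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1")
    printf '%s\n' "${_v:-$3}"
}

# password_prompt_possible FILE: "yes" if sshd can still ask for a password.
# PasswordAuthentication no alone is not enough: with UsePAM yes and
# ChallengeResponseAuthentication yes (the OpenSSH default), sshd offers
# keyboard-interactive authentication backed by the PAM stack.
password_prompt_possible() {
    if [ "$(sshd_opt "$1" PasswordAuthentication yes)" = yes ]; then
        echo yes
    elif [ "$(sshd_opt "$1" UsePAM no)" = yes ] &&
         [ "$(sshd_opt "$1" ChallengeResponseAuthentication yes)" = yes ]; then
        echo yes
    else
        echo no
    fi
}

for f in "$WEAK_CFG" "$FIXED_CFG"; do
    echo "$f: password prompt possible: $(password_prompt_possible "$f")"
done
```

On the client side, `ssh -v user@host` prints "Next authentication method: ..." before each attempt, so a passphrase prompt that appears during the publickey step can be told apart from a password prompt that appears under the password or keyboard-interactive step.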
