Results 1 to 5 of 5

Thread: SSH ignores "StrictModes no"

  1. #1
    Join Date
    Jan 2007
    Beans
    83
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Unhappy SSH ignores "StrictModes no"

    I'm trying to set up sshd. I had StrictModes set to "yes" and then changed it to "no." sshd seems to be reading the setting properly, as you can see below, but it's still refusing my public key when its permissions are set to 755.

    Here's the debug output for sshd. (I deleted my IP address due to paranoia.) The values from my sshd_config file can be seen in the output.

    Code:
    $ sudo /usr/sbin/sshd -ddd -e
    debug2: load_server_config: filename /etc/ssh/sshd_config
    debug2: load_server_config: done config len = 843
    debug2: parse_server_config: config /etc/ssh/sshd_config len 843
    debug3: /etc/ssh/sshd_config:6 setting StrictModes no
    debug3: /etc/ssh/sshd_config:11 setting Port 2727
    debug3: /etc/ssh/sshd_config:14 setting AddressFamily inet
    debug3: /etc/ssh/sshd_config:21 setting Protocol 2
    debug3: /etc/ssh/sshd_config:24 setting X11Forwarding no
    debug3: /etc/ssh/sshd_config:27 setting TCPKeepAlive no
    debug3: /etc/ssh/sshd_config:28 setting ClientAliveInterval 600
    debug3: /etc/ssh/sshd_config:29 setting ClientAliveCountMax 3
    debug3: /etc/ssh/sshd_config:32 setting UsePrivilegeSeparation yes
    debug3: /etc/ssh/sshd_config:38 setting HostKey /etc/ssh/ssh_host_rsa_key
    debug3: /etc/ssh/sshd_config:39 setting HostKey /etc/ssh/ssh_host_dsa_key
    debug3: /etc/ssh/sshd_config:42 setting KeyRegenerationInterval 3600
    debug3: /etc/ssh/sshd_config:43 setting ServerKeyBits 768
    debug3: /etc/ssh/sshd_config:46 setting PermitBlacklistedKeys no
    debug3: /etc/ssh/sshd_config:52 setting AllowUsers jordon
    debug3: /etc/ssh/sshd_config:55 setting LoginGraceTime 60
    debug3: /etc/ssh/sshd_config:58 setting PermitRootLogin no
    debug3: /etc/ssh/sshd_config:64 setting IgnoreRhosts yes
    debug3: /etc/ssh/sshd_config:67 setting HostbasedAuthentication no
    debug3: /etc/ssh/sshd_config:69 setting RSAAuthentication yes
    debug3: /etc/ssh/sshd_config:70 setting PubkeyAuthentication yes
    debug3: /etc/ssh/sshd_config:74 setting RhostsRSAAuthentication no
    debug3: /etc/ssh/sshd_config:77 setting HostbasedAuthentication no
    debug3: /etc/ssh/sshd_config:80 setting IgnoreUserKnownHosts yes
    debug3: /etc/ssh/sshd_config:83 setting PermitEmptyPasswords no
    debug3: /etc/ssh/sshd_config:87 setting ChallengeResponseAuthentication no
    debug3: /etc/ssh/sshd_config:91 setting PasswordAuthentication no
    debug3: /etc/ssh/sshd_config:97 setting UsePAM no
    debug3: /etc/ssh/sshd_config:103 setting SyslogFacility AUTH
    debug3: /etc/ssh/sshd_config:104 setting LogLevel INFO
    debug3: /etc/ssh/sshd_config:110 setting PrintMotd no
    debug3: /etc/ssh/sshd_config:113 setting PrintLastLog yes
    debug3: /etc/ssh/sshd_config:115 setting MaxAuthTries 2
    debug3: /etc/ssh/sshd_config:117 setting MaxStartups 1
    debug3: /etc/ssh/sshd_config:119 setting Subsystem sftp /usr/lib/openssh/sftp-server
    debug1: sshd version OpenSSH_5.1p1 Debian-6ubuntu2
    debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
    debug1: read PEM private key done: type RSA
    debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
    debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
    debug1: private host key: #0 type 1 RSA
    debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
    debug1: read PEM private key done: type DSA
    debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
    debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
    debug1: private host key: #1 type 2 DSA
    debug1: rexec_argv[0]='/usr/sbin/sshd'
    debug1: rexec_argv[1]='-ddd'
    debug1: rexec_argv[2]='-e'
    debug2: fd 3 setting O_NONBLOCK
    debug1: Bind to port 2727 on 0.0.0.0.
    Server listening on 0.0.0.0 port 2727.
    debug3: fd 4 is not O_NONBLOCK
    debug1: Server will not fork when running in debugging mode.
    debug3: send_rexec_state: entering fd = 7 config len 843
    debug3: ssh_msg_send: type 0
    debug3: send_rexec_state: done
    debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
    debug3: recv_rexec_state: entering fd = 5
    debug3: ssh_msg_recv entering
    debug3: recv_rexec_state: done
    debug2: parse_server_config: config rexec len 843
    debug3: rexec:6 setting StrictModes no
    debug3: rexec:11 setting Port 2727
    debug3: rexec:14 setting AddressFamily inet
    debug3: rexec:21 setting Protocol 2
    debug3: rexec:24 setting X11Forwarding no
    debug3: rexec:27 setting TCPKeepAlive no
    debug3: rexec:28 setting ClientAliveInterval 600
    debug3: rexec:29 setting ClientAliveCountMax 3
    debug3: rexec:32 setting UsePrivilegeSeparation yes
    debug3: rexec:38 setting HostKey /etc/ssh/ssh_host_rsa_key
    debug3: rexec:39 setting HostKey /etc/ssh/ssh_host_dsa_key
    debug3: rexec:42 setting KeyRegenerationInterval 3600
    debug3: rexec:43 setting ServerKeyBits 768
    debug3: rexec:46 setting PermitBlacklistedKeys no
    debug3: rexec:52 setting AllowUsers jordon
    debug3: rexec:55 setting LoginGraceTime 60
    debug3: rexec:58 setting PermitRootLogin no
    debug3: rexec:64 setting IgnoreRhosts yes
    debug3: rexec:67 setting HostbasedAuthentication no
    debug3: rexec:69 setting RSAAuthentication yes
    debug3: rexec:70 setting PubkeyAuthentication yes
    debug3: rexec:74 setting RhostsRSAAuthentication no
    debug3: rexec:77 setting HostbasedAuthentication no
    debug3: rexec:80 setting IgnoreUserKnownHosts yes
    debug3: rexec:83 setting PermitEmptyPasswords no
    debug3: rexec:87 setting ChallengeResponseAuthentication no
    debug3: rexec:91 setting PasswordAuthentication no
    debug3: rexec:97 setting UsePAM no
    debug3: rexec:103 setting SyslogFacility AUTH
    debug3: rexec:104 setting LogLevel INFO
    debug3: rexec:110 setting PrintMotd no
    debug3: rexec:113 setting PrintLastLog yes
    debug3: rexec:115 setting MaxAuthTries 2
    debug3: rexec:117 setting MaxStartups 1
    debug3: rexec:119 setting Subsystem sftp /usr/lib/openssh/sftp-server
    debug1: sshd version OpenSSH_5.1p1 Debian-6ubuntu2
    debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
    debug1: read PEM private key done: type RSA
    debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
    debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
    debug1: private host key: #0 type 1 RSA
    debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
    debug1: read PEM private key done: type DSA
    debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
    debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
    debug1: private host key: #1 type 2 DSA
    debug1: inetd sockets after dupping: 3, 3
    Connection from [IP redacted] port 41085
    debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 Debian-6ubuntu2
    debug1: match: OpenSSH_5.1p1 Debian-6ubuntu2 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-6ubuntu2
    debug2: fd 3 setting O_NONBLOCK
    debug3: privsep user:group 113:65534
    debug1: permanently_set_uid: 113/65534
    debug1: list_hostkey_types: ssh-rsa,ssh-dss
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: first_kex_follows 0 
    debug2: kex_parse_kexinit: reserved 0 
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: 
    debug2: kex_parse_kexinit: first_kex_follows 0 
    debug2: kex_parse_kexinit: reserved 0 
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
    debug3: mm_request_send entering: type 0
    debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
    debug3: mm_request_receive_expect entering: type 1
    debug3: mm_request_receive entering
    debug2: Network child is on pid 5255
    debug3: preauth child monitor started
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 0
    debug3: mm_answer_moduli: got parameters: 1024 1024 8192
    debug3: mm_request_send entering: type 1
    debug2: monitor_read: 0 used once, disabling now
    debug3: mm_request_receive entering
    debug3: mm_choose_dh: remaining 0
    debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
    debug2: dh_gen_key: priv key bits set: 121/256
    debug2: bits set: 509/1024
    debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
    debug2: bits set: 500/1024
    debug3: mm_key_sign entering
    debug3: mm_request_send entering: type 5
    debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
    debug3: mm_request_receive_expect entering: type 6
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 5
    debug3: mm_answer_sign
    debug3: mm_answer_sign: signature 0x2523bf8(271)
    debug3: mm_request_send entering: type 6
    debug2: monitor_read: 5 used once, disabling now
    debug3: mm_request_receive entering
    debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: KEX done
    debug1: userauth-request for user jordon service ssh-connection method none
    debug1: attempt 0 failures 0
    debug3: mm_getpwnamallow entering
    debug3: mm_request_send entering: type 7
    debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
    debug3: mm_request_receive_expect entering: type 8
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 7
    debug3: mm_answer_pwnamallow
    debug3: Trying to reverse map address [IP redacted].
    debug2: parse_server_config: config reprocess config len 843
    debug3: auth_shadow_acctexpired: today 14633 sp_expire -1 days left -14634
    debug3: account expiration disabled
    debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
    debug3: mm_request_send entering: type 8
    debug2: monitor_read: 7 used once, disabling now
    debug3: mm_request_receive entering
    debug2: input_userauth_request: setting up authctxt for jordon
    debug3: mm_inform_authserv entering
    debug3: mm_request_send entering: type 3
    debug2: input_userauth_request: try method none
    debug3: monitor_read: checking request 3
    debug3: mm_answer_authserv: service=ssh-connection, style=, role=
    debug2: monitor_read: 3 used once, disabling now
    debug3: mm_request_receive entering
    Connection closed by [IP redacted]
    debug1: do_cleanup
    debug1: do_cleanup
    Someone else seems to have had this problem, but it didn't seem to be solved. Can anyone help?

  2. #2
    Join Date
    Jun 2006
    Location
    Belgium (nl)
    Beans
    24
    Distro
    Ubuntu

    Re: SSH ignores "StrictModes no"

    EDIT: I mean this issues still occurs for me on Ubuntu 11.04
    Last edited by Pistolpete2; June 15th, 2012 at 06:18 PM. Reason: Mistake :-)
    A man may fight for many things. His country, his friends, his principles, the glistening ear on the cheek of a golden child. But personally, I'd mud-wrestle my own mother for a ton of cash, an amusing clock and a sack of French porn. - Blackadder -

  3. #3
    Join Date
    Dec 2010
    Beans
    570
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: SSH ignores "StrictModes no"

    You are getting this because it is the ssh client that is throwing the error not the sshd server.

    Keep in mind that the sshd_config controls the settings for the SSH Daemon where as the ssh_config controls the settings for the ssh client.

    There is no directive for the ssh_config that I know of that disables this permissions check. Let me tak a look a the source for OpenSSH and see if there is any thing there.

    OK, looking at the code here is what I found:
    The ssh command main function calls "key_load_private_type" for each type of private key supported which in turn calls key_perm_ok and if private key file owner UID doesn't match the current user UID and permissions have any bit for group or other set key_perm_ok prints that "UNPROTECTED PRIVATE KEY FILE" warning and returns False (0) to key_load_private_type. This causes key_load_private_type to return a Null private key to the ssh main function which causes it to continue as if there was no private key to use for authentication.

    There are no switches/or conditionals in the UID/Permission check on the private key done by the ssh client command so there is no way to override it.
    Last edited by hawkmage; June 15th, 2012 at 07:43 PM. Reason: More info

  4. #4
    Join Date
    Jun 2006
    Location
    Belgium (nl)
    Beans
    24
    Distro
    Ubuntu

    Smile [Solved] SSH ignores "StrictModes no"

    Please do not bother anymore .

    The problem is solved.

    I'd be happy to say way but I am not sure . The only thing I now that the host is rebooted so I gues that something went wrong when I restarted the SSH Daemon service. My client configuration hasn't changed so I guess it was server-side instead of client side.

    Which would be more logical to me because if you cannot setup your SSH connection you cannot check the permissions of the folders on the remote host. So the client cannot determine the conditions that must be true (700 for home folder, .ssh folder and authorized_keys) for strictMode.

    Thanks for your time, but sometimes a Microsoft solution (e.g. rebooting) does the trick .
    A man may fight for many things. His country, his friends, his principles, the glistening ear on the cheek of a golden child. But personally, I'd mud-wrestle my own mother for a ton of cash, an amusing clock and a sack of French porn. - Blackadder -

  5. #5
    Join Date
    Jun 2006
    Location
    UK
    Beans
    Hidden!
    Distro
    Ubuntu 14.10 Utopic Unicorn

    Re: [Solved] SSH ignores "StrictModes no"

    Quote Originally Posted by Pistolpete2 View Post
    The problem is solved.
    Good to hear. I've closed this thread with a > 2-year old first post.

    Please do not PM me about your forum account unless you have been asked to. The correct place to contact an admin about your account is here.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •