Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 24

Thread: PAM with SSH

  1. #11
    Join Date
    Dec 2010
    Beans
    433

    Re: PAM with SSH

    Any way to do this from windows?

  2. #12
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: PAM with SSH

    I wouldn't know. I don't use it.

    Maybe if you have the server or a console on the server in front of you, you could launch a second instance of sshd and watch the debug info from it. That might provide something.

    Code:
    /usr/sbin/sshd -p 2200 -d
    sudo /usr/sbin/sshd -p 2200 -d
    That will allow you to login, once, on port 2200 while sending all the debug info to stderr for you to read through. Doing it that way leaves the 'original' sshd running so you can even do it remotely.
    Last edited by Lars Noodén; March 3rd, 2014 at 03:45 PM.

  3. #13
    Join Date
    Dec 2010
    Beans
    433

    Re: PAM with SSH

    So I tried connecting from windows, but didn't seem to get any other debug info.
    Attached Images Attached Images

  4. #14
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    ChrootDirectory

    I think I was able to duplicate your error on my system. At least using your configuration as-is creates one.

    Code:
    debug1: PAM: establishing credentials
    bad ownership or modes for chroot directory "/home/foo"
    Using ChrootDirectory the target of the chroot, %h, has to be owned by root and not writeable by anyone else. So if that is a user's home directory, then that home directory has to be 755 or 750 for root. That creates some seconday logistical problems if the user also is expected to have a login shell, but if sticking with SFTP only then there is no problem.

    Code:
    sudo chown root /home/foo
    sudo chmod 755 /home/foo

  5. #15
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: PAM with SSH

    Quote Originally Posted by sniper8752 View Post
    So I tried connecting from windows, but didn't seem to get any other debug info.
    sshd needs to be launched as root to read the private host keys. I should have mentioned it above, I'll edit it.

  6. #16
    Join Date
    Dec 2010
    Beans
    433

    Re: ChrootDirectory

    Quote Originally Posted by Lars Noodén View Post
    I think I was able to duplicate your error on my system. At least using your configuration as-is creates one.

    Code:
    debug1: PAM: establishing credentials
    bad ownership or modes for chroot directory "/home/foo"
    Using ChrootDirectory the target of the chroot, %h, has to be owned by root and not writeable by anyone else. So if that is a user's home directory, then that home directory has to be 755 or 750 for root. That creates some seconday logistical problems if the user also is expected to have a login shell, but if sticking with SFTP only then there is no problem.

    Code:
    sudo chown root /home/foo
    sudo chmod 755 /home/foo
    I am planning on having the user having a login. I will see if I can get the config file posted on here somehow.

  7. #17
    Join Date
    Dec 2010
    Beans
    433

    Re: PAM with SSH

    Here is my sshd_config file:
    Code:
    # Package generated configuration file# See the sshd_config(5) manpage for details
    
    
    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    AllowUsers bob admin
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    
    
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    
    
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin yes # changed this value to yes
    StrictModes yes
    
    
    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile     %h/.ssh/authorized_keys
    
    
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    
    
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    
    
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no
    
    
    # Change to no to disable tunnelled clear text passwords
    #PasswordAuthentication yes
    
    
    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    
    
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    
    
    X11Forwarding no
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no
    
    
    #MaxStartups 10:30:60
    Banner /etc/issue.net
    
    
    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*
    
    
    Subsystem sftp internal-sftp -f AUTH -l VERBOSE
    
    
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    #UsePAM yes # Started commenting out here
    #AllowGroups sftpusers sftp
    #Match Group sftpusers
    #ChrootDirectory %h
    #AllowTCPForwarding no
    #ForceCOmmand internal-sftp

  8. #18
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    AllowGroups

    AllowUsers blocks subsequent use of AllowGroups, they don't mix. It's not so clear in the documentation though.

    Can you describe the scenario(s) you wish to enable?

  9. #19
    Join Date
    Dec 2010
    Beans
    433

    Re: PAM with SSH

    What do you mean? AllowUsers seems to work by itself.
    I would like to prevent root from being able to login directly, which I think would be a security feature. Correct me if you don't think so. I just think that they could use switchuser, or I think the command is, su. but there will be other accounts that I would allow to have an account on the server, to be able to log on locally, as well as from afar to access documents, do work, or whatever the reason may be.

  10. #20
    Join Date
    Sep 2006
    Beans
    8,627
    Distro
    Ubuntu 14.04 Trusty Tahr

    preventing remote root login

    AllowUsers takes priority over AllowGroups. Try them in a few permutations and see.

    However, it is much simpler to prevent remote root logins. Just set

    Code:
    PermitRootLogin no
    and that should do it. Then to use root, they'll have to run either su or sudo, but that will at least give you a real login so that you know who to ask questions.

Page 2 of 3 FirstFirst 123 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •