[plug] Looking for assistance with a recent Debian upgrade

Joe Aquilina joe at chem.com.au
Wed Dec 18 12:04:54 AWST 2019 

Chris

Her is the sshd_config file on the server:

$ cat /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
AllowUsers joe
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
UseLogin no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

I just checked the passwd file on the server and both accounts I use to 
login finish with /bin/bash. However, I also noticed that the last line 
of the passwd file looks like this:

sshd:x:100:65534::/run/sshd:/usr/sbin/nologin

Looking at the passwd file from a backup done before the upgrade, and 
when ssh logins were working, this line is a recent addition - it does 
not appear in past instances of the passwd file. Is this the cause of my 
problems? Can I simply delete this line and try again?

Cheers.

Joe Aquilina


On 18/12/19 11:49 am, Chris Hoy Poy wrote:
> Hey Joe,
>
> Can you check what "usePrivilegeSeparation" is defined as in the 
> server sshd_config is ?
>
> Cheers
> /Chris
>
> On Wed, 18 Dec 2019, 11:42 am Joe Aquilina, <joe at chem.com.au 
> <mailto:joe at chem.com.au>> wrote:
>
>     sestatus and getenforce both show selinux as disabled.
>
>     There is already another account that is occasionally used to
>     login to the server - it fails exactly the same as my (joe)
>     account. I don't believe that any scripts at login.
>
>     And yes I did edit the output to protect the "guilty" ... replaced
>     the real server name with <server> and the server's IP address. I
>     presumed that is what was requested when it was suggested that I
>     post a sanitised copy of the login attempt output.
>
>     Cheers.
>
>     Joe Aquilina
>
>     On 18/12/19 11:08 am, mike wrote:
>>     On 18/12/2019 10:43, Joe Aquilina wrote:
>>>     I have no idea about selinux, whether it is installed/enabled.
>>>     How do I check that and disable it if necessary, and then re-enable?
>>
>>     sestatus orgetenforce
>>
>>     If file not found then not in use.
>>
>>     Are you removing details from the output? IE:
>>     Authenticated to <server> ([ip.address of server]:22).
>>
>>     Mine says
>>     debug1: Authentication succeeded (publickey).
>>     Authenticated to nos ([10.222.0.4]:22).
>>
>>     Another thought is what does the passwd file say for your login? I have /bin/bash on the end
>>
>>     What user are you trying to login as?
>>
>>     Are you running any scripts at login that may be failing?
>>
>>     Have you tried another user?
>>
>>     Maybe create a new user and try logging in with that just to remove the user as being an issue.
>>
>>     -- 
>>     'ooroo
>>
>>     Mike...(:)-)
>>     ---------------------------------------------------
>>     Email:mike at wolf-rock.com  <mailto:mike at wolf-rock.com>          o
>>     You need only two tools.        o /////
>>     A hammer and duct tape. If it    /@   `\  /) ~
>>     doesn't move and it should use  >  (O)  X<  ~  Fish!!
>>     the hammer. If it moves and      `\___/'  \) ~
>>     shouldn't, use the tape.           \\\
>>     ---------------------------------------------------
>
>
>     -- 
>     Joe Aquilina
>     Central Chemical Consulting Pty Ltd
>     PO Box 2546 Malaga WA 6944 Australia
>     1/11 Narloo St Malaga 6090 Australia
>     Tel: +61  8 9248 2739  Fax: +61  8 9248 2749
>     joe at chem.com.au  <mailto:joe at chem.com.au>   www.chem.com.au  <http://www.chem.com.au>	
>
>     _______________________________________________
>     PLUG discussion list: plug at plug.org.au <mailto:plug at plug.org.au>
>     http://lists.plug.org.au/mailman/listinfo/plug
>     Committee e-mail: committee at plug.org.au <mailto:committee at plug.org.au>
>     PLUG Membership: http://www.plug.org.au/membership
>

-- 
Joe Aquilina
Central Chemical Consulting Pty Ltd
PO Box 2546 Malaga WA 6944 Australia
1/11 Narloo St Malaga 6090 Australia
Tel: +61  8 9248 2739  Fax: +61  8 9248 2749
joe at chem.com.au  www.chem.com.au

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20191218/42dffdc7/attachment.html>

More information about the plug mailing list