[plug] Looking for assistance with a recent Debian upgrade
Joe Aquilina
joe at chem.com.au
Wed Dec 18 12:17:14 AWST 2019
I didn't check the old passwd file closely enough, that "extra" line was
in the old passwd file from a time when ssh was working, but was much
higher up in the file and I missed on my previous brief look. So it
obviously is not (part of) the problem.
Cheers.
Joe Aquilina
On 18/12/19 12:04 pm, Joe Aquilina wrote:
> Chris
>
> Her is the sshd_config file on the server:
>
> $ cat /etc/ssh/sshd_config
> # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options override the
> # default value.
>
> Port 22
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> #HostKey /etc/ssh/ssh_host_ed25519_key
>
> # Ciphers and keying
> #RekeyLimit default none
>
> # Logging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 2m
> #PermitRootLogin prohibit-password
> AllowUsers joe
> #StrictModes yes
> #MaxAuthTries 6
> #MaxSessions 10
>
> #PubkeyAuthentication yes
>
> # Expect .ssh/authorized_keys2 to be disregarded by default in future.
> #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
>
> #AuthorizedPrincipalsFile none
>
> #AuthorizedKeysCommand none
> #AuthorizedKeysCommandUser nobody
>
> # For this to work you will also need host keys in
> /etc/ssh/ssh_known_hosts
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication. Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> UsePAM yes
> UseLogin no
>
> #AllowAgentForwarding yes
> #AllowTcpForwarding yes
> #GatewayPorts no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PermitTTY yes
> PrintMotd no
> #PrintLastLog yes
> #TCPKeepAlive yes
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #UseDNS no
> #PidFile /var/run/sshd.pid
> #MaxStartups 10:30:100
> #PermitTunnel no
> #ChrootDirectory none
> #VersionAddendum none
>
> # no default banner path
> #Banner none
>
> # Allow client to pass locale environment variables
> AcceptEnv LANG LC_*
>
> # override default of no subsystems
> Subsystem sftp /usr/lib/openssh/sftp-server
>
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> # X11Forwarding no
> # AllowTcpForwarding no
> # PermitTTY no
> # ForceCommand cvs server
>
> I just checked the passwd file on the server and both accounts I use
> to login finish with /bin/bash. However, I also noticed that the last
> line of the passwd file looks like this:
>
> sshd:x:100:65534::/run/sshd:/usr/sbin/nologin
>
> Looking at the passwd file from a backup done before the upgrade, and
> when ssh logins were working, this line is a recent addition - it does
> not appear in past instances of the passwd file. Is this the cause of
> my problems? Can I simply delete this line and try again?
>
> Cheers.
>
> Joe Aquilina
>
>
> On 18/12/19 11:49 am, Chris Hoy Poy wrote:
>> Hey Joe,
>>
>> Can you check what "usePrivilegeSeparation" is defined as in the
>> server sshd_config is ?
>>
>> Cheers
>> /Chris
>>
>> On Wed, 18 Dec 2019, 11:42 am Joe Aquilina, <joe at chem.com.au
>> <mailto:joe at chem.com.au>> wrote:
>>
>> sestatus and getenforce both show selinux as disabled.
>>
>> There is already another account that is occasionally used to
>> login to the server - it fails exactly the same as my (joe)
>> account. I don't believe that any scripts at login.
>>
>> And yes I did edit the output to protect the "guilty" ...
>> replaced the real server name with <server> and the server's IP
>> address. I presumed that is what was requested when it was
>> suggested that I post a sanitised copy of the login attempt output.
>>
>> Cheers.
>>
>> Joe Aquilina
>>
>> On 18/12/19 11:08 am, mike wrote:
>>> On 18/12/2019 10:43, Joe Aquilina wrote:
>>>> I have no idea about selinux, whether it is installed/enabled.
>>>> How do I check that and disable it if necessary, and then
>>>> re-enable?
>>>
>>> sestatus orgetenforce
>>>
>>> If file not found then not in use.
>>>
>>> Are you removing details from the output? IE:
>>> Authenticated to <server> ([ip.address of server]:22).
>>>
>>> Mine says
>>> debug1: Authentication succeeded (publickey).
>>> Authenticated to nos ([10.222.0.4]:22).
>>>
>>> Another thought is what does the passwd file say for your login? I have /bin/bash on the end
>>>
>>> What user are you trying to login as?
>>>
>>> Are you running any scripts at login that may be failing?
>>>
>>> Have you tried another user?
>>>
>>> Maybe create a new user and try logging in with that just to remove the user as being an issue.
>>>
>>> --
>>> 'ooroo
>>>
>>> Mike...(:)-)
>>> ---------------------------------------------------
>>> Email:mike at wolf-rock.com <mailto:mike at wolf-rock.com> o
>>> You need only two tools. o /////
>>> A hammer and duct tape. If it /@ `\ /) ~
>>> doesn't move and it should use > (O) X< ~ Fish!!
>>> the hammer. If it moves and `\___/' \) ~
>>> shouldn't, use the tape. \\\
>>> ---------------------------------------------------
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au <mailto:plug at plug.org.au>
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> <mailto:committee at plug.org.au>
>> PLUG Membership: http://www.plug.org.au/membership
>>
--
Joe Aquilina
Central Chemical Consulting Pty Ltd
PO Box 2546 Malaga WA 6944 Australia
1/11 Narloo St Malaga 6090 Australia
Tel: +61 8 9248 2739 Fax: +61 8 9248 2749
joe at chem.com.au www.chem.com.au
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20191218/9e09f28a/attachment.html>
More information about the plug
mailing list