[plug] Looking for assistance with a recent Debian upgrade

Joe Aquilina joe at chem.com.au
Wed Dec 18 12:17:14 AWST 2019 

I didn't check the old passwd file closely enough, that "extra" line was 
in the old passwd file from a time when ssh was working, but was much 
higher up in the file and I missed on my previous brief look. So it 
obviously is not (part of) the problem.

Cheers.

Joe Aquilina


On 18/12/19 12:04 pm, Joe Aquilina wrote:
> Chris
>
> Her is the sshd_config file on the server:
>
> $ cat /etc/ssh/sshd_config
> #       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
>
> # This is the sshd server system-wide configuration file.  See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented.  Uncommented options override the
> # default value.
>
> Port 22
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> #HostKey /etc/ssh/ssh_host_ed25519_key
>
> # Ciphers and keying
> #RekeyLimit default none
>
> # Logging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 2m
> #PermitRootLogin prohibit-password
> AllowUsers joe
> #StrictModes yes
> #MaxAuthTries 6
> #MaxSessions 10
>
> #PubkeyAuthentication yes
>
> # Expect .ssh/authorized_keys2 to be disregarded by default in future.
> #AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
>
> #AuthorizedPrincipalsFile none
>
> #AuthorizedKeysCommand none
> #AuthorizedKeysCommandUser nobody
>
> # For this to work you will also need host keys in 
> /etc/ssh/ssh_known_hosts
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication.  Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> UsePAM yes
> UseLogin no
>
> #AllowAgentForwarding yes
> #AllowTcpForwarding yes
> #GatewayPorts no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PermitTTY yes
> PrintMotd no
> #PrintLastLog yes
> #TCPKeepAlive yes
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #UseDNS no
> #PidFile /var/run/sshd.pid
> #MaxStartups 10:30:100
> #PermitTunnel no
> #ChrootDirectory none
> #VersionAddendum none
>
> # no default banner path
> #Banner none
>
> # Allow client to pass locale environment variables
> AcceptEnv LANG LC_*
>
> # override default of no subsystems
> Subsystem       sftp    /usr/lib/openssh/sftp-server
>
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> #       X11Forwarding no
> #       AllowTcpForwarding no
> #       PermitTTY no
> #       ForceCommand cvs server
>
> I just checked the passwd file on the server and both accounts I use 
> to login finish with /bin/bash. However, I also noticed that the last 
> line of the passwd file looks like this:
>
> sshd:x:100:65534::/run/sshd:/usr/sbin/nologin
>
> Looking at the passwd file from a backup done before the upgrade, and 
> when ssh logins were working, this line is a recent addition - it does 
> not appear in past instances of the passwd file. Is this the cause of 
> my problems? Can I simply delete this line and try again?
>
> Cheers.
>
> Joe Aquilina
>
>
> On 18/12/19 11:49 am, Chris Hoy Poy wrote:
>> Hey Joe,
>>
>> Can you check what "usePrivilegeSeparation" is defined as in the 
>> server sshd_config is ?
>>
>> Cheers
>> /Chris
>>
>> On Wed, 18 Dec 2019, 11:42 am Joe Aquilina, <joe at chem.com.au 
>> <mailto:joe at chem.com.au>> wrote:
>>
>>     sestatus and getenforce both show selinux as disabled.
>>
>>     There is already another account that is occasionally used to
>>     login to the server - it fails exactly the same as my (joe)
>>     account. I don't believe that any scripts at login.
>>
>>     And yes I did edit the output to protect the "guilty" ...
>>     replaced the real server name with <server> and the server's IP
>>     address. I presumed that is what was requested when it was
>>     suggested that I post a sanitised copy of the login attempt output.
>>
>>     Cheers.
>>
>>     Joe Aquilina
>>
>>     On 18/12/19 11:08 am, mike wrote:
>>>     On 18/12/2019 10:43, Joe Aquilina wrote:
>>>>     I have no idea about selinux, whether it is installed/enabled.
>>>>     How do I check that and disable it if necessary, and then
>>>>     re-enable?
>>>
>>>     sestatus orgetenforce
>>>
>>>     If file not found then not in use.
>>>
>>>     Are you removing details from the output? IE:
>>>     Authenticated to <server> ([ip.address of server]:22).
>>>
>>>     Mine says
>>>     debug1: Authentication succeeded (publickey).
>>>     Authenticated to nos ([10.222.0.4]:22).
>>>
>>>     Another thought is what does the passwd file say for your login? I have /bin/bash on the end
>>>
>>>     What user are you trying to login as?
>>>
>>>     Are you running any scripts at login that may be failing?
>>>
>>>     Have you tried another user?
>>>
>>>     Maybe create a new user and try logging in with that just to remove the user as being an issue.
>>>
>>>     -- 
>>>     'ooroo
>>>
>>>     Mike...(:)-)
>>>     ---------------------------------------------------
>>>     Email:mike at wolf-rock.com  <mailto:mike at wolf-rock.com>          o
>>>     You need only two tools.        o /////
>>>     A hammer and duct tape. If it    /@   `\  /) ~
>>>     doesn't move and it should use  >  (O)  X<  ~  Fish!!
>>>     the hammer. If it moves and      `\___/'  \) ~
>>>     shouldn't, use the tape.           \\\
>>>     ---------------------------------------------------
>>     _______________________________________________
>>     PLUG discussion list: plug at plug.org.au <mailto:plug at plug.org.au>
>>     http://lists.plug.org.au/mailman/listinfo/plug
>>     Committee e-mail: committee at plug.org.au
>>     <mailto:committee at plug.org.au>
>>     PLUG Membership: http://www.plug.org.au/membership
>>
-- 

Joe Aquilina
Central Chemical Consulting Pty Ltd
PO Box 2546 Malaga WA 6944 Australia
1/11 Narloo St Malaga 6090 Australia
Tel: +61  8 9248 2739  Fax: +61  8 9248 2749
joe at chem.com.au  www.chem.com.au

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20191218/9e09f28a/attachment.html>

More information about the plug mailing list