[plug] Looking for assistance with a recent Debian upgrade

Chris Hoy Poy chris at hoypoy.id.au
Wed Dec 18 12:19:26 AWST 2019 

That line shouldn't bother it (the nologin is fine, you don't want it
logging in)

I can't see "usePrivilegeSeparation" in that config, it's probably default.

How old is the overall install, and has the kernel been upgraded recently?

I see a number of recent minor issues around openssl versions + kernel
versions

Probably want to be a later kernel if possible, just to be sure.

https://www.mail-archive.com/debian-ssh@lists.debian.org/msg08820.html

https://www.mail-archive.com/debian-ssh@lists.debian.org/msg08852.html


On Wed, 18 Dec 2019, 12:05 pm Joe Aquilina, <joe at chem.com.au> wrote:

> Chris
>
> Her is the sshd_config file on the server:
>
> $ cat /etc/ssh/sshd_config
> #       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
>
> # This is the sshd server system-wide configuration file.  See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented.  Uncommented options override the
> # default value.
>
> Port 22
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_ecdsa_key
> #HostKey /etc/ssh/ssh_host_ed25519_key
>
> # Ciphers and keying
> #RekeyLimit default none
>
> # Logging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 2m
> #PermitRootLogin prohibit-password
> AllowUsers joe
> #StrictModes yes
> #MaxAuthTries 6
> #MaxSessions 10
>
> #PubkeyAuthentication yes
>
> # Expect .ssh/authorized_keys2 to be disregarded by default in future.
> #AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
>
> #AuthorizedPrincipalsFile none
>
> #AuthorizedKeysCommand none
> #AuthorizedKeysCommandUser nobody
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to yes to enable challenge-response passwords (beware issues with
> # some PAM modules and threads)
> ChallengeResponseAuthentication no
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> #GSSAPIStrictAcceptorCheck yes
> #GSSAPIKeyExchange no
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication.  Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> UsePAM yes
> UseLogin no
>
> #AllowAgentForwarding yes
> #AllowTcpForwarding yes
> #GatewayPorts no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PermitTTY yes
> PrintMotd no
> #PrintLastLog yes
> #TCPKeepAlive yes
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #UseDNS no
> #PidFile /var/run/sshd.pid
> #MaxStartups 10:30:100
> #PermitTunnel no
> #ChrootDirectory none
> #VersionAddendum none
>
> # no default banner path
> #Banner none
>
> # Allow client to pass locale environment variables
> AcceptEnv LANG LC_*
>
> # override default of no subsystems
> Subsystem       sftp    /usr/lib/openssh/sftp-server
>
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> #       X11Forwarding no
> #       AllowTcpForwarding no
> #       PermitTTY no
> #       ForceCommand cvs server
>
> I just checked the passwd file on the server and both accounts I use to
> login finish with /bin/bash. However, I also noticed that the last line of
> the passwd file looks like this:
>
> sshd:x:100:65534::/run/sshd:/usr/sbin/nologin
>
> Looking at the passwd file from a backup done before the upgrade, and when
> ssh logins were working, this line is a recent addition - it does not
> appear in past instances of the passwd file. Is this the cause of my
> problems? Can I simply delete this line and try again?
>
> Cheers.
>
> Joe Aquilina
>
>
> On 18/12/19 11:49 am, Chris Hoy Poy wrote:
>
> Hey Joe,
>
> Can you check what "usePrivilegeSeparation" is defined as in the server
> sshd_config is ?
>
> Cheers
> /Chris
>
> On Wed, 18 Dec 2019, 11:42 am Joe Aquilina, <joe at chem.com.au> wrote:
>
>> sestatus and getenforce both show selinux as disabled.
>>
>> There is already another account that is occasionally used to login to
>> the server - it fails exactly the same as my (joe) account. I don't believe
>> that any scripts at login.
>>
>> And yes I did edit the output to protect the "guilty" ... replaced the
>> real server name with <server> and the server's IP address. I presumed that
>> is what was requested when it was suggested that I post a sanitised copy of
>> the login attempt output.
>>
>> Cheers.
>>
>> Joe Aquilina
>>
>> On 18/12/19 11:08 am, mike wrote:
>>
>> On 18/12/2019 10:43, Joe Aquilina wrote:
>>
>> I have no idea about selinux, whether it is installed/enabled. How do I
>> check that and disable it if necessary, and then re-enable?
>>
>>
>> sestatus or getenforce
>>
>> If file not found then not in use.
>>
>> Are you removing details from the output? IE:
>> Authenticated to <server> ([ip.address of server]:22).
>>
>> Mine says
>> debug1: Authentication succeeded (publickey).
>> Authenticated to nos ([10.222.0.4]:22).
>>
>> Another thought is what does the passwd file say for your login? I have /bin/bash on the end
>>
>> What user are you trying to login as?
>>
>> Are you running any scripts at login that may be failing?
>>
>> Have you tried another user?
>>
>> Maybe create a new user and try logging in with that just to remove the user as being an issue.
>>
>>
>> --
>> 'ooroo
>>
>> Mike...(:)-)
>> ---------------------------------------------------
>> Email: mike at wolf-rock.com         o
>> You need only two tools.        o /////
>> A hammer and duct tape. If it    /@   `\  /) ~
>> doesn't move and it should use  >  (O)  X<  ~  Fish!!
>> the hammer. If it moves and      `\___/'  \) ~
>> shouldn't, use the tape.           \\\
>> ---------------------------------------------------
>>
>>
>> --
>> Joe Aquilina
>> Central Chemical Consulting Pty Ltd
>> PO Box 2546 Malaga WA 6944 Australia
>> 1/11 Narloo St Malaga 6090 Australia
>> Tel: +61  8 9248 2739  Fax: +61  8 9248 2749joe at chem.com.au  www.chem.com.au	
>>
>> _______________________________________________
>> PLUG discussion list: plug at plug.org.au
>> http://lists.plug.org.au/mailman/listinfo/plug
>> Committee e-mail: committee at plug.org.au
>> PLUG Membership: http://www.plug.org.au/membership
>
>
> --
> Joe Aquilina
> Central Chemical Consulting Pty Ltd
> PO Box 2546 Malaga WA 6944 Australia
> 1/11 Narloo St Malaga 6090 Australia
> Tel: +61  8 9248 2739  Fax: +61  8 9248 2749joe at chem.com.au  www.chem.com.au
>
> _______________________________________________
> PLUG discussion list: plug at plug.org.au
> http://lists.plug.org.au/mailman/listinfo/plug
> Committee e-mail: committee at plug.org.au
> PLUG Membership: http://www.plug.org.au/membership
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.plug.org.au/pipermail/plug/attachments/20191218/4c6bf01f/attachment.html>

More information about the plug mailing list