RE: ssh allowing root login with no password





-----Original Message-----
On 05/09/11 15:18, Steven Buehler wrote:
I am trying to set up our servers to only allow logins with a
public/private key pair. 2 of our machines have to have root login
access with ssh and the rest, we will login as another account and su
to root. I just started with this company and on their boxes which
range from version 5.1 to 5.5, if I open up the firewall to allow ssh
access from anywhere, I can ssh to root without a password. The only
uncommented lines in the /etc/ssh/sshd_config are the following:

[snip]


I'm hoping that someone can lead me in the right direction as I can't
figure this one out. If this was only one machine, I would assume
that it might have been hacked, but this is all of their servers and
VMs that will allow me to ssh to them without a login/password and
get into root. Luckily, they have always had their (supposedly
anyway) iptables set to only allow access from specific IPs.



Change / uncomment PermitRootLogin with a value of without-password

--

I changed the line to read
PermitRootLogin without-password

It still allows a root login without a password or key.

Someone else suggested that there was an authorized_keys file and a known
hosts file. I was able to get to these servers from my own personal servers
that have NEVER ssh'd to these servers before, so the known hosts file from
the client server was empty since it is actually a fresh install of mine.
The authorized_keys file on the sshd server does have 2 keys in it. Those 2
private keys are NOT on the client server, so there should be no reason it
lets me in from the remote (client) server.

I have copied over my sshd_config file from one of my personal servers where
I know they work and I still have the problem.

Below is my new sshd_config file after some changes on one of the servers
that I need to have root login with a key and not password, but it still
allows login without either. I don't know what they did when they set up
these machines, but it is really ticking me off.

Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin without-password
StrictModes yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
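
Added example, not part of the original message or of OpenSSH: a small Python check that reads an sshd_config the way sshd does (first value for a keyword wins) and lists the authentication methods the file still leaves open for root, run here on the authentication lines of the configuration posted above. The function names and the default table are assumptions of this example.

```python
# Assumed defaults for absent keywords (OpenSSH of the RHEL 5 era); confirm
# against sshd_config(5) on the host being audited.
DEFAULTS = {
    "permitrootlogin": "yes", "pubkeyauthentication": "yes",
    "passwordauthentication": "yes", "challengeresponseauthentication": "yes",
    "gssapiauthentication": "no", "hostbasedauthentication": "no",
}

# Authentication-related lines of the configuration posted in the message.
POSTED_CONFIG = """\
PermitRootLogin without-password
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
"""

def effective_settings(text):
    """Global settings; sshd uses the first value it reads for each keyword."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "match":
            break  # conditional Match blocks are outside this global check
        seen.setdefault(parts[0].lower(), parts[1].strip().lower() if len(parts) > 1 else "")
    return {**DEFAULTS, **seen}

def root_login_methods(cfg):
    """Authentication methods that could still admit root under cfg."""
    root = cfg["permitrootlogin"]
    if root == "no":
        return []
    on = lambda key: cfg[key] == "yes"
    methods = [m for m, k in (("publickey", "pubkeyauthentication"),
                              ("gssapi-with-mic", "gssapiauthentication"),
                              ("hostbased", "hostbasedauthentication")) if on(k)]
    if root == "forced-commands-only":
        return [m for m in methods if m == "publickey"]
    # Conservative assumption: older releases block only "password" for without-password.
    if root in ("yes", "without-password") and on("challengeresponseauthentication"):
        methods.append("keyboard-interactive")
    if root == "yes" and on("passwordauthentication"):
        methods.append("password")
    return methods
```

The result describes the file only: a running sshd keeps the settings it started with until it is restarted or told to reload its configuration.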


