ssh allowing root login with no password
Steven Buehler
steve at ibushost.com
Tue May 10 14:12:19 UTC 2011
> -----Original Message-----
> On 05/09/11 15:18, Steven Buehler wrote:
> > I am trying to set up our servers to only allow logins with a
> > public/private key pair. 2 of our machines have to have root login
> > access with ssh and the rest, we will login as another account and su
> > to root. I just started with this company and on their boxes which
> > range from version 5.1 to 5.5, if I open up the firewall to allow ssh
> > access from anywhere, I can ssh to root without a password. The only
> > uncommented lines in the /etc/ssh/sshd_config are the following:
> >
> > [snip]
> >
> >
> > I'm hoping that someone can lead me in the right direction as I can't
> > figure this one out. If this was only one machine, I would assume
> > that it might have been hacked, but this is all of their servers and
> > VMs that will allow me to ssh to them without a login/password and
> > get into root. Luckily, they have always had their (supposedly
> > anyway) iptables set to only allow access from specific IPs.
> >
> >
>
> Change / uncomment PermitRootLogin with a value of without-password
>
> --
>
> I changed the line to read
> PermitRootLogin without-password
>
> It still allows a root login without a password or key.
>
> Someone else suggested that there was an authorized_keys file and a
> known_hosts file. I was able to get to these servers from my own personal
> servers that have NEVER ssh'd to these servers before, so the known_hosts
> file from the client server was empty, since it is actually a fresh install
> of mine.
> The authorized_keys file on the sshd server does have 2 keys in it. Those 2
> private keys are NOT on the client server, so there should be no reason it
> lets me in from the remote (client) server.
>
> I have copied over my sshd_config file from one of my personal servers
> where I know they work and I still have the problem.
>
> Below is my new sshd_config file after some changes on one of the servers
> that I need to have root login with a key and not a password, but it still
> allows login without either. I don't know what they did when they set up
> these machines, but it is really ticking me off.
>
> Protocol 2
> SyslogFacility AUTHPRIV
> PermitRootLogin without-password
> StrictModes yes
> PubkeyAuthentication yes
> PermitEmptyPasswords no
> PasswordAuthentication no
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM no
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> X11Forwarding yes
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
> --
>
> Ok. I found the problem and, to me, this looks like a bug. There was one
> public key that when in the authorized_keys2 (or authorized_keys) file
> would allow a login with no private key or password.
>
OK, this is just plain stupid. I created a new private/public key pair and put
ONLY this public key into the authorized_keys2 file in a test account that I
just created, and set the permissions on the .ssh directory and
authorized_keys2 file:
chmod 700 .ssh
chmod 600 .ssh/authorized_keys2
Then I tried to ssh to this account at server from one of my private servers
and it wouldn't let me in. That is good, since I wasn't using a key from
there. I then used my keys to get in from my laptop running Windows 7 and
SecureCRT. I got in as expected. Now, I went back to my private server and
tried to ssh to account at server again, and it let me in, but I was still not
using a key, so it should not have let me in. It allows me in with no password.
What is going on here? Has anybody seen this before?
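The checks a reader of this thread would want, as an added example that is not part of the original post or of OpenSSH itself: a small Python audit of the two files that decide the question. It parses the posted sshd_config with sshd's first-match-wins rule and lists the authentication methods still offered. Note that with PasswordAuthentication and ChallengeResponseAuthentication off, GSSAPIAuthentication yes still admits a client holding a valid Kerberos ticket with neither key nor password, and PermitRootLogin without-password does not switch that method off for root. It also parses authorized_keys entries the way sshd does, splitting off the options field, checking that the base64 blob's embedded type string matches the declared key type, and flagging keys not pinned to source hosts with from=. The file contents, host names, comments and key blobs (just the standard RSA e=65537 prefix, not a real key) are constructed for the example. On the client side, ssh -v reports which method actually succeeded and ssh-add -l shows whether an agent reachable from that shell, including one forwarded from the session you arrived through, is supplying keys.

```python
"""Added example (not from the thread): which authentication methods an
sshd_config really offers, and which authorized_keys lines sshd would honour."""
import base64
import binascii
import re

# Constructed sample: the relevant lines of the sshd_config posted above.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
"""
# (keyword, default per sshd_config(5), SSH authentication method it enables)
METHODS = [("pubkeyauthentication", "yes", "publickey"),
           ("hostbasedauthentication", "no", "hostbased"),
           ("gssapiauthentication", "no", "gssapi-with-mic"),
           ("passwordauthentication", "yes", "password"),
           ("challengeresponseauthentication", "yes", "keyboard-interactive")]
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")

def parse_sshd_config(text):
    """{keyword: value}, lowercase keys, first match wins as in sshd; stops at
    the first Match block so that only global settings are considered."""
    cfg = {}
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(\S+?)(?:\s+|\s*=\s*)(.*)", line)
        if not line or line.startswith("#") or not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        cfg.setdefault(key, value)  # a later duplicate is ignored by sshd
    return cfg

def enabled_auth_methods(cfg):
    """Methods sshd offers for cfg plus defaults (no password: only client-held credentials)."""
    return [m for k, d, m in METHODS if cfg.get(k, d).lower() == "yes"]

def root_login_methods(cfg):
    """Methods usable for root under PermitRootLogin (default yes in this OpenSSH
    generation). without-password only drops password and keyboard-interactive."""
    policy = cfg.get("permitrootlogin", "yes").lower()
    methods = enabled_auth_methods(cfg)
    if policy == "no":
        return []
    if policy in ("without-password", "prohibit-password"):
        return [m for m in methods if m not in ("password", "keyboard-interactive")]
    if policy == "forced-commands-only":
        return [m for m in methods if m == "publickey"]
    return methods

def parse_authorized_key(line):
    """One authorized_keys line -> dict (None for blank/comment lines). Raises
    ValueError where sshd would reject the line: unknown key type, bad base64,
    or a blob whose first wire-format string is not the declared type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Whitespace outside double quotes separates fields (command="ls -l" has a
    # space); sshd treats a leading field that is not a key type as the options.
    fields = re.findall(r'(?:[^\s"]|"[^"]*")+', line)
    options = []
    if fields[0] not in KEY_TYPES:
        options = re.findall(r'(?:[^,"]|"[^"]*")+', fields.pop(0))
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("no recognised key type or missing blob")
    keytype, b64, comment = fields[0], fields[1], " ".join(fields[2:])
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as e:
        raise ValueError("blob is not valid base64: %s" % e)
    n = int.from_bytes(blob[:4], "big") if len(blob) >= 4 else -1
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("blob does not start with %s" % keytype)
    return {"error": None, "keytype": keytype, "comment": comment, "options": options,
            "from_restricted": any(o.startswith("from=") for o in options)}

def audit_authorized_keys(text):
    """Per non-comment line: the parsed key, or {'error': ...} where sshd skips it.
    A key without from= is accepted from any client host."""
    out = []
    for line in text.splitlines():
        try:
            out.append(parse_authorized_key(line))
        except ValueError as e:
            out.append({"error": str(e)})
    return [e for e in out if e]

# Constructed sample: the blob is only the e=65537 RSA prefix, not a real key.
SAMPLE_AUTHORIZED_KEYS = """\
from="192.0.2.0/24",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB unrestricted@laptop
ssh-dss AAAAB3NzaC1yc2EAAAADAQAB mislabelled@paste
ssh-rsa AAAAB3NzaC1yc2E truncated@paste
"""

if __name__ == "__main__":
    print(root_login_methods(parse_sshd_config(SAMPLE_SSHD_CONFIG)), audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS))
```

On the posted config the audit reports publickey and gssapi-with-mic as the offered methods, for root as well, and of the sample keys it accepts the first two, flags the second as usable from any host, and rejects the last two for the same reasons sshd would log. To run it against a real box, read /etc/ssh/sshd_config and ~/.ssh/authorized_keys (or authorized_keys2) into the two functions instead of the constructed strings.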