ssh access
Hello, I am having an issue with ssh access for users of the hosting CP, i.e. Hsphere; clients need to request ssh access and I then allow or disallow it.
The problem is that even after allowing, access is not granted? This is the same for wwwuser, which is the main hsphere system (web) user! Looking in the logs I see:
Code:
Feb 9 16:28:35 cp sshd[84688]: User wwwuser from 77-101-149-1**.cable.ubr09.hari.blueyonder.co.uk not allowed because none of user's groups are listed in AllowGroups
Feb 9 16:28:53 cp sshd[84688]: error: PAM: authentication error for illegal user wwwuser from 77-1**-193.cable.ubr09.hari.blueyonder.co.uk
Feb 9 16:28:53 cp sshd[84688]: Failed keyboard-interactive/pam for invalid user wwwuser from 77.101.1**.193 port 44812 ssh2
Feb 9 16:29:05 cp sshd[84688]: error: PAM: authentication error for illegal user wwwuser from 77-101-1**-193.cable.ubr09.hari.blueyonder.co.uk
Feb 9 16:29:05 cp sshd[84688]: Failed keyboard-interactive/pam for invalid user wwwuser from 77.101.1**.193 port 44812 ssh2
Feb 9 16:29:07 cp sshd[84695]: error: ssh_msg_send: write
Here is my sshd_config; if someone could check to see if I am missing something before I contact Parallels support and part with some cash.
Code:
Protocol 2
# Authentication:
PermitRootLogin without-password
IgnoreRhosts yes
X11Forwarding no
AllowGroups wheel
Subsystem sftp /usr/libexec/sftp-server
Last edited by carpman; 9th February 2009 at 04:49 PM.
Hello, first thing is I did not set up the server initially, so I am trying to work things out.
I believe there are two separate threads here, system ssh access and hsphere, though the setting for the system may be affecting hsphere access. I have one user who is not a hsphere user who I use for system access and su into root from that; this user is in the wheel group. Hsphere puts its users into an ssh jail; there are occasions when shell access is required by a hsphere user and these are given on a requested basis. I have searched the hsphere docs but cannot find anything concerning sshd.conf? Not sure why creating another ssh group will help as the only user in the wheel group is my system admin account! cheers
@carpman: sshd is telling you clearly what the problem is. The user you're trying to ssh in as is not in the wheel group (as per your sshd_config setup).
Creating another ssh group will not help fix the situation you originally posted about. I'm suggesting that you make this change of your own volition because IMO you're potentially asking for trouble from a security perspective.
__________________
Kill your t.v.
Hello, ok been digging deeper and now believe that this is down to an SSH2 public keys issue which is not working on the server.
Code:
In /var/log/messages when the cpanel user tries to SSH as root, the following errors occur:
Feb 18 14:33:17 cp sshd[43030]: error: ssh_msg_send: write
Feb 18 14:33:29 cp sshd[43056]: error: ssh_msg_send: write
I can ssh into the box but the web CP must communicate over SSH2 public keys, which it is failing to do? Also what should permissions be for:
Code:
/root/.ssh and /root/.ssh/authorized_keys2
Code:
cp# cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
#	$FreeBSD: src/crypto/openssh/sshd_config,v 1.42.2.4 2006/11/11 00:51:28 des Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20061110

#Port 22
Protocol 2
AllowGroups wheel
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
LogLevel VERBOSE

# Authentication:

#LoginGraceTime 2m
PermitRootLogin without-password
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
cheers
Last edited by carpman; 18th February 2009 at 07:06 PM.
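A small diagnostic script for the two sshd symptoms in this thread, added here as an example (it is not from the thread, from Hsphere or from Parallels). It pulls AllowGroups out of the global section of an sshd_config and tests whether a user's groups satisfy it, which is exactly the check behind the "none of user's groups are listed in AllowGroups" line in the first post, and it checks the permission rule that StrictModes (default yes in the config above) applies to the home directory, ~/.ssh and authorized_keys/authorized_keys2 before sshd will read a key file. The function names, the file paths and the sample config in the comments are the example's own assumptions.

```shell
#!/bin/sh
# Added diagnostic example, not code from the thread or from Hsphere.
# Checks the two things sshd complained about in the posts above:
#   1. AllowGroups: "none of user's groups are listed in AllowGroups"
#   2. StrictModes: sshd silently ignores authorized_keys when the home
#      directory, ~/.ssh or the key file is group- or world-writable.

# user_allowed_by_groups CONFIG "group1 group2 ..."
# Returns 0 if any of the user's groups matches a pattern on an AllowGroups
# line in the global section of CONFIG (everything before the first Match
# block). Also returns 0 when CONFIG has no AllowGroups directive at all,
# because sshd then applies no group restriction.
user_allowed_by_groups() {
    cfg=$1
    user_groups=$2
    # Collect every word after "AllowGroups" (keyword is case-insensitive),
    # stopping at the first Match block so only global settings count.
    allowed=$(awk 'tolower($1) == "match" { exit }
                   tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$cfg")
    [ -z "$allowed" ] && return 0
    # set -f: AllowGroups may hold patterns like ssh*, which must not be
    # expanded against the current directory when we word-split $allowed.
    set -f
    rc=1
    for g in $user_groups; do
        for pat in $allowed; do
            # Unquoted $pat makes case do glob matching, which covers the
            # * and ? wildcards sshd accepts in AllowGroups.
            case "$g" in
                $pat) rc=0 ;;
            esac
        done
    done
    set +f
    return $rc
}

# group_or_world_writable PATH -> 0 if the group or "other" write bit is set.
# Parses the ls -ld mode string so it behaves the same on FreeBSD and Linux.
group_or_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# strictmodes_ok HOMEDIR
# Mirrors the permission part of sshd's StrictModes check: the home
# directory, .ssh and each authorized_keys file that exists must not be
# writable by group or other. Prints the first offending path and returns 1.
# (sshd also requires these to be owned by the user or root; read that off
# the same ls -ld output.)
strictmodes_ok() {
    home=$1
    for p in "$home" "$home/.ssh" \
             "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [ -e "$p" ] || continue
        if group_or_world_writable "$p"; then
            echo "StrictModes would reject: $p ($(ls -ld "$p" | cut -c1-10))"
            return 1
        fi
    done
    return 0
}

# main USER [SSHD_CONFIG]: run both checks against the live system.
main() {
    u=$1
    cfg=${2:-/etc/ssh/sshd_config}
    groups=$(id -Gn "$u") || return 1
    if user_allowed_by_groups "$cfg" "$groups"; then
        echo "$u: passes AllowGroups (member of: $groups)"
    else
        echo "$u: in none of the AllowGroups groups (member of: $groups)"
    fi
    home=$(eval echo "~$u")
    strictmodes_ok "$home" && echo "$u: $home key file permissions pass StrictModes"
}

if [ $# -ge 1 ]; then
    main "$@"
fi
```

Run as `sh sshcheck.sh wwwuser /etc/ssh/sshd_config` on the box. With the config posted above it reports that wwwuser is in none of the AllowGroups groups, which is the decision the thread turns on: either add the account to a listed group or accept that sshd is doing what it was told. The permission check is the one to run under /root before suspecting the keys themselves, since sshd logs nothing obvious when StrictModes rejects a key file.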
OK, I replaced the ssh_config with the default one and made changes as per the original, and now the authorized_keys2 issue is solved; not sure why, but it is.