DaemonForums  

#1  carpman, 9th February 2009
ssh access

Hello, I am having an issue with ssh access for users of the hosting CP, i.e. Hsphere; clients need to request ssh access and I then allow or disallow.

The problem is that even after allowing it, access is not granted?

This is the same for wwwuser, which is the main hsphere system (web) user!

Looking in logs i see:

Code:
Feb  9 16:28:35 cp sshd[84688]: User wwwuser from 77-101-149-1**.cable.ubr09.hari.blueyonder.co.uk not allowed because none of user's groups are listed in AllowGroups
Feb  9 16:28:53 cp sshd[84688]: error: PAM: authentication error for illegal user wwwuser from 77-1**-193.cable.ubr09.hari.blueyonder.co.uk
Feb  9 16:28:53 cp sshd[84688]: Failed keyboard-interactive/pam for invalid user wwwuser from 77.101.1**.193 port 44812 ssh2
Feb  9 16:29:05 cp sshd[84688]: error: PAM: authentication error for illegal user wwwuser from 77-101-1**-193.cable.ubr09.hari.blueyonder.co.uk
Feb  9 16:29:05 cp sshd[84688]: Failed keyboard-interactive/pam for invalid user wwwuser from 77.101.1**.193 port 44812 ssh2
Feb  9 16:29:07 cp sshd[84695]: error: ssh_msg_send: write

Here is my sshd_config, if someone could check to see if I am missing something before I have to contact Parallels support and part with some cash.

Code:
Protocol 2


# Authentication:

PermitRootLogin without-password


IgnoreRhosts yes

X11Forwarding no

AllowGroups wheel

Subsystem       sftp    /usr/libexec/sftp-server
Many thanks

Last edited by carpman; 9th February 2009 at 04:49 PM.
#2  DutchDaemon, 9th February 2009

Are you sure you want to grant ssh access to a system account which shouldn't have a valid shell?

Last edited by DutchDaemon; 9th February 2009 at 11:17 PM. Reason: barking up wrong tree ;)
#3  anomie, 9th February 2009

The answer is here:
Quote:
not allowed because none of user's groups are listed in AllowGroups
You're allowing only members of the wheel group to ssh in. It might be time to rethink your security scheme, BTW. You have a service account user who you're allowing ssh access to (as DutchDaemon noted), and you're allowing wheel members to ssh in?

How about instead creating a separate account for transferring files over ssh (or whatever it is you're doing) and creating an sshguys group, and changing the sshd_config directive to utilize that group instead of wheel.
__________________
Kill your t.v.
#4  carpman, 10th February 2009

Hello, first thing is I did not set up the server initially, so I am trying to work things out.

I believe there are two separate threads here, system ssh access and hsphere, though the setting for the system may be affecting hsphere access.

I have one user who is not an hsphere user, who I use for system access and su into root from; this user is in the wheel group.

Hsphere puts its users into an ssh jail; there are occasions when shell access is required by an hsphere user and these are given on a request basis.

I have searched the hsphere docs but cannot find anything concerning sshd_config?

Not sure why creating another ssh group will help, as the only user in the wheel group is my system admin account!

cheers
#5  anomie, 10th February 2009

@carpman: sshd is telling you clearly what the problem is. The user you're trying to ssh in as is not in the wheel group (as per your sshd_config setup).

Creating another ssh group will not help fix the situation you originally posted about. I'm suggesting that you make this change of your own volition because IMO you're potentially asking for trouble from a security perspective.
__________________
Kill your t.v.
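As an added example (not code from the thread or from OpenSSH), here is a POSIX sh script that reproduces the AllowGroups decision anomie describes in #3 and #5, so an admin can see which group a user needs before touching the live config. It assumes a config with no Match blocks and the keyword spelled exactly "AllowGroups", and runs against a constructed sample config and constructed group lists.

```shell
# Emulates sshd's AllowGroups decision for one user, to explain a rejection like
# "none of user's groups are listed in AllowGroups" before editing the live config.
# Patterns follow sshd_config(5) PATTERNS: '*' and '?' wildcards, leading '!' negates.
# Assumptions: keyword spelled "AllowGroups", no Match blocks in the file.
set -f   # keep '*' in patterns from being expanded against files in the cwd
# Print the patterns from every uncommented AllowGroups line.
allow_group_patterns() {    # $1 = path to sshd_config
    sed -n 's/^[[:space:]]*AllowGroups[[:space:]]\{1,\}//p' "$1"
}

glob_match() {              # $1 = group name, $2 = pattern; 'case' globbing gives sshd's '*' and '?'
    case "$1" in
        $2) return 0 ;;
    esac
    return 1
}

# Exit 0 = allowed, 1 = denied. A group matching a negated pattern denies outright;
# otherwise some group must match a positive pattern. No AllowGroups line = no restriction.
allowed_by_groups() {       # $1 = sshd_config path, $2.. = user's groups (as from `id -Gn`)
    config=$1; shift
    patterns=$(allow_group_patterns "$config")
    [ -z "$patterns" ] && return 0
    matched=1
    for pat in $patterns; do
        case "$pat" in
            !*) neg=1; pat=${pat#!} ;;
            *)  neg=0 ;;
        esac
        for grp in "$@"; do
            if glob_match "$grp" "$pat"; then
                [ "$neg" -eq 1 ] && return 1
                matched=0
            fi
        done
    done
    return $matched
}

# Constructed config mirroring the thread's directive (not the poster's real file).
write_sample_config() {     # $1 = path
    printf 'Protocol 2\n#AllowGroups commented-lines-are-ignored\nAllowGroups wheel\n' > "$1"
}

# Demo with constructed group lists; on the real box: allowed_by_groups /etc/ssh/sshd_config $(id -Gn wwwuser)
cfg=$(mktemp) && write_sample_config "$cfg"
if allowed_by_groups "$cfg" wheel operator; then echo "admin (wheel): allowed"; fi
if ! allowed_by_groups "$cfg" wwwuser; then echo "wwwuser: denied, no group listed"; fi
rm -f "$cfg"
```

Any edit to the directive only takes effect after sshd is restarted, so re-run the check against the file and then restart the daemon.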
#6  carpman, 11th February 2009

Quote:
Originally Posted by anomie View Post
@carpman: sshd is telling you clearly what the problem is. The user you're trying to ssh in as is not in the wheel group (as per your sshd_config setup).

Creating another ssh group will not help fix the situation you originally posted about. I'm suggesting that you make this change of your own volition because IMO you're potentially asking for trouble from a security perspective.
Hello and thanks for the reply. I have tried adding the user's group, i.e. group 'wwwuser', to AllowedGroups and tried the AllowUsers variable with the user name, but still the same?
#7  jggimi, 11th February 2009

Did you restart sshd?
#8  carpman, 18th February 2009

Hello, ok, been digging deeper and now believe that this is down to an SSH2 public keys issue which is not working on the server.

Code:
In /var/log/messages when the cpanel user tries to SSH as root, the following errors occur:
Feb 18 14:33:17 cp sshd[43030]: error: ssh_msg_send: write
Feb 18 14:33:29 cp sshd[43056]: error: ssh_msg_send: write

I can ssh into the box, but the web CP must communicate over SSH2 public keys, which it is failing to do?


Also what should permissions be for:

Code:
 /root/.ssh and /root/.ssh/authorized_keys2
Here is my current sshd_config:

Code:
cp# cat /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
#       $FreeBSD: src/crypto/openssh/sshd_config,v 1.42.2.4 2006/11/11 00:51:28 des Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20061110

#Port 22
Protocol 2
AllowGroups wheel
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
LogLevel VERBOSE

# Authentication:

#LoginGraceTime 2m
PermitRootLogin without-password
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10


# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

cheers

Last edited by carpman; 18th February 2009 at 07:06 PM.
#9  carpman, 19th February 2009

Ok, I replaced the ssh_config with the default one and made the changes as per the original, and now the authorized_keys2 issue is solved; not sure why, but it is.