DSM-G600, DNS-3xx and NSA-220 Hack Forum
Unfortunately no one can be told what fun_plug is - you have to see it for yourself.
You are not logged in.
Announcement
IRC Channel #funplug on irc.freenode.org
#1 2008-08-06 21:25:34
- boupartac
- Member
- From: Montréal, Québec, Canada
- Registered: 2008-07-29
- Posts: 38
SSH Root access
Hi all,
I would like to disable root logins on my dns-323. The last time I did that, I was not able to connect to my DNS-323 anymore. It was always saying "access denied", for my root and user login, via SSH. I was fortunate enough to be able to log in via ftp and send fun_plug and fun_plug.tgz again and restart my configuration from scratch. I first commented out this line and then rebooted.
#PermitRootLogin yes
Here is my /ffp/etc/ssh/sshd_config file. Can you see what would be wrong? Anybody got the same problem?
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/ffp/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /ffp/etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /ffp/etc/ssh/ssh_host_rsa_key
#HostKey /ffp/etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /ffp/etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /ffp/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
Thanks for your help,
boupartac
Offline
#2 2008-08-07 20:07:49
- boupartac
- Member
- From: Montréal, Québec, Canada
- Registered: 2008-07-29
- Posts: 38
Re: SSH Root access
Nobody?
Offline
#3 2008-08-11 16:26:44
- boupartac
- Member
- From: Montréal, Québec, Canada
- Registered: 2008-07-29
- Posts: 38
Re: SSH Root access
Nobody.
Offline
#4 2008-08-11 17:41:37
- hell0
- Member
- From: .de
- Registered: 2008-05-13
- Posts: 81
Re: SSH Root access
boupartac wrote:
Nobody.
Perhaps nobody wants root access disabled? 
There is a need for login as root, i don't get why you want to disable it..
CH3SNAS firmware 1.05 with WD1000FYPS and ffp 0.5 on USB Stick
Offline
#5 2008-08-11 21:43:19
- boupartac
- Member
- From: Montréal, Québec, Canada
- Registered: 2008-07-29
- Posts: 38
Re: SSH Root access
Because I can connect to my DNS-323 from the Internet (e.g. at Work) and as long as i can "su -" from my login name, there is absolutly no need to connect directly with root. This opens a security hole that is not necessary.
The problem I talked about is the fact that when I disable the root login, I can't login anymore, with both root and my username. It says "Access denied." Under Ubuntu, it works fine. That's why I'm asking.
Offline
#6 2008-08-17 16:18:29
- silversurfer
- Member
- Registered: 2008-07-20
- Posts: 95
Re: SSH Root access
@hell0
The reason for disabling root access to ssh is a security concern. Usually systems are configured to disable logins after a certain number of failed login attempts. If somebody tries a brute force attack on a normal account this account will become locked and the attacker will have bad luck. If you would lock your root account this way you would lock your main administrator out of the system. That's why remote access (with ssh for example) as root is disabled by many system administrators. It is still possible to login with a normal account and su to root. On normal PCs you have a console to login locally. This way you can login as root if all you normal accounts have been locked.
This is not the case on the DNS-323. One could say that it is useless to disable remote root access on the DNS-323 because you could lock yourself out completely when all normal accounts become locked. Still it is better to lock yourself out then to expose root access to the outside world.
@boupartac
These are the only options active in my sshd_config:
Code:
Protocol 2 PermitRootLogin no Subsystem sftp /ffp/libexec/sftp-server
Setting "PermitRootLogin no" should be enough to disable login by root.
Offline
#7 2008-08-18 18:10:25
- boupartac
- Member
- From: Montréal, Québec, Canada
- Registered: 2008-07-29
- Posts: 38
Re: SSH Root access
silversurfer wrote:
@boupartac
These are the only options active in my sshd_config:Code:
Protocol 2 PermitRootLogin no Subsystem sftp /ffp/libexec/sftp-serverSetting "PermitRootLogin no" should be enough to disable login by root.
Thanks for your reply. I tried that myself, but after rebooting, I was not able to login with my user/root accounts... It was saying "access denied". I had to send fun_plug and fun_plug.tgz and start over in order to replace sshd_config...
Everything went well for you? Did you have to reboot? How did you restart the service ssh after making those changes?
Thanks,
boupartac
Offline
#8 2008-08-18 18:28:07
Re: SSH Root access
boupartac wrote:
Thanks for your reply. I tried that myself, but after rebooting, I was not able to login with my user/root accounts... It was saying "access denied". I had to send fun_plug and fun_plug.tgz and start over in order to replace sshd_config...
See the note about reactivating telnet at the end of: http://dns323.kood.org/howto:ffp#the_root_user
No need to reinstall everything when you've locked yourself out.
And why did you reboot? Did it work _before_ rebooting (after /ffp/start/sshd.sh restart)? You might want to leave telnet enabled while experimenting with the ssh config, anyway. Are you running syslog? What's in /var/log/messages?
Offline
#9 2008-08-18 20:10:02
- boupartac
- Member
- From: Montréal, Québec, Canada
- Registered: 2008-07-29
- Posts: 38
Re: SSH Root access
fonz wrote:
See the note about reactivating telnet at the end of: http://dns323.kood.org/howto:ffp#the_root_user
No need to reinstall everything when you've locked yourself out.
Yeah, I know, but when I first bought & installed my DNS-323, I disabled telnet after enabling ssh, and while messing with sshd_config, I locked myself out, without being able to log in again (since telnetd was r--r--r--)
fonz wrote:
And why did you reboot? Did it work _before_ rebooting (after /ffp/start/sshd.sh restart)? You might want to leave telnet enabled while experimenting with the ssh config, anyway. Are you running syslog? What's in /var/log/messages?
Well, I restarted ssh. Since I did that in console, it didn't start again, so I had to reboot to restart ssh (n00b, i know. I am used to Ubuntu, where I restart this service once in a while without problems).
I will start and leave telnet running while trying to configure ssh. I am running syslog, yes, but I don't remember the error messages I had at first. Let me try that tonight and I'll keep you guys posted.
Thanks,
boupartac
Last edited by boupartac (2008-08-18 20:16:42)
Offline
#10 2008-08-19 16:17:23
- boupartac
- Member
- From: Montréal, Québec, Canada
- Registered: 2008-07-29
- Posts: 38
Re: SSH Root access
Hi again,
I tried that again last night, and (before I crashed my DNS-323 for some other reason) it was refusing connection from root, sweet. Don't know what happened last time!
Thanks,
boupartac
Offline