ssh nemuzu se prihlasit pomoci public key
Petr Bartel
cyber na irix-servis.cz
Čtvrtek Prosinec 23 09:13:51 CET 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Caute lidi,
na jednom z mych stroju nastala situaci kdy mi prestala fungovat
autentizace pomoci verejneho klice, vzdy mi vnuti keybord-interactive a
chce heslo. Jak tomu zabranit ?
**************************************************************************
OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to ******** port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version
OpenSSH_3.8.1p1 Debian 1:3.8.1p1-6.backports.org.1
debug1: match: OpenSSH_3.8.1p1 Debian 1:3.8.1p1-6.backports.org.1 pat
OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'mail.risk.cz' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:15
debug1: ssh_rsa_verify: signature correct
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
**************************************************************************
[root na risk-linux:~] 09:10:11 # ls -alsh .ssh/
4.0k drwx------ 2 root root 4.0k pro 23 08:39 .
4.0k drwxrwxrwx 8 root root 4.0k pro 21 19:49 ..
4.0k -r-------- 1 root root 1.8k pro 23 08:39 authorized_keys
4.0k -rw------- 1 root root 668 pro 21 19:10 id_dsa
4.0k -rw-r--r-- 1 root root 605 pro 21 19:10 id_dsa.pub
[root na risk-linux:~] 09:10:47 #
**************************************************************************
[root na risk-linux:~] 09:10:47 # cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for
RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication no
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
Subsystem sftp /usr/lib/sftp-server
UsePAM yes
**************************************************************************
a jedinou moznou zradu vidim nekde v pam
[root na risk-linux:~] 09:11:43 # cat /etc/pam.d/ssh
# PAM configuration for the Secure Shell service
# Disallow non-root logins when /etc/nologin exists.
auth required pam_nologin.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# Standard Un*x authentication.
auth required pam_unix.so
# Standard Un*x authorization.
account required pam_unix.so
# Standard Un*x session setup and teardown.
session required pam_unix.so
# Print the message of the day upon successful login.
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Standard Un*x password updating.
password required pam_unix.so
diky za rady
Petr
- --
Intelligence is the ability to avoid doing work, yet getting the work done.
Linus Torvalds
Petr Bartel ICQ 74097173
Irix a.s. e-mail bartel at irix dot cz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFByn4/zO0gscxrtkkRAv8HAJ4s58yGPtFeKAZ72yP+f8wSI1vftwCfZgD5
IWfYyjDA044RvCorquR7Mak=
=FUiT
-----END PGP SIGNATURE-----
Další informace o konferenci Linux