Disabling direct remote root logins using SSH

Post by Nicole Harv » Sun, 11 May 2003 09:29:35

Hello..

I want to disable remote login as root directly using SSH. telnet is
already blocked and every user has to log on using SSH. I looked at
the /etc/default/login file and console=/dev/console and it's not
commented out. I changed it to console=- so that I can avoid root
logins directly anywhere. But it does still allow direct remote root
logins via SSH. Am I missing something here? I sent a HUP to inetd and
also /etc/ftpusers does have root and there is no hosts.equiv file in
/etc

Please advise,
Thanks,
Nicole.

Post by Dave Uhrin » Sun, 11 May 2003 09:38:17

> Hello..

> I want to disable remote login as root directly using SSH. telnet is
> already blocked and every user has to log on using SSH. I looked at
> the /etc/default/login file and console=/dev/console and it's not
> commented out. I changed it to console=- so that I can avoid root
> logins directly anywhere. But it does still allow direct remote root
> logins via SSH. Am I missing something here? I sent a HUP to inetd and
> also /etc/ftpusers does have root and there is no hosts.equiv file in
> /etc

/etc/ssh/sshd_config

Post by Martin Schoe » Fri, 16 May 2003 02:16:32

>>Hello..

>>I want to disable remote login as root directly using SSH. telnet is
>>already blocked and every user has to log on using SSH. I looked at
>>the /etc/default/login file and console=/dev/console and it's not
>>commented out. I changed it to console=- so that I can avoid root
>>logins directly anywhere. But it does still allow direct remote root
>>logins via SSH. Am I missing something here? I sent a HUP to inetd and
>>also /etc/ftpusers does have root and there is no hosts.equiv file in
>>/etc

> /etc/ssh/sshd_config

Preferred way is tcp_wrappers.
Install it and control access via /etc/hosts.{allow|deny}

You might need an actual ssh-version (by means of buffer-overflows a
good consideration anyway) compiled with tcp_wrappers support.
-> sunfreeware.com will serve you well.
Or compile it yourself -> openssh.org.

Positive side effect: you can control telnet/ftp access with tcp_wrappers
as well.

Martin

Post by Dave Uhrin » Fri, 16 May 2003 02:24:30

>>>Hello..

>>>I want to disable remote login as root directly using SSH. telnet is
>>>already blocked and every user has to log on using SSH. I looked at
>>>the /etc/default/login file and console=/dev/console and it's not
>>>commented out. I changed it to console=- so that I can avoid root
>>>logins directly anywhere. But it does still allow direct remote root
>>>logins via SSH. Am I missing something here? I sent a HUP to inetd and
>>>also /etc/ftpusers does have root and there is no hosts.equiv file in
>>>/etc

>> /etc/ssh/sshd_config

> Preferred way is tcp_wrappers.
> Install it and control access via /etc/hosts.{allow|deny}

If and only if sshd was compiled with the tcp_wrappers option (was it?)
and sshd is started from inetd which by default it is not, at least in
Solaris 9.

And if it were the preferred method then how come Sun did not do that with
Solaris 9?

> Positive side effect: you can control telnet/ftp access with tcp_wrappers
> as well.

Telnet is evil; it is wholly insecure.  Telnet -should- never be enabled.

Post by ger.. » Fri, 16 May 2003 05:52:19

>>>>Hello..
>>>>I want to disable remote login as root directly using SSH. telnet is
>>>>already blocked and every user has to log on using SSH. I looked at
>>>>the /etc/default/login file and console=/dev/console and it's not
>>>>commented out. I changed it to console=- so that I can avoid root
>>>>logins directly anywhere. But it does still allow direct remote root
>>>>logins via SSH. Am I missing something here? I sent a HUP to inetd and
>>>>also /etc/ftpusers does have root and there is no hosts.equiv file in
>>>>/etc

inetd has * all to do with libwrap : >

>>> /etc/ssh/sshd_config

That will do it - in fact it's usually the default..??

>> Preferred way is tcp_wrappers.
>> Install it and control access via /etc/hosts.{allow|deny}
> If and only if sshd was compiled with the tcp_wrappers option (was it?)
> and sshd is started from inetd which by default it is not, at least in
> Solaris 9.

Are you sure about that? : >
ldd /usr/lib/ssh/sshd|grep wrap
        libwrap.so.1 =>  /usr/sfw/lib/libwrap.so.1
> And if it were the preferred method then how come Sun did not do that with
> Solaris 9?

Looks like they did.
cat /etc/release
                        Solaris 9 4/03 s9s_u3wos_08 SPARC
           Copyright 2003 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                           Assembled 25 February 2003

>> Positive side effect: you can control telnet/ftp access with tcp_wrappers
>> as well.
> Telnet is evil; it is wholly insecure.  Telnet -should- never be enabled.

Agreed on that

Post by Dave Uhrin » Fri, 16 May 2003 07:12:17

>> If and only if sshd was compiled with the tcp_wrappers option (was it?)
>> and sshd is started from inetd which by default it is not, at least in
>> Solaris 9.
> Are you sure about that? : >
> ldd /usr/lib/ssh/sshd|grep wrap
>         libwrap.so.1 =>  /usr/sfw/lib/libwrap.so.1

Agreed, Sun's version of OpenSSH was compiled with that option.

>> And if it were the preferred method then how come Sun did not do that with
>> Solaris 9?
> Looks like they did.
> cat /etc/release
>                         Solaris 9 4/03 s9s_u3wos_08 SPARC
>            Copyright 2003 Sun Microsystems, Inc.  All Rights Reserved.
>                         Use is subject to license terms.
>                            Assembled 25 February 2003

But you have not shown where tcp_wrappers is used to control access to
sshd.  Please do that.

If you look at TCPD(1M) you will see that inetd is required for its usage:

     Operation is as follows:  whenever  a  request  for  service
     arrives,  the  inetd daemon is tricked into running the tcpd
     program instead of the desired server. tcpd logs the request
     and does some additional checks. When all is well, tcpd runs
     the appropriate server program and goes away.

Post by Martin Schoe » Fri, 16 May 2003 07:17:54

>>Positive side effect: you can control telnet/ftp access with tcp_wrappers
>>as well.

> Dave Uhring replied

>> Telnet is evil; it is wholly insecure.  Telnet -should- never be enabled.

One more reason to strictly control it, if, for whatever reason, you
want to use it.
Besides that I absolutely agree with you. Telnet/FTP over the net and
your username's password might be dogmeat.

Martin

Post by Darren Dunha » Fri, 16 May 2003 07:23:56

> But you have not shown where tcp_wrappers is used to control access to
> sshd.  Please do that.
> If you look at TCPD(1M) you will see that inetd is required for its usage:
>      Operation is as follows:  whenever  a  request  for  service
>      arrives,  the  inetd daemon is tricked into running the tcpd
>      program instead of the desired server. tcpd logs the request
>      and does some additional checks. When all is well, tcpd runs
>      the appropriate server program and goes away.

Inetd is required for 'tcpd', but tcpd is only one component of tcp
wrappers.

Arbitrary programs (such as sshd) may choose to compile with the libwrap
libraries, at which point they will make use of the /etc/hosts.allow and
related files.  Tcpd is not used when this path is taken.

--

Unix System Administrator                    Taos - The SysAdmin Company
Got some Dr Pepper?                           San Francisco, CA bay area
         < This line left intentionally blank to confuse you. >

Post by Martin Schoe » Fri, 16 May 2003 07:29:50

> But you have not shown where tcp_wrappers is used to control access to
> sshd.  Please do that.

> If you look at TCPD(1M) you will see that inetd is required for its usage:

Nope.

At least the (latest?) ssh version 3.5p1 you get from openssh is by
default controlled through ( and thus compiled with support for)
tcp_wrappers.
Of course you still have the sshd_config, but this should be obsolete.

However, I cannot prove this now and show you the docs, but installed it
on at least a dozen machines and restricted access 'on the fly'.

Or was your 'where' meant in the sense of 'how to do this in
/etc/hosts.{deny|allow}'?

Martin

Post by Martin Schoe » Fri, 16 May 2003 07:39:30

>> But you have not shown where tcp_wrappers is used to control access to
>> sshd.  Please do that.

>> If you look at TCPD(1M) you will see that inetd is required for its
>> usage:

> Nope.

> At least the (latest?) ssh version 3.5p1 you get from openssh is by
> default controlled through ( and thus compiled with support for)
> tcp_wrappers.

Forgotten: for some earlier versions you had the option to pick the
sources and compile it manually with tcp_wrappers support.

Martin

Post by Dave Uhrin » Fri, 16 May 2003 08:12:58

>> But you have not shown where tcp_wrappers is used to control access to
>> sshd.  Please do that.

>> If you look at TCPD(1M) you will see that inetd is required for its usage:

>>      Operation is as follows:  whenever  a  request  for  service
>>      arrives,  the  inetd daemon is tricked into running the tcpd
>>      program instead of the desired server. tcpd logs the request
>>      and does some additional checks. When all is well, tcpd runs
>>      the appropriate server program and goes away.

> Inetd is required for 'tcpd', but tcpd is only one component of tcp
> wrappers.

> Arbitrary programs (such as sshd) may choose to compile with the libwrap
> libraries, at which point they will make use of the /etc/hosts.allow and
> related files.  Tcpd is not used when this path is taken.

I have sshd running on this Ultra1 and there are no /etc/hosts.* files
whatever, yet I can connect as root from my other hosts.  The sshd is the
stock Solaris 9 version and ldd does show libwrap as one of its
dependencies.

Yes, creating /etc/hosts.deny

ALL:ALL

does indeed prevent ssh connections.

So your description is correct.

But the proper place to deny root access via ssh is /etc/ssh/sshd_config.
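The thread keeps coming back to /etc/ssh/sshd_config as the place to refuse root logins, and a detail that often makes an edit there look ineffective is that sshd takes the first PermitRootLogin line it reads: a second, later line is ignored. The shell script below is an added example, not code from anyone in the thread or from OpenSSH. It reads an sshd_config file and reports the value sshd would actually use. The sample config is constructed; the script only handles "Keyword value" lines (not "Keyword=value" or Match blocks), and the fallback when the keyword is absent is passed in by the caller, since the built-in default was "yes" in the OpenSSH releases of this era and is "prohibit-password" in current ones.

```shell
#!/bin/sh
# Added example (not from the thread): report the PermitRootLogin value that
# sshd would use from an sshd_config file.
# sshd keeps the FIRST value it reads for a keyword, so a later duplicate
# line never overrides an earlier one; a common reason an edit "does nothing".
# Assumptions: "Keyword value" lines only (no "Keyword=value"), no Match
# blocks, and the caller supplies the built-in default for a missing keyword.

# Constructed sample config: the "no" on line 4 wins, the later "yes" is ignored.
SAMPLE_SSHD_CONFIG='# constructed sshd_config for the example
Port 22
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
PasswordAuthentication yes
'

# Usage: effective_permit_root_login FILE [DEFAULT]
# Prints the effective value in lower case; DEFAULT ("yes" if not given)
# when the keyword never appears.
effective_permit_root_login() {
    awk -v def="${2:-yes}" '
        /^[[:space:]]*#/ { next }                   # comment line
        NF == 0          { next }                   # blank line
        tolower($1) == "permitrootlogin" {          # keywords are case-insensitive
            print tolower($2); found = 1; exit      # first occurrence wins
        }
        END { if (!found) print def }
    ' "$1"
}

# Usage: root_login_allowed FILE [DEFAULT]
# Exit status 0 when a direct root login is possible at all (any value but "no").
root_login_allowed() {
    [ "$(effective_permit_root_login "$1" "$2")" != "no" ]
}

# Stand-alone run: write the constructed sample to a temp file and report on it.
demo_config=$(mktemp)
printf '%s' "$SAMPLE_SSHD_CONFIG" > "$demo_config"
printf 'effective PermitRootLogin: %s\n' "$(effective_permit_root_login "$demo_config")"
if root_login_allowed "$demo_config"; then
    echo "direct root login via ssh: still possible"
else
    echo "direct root login via ssh: blocked"
fi
rm -f "$demo_config"
```

Run it against the real file with `effective_permit_root_login /etc/ssh/sshd_config`; remember that sshd only reads the file at start-up or on a HUP, so a correct value here does not mean the running daemon has it yet.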

 
 
 

Post by Dave Uhrin » Sat, 17 May 2003 02:05:40

>>>> But you have not shown where tcp_wrappers is used to control access to
>>>> sshd.  Please do that.

> Sure - thought it was a no-brainer, sorry. Example:
> /etc/hosts.allow
> sshd:   127.0.0.1 : ALLOW

Which allows only local access to sshd.  Impossible to access this host
from remote hosts by -any- user, not just root.  Not very useful, it
appears.

>> So your description is correct.
> Gotta get it right some of the time : >

You still have not shown how to permit remote user access while denying
root access using tcp_wrappers.

>> But the proper place to deny root access via ssh is /etc/ssh/sshd_config.

> The advantage of libwrap becomes somewhat more clear (I think) when
> you try a telnet to the port: no answer - short delay - connection refused

The discussion is about SSH, not telnet, even if the OP wants to disable
root ;-)
 
 
 

Post by Arthur Mars » Sat, 14 Jun 2003 23:35:43

>>>>Hello..

>>>>I want to disable remote login as root directly using SSH. telnet is
>>>>already blocked and every user has to log on using SSH. I looked at
>>>>the /etc/default/login file and console=/dev/console and it's not
>>>>commented out. I changed it to console=- so that I can avoid root
>>>>logins directly anywhere. But it does still allow direct remote root
>>>>logins via SSH. Am I missing something here? I sent a HUP to inetd and
>>>>also /etc/ftpusers does have root and there is no hosts.equiv file in
>>>>/etc

>>>/etc/ssh/sshd_config

>>Preferred way is tcp_wrappers.
>>Install it and control access via /etc/hosts.{allow|deny}

> If and only if sshd was compiled with the tcp_wrappers option (was it?)
> and sshd is started from inetd which by default it is not, at least in
> Solaris 9.

> And if it were the preferred method then how come Sun did not do that with
> Solaris 9?

>>Positive side effect: you can control telnet/ftp access with tcp_wrappers
>>as well.

> Telnet is evil; it is wholly insecure.  Telnet -should- never be enabled.

I remember secure telnet being discussed at the 1993 Australian Unix
Users Group conference and being available in recent versions of
C-Kermit and Kermit 95 (Kermit also supports secure ftp, see
http://www.columbia.edu/kermit). Secure telnet servers can be configured
to disable non-secure telnet access.

Nevertheless, the "telnet is [always] insecure" bigots win out.

Arthur.

Post by Dave Uhrin » Sun, 15 Jun 2003 01:07:12

> I remember secure telnet being discussed at the 1993 Australian Unix
> Users Group conference and being available in recent versions of
> C-Kermit and Kermit 95 (Kermit also supports secure ftp, see
> http://www.columbia.edu/kermit). Secure telnet servers can be configured
> to disable non-secure telnet access.

That version of telnet does not appear to be available from Sun in
Solaris.  Nor is it implemented in Windows, any Linux distro or any BSD.
Of what relevance is your comment to my previous statement?

> Nevertheless, the "telnet is [always] insecure" bigots win out.

Get Sun to adopt and implement it and I'll retract my statement.

Post by Jeffrey Altm » Fri, 20 Jun 2003 17:39:00

> > I remember secure telnet being discussed at the 1993 Australian Unix
> > Users Group conference and being available in recent versions of
> > C-Kermit and Kermit 95 (Kermit also supports secure ftp, see
> > http://www.columbia.edu/kermit). Secure telnet servers can be configured
> > to disable non-secure telnet access.

> That version of telnet does not appear to be available from Sun in
> Solaris.  Nor is it implemented in Windows, any Linux distro or any BSD.
> Of what relevance is your comment to my previous statement.

> > Nevertheless, the "telnet is [always] insecure" bigots win out.

> Get Sun to adopt and implement it and I'll retract my statement.

Solaris, RedHat Linux, HP-UX, AIX, Debian, and many other operating
systems already include a secure form of telnetd.  It's the Kerberos Telnet
daemon.

It is true that these operating systems do not include the TLS Telnet daemon
which would be desired by those not willing to commit to a Kerberos Realm
configuration.  However, there are several distributions all of which build
and install on all of the major and minor Unixes.

  http://www.kermit-project.org/telnetd.html