topic Re: Cannot ssh root@server after running Bastille... in Operating System - HP-UX

Cannot ssh root@server after running Bastille...

Lee Harris_5 — Wed, 13 Apr 2005 02:19:33 GMT

Aha! I know the easy option would be to run bastille -r, but I like all the changes Bastille has made...it's just this one particular thing thats a problem.

I ran bastille on a test box we have just to see what the affects of hardening the system would be.

Yesterday, after I did this, I was pretty sure that I was able to directly logon as root but only using ssh to connect.

However today I tried to ssh to the server as root, but after it let me put in my password, it then logs me straight off...

It goes a little something like this...

ssh root@myserver
Password: secret1

Connection to myserver closed.

I also tried logging in using PuTTY but the same thing happened.

Can someone tell me what setting I need to change in what config file? I originally assumed /opt/ssh/etc/sshd_config, but couldn't see any parameters which looked appropriate.

Many Thanks! - Lee

Re: Cannot ssh root@server after running Bastille...

Matti_Kurkela — Wed, 13 Apr 2005 02:55:30 GMT

/opt/ssh/etc/sshd_config is usually the correct file. The setting to look for is "PermitRootLogin no".

You should reconsider allowing ssh to root using password authentication. If you need ssh access to root account, could you use SSH public key authentication for that?

The PermitRootLogin has two other settings than a simple yes/no. One is "without-password" which is a bit of a misnomer IMHO: it actually means that root cannot use password authentication but other authentication schemes (mainly SSH keys, but also PAM keyboard-interactive authentication) can be used.

The other is "forced-commands-only", which allows direct logins as root only with public key authentication, but further limits it. Access is allowed for running only the specific commands that are defined in /root/.ssh/authorized_keys, one command per key. This might be useful for automated remote backups and such.

Re: Cannot ssh root@server after running Bastille...

Lee Harris_5 — Wed, 13 Apr 2005 03:22:21 GMT

Hi, thanks for the reply...

I uncommented the line in sshd_config so I've now got...

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

...but I still cannot logon directly as root...

As for using Public Keys...as fun as that sounds, I'm too much of an SSH noob to start fiddling with that kind of hardcore SSH stuff.

Anyway, I changed the config, gave it some kill - SIGHUP on SSHD pid, but its still not letting me login as root.

Re: Cannot ssh root@server after running Bastille...

Robert Fritz — Fri, 22 Apr 2005 18:01:40 GMT

Note that Bastille doesn't configure SSH, it just makes a hole in the IPFitler-based firewall for your traffic to get through (if you use Bastille to set up your firewall, and ask it to make the hole).

-Robert

Re: Cannot ssh root@server after running Bastille...

Patrick Wallek — Fri, 22 Apr 2005 18:45:26 GMT

Check you /etc/securetty file and see if it has the word 'console' in it. If it does, try renaming the file to something else (/etc/securetty.orig for instance) and then try your SSH again.

I don't recall if SSH looks at the securetty file or not. It can't hurt to give it a try though.

Re: Cannot ssh root@server after running Bastille...

Darrel Louis — Sun, 24 Apr 2005 03:31:02 GMT

Lee,

Bastille doesn't do anything with SSH.
As Patrick mentioned the root login isn't possible, only from the console.
When you temporary move the /etc/securetty to another name you will be possible to login as root directly.
But from a security point of view you don't really want this.

I've done the following to create a secure system:
- Bastille
- Benchmark scoring tool ( http://www.cisecurity.org )

Have Fun

Darrel