topic Re: Stop ssh root login in Operating System - HP-UX

Stop ssh root login

John Mak — Tue, 28 Nov 2006 20:00:24 GMT

Hi All,

I'm currently having trouble with securing root login after installing HP-UX Secure Shell A.04.30.014

I believe that I have setup the /opt/ssh/etc/sshd_config file correctly with the bellow config.

hostA /opt/ssh/etc #
hostA /opt/ssh/etc # grep EnforceSecureTTY sshd_config
EnforceSecureTTY yes
hostA /opt/ssh/etc # grep PermitRootLogin sshd_config
PermitRootLogin yes
# "PermitRootLogin without-password". If you just want the PAM account and
hostA /opt/ssh/etc # cat /etc/securetty
console
hostA /opt/ssh/etc #

Denying Telnet connection is working fine. In the current state I’m still able to ssh using the root login, as can be seen bellow

hostB /root/.ssh # ssh -v root@hostA
OpenSSH_4.3p2-hpn, OpenSSL 0.9.7i 14 Oct 2005
HP-UX Secure Shell-A.04.30.014, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to hostA [X.X.X.X] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/3
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2-hpn
debug1: match: OpenSSH_4.3p2-hpn pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2-hpn
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'hostA' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last successful login for root: Wed Nov 29 11:32:11 EST-10EDT 2006
Last unsuccessful login for root: NEVER
Last login: Wed Nov 29 11:32:11 2006 from hostB.towerlife

hostA /root #
hostA /root #
hostA /root #
hostA /root #
logout
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to hostA closed.
debug1: Transferred: stdin 0, stdout 0, stderr 32 bytes in 174.8 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.2
debug1: Exit status 0
hostB /root/.ssh #

I have had a look around and can not see the source of the problem.

Any help or pointing me in the right direction would be appreciated.

Thanks

Re: Stop ssh root login

Patrick Wallek — Tue, 28 Nov 2006 20:53:45 GMT

Change the line:

PermitRootLogin yes

to:

PermitRootLogin no

Then stop and restart SSH.

# /sbin/init.d/secsh stop

# /sbin/init.d/secsh start

You will then NOT be allowed to ssh as root.

Re: Stop ssh root login

KapilRaj — Tue, 28 Nov 2006 20:55:59 GMT

PermitRootLogin no #### Thats all you willl need and a restart to sshd.

Re: Stop ssh root login

John Mak — Tue, 28 Nov 2006 21:19:49 GMT

According to the link http://www2.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000082022499 And HP-UX Secure Shell Getting Started, if I set EnforceSecureTTY and PermitRootLogin to yes I should get the following result:

SSH A.04.20 Behaviour
Host login will be allowed only for those root users whose pty's are listed in the /etc/securetty file
Hostcommand execution will be allowed for all root users (independent of /etc/securetty)

scp and sftp A.04.20 Behaviour
scp and sftp execution will be allowed for all root users regardless of /etc/securetty

This combination (currently in force now) should have the desired result I wish to achieve.

I have considered setting PermitRootLogin to no but this would not be a practical solution for my situation.

Re: Stop ssh root login

Patrick Wallek — Tue, 28 Nov 2006 22:26:54 GMT

I guess I'm not clear on what EXACTLY you are trying to accomplish then.

For what you initially stated initially, setting PermitRootLogin to no is the way to go.

If there are other details you haven't stated, then those would be helpful to us to help you further.

Re: Stop ssh root login

John Mak — Tue, 28 Nov 2006 23:23:36 GMT

Apologies for not being clearer in my original question.

What I trying to achieve was not allowing direct root logins to a system and force a su, (utilizing EnforceSecureTTY) but I would like to execute the scp command as root from HostA to HostB and vice versa therefore leaving PermitRootLogin to be yes.

From what I understood from the material I have looked at, this should be the case with my YES YES config. At the moment Im able to scp and also login directly as root, which I wish to avoid.

Re: Stop ssh root login

John Mak — Sun, 03 Dec 2006 18:20:55 GMT