topic Re: Disable root login with ssh? in Operating System - HP-UX

Disable root login with ssh?

John Clifford_1 — Thu, 14 Feb 2002 15:16:00 GMT

Here's a baffling one. I have two HPUX boxes. I am using ssh2 to connect to them. One the first one I can login as root and on the second I cannot. The question is why? In their /etc/sshd_config files they both have the line
PermitRootLogin yes
...so one should be able to login as root to both, no?
But then /etc/securetty only has the line
CONSOLE

Are there other files that I need to check to find out why one is properly locked down but the other isn't???

Re: Disable root login with ssh?

Patrick Wallek — Thu, 14 Feb 2002 15:18:52 GMT

If the word console is in the /etc/securetty file then root will only be able to login directly from the console. With this set up, you can log in as a normal user and 'su -' to root, or possibly rlogin to the machine as root. But from just a telnet or ssh type login root will be disabled.

Re: Disable root login with ssh?

Craig Rants — Thu, 14 Feb 2002 15:19:58 GMT

John,
/etc/securetty only affects items such as rlogin and telnet, ssh is not affected. The /etc/sshd_config the PermitRootLogin option should be no if you don't want root to login. Once that change is made, then kill -HUP `cat /var/run/sshd.pid` and you should be good.

GL,
C

Re: Disable root login with ssh?

Craig Rants — Thu, 14 Feb 2002 15:22:27 GMT

Patrick, I must disagree on this one, I have setup more than 40 servers with securetty and the only entry is console. I still have root level access through secure shell. Just my experience.

C

Re: Disable root login with ssh?

John Clifford_1 — Thu, 14 Feb 2002 15:27:47 GMT

I still don't understand how I can NOT log in to the one where PermitRootLogin is set to "yes".

Re: Disable root login with ssh?

Craig Rants — Thu, 14 Feb 2002 15:32:32 GMT

Try using ssh -v and evaluate the output. Possibly post your results. Also, on the server you are trying to access, do the kill -HUP, it could be that the change was made to the sshd_config file but the daemon was not told to reread the config file.

Looking forward to your ssh -v output.

GL,
C

Re: Disable root login with ssh?

John Clifford_1 — Thu, 14 Feb 2002 15:49:24 GMT

This is what I get when I try to ssh (as root) to the locked down machine:

root@ovmngr10 $ ssh -v -l root ovmngr3
debug: hostname is 'ovmngr3'.
debug: Unable to open //.ssh2/ssh2_config
debug: connecting to ovmngr3...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: SshAuthMethodClient/sshauthmethodc.c:119: Added "publickey" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:119: Added "password" to usable methods.
debug: Ssh2Client/sshclient.c:1142: creating userauth protocol
debug: Ssh2Common/sshcommon.c:544: local ip = 145.26.100.103, local port = 56889
debug: Ssh2Common/sshcommon.c:546: remote ip = 145.26.100.101, remote port = 22
debug: SshConnection/sshconn.c:1866: Wrapping...
debug: Ssh2Transport/trcommon.c:599: Remote version: SSH-1.99-2.4.0 F-SECURE SSH
debug: Ssh2Transport/trcommon.c:1124: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1127: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Client/sshclient.c:406: Host key found from database.
debug: Ssh2Common/sshcommon.c:348: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/sshcommon.c:398: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:777: adding keyfile "//.ssh2/id_dsa_1024_a" to candidates
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:777: adding keyfile "//.ssh2/id_dsa_1024_b" to candidates
debug: Ssh2AuthClient/sshauthc.c:308: Method 'publickey' disabled.
debug: Ssh2AuthPasswdClient/authc-passwd.c:95: Starting password query...
root's password:
debug: Ssh2AuthPasswdClient/authc-passwd.c:95: Starting password query...
root's password:

As you can see it didn't accept the password that I supplied (which was correct).

On the other machine it's the same except I can log in as root.

Re: Disable root login with ssh?

Craig Rants — Thu, 14 Feb 2002 16:09:07 GMT

I didn't see anything out of the ordinary, what about an ssh -v output from the server you can get into? Maybe we can compare the differences and find something there.

C

Re: Disable root login with ssh?

John Clifford_1 — Thu, 14 Feb 2002 16:24:27 GMT

The plot thickens, Craig.

On the box I can get into, I set the PermitRootLogins to no in the sshd_config, logged out and can still log in as root!!! Surely I'm missing the plot here.

Re: Disable root login with ssh?

Craig Rants — Thu, 14 Feb 2002 16:28:57 GMT

Did you have the sshd reread the config file? (kill -HUP `cat /var/run/sshd.pid`). Your sshd.pid file may be in a different place, but this is pretty standard.

On the box you can get into, is there a ~root/.shosts file or ~root/.ssh2/authorized_keys file? These things could possibly be bypassing things. Also, what does the IgnoreRootRhosts option say in you /etc/sshd_config file.

C

Re: Disable root login with ssh?

Craig Rants — Thu, 14 Feb 2002 20:06:20 GMT

I'm still here John

Re: Disable root login with ssh?

John Clifford_1 — Fri, 15 Feb 2002 10:22:16 GMT

Sorry Craig,

There is no .shosts file and the IgnoreRhosts in sshd_config is set to no.
Also there is no /.ssh2/authorized_keys file.

Re: Disable root login with ssh?

Craig Rants — Fri, 15 Feb 2002 14:30:11 GMT

I wondering if there is something different about F-Secure's version (that's what you are using if I am correct). I've used openssh and ssh from ssh.org, but never the F-Secure version before. What we worked on should have taken care of the problem in both versions. If you did purchase it, do you have support from F-Secure?

Still willing to try and resolve this thing.

C