Operating System - HP-UX

Re: Cannot ssh root@server after running Bastille...

 
Lee Harris_5
Valued Contributor

Cannot ssh root@server after running Bastille...

Aha! I know the easy option would be to run bastille -r, but I like all the changes Bastille has made...it's just this one particular thing that's a problem.

I ran Bastille on a test box we have just to see what the effects of hardening the system would be.

Yesterday, after I did this, I was pretty sure that I was able to directly logon as root but only using ssh to connect.

However today I tried to ssh to the server as root, but after it let me put in my password, it then logs me straight off...

It goes a little something like this...

ssh root@myserver
Password: secret1

Connection to myserver closed.

I also tried logging in using PuTTY but the same thing happened.

Can someone tell me what setting I need to change in what config file? I originally assumed /opt/ssh/etc/sshd_config, but couldn't see any parameters which looked appropriate.

Many Thanks! - Lee
Matti_Kurkela
Honored Contributor

Re: Cannot ssh root@server after running Bastille...

/opt/ssh/etc/sshd_config is usually the correct file. The setting to look for is "PermitRootLogin no".

You should reconsider allowing ssh to root using password authentication. If you need ssh access to the root account, could you use SSH public key authentication for that?

PermitRootLogin has two settings other than a simple yes/no. One is "without-password", which is a bit of a misnomer IMHO: it actually means that root cannot use password authentication but other authentication schemes (mainly SSH keys, but also PAM keyboard-interactive authentication) can be used.

The other is "forced-commands-only", which allows direct logins as root only with public key authentication, but further limits it. Access is allowed for running only the specific commands that are defined in /root/.ssh/authorized_keys, one command per key. This might be useful for automated remote backups and such.
MK
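An added example, not part of any post in this thread: a shell check that reports which PermitRootLogin value is actually in effect in an sshd_config, skipping commented-out lines and taking the first uncommented global entry. The function names and the sample file are constructed for illustration, and the summaries restate the meanings given in the reply above.

```shell
#!/bin/sh
# effective_root_login FILE
# Prints the value of the first uncommented PermitRootLogin line that appears
# before any Match block, or "unset" when there is none. The keyword is
# matched case-insensitively; the value is printed exactly as written.
effective_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }            # strip leading whitespace
        /^#/ || /^$/ { next }             # ignore comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }           # entries below Match are conditional
        key == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_login_summary FILE
# Maps the effective value to a one-line description of what sshd allows.
root_login_summary() {
    case "$(effective_root_login "$1")" in
        yes)                  echo "root: login permitted, passwords included" ;;
        no)                   echo "root: direct login refused" ;;
        without-password)     echo "root: no password auth, keys still allowed" ;;
        forced-commands-only) echo "root: keys only, limited to per-key commands" ;;
        unset)                echo "root: not set, sshd built-in default applies" ;;
        *)                    echo "root: value not one of the four named above" ;;
    esac
}

# Constructed sample: a commented default, an active line, and a Match block
# whose override must not be reported as the global setting.
sample=$(mktemp)
printf '%s\n' \
    '# Authentication:' \
    '#LoginGraceTime 2m' \
    '#PermitRootLogin no' \
    'PermitRootLogin yes' \
    'Match User backup' \
    '    PermitRootLogin forced-commands-only' > "$sample"

root_login_summary "$sample"
```

A "yes" result only says that sshd itself does not block root; the session can still be closed by something outside sshd_config.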
Lee Harris_5
Valued Contributor

Re: Cannot ssh root@server after running Bastille...

Hi, thanks for the reply...

I uncommented the line in sshd_config so I've now got...

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

...but I still cannot logon directly as root...

As for using Public Keys...as fun as that sounds, I'm too much of an SSH noob to start fiddling with that kind of hardcore SSH stuff.

Anyway, I changed the config, gave it some kill - SIGHUP on SSHD pid, but it's still not letting me login as root.

Robert Fritz
Regular Advisor

Re: Cannot ssh root@server after running Bastille...

Note that Bastille doesn't configure SSH, it just makes a hole in the IPFilter-based firewall for your traffic to get through (if you use Bastille to set up your firewall, and ask it to make the hole).

-Robert
"Those Who Would Sacrifice Liberty for Security Deserve Neither." - Benjamin Franklin
Patrick Wallek
Honored Contributor

Re: Cannot ssh root@server after running Bastille...

Check your /etc/securetty file and see if it has the word 'console' in it. If it does, try renaming the file to something else (/etc/securetty.orig for instance) and then try your SSH again.

I don't recall if SSH looks at the securetty file or not. It can't hurt to give it a try though.
Darrel Louis
Honored Contributor

Re: Cannot ssh root@server after running Bastille...

Lee,

Bastille doesn't do anything with SSH.
As Patrick mentioned, the root login isn't possible, only from the console.
When you temporarily move the /etc/securetty to another name, you will be able to log in as root directly.
But from a security point of view you don't really want this.

I've done the following to create a secure system:
- Bastille
- Benchmark scoring tool ( http://www.cisecurity.org )

Have Fun

Darrel