Operating System - HP-UX

Re: Disable root login with ssh?

John Clifford_1
Advisor

Disable root login with ssh?

Here's a baffling one. I have two HPUX boxes. I am using ssh2 to connect to them. On the first one I can login as root and on the second I cannot. The question is why? In their /etc/sshd_config files they both have the line
PermitRootLogin yes
...so one should be able to login as root to both, no?
But then /etc/securetty only has the line
CONSOLE

Are there other files that I need to check to find out why one is properly locked down but the other isn't???
When all is said and done..more will be said.........than done!
Patrick Wallek
Honored Contributor

Re: Disable root login with ssh?

If the word console is in the /etc/securetty file then root will only be able to login directly from the console. With this set up, you can log in as a normal user and 'su -' to root, or possibly rlogin to the machine as root. But from just a telnet or ssh type login root will be disabled.
Craig Rants
Honored Contributor

Re: Disable root login with ssh?

John,
/etc/securetty only affects items such as rlogin and telnet; ssh is not affected. In /etc/sshd_config the PermitRootLogin option should be no if you don't want root to login. Once that change is made, then kill -HUP `cat /var/run/sshd.pid` and you should be good.

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Craig Rants
Honored Contributor

Re: Disable root login with ssh?

Patrick, I must disagree on this one. I have set up more than 40 servers with securetty and the only entry is console. I still have root level access through secure shell. Just my experience.

C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
John Clifford_1
Advisor

Re: Disable root login with ssh?

I still don't understand how I can NOT log in to the one where PermitRootLogin is set to "yes".
When all is said and done..more will be said.........than done!
Craig Rants
Honored Contributor

Re: Disable root login with ssh?

Try using ssh -v and evaluate the output. Possibly post your results. Also, on the server you are trying to access, do the kill -HUP, it could be that the change was made to the sshd_config file but the daemon was not told to reread the config file.

Looking forward to your ssh -v output.

GL,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
John Clifford_1
Advisor

Re: Disable root login with ssh?

This is what I get when I try to ssh (as root) to the locked down machine:


root@ovmngr10 $ ssh -v -l root ovmngr3
debug: hostname is 'ovmngr3'.
debug: Unable to open //.ssh2/ssh2_config
debug: connecting to ovmngr3...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: SshAuthMethodClient/sshauthmethodc.c:119: Added "publickey" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:119: Added "password" to usable methods.
debug: Ssh2Client/sshclient.c:1142: creating userauth protocol
debug: Ssh2Common/sshcommon.c:544: local ip = 145.26.100.103, local port = 56889
debug: Ssh2Common/sshcommon.c:546: remote ip = 145.26.100.101, remote port = 22
debug: SshConnection/sshconn.c:1866: Wrapping...
debug: Ssh2Transport/trcommon.c:599: Remote version: SSH-1.99-2.4.0 F-SECURE SSH
debug: Ssh2Transport/trcommon.c:1124: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1127: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
debug: Ssh2Client/sshclient.c:406: Host key found from database.
debug: Ssh2Common/sshcommon.c:348: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/sshcommon.c:398: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:777: adding keyfile "//.ssh2/id_dsa_1024_a" to candidates
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:777: adding keyfile "//.ssh2/id_dsa_1024_b" to candidates
debug: Ssh2AuthClient/sshauthc.c:308: Method 'publickey' disabled.
debug: Ssh2AuthPasswdClient/authc-passwd.c:95: Starting password query...
root's password:
debug: Ssh2AuthPasswdClient/authc-passwd.c:95: Starting password query...
root's password:


As you can see it didn't accept the password that I supplied (which was correct).

On the other machine it's the same except I can log in as root.
When all is said and done..more will be said.........than done!
Craig Rants
Honored Contributor

Re: Disable root login with ssh?

I didn't see anything out of the ordinary, what about an ssh -v output from the server you can get into? Maybe we can compare the differences and find something there.

C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
John Clifford_1
Advisor

Re: Disable root login with ssh?

The plot thickens, Craig.

On the box I can get into, I set PermitRootLogin to no in the sshd_config, logged out and can still log in as root!!! Surely I'm missing the plot here.
When all is said and done..more will be said.........than done!
Craig Rants
Honored Contributor

Re: Disable root login with ssh?

Did you have the sshd reread the config file? (kill -HUP `cat /var/run/sshd.pid`). Your sshd.pid file may be in a different place, but this is pretty standard.

On the box you can get into, is there a ~root/.shosts file or ~root/.ssh2/authorized_keys file? These things could possibly be bypassing things. Also, what does the IgnoreRootRhosts option say in your /etc/sshd_config file?

C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
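An added audit script (not from this thread or from any ssh vendor) that checks the points raised above: the effective value of an sshd_config option, whether the option appears more than once (so a later edit may be silently ignored), and whether root's home contains trust files that let a login bypass the password. The sample config and the first-match-wins rule are assumptions (OpenSSH semantics; the F-Secure daemon may differ).

```shell
# Constructed sample sshd_config; the duplicate PermitRootLogin is deliberate.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config excerpt (not from any real host)
Port 22
PermitRootLogin yes
IgnoreRhosts no
permitrootlogin no
EOF

# Effective value of an option: the FIRST uncommented occurrence wins
# (OpenSSH semantics, assumed here). Keyword matching is case-insensitive.
sshd_effective() {
    _opt=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v opt="$_opt" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == opt { print $2; exit }
    ' "$2"
}

# Number of uncommented occurrences; more than one means an edit further
# down the file is not what the daemon actually uses.
sshd_count() {
    _opt=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v opt="$_opt" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == opt { n++ }
        END { print n + 0 }
    ' "$2"
}

# List non-empty trust files under a home directory that can grant a login
# without a password (host-based trust or public-key authorisation).
root_trust_files() {
    _found=""
    for f in .shosts .rhosts .ssh2/authorized_keys .ssh/authorized_keys; do
        [ -s "$1/$f" ] && _found="$_found $f"
    done
    printf '%s\n' "${_found# }"
}

# Demo run against the constructed sample.
echo "PermitRootLogin effective: $(sshd_effective PermitRootLogin "$SAMPLE_CFG")"
echo "PermitRootLogin occurrences: $(sshd_count PermitRootLogin "$SAMPLE_CFG")"
echo "root trust files: $(root_trust_files /)"
```

Run the same functions against /etc/sshd_config and ~root on each box after the kill -HUP, and remember the daemon only sees the file as it was when it last reread it.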
Craig Rants
Honored Contributor

Re: Disable root login with ssh?

I'm still here John
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
John Clifford_1
Advisor

Re: Disable root login with ssh?

Sorry Craig,

There is no .shosts file and the IgnoreRhosts in sshd_config is set to no.
Also there is no /.ssh2/authorized_keys file.

When all is said and done..more will be said.........than done!
Craig Rants
Honored Contributor

Re: Disable root login with ssh?

I'm wondering if there is something different about F-Secure's version (that's what you are using if I am correct). I've used openssh and ssh from ssh.org, but never the F-Secure version before. What we worked on should have taken care of the problem in both versions. If you did purchase it, do you have support from F-Secure?

Still willing to try and resolve this thing.

C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut