[buug] Secure Shell Success?

Zeke Krahlin zk_lists at yahoo.com
Sat Aug 5 14:33:51 PDT 2000


--- Rick Moen <rick at linuxmafia.com> wrote:
> If memory serves, this is the error you tend to get when a process
> double-checks to see if you're in the authentication database (e.g., 
> /etc/shadow or wherever the user passwords are kept) and unexpectedly 
> finds that you're not a valid user.  This might happen if, for example,
> the process can't get to the authentication database at all because its 
> effective user ID (under whose authority the user operates) lacks
> permission to read it.

Chris Stoddard's recommendation to lock down /etc/shadow is in this
statement:

---begin stoddard quote:

Other files we don't need to alter, but that need to be locked down, are
/etc/services, /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow. If
you plan to change your passwd or add a user you will have to run "chattr
-i filename" on /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow or
you will get an error message.

---end stoddard quote

So I think this is part of the problem, though not entirely. I ran "chattr
-i" on those files, but still cannot run ssh as user.

> You might try removing your current OpenSSH/OpenSSL installation.  (You
> _did_ install it to the /usr/local/ tree, right?)

I just installed the RPM versions, which placed the programs in their
proper areas: "/usr/bin", "/usr/doc", "/usr/man" and "/usr/lib". I didn't
uninstall any "~.tar.gz" stuff.

> Then try remote login, again.  If it still fails, then your system is
> still damaged from the foray into Chris Stoddard's recommendations.

I think I need to completely undo all of Stoddard's instructions, then try
secure-shell. Assuming it then runs, I will put back Stoddard's
instructions one by one, testing ssh each time, to discover what thwarts
it.

> By the way, I'm making current versions of OpenSSH and OpenSSL available
> at http://linuxmafia.com/pub/linux/security/openssh/ , including a patch
> to fix an old, long-known problem of occasional deadlocking that you
> sometimes got on large files when using rsync over SSH transport.

I just downloaded 'em. Thanks!

> A long-time free-software hacker, Ton Hospel, actually found and fixed 
> the cause of that deadlock in Tatu Ylönen's reference SSH
> implementation, years ago, but declined to contribute his patch because
> he was annoyed at Ylönen's company (SSH Communications Security, Ltd.) 
> having taken his prior contributions proprietary. 

That does stink, and I don't blame Ton for no longer cooperating with that
company.

> So, Hospel created
> a GPLed C-code wrapper program for the reference SSH.  People who run 
> that implementation (and who use rsync) should consider getting the 
> wrapper.  It's at
> http://linuxmafia.com/pub/linux/security/ylonen-ssh/ssh-rsync-wrapper

Wonderful, got it!

> > Since "ssh" is "secure", is logging on as root as safe as user?
> 
> I can answer that question, but it's not the question you really mean
> to ask.  You really should ask "Is this behaviour a problem?"  

I understand: it's a bad habit to get into. Thus, I will forge ahead and
figure out wherein the problem really lies, that keeps me from running ssh
as a user.

And thanks for all the additional tips you provided, which I have not
included in this response. Much appreciated.


=====
Zeke Krahlin
zk_lists at yahoo.com
---
FreeNetCubs BBS & Chat
http://www5.50megs.com/fnc
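The Stoddard advice quoted above sets the ext2 immutable attribute on the authentication files, and the thread's diagnosis is that an ssh login as an ordinary user can fail when those files are still locked or unreadable. The following script is an added example, not code from the thread or from either poster: it parses lsattr-style output to list which of those files still carry the 'i' flag, and, when lsattr (from e2fsprogs) is installed, runs the live check on the real files. The sample lsattr lines in the usage comment are constructed.

```shell
#!/bin/sh
# Added example: find which authentication files still carry the
# immutable ('i') attribute that "chattr +i" sets and "chattr -i" clears.
# The file list is the one named in the Stoddard quote.
AUTH_FILES="/etc/services /etc/passwd /etc/shadow /etc/group /etc/gshadow"

# immutable_from_lsattr: read lsattr output on stdin ("<flags> <path>" per
# line, e.g. "----i--------e-- /etc/shadow") and print the path of every
# entry whose flag field contains a lowercase 'i'. The case pattern is
# case-sensitive, so the unrelated uppercase 'I' flag does not match.
immutable_from_lsattr() {
    while read -r flags path; do
        case "$flags" in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# check_system: run lsattr on each real file (if present) and report the
# ones that are still immutable; assumes lsattr from e2fsprogs.
check_system() {
    if ! command -v lsattr >/dev/null 2>&1; then
        echo "lsattr not available; skipping live check" >&2
        return 0
    fi
    for f in $AUTH_FILES; do
        [ -e "$f" ] && lsattr -d "$f" 2>/dev/null
    done | immutable_from_lsattr
}

# Usage (constructed sample input; expected output is "/etc/shadow"):
#   printf '%s\n' '----i--------e-- /etc/shadow' '-------------e-- /etc/passwd' \
#       | immutable_from_lsattr
# Live check of this host's files:
#   check_system
```

Files listed by check_system still need "chattr -i" before passwd, useradd or a package upgrade can rewrite them; an empty list means the immutable flag is not what is blocking the login and the next thing to inspect is the mode and ownership of /etc/shadow relative to the uid sshd runs under.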




