[buug] Secure Shell Success?
Zeke Krahlin
zk_lists at yahoo.com
Sat Aug 5 14:33:51 PDT 2000
--- Rick Moen <rick at linuxmafia.com> wrote:
> If memory serves, this is the error you tend to get when a process
> double-checks to see if you're in the authentication database (e.g.,
> /etc/shadow or wherever the user passwords are kept) and unexpectedly
> finds that you're not a valid user. This might happen if, for example,
> the process can't get to the authentication database at all because its
> effective user ID (under whose authority the user operates) lacks
> permission to read it.
Chris Stoddard's recommendation to lock down /etc/shadow is in this
statement:
---begin stoddard quote:
Other files we don't need to alter, but need to be locked down are,
/etc/services, /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow. If
you plan to change your passwd or add a user you will have to run "chattr
-i filename" on /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow or
you will get an error message.
---end stoddard quote
So I think this is part of the problem, though not entirely. I ran "chattr
-i" on those files, but still cannot run ssh as user.
> You might try removing your current OpenSSH/OpenSSL installation. (You
> _did_ install it to the /usr/local/ tree, right?)
I just installed the RPM versions, which placed the programs in their
proper areas: "/usr/bin", "/usr/doc", "/usr/man" and "/usr/lib". I didn't
uninstall any "~.tar.gz" stuff.
> Then try remote login, again. If it still fails, then your system is
> still damaged from the foray into Chris Stoddard's recommendations.
I think I need to completely undo all of Stoddard's instructions, then try
secure-shell. Assuming it then runs, I will put back Stoddard's
instructions one by one, testing ssh each time, to discover what thwarts
it.
> By the way, I'm making current versions of OpenSSH and OpenSSL available
> at http://linuxmafia.com/pub/linux/security/openssh/ , including a patch
> to fix an old, long-known problem of occasional deadlocking that you
> sometimes got on large files when using rsync over SSH transport.
I just downloaded 'em. Thanks!
> A long-time free-software hacker, Ton Hospel, actually found and fixed
> the cause of that deadlock in Tatu Ylönen's reference SSH
> implementation, years ago, but declined to contribute his patch because
> he was annoyed at Ylönen's company (SSH Communications Security, Ltd.)
> having taken his prior contributions proprietary.
That does stink, and I don't blame Ton for no longer cooperating with that
company.
> So, Hospel created
> a GPLed C-code wrapper program for the reference SSH. People who run
> that implementation (and who use rsync) should consider getting the
> wrapper. It's at
> http://linuxmafia.com/pub/linux/security/ylonen-ssh/ssh-rsync-wrapper
Wonderful, got it!
> > Since "ssh" is "secure", is logging on as root as safe as user?
>
> I can answer that question, but it's not the question you really mean
> to ask. You really should ask "Is this behaviour a problem?"
I understand: it's a bad habit to get into. Thus, I will forge ahead and
figure out wherein the problem really lies, that keeps me from running ssh
as a user.
And thanks for all the additional tips you provided, which I have not
included in this response. Much appreciated.
=====
Zeke Krahlin
zk_lists at yahoo.com
---
FreeNetCubs BBS & Chat
http://www5.50megs.com/fnc
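An added check (not code from this thread or from either poster) for the condition Stoddard's advice creates: it parses `lsattr` output and reports which of the authentication files still carry the immutable (`i`) flag that `chattr +i` sets, so you can confirm the `chattr -i` step actually took before looking elsewhere for the ssh failure. The sample output is constructed; `check_live_system` assumes the e2fsprogs `lsattr` tool is installed.

```shell
#!/bin/sh
# Added example: find authentication files with the ext2/ext3 immutable
# attribute set (the "chattr +i" lock-down from the Stoddard advice).
# Illustration only; not code from the original thread.

# Files the advice locks down and that login/sshd must read or update.
AUTH_FILES="/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"

# immutable_from_lsattr: read lsattr output on stdin and print the path of
# every entry whose attribute field contains a lowercase "i" (immutable).
# Uppercase "I" (indexed directory) is a different flag and is ignored.
immutable_from_lsattr() {
    awk 'NF >= 2 && index($1, "i") { print $2 }'
}

# check_live_system: run lsattr on the real files (assumes e2fsprogs and an
# ext-family filesystem). Prints any immutable files; returns 1 if found.
check_live_system() {
    out=$(lsattr $AUTH_FILES 2>/dev/null | immutable_from_lsattr)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample lsattr output (not captured from any real host):
# two files still locked, three already released with "chattr -i".
SAMPLE_LSATTR='----i--------e-- /etc/shadow
-------------e-- /etc/passwd
----i--------e-- /etc/gshadow
-------------e-- /etc/group
-------------e-- /etc/services'

# sample_immutable: the parser applied to the constructed sample.
sample_immutable() {
    printf '%s\n' "$SAMPLE_LSATTR" | immutable_from_lsattr
}

sample_immutable
```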