On 8/12/99 [EMAIL PROTECTED] wrote:
> Thanks. Ok, I added 127.0.0.1 to hosts.deny on the remote end and it
> works now. But doesn't this rather weaken security?
I have read that you must have an allow line for all for 127.0.0.1
because some software requires it and will not function otherwise.
ssh appears to be one. You can be more granular if you like and just
have a ssh: 127.0.0.1 line. I am not sure how much this impacts security.
I know if you allow port forwarding and such with ssh it is possible
to bypass some kinds of access rules, for example if you use wu-ftpd
(bad for security anyway but..) and have restrictions configured for
certain hosts, the user can just set up an ssh forwarded session and
bypass all the restrictions since the connection originates from the
localhost.
I assume you meant hosts.allow not hosts.deny :)
[...]
> Trying to login using ssh -v says
> ...
> debug: Requesting X11 forwarding with authentication spoofing.
> debug: Requesting authentication agent forwarding.
> debug: Sending command: /usr/X11R6/bin/xterm
> debug: Entering interactive session.
> debug: Remote: Fwd X11 connection from 127.0.0.1 refused by tcp_wrappers.
> X connection to foo.bar.baz.net:10.0 broken (explicit kill or server
> shutdown).
> Now, in /var/log/messages of the remote there is
> Dec 7 22:56:32 pyxis33 sshd2[453]: connection from "111.222.333.4444"
> Dec 7 22:56:33 pyxis33 sshd[8764]: log: Generating 768 bit RSA key.
> Dec 7 22:56:34 pyxis33 sshd[8764]: log: RSA key generation complete.
> Dec 7 22:56:34 pyxis33 sshd[8764]: log: Connection from 111.222.333.444
> port 1023
> Dec 7 22:56:34 pyxis33 PAM_pwdb[8764]: authentication failure; (uid=0) -> foo
> for ssh service
> Thus, no connection. This happens only on the RH6.1 boxes. I can login
> to any other machines (SunOS4, Solaris2.5, OSF1 4.0, IRIX6.2) no
> problem, and I can login from anywhere to my local box.
> X11Forwarding enabled.
Strange, sounds like an ssh or pam misconfiguration on the redhat box.
It looks like you are using password authentication; is it allowed in
sshd_config? Is the pam.d/ssh file set up correctly?
Another thing to try is on the redhat box do a ssh localhost and see
if you can login that way.
pam is refusing the connection, not ssh, so I think it's a pam problem.
> Why do I need 127.0.0.1 in hosts.allow on the RH6.1 machines?
> My home directories are not group writable as suggested as problem
> with RSA ( /usr/doc/ssh/README.Debian)
> I'll try using ssh2 next to see if there's any difference..
bah, try OpenSSH on the redhat box :-)
Ethan
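An added illustration, not part of the thread, of the hosts.allow trade-off Ethan describes: a small Python model of the tcp_wrappers allow/deny evaluation, run over constructed rule files. The daemon name `sshd`, the LAN prefix `10.1.2.` and `in.ftpd` are assumptions, and which daemon name a forwarded X11 connection is actually checked under depends on the ssh build.

```python
# Minimal model of the tcp_wrappers decision rule: hosts.allow is consulted
# first and a match allows; then hosts.deny, where a match refuses; no match
# in either file allows. Only the patterns needed here are modelled: ALL,
# exact daemon names, exact IPs and "network." prefixes (no EXCEPT, no
# netgroups, no shell_command field). All rule files below are constructed.

def _match(pattern, value):
    """Match one wrappers pattern against a daemon name or client address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "10.1.2." matches every host in 10.1.2.0/24
        return value.startswith(pattern)
    return pattern == value

def _rule_matches(rules, daemon, client):
    """True if any "daemon_list : client_list" line in rules matches."""
    for line in rules.splitlines():
        fields = line.split("#", 1)[0].split(":")
        if len(fields) < 2:            # blank, comment-only or malformed line
            continue
        daemons, clients = fields[0].split(","), fields[1].split(",")
        if any(_match(d, daemon) for d in daemons) and \
           any(_match(c, client) for c in clients):
            return True
    return False

def wrappers_allows(hosts_allow, hosts_deny, daemon, client):
    """Apply the allow-first, deny-second, default-allow evaluation order."""
    if _rule_matches(hosts_allow, daemon, client):
        return True
    return not _rule_matches(hosts_deny, daemon, client)

HOSTS_DENY = "ALL: ALL\n"
# As in the thread: sshd reachable from the LAN only, so the X11 connection
# sshd opens back from 127.0.0.1 is refused ("refused by tcp_wrappers").
ALLOW_LAN_ONLY = "sshd: 10.1.2.\n"
# The granular fix: loopback allowed for sshd alone (assumed daemon name).
ALLOW_GRANULAR = "sshd: 10.1.2., 127.0.0.1\n"
# The broad fix: "ALL: 127.0.0.1" also lets every other wrapped daemon accept
# connections arriving via loopback, e.g. an ssh-forwarded port to in.ftpd,
# even though in.ftpd itself is restricted to the LAN.
ALLOW_BROAD = "ALL: 127.0.0.1\nsshd: 10.1.2.\nin.ftpd: 10.1.2.\n"

if __name__ == "__main__":
    for name, allow in [("lan-only", ALLOW_LAN_ONLY), ("granular", ALLOW_GRANULAR), ("broad", ALLOW_BROAD)]:
        print(name, "sshd X11 via loopback:", wrappers_allows(allow, HOSTS_DENY, "sshd", "127.0.0.1"),
              "in.ftpd via loopback:", wrappers_allows(allow, HOSTS_DENY, "in.ftpd", "127.0.0.1"))
```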