Re: SSHd User root not allowed DenyUsers

To: debian-user-german@lists.debian.org
Subject: Re: SSHd User root not allowed DenyUsers
From: "Dr. Harry Knitter" <harry@knitter-edv-beratung.de>
Date: Wed, 6 May 2009 17:26:43 +0200
Message-id: <[🔎] 200905061726.43150.harry@knitter-edv-beratung.de>
In-reply-to: <[🔎] 4A019CA9.20806@web.de>
References: <[🔎] 4A0141E7.5090205@web.de> <[🔎] 200905061118.40665.harry@knitter-edv-beratung.de> <[🔎] 4A019CA9.20806@web.de>

Am Mittwoch, 6. Mai 2009 16:20 schrieb Michael Post:
> hier die Konfigurationsdatei (AllowUsers habe ich gerade noch einmal
> getestet, hilft aber nicht):
>
> <sshd_config>
> #       $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp
> $
>
> # This is the sshd server system-wide configuration file.  See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented.  Uncommented options change a
> # default value.
>
> AllowUsers root, user
>
> Port 22
> #Protocol 2,1
> Protocol 2
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 768
>
> # Logging
> #obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 2m
> PermitRootLogin yes
> #StrictModes yes
> #MaxAuthTries 6
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile     .ssh/authorized_keys
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
> # PasswordAuthentication yes
> PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
>
> # Set this to 'yes' to enable support for the deprecated 'gssapi'
> authentication
> # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is
> included
> # in this release. The use of 'gssapi' is deprecated due to the presence
> of
> # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not
> susceptible to.
> #GSSAPIEnableMITMAttack
> no
>
>
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication mechanism.
> # Depending on your PAM configuration, this may bypass the setting of
> # PasswordAuthentication, PermitEmptyPasswords, and
> # "PermitRootLogin without-password". If you just want the PAM account and
> # session checks to run without PAM authentication, then enable this but
> set # ChallengeResponseAuthentication=no
> UsePAM yes
>
> #AllowTcpForwarding yes
> #GatewayPorts no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> #UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression yes
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #UseDNS yes
> #PidFile /var/run/sshd.pid
> #MaxStartups 10
>
> # no default banner path
> #Banner /some/path
>
> # override default of no subsystems
> Subsystem       sftp    /usr/lib/ssh/sftp-server
>
> # This enables accepting locale enviroment variables LC_* LANG, see
> sshd_config(5).
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
> LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
>
>
> </sshd_config>

also so auf die Schnelle kann ich nichts Auffälliges erkennen.
Aber kurz so mal ne Frage. Mit welcher Distri arbeitest Du eigentlich. Hast Du 
überhaupt direkten root-Zugang zur shell?

Gruß

Harry
-- 

Ceterum censeo Microsoft esse delendam.

Reply to:

Follow-Ups:
- Re: SSHd User root not allowed DenyUsers
  - From: Jens Schüßler <jgs@trash.net>

References:
- SSHd User root not allowed DenyUsers
  - From: Michael Post <michael_post@web.de>
- Re: SSHd User root not allowed DenyUsers
  - From: "Dr. Harry Knitter" <harry@knitter-edv-beratung.de>
- Re: SSHd User root not allowed DenyUsers
  - From: Michael Post <michael_post@web.de>

Prev by Date: Re: Zeilenumbruch in Maillingslisten
Next by Date: Re: SSHd User root not allowed DenyUsers
Previous by thread: Re: SSHd User root not allowed DenyUsers
Next by thread: Re: SSHd User root not allowed DenyUsers
Index(es):
- Date
- Thread