sshd_config - how to set it up?

[alu]

happy new year

i have a problem to set up sshd-config used with openssh.tcz; i have made some simple changes in /usr/local/etc/ssh/sshd_config in order to prevent root logins, and i have also add the lines

AllowUsers auser
AllowGroups auser

in order to give login permission for only one user, the auser; then saved the changes and restarted openssh (sudo /usr/local/etc/init.d/openssh restart); when i want to test the changes, nothing seems to have been picked up at the server side, i.e. i can always log in as root or as buser (the otherone user on my server).

Same experience with home-made RSA-keys; i made them locally, then copied the public key to the server in the authorized_keys file for the user tc only (within /home/tc/.ssh/ which I have created); restarted openssh, but i can always login with my usual password... it seems to me as if the changes made in sshd_config have no effect on the behavior of the openssh server; or did i miss smthg?

[curaga]

What do you see if you stop it, and then start from the terminal:

sshd -D -e

[alu]

I have to give full path:

/usr/local/sbin/sshd -D -e

it returns:

Could not load host key: /usr/local/etc/ssh/ssh_host_rsa_key
Could not load host key: /usr/local/etc/ssh/ssh_host_dsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting

but ssh_host_rsa and dsa_key are there and the files are not empty...

[alu]

i tried to regenerate the rsa keys on the server

sudo ssh-keygen -t rsa -f /usr/local/etc/ssh/ssh_host_rsa_key

which overwrited the rsa key. then i set the sshd_config file up in order not to authorize login with passwords, and i restarted the server; i always get the message saying that openssh could not load the keys.

i create then a rsa key locally for the tc user and copied it onto the server; it works for the tc user, who must now log in with the passphrase and not the password; i set the sshd_config file up in order to allow only the tc user to log in, but still i can log in with another user (which is a buser available on the server); in both case i can log with root even if i set up sshd_conf in order to disable the root login.

i don't understand why the changes done to sshd_config are not taken into account

[curaga]

Are you perhaps running two sshd's? Since opensshd exits, and you can still log in, maybe the dropbear one is still running?

[alu]

i don't believe it since i am starting mc without the ssh boot code, but i will check it in order to be sure

[alu]

i did a

sudo /etc/init.d/dropbear stop

which returns

Dropbear is not running

[alu]

i tried to regenerate the rsa1, rsa2 and dsa key into /etc/ssh, and i have changed the sshd_config file to reflect the new path of the keys and to disable root login as well as login with password; after restarting openssh, the tc user can connect with password, and root login can connect...

[alu]

since i don't find any answer to why openssh does not seem to respond to command in sshd_config, i shall run dropbear as ssh server with the following workaroud:

1. start dropbear ssh and make your own rsa keys; dropbear does not allow root login per default, which is good for me;
2. you can use sftp with dropbear following this thread: http://forum.tinycorelinux.net/index.php?topic=1738.0
3. or you can install openssh on the server side without starting the daemon; this is what i did; with that, you will have the possibility to use sftp AND sshfs with dropbear and your own keys together;
4. in order to use sftp, i basically changed a little bit the propositions in the thread mentioned above at point 2.; on the server side, do: sudo mkdir /usr/libexec && sudo cp /usr/local/libexec/sftp-server  /usr/libexec; on the client side, start sftp normally;
5. in order to use sshfs, on the client side do: sshfs -o sftp_server=/usr/libexec/sftp-server youruser_at_theipof your server:/the/directory/to/be/mounted /themountpoint/onthe/clientside.

with that workaround, you have a full functional ssh secured server with sftp and sshfs utilities

[Kingdomcome]

I have not had a problem with OpenSSH not reading its config.  You would need to add the config(s) and keys to your backup to have it last through a reboot, I personally backup the entire /usr/local/etc/ssh/ directory.  The init script included in the openssh extension will automatically create the host keys for the server if it does not find them before starting the server. The init script is located at /usr/local/etc/init.d/openssh

[Kingdomcome]

As a follow up, the config files (sshd_config and ssh_config) are the standard upstream configs which should be reviewed and edited to increase security. Permissions of config files and key are important, here are the default permissions in /usr/local/etc/ssh/ which openssh expects to see after the host keys have been generated:

Code: [Select]

tc@box:/usr/local/etc/ssh$ ls -l
total 24
lrwxrwxrwx 1 root root   44 Dec 29 11:20 moduli -> /tmp/tcloop/openssh/usr/local/etc/ssh/moduli
-rw-r--r-- 1 root root 1498 Nov 25 11:11 ssh_config
lrwxrwxrwx 1 root root   53 Dec 29 11:20 ssh_config.orig -> /tmp/tcloop/openssh/usr/local/etc/ssh/ssh_config.orig
-rw------- 1 root root  668 Nov 25 22:33 ssh_host_dsa_key
-rw-r--r-- 1 root root  602 Nov 25 22:33 ssh_host_dsa_key.pub
-rw------- 1 root root 1675 Nov 25 22:33 ssh_host_rsa_key
-rw-r--r-- 1 root root  394 Nov 25 22:33 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root 3352 Jan  5 10:34 sshd_config
lrwxrwxrwx 1 root root   54 Dec 29 11:20 sshd_config.orig -> /tmp/tcloop/openssh/usr/local/etc/ssh/sshd_config.orig
Permissions of  ~/.ssh and contents are important as well

Code: [Select]

tc@box:~$ ls -al | grep .ssh
drwx--S---  2 tc   staff     100 Jan  5 11:15 .ssh/
tc@box:~$ ls -l .ssh/
-rw-------    1 tc       staff         388 Jan  5 11:21 authorized_keys
There are a few ways to deny root access in sshd_config:
1) uncomment the "PermitRootLogin" and change "yes" to "no"
2) add the directive "DenyUsers root"
3) add the directive "AllowUsers tc auser
If the "AllowUsers" directive is used, OpenSSH will deny any user not listed

[alu]

thanks,  but i know all that, i run openssh for years on debian and ubuntu without issues; i would be happy to know what does not work, and please you to try in the same conditions as mines:

server with mc 2.7 and client with mc 2.7, user tc; give tc a password on the server-side, load openssh, create your own rsa keys and try to log in the server with tc password; in my case, even if i create my own rsa keys, i can always log in the server with my password (/home/tc/.ssh has 755 permission, and the file authorized_keys 600, i assume that this is correct); i also modified sshd_config file in order to disable root login, restart openssh, but still i can login in my server as root... after spending a week to troubleshot these issues, i have got no success, sorry to say that.

by the way: i am not suppose to backup any directory, it should work at first mount.

[Kingdomcome]

I have a server running TC that I ssh into multiple times a day, I have set up public key so that I dont have to enter a password every time, and have x11 forwarding enabled in the respective config files and I use the backup function to save the settings across a reboot.

I just now set up 2 testing VMs with fresh cloud mode installations of MC2.7 and openssh.tcz. I created passwords for tc and root and created personal keys for tc and used scp to transfer the public key to the server and also edited /usr/local/etc/ssh/sshd_config to disable root login.  After restarting the server everything was tested and worked as expected.

For debugging public key login I would suggest using "slogin -vvv <ip.address.of.server>"

[vitex]

I also performed an experiment.  As far as I can tell, openssh.tcz is working as expected. 

Boot the microcore_2.7.iso with no bootcodes.

Do the following steps on the Micro Core machine.

Code: [Select]

# Make the .ssh directory
mkdir .ssh

# Create a password for user tc
passwd

# Install openssh
tce-load -w -i openssh.tcz

# Start openssh
sudo /usr/local/etc/init.d/openssh start

Do the following steps on any machine with ssh installed.  (tc@microcore means user tc at whatever address you need to access the Micro Core system.)

Code: [Select]

# Copy your public keys to Micro Core using the password for user tc
scp .ssh/*.pub tc@microcore:.ssh/authorized_keys

# Create a .ssh directory for root
ssh tc@microcore sudo mkdir /root/.ssh

# Copy the authorized keys to root
ssh tc@microcore sudo cp .ssh/authorized_keys /root/.ssh

# Verifiy that root can access Micro Core without a password
ssh root@microcore id

# Disable root logins.
ssh root@microcore 'sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" /usr/local/etc/ssh/sshd_config'

# Restart openssh
ssh tc@microcore sudo /usr/local/etc/init.d/openssh restart

# Try to login in as root; you will get a password prompt that verifies
# that the change to PermitRootLogin worked.
ssh root@microcore id

# Verify that tc can still log in without a password
ssh tc@microcore id

I also verified that I can log in as user tc if I add a "AllowUsers tc" command to sshd_config but not if I change that to "AllowUsers xx".

Note that this example shows again that disallowing ssh access by root is futile if any other user has ssh access and can execute sudo.

[alu]

Note that this example shows again that disallowing ssh access by root is futile if any other user has ssh access and can execute sudo.

exactly - what you did is to make private/public keys for root; i did it the other way (and again, it should work that way too), namely creating the private/public ssh key for tc user, and disabling the root login in the sshd_config file; and still, i can log in as root with the root passwd. i expect (as in my debian system running openssh) that the simple way works - disabling the root login in sshd_config, creating some unprivileged users, creating the rsa keys for those users, and being able to login with private/public keys only, and not as root at all.

another experiment that i did was the following:

- added a buser:bgroup as unprivileged user on the server side - i have now tc:staff and buser:bgroup as users on the server side; i create private/public rsa keys for both of the users, and not for root; i copy the public key on the server side (/home/tc/.ssh/authorized_keys and /home/buser/.ssh/authorized_keys) and give correct permission to the files 'authorized_keys' (namely 600) and to the directory .ssh (namely 755).
- edited sshd_config with the two follwing lines:

AllowUsers tc
AllowGroups staff

- disabling the root login;
- then: ssh buser_at_ipofmyserver; i accept the key, i am prompted to type the password of buser in, and still i can log in with the password of the buser.

maybe it's just me missing something obvious; but at this time, i can log in as root with the root passwd even if i turn it off in the sshd_config file, and i can not restrict access to my server to only one user.