Tiny Core Linux
Tiny Core Extensions => TCE Q&A Forum => Topic started by: alu on January 01, 2010, 09:45:12 AM
-
happy new year
i have a problem setting up sshd_config used with openssh.tcz; i have made some simple changes in /usr/local/etc/ssh/sshd_config in order to prevent root logins, and i have also added the lines
AllowUsers auser
AllowGroups auser
in order to give login permission to only one user, auser; then saved the changes and restarted openssh (sudo /usr/local/etc/init.d/openssh restart); when i want to test the changes, nothing seems to have been picked up on the server side, i.e. i can always log in as root or as buser (the other user on my server).
Same experience with home-made RSA keys; i made them locally, then copied the public key to the server into the authorized_keys file for the user tc only (within /home/tc/.ssh/ which I have created); restarted openssh, but i can always log in with my usual password... it seems to me as if the changes made in sshd_config have no effect on the behavior of the openssh server; or did i miss something?
-
What do you see if you stop it, and then start from the terminal:
sshd -D -e
-
I have to give full path:
/usr/local/sbin/sshd -D -e
it returns:
Could not load host key: /usr/local/etc/ssh/ssh_host_rsa_key
Could not load host key: /usr/local/etc/ssh/ssh_host_dsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting
but ssh_host_rsa and dsa_key are there and the files are not empty...
-
i tried to regenerate the rsa keys on the server
sudo ssh-keygen -t rsa -f /usr/local/etc/ssh/ssh_host_rsa_key
which overwrote the rsa key. then i set the sshd_config file up in order not to authorize login with passwords, and i restarted the server; i always get the message saying that openssh could not load the keys.
i then created an rsa key locally for the tc user and copied it onto the server; it works for the tc user, who must now log in with the passphrase and not the password; i set the sshd_config file up in order to allow only the tc user to log in, but still i can log in with another user (buser, which is available on the server); in both cases i can log in as root even if i set up sshd_config in order to disable the root login.
i don't understand why the changes done to sshd_config are not taken into account
-
Are you perhaps running two sshd's? Since opensshd exits, and you can still log in, maybe the dropbear one is still running?
-
i don't believe it since i am starting mc without the ssh boot code, but i will check it in order to be sure
-
i did a
sudo /etc/init.d/dropbear stop
which returns
Dropbear is not running
-
i tried to regenerate the rsa1, rsa2 and dsa key into /etc/ssh, and i have changed the sshd_config file to reflect the new path of the keys and to disable root login as well as login with password; after restarting openssh, the tc user can connect with password, and root login can connect...
-
since i don't find any answer to why openssh does not seem to respond to the directives in sshd_config, i shall run dropbear as ssh server with the following workaround:
1. start dropbear ssh and make your own rsa keys; dropbear does not allow root login per default, which is good for me;
2. you can use sftp with dropbear following this thread: http://forum.tinycorelinux.net/index.php?topic=1738.0
3. or you can install openssh on the server side without starting the daemon; this is what i did; with that, you will have the possibility to use sftp AND sshfs with dropbear and your own keys together;
4. in order to use sftp, i basically changed the suggestions in the thread mentioned above at point 2 a little; on the server side, do: sudo mkdir /usr/libexec && sudo cp /usr/local/libexec/sftp-server /usr/libexec; on the client side, start sftp normally;
5. in order to use sshfs, on the client side do: sshfs -o sftp_server=/usr/libexec/sftp-server youruser@ip_of_your_server:/the/directory/to/be/mounted /the/mountpoint/on/the/client/side.
with that workaround, you have a fully functional ssh secured server with sftp and sshfs utilities
-
I have not had a problem with OpenSSH not reading its config. You would need to add the config(s) and keys to your backup to have them last through a reboot; I personally back up the entire /usr/local/etc/ssh/ directory. The init script included in the openssh extension will automatically create the host keys for the server if it does not find them before starting the server. The init script is located at /usr/local/etc/init.d/openssh
-
As a follow-up, the config files (sshd_config and ssh_config) are the standard upstream configs which should be reviewed and edited to increase security. Permissions of config files and keys are important; here are the default permissions in /usr/local/etc/ssh/ which openssh expects to see after the host keys have been generated:
tc@box:/usr/local/etc/ssh$ ls -l
total 24
lrwxrwxrwx 1 root root 44 Dec 29 11:20 moduli -> /tmp/tcloop/openssh/usr/local/etc/ssh/moduli
-rw-r--r-- 1 root root 1498 Nov 25 11:11 ssh_config
lrwxrwxrwx 1 root root 53 Dec 29 11:20 ssh_config.orig -> /tmp/tcloop/openssh/usr/local/etc/ssh/ssh_config.orig
-rw------- 1 root root 668 Nov 25 22:33 ssh_host_dsa_key
-rw-r--r-- 1 root root 602 Nov 25 22:33 ssh_host_dsa_key.pub
-rw------- 1 root root 1675 Nov 25 22:33 ssh_host_rsa_key
-rw-r--r-- 1 root root 394 Nov 25 22:33 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root 3352 Jan 5 10:34 sshd_config
lrwxrwxrwx 1 root root 54 Dec 29 11:20 sshd_config.orig -> /tmp/tcloop/openssh/usr/local/etc/ssh/sshd_config.orig
Permissions of ~/.ssh and contents are important as well
tc@box:~$ ls -al | grep .ssh
drwx--S--- 2 tc staff 100 Jan 5 11:15 .ssh/
tc@box:~$ ls -l .ssh/
-rw------- 1 tc staff 388 Jan 5 11:21 authorized_keys
There are a few ways to deny root access in sshd_config:
1) uncomment the "PermitRootLogin" and change "yes" to "no"
2) add the directive "DenyUsers root"
3) add the directive "AllowUsers tc auser"
If the "AllowUsers" directive is used, OpenSSH will deny any user not listed
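As an added example (not code from this thread or from the openssh.tcz extension), a small POSIX shell reader for sshd_config that prints the effective value of the directives discussed above and applies the DenyUsers / AllowUsers / PermitRootLogin logic to a user name. The sample config and the users tc, auser and buser are constructed for the demonstration; the simplified check ignores group directives and wildcards.

```shell
# Constructed sample sshd_config (not the extension's file): the FIRST
# uncommented match of a keyword is the one sshd uses, so the commented
# "#PermitRootLogin yes" below is ignored and the live line wins.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
#PasswordAuthentication yes
AllowUsers tc auser
DenyUsers auser
EOF

# Effective value of a directive: keywords are case-insensitive, the first
# uncommented match wins, and lines after "Match" are conditional, so the
# scan stops there.  Prints nothing if the directive is only commented out.
effective_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Value with a default substituted when the directive is absent; pass the
# compiled-in default of your OpenSSH release (both were "yes" in 2010).
directive_or_default() {
    v="$(effective_directive "$1" "$2")"
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# Would USER pass the login restrictions in CFG?  Same order as sshd:
# DenyUsers first, then AllowUsers (which denies everyone not listed),
# then PermitRootLogin for root.  Groups and wildcards are left out.
user_allowed() {
    cfg="$1"; user="$2"
    for d in $(effective_directive "$cfg" DenyUsers); do
        [ "$d" = "$user" ] && return 1
    done
    allow="$(effective_directive "$cfg" AllowUsers)"
    if [ -n "$allow" ]; then
        found=0
        for a in $allow; do [ "$a" = "$user" ] && found=1; done
        [ "$found" -eq 1 ] || return 1
    fi
    [ "$user" = "root" ] && [ "$(directive_or_default "$cfg" PermitRootLogin yes)" = "no" ] && return 1
    return 0
}

for u in tc auser buser root; do
    if user_allowed "$SAMPLE_CFG" "$u"; then echo "$u: allowed"; else echo "$u: denied"; fi
done
```

On the server itself, `sudo /usr/local/sbin/sshd -T` dumps the configuration the running binary actually parsed, which is the authoritative form of this check and the quickest way to tell whether the file being edited is the one the daemon reads.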
-
thanks, but i know all that, i have run openssh for years on debian and ubuntu without issues; i would be happy to know what does not work, and please try in the same conditions as mine:
server with mc 2.7 and client with mc 2.7, user tc; give tc a password on the server side, load openssh, create your own rsa keys and try to log in to the server with tc's password; in my case, even if i create my own rsa keys, i can always log in to the server with my password (/home/tc/.ssh has 755 permission, and the file authorized_keys 600, i assume that this is correct); i also modified the sshd_config file in order to disable root login, restarted openssh, but still i can log in to my server as root... after spending a week troubleshooting these issues, i have had no success, sorry to say.
by the way: i am not supposed to back up any directory, it should work at first mount.
-
I have a server running TC that I ssh into multiple times a day. I have set up public key authentication so that I don't have to enter a password every time, and have x11 forwarding enabled in the respective config files, and I use the backup function to save the settings across a reboot.
I just now set up 2 testing VMs with fresh cloud mode installations of MC2.7 and openssh.tcz. I created passwords for tc and root and created personal keys for tc and used scp to transfer the public key to the server and also edited /usr/local/etc/ssh/sshd_config to disable root login. After restarting the server everything was tested and worked as expected.
For debugging public key login I would suggest using "slogin -vvv <ip.address.of.server>"
-
I also performed an experiment. As far as I can tell, openssh.tcz is working as expected.
Boot the microcore_2.7.iso with no bootcodes.
Do the following steps on the Micro Core machine.
# Make the .ssh directory
mkdir .ssh
# Create a password for user tc
passwd
# Install openssh
tce-load -w -i openssh.tcz
# Start openssh
sudo /usr/local/etc/init.d/openssh start
Do the following steps on any machine with ssh installed. (tc@microcore means user tc at whatever address you need to access the Micro Core system.)
# Copy your public keys to Micro Core using the password for user tc
scp .ssh/*.pub tc@microcore:.ssh/authorized_keys
# Create a .ssh directory for root
ssh tc@microcore sudo mkdir /root/.ssh
# Copy the authorized keys to root
ssh tc@microcore sudo cp .ssh/authorized_keys /root/.ssh
# Verify that root can access Micro Core without a password
ssh root@microcore id
# Disable root logins.
ssh root@microcore 'sed -i "s/#PermitRootLogin yes/PermitRootLogin no/" /usr/local/etc/ssh/sshd_config'
# Restart openssh
ssh tc@microcore sudo /usr/local/etc/init.d/openssh restart
# Try to log in as root; you will get a password prompt that verifies
# that the change to PermitRootLogin worked.
ssh root@microcore id
# Verify that tc can still log in without a password
ssh tc@microcore id
I also verified that I can log in as user tc if I add a "AllowUsers tc" command to sshd_config but not if I change that to "AllowUsers xx".
Note that this example shows again that disallowing ssh access by root is futile if any other user has ssh access and can execute sudo.
-
Note that this example shows again that disallowing ssh access by root is futile if any other user has ssh access and can execute sudo.
exactly - what you did is to make private/public keys for root; i did it the other way (and again, it should work that way too), namely creating the private/public ssh key for tc user, and disabling the root login in the sshd_config file; and still, i can log in as root with the root passwd. i expect (as in my debian system running openssh) that the simple way works - disabling the root login in sshd_config, creating some unprivileged users, creating the rsa keys for those users, and being able to login with private/public keys only, and not as root at all.
another experiment that i did was the following:
- added buser:bgroup as an unprivileged user on the server side - i now have tc:staff and buser:bgroup as users on the server side; i created private/public rsa keys for both users, and not for root; i copied the public keys to the server side (/home/tc/.ssh/authorized_keys and /home/buser/.ssh/authorized_keys) and gave the correct permissions to the files 'authorized_keys' (namely 600) and to the directory .ssh (namely 755).
- edited sshd_config with the two following lines:
AllowUsers tc
AllowGroups staff
- disabling the root login;
- then: ssh buser@ipofmyserver; i accept the key, i am prompted to type in the password of buser, and still i can log in with the password of buser.
maybe it's just me missing something obvious; but at this time, i can log in as root with the root passwd even if i turn it off in the sshd_config file, and i can not restrict access to my server to only one user.
-
Maybe you should start over with openssh. Remove relevant files from backup or persistent media, remove the tcz, reboot and reinstall. I know it's working correctly for me and I'm sure others would have complained if they were having issues.
-
i have started tc 2.7 with base nolocal norestore in order to put an end to the openssh troubles i have had; and the good news is that it is probably something in my backup that makes the openssh daemon mess up; now, i can modify sshd_config (such as turning rootlogin to 'no') and i can see the change working... but there is one issue i always have: if i want to connect as tc user with private/public rsa keys, i can't get the openssh.tcz daemon to ask me for my passphrase; i have to log in with my password, and if i turn password authentication to 'no' in the sshd_config file, i can't log in to my server anymore. thanks Kingdomcome and vitex for putting me on the right path
-
bump -
I was having this same problem - mc 4.5.3 - i would get the error message 'could not load host key: ...' i tried reinstalling ssh from scratch, all that stuff - when I tried logging in from a remote server (openbsd) it would deny me saying "no hostkey alg" ...
I found out that what I was doing wrong was that when I ran init.d/openssh keygen , i was putting in a passphrase. When i re-ran openssh-keygen with an empty passphrase, it started working as expected. FWIW.
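An added check, not from this thread: the "Could not load host key" lines in alu's sshd -D -e output and the passphrase-protected host key found in the post above are both things a host-key audit can catch before starting the daemon. It assumes a POSIX shell with base64 and reads the two OpenSSH private-key formats directly instead of calling ssh-keygen; the key directory path is the one the extension uses.

```shell
# Print "none" for an unencrypted private key, something else for a protected one.
# New-style keys: the decoded body starts with "openssh-key-v1\0" (15 bytes) and a
# 4-byte length, so bytes 20-23 are the start of the cipher name ("none" when
# unencrypted).  Legacy PEM keys carry a "Proc-Type: 4,ENCRYPTED" header instead.
host_key_cipher() {
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        grep -v -- '^-----' "$1" | base64 -d 2>/dev/null | head -c 23 | tail -c 4
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo pem-encrypted
    else
        echo none
    fi
}

# Audit every ssh_host_*_key in DIR the way sshd sees it at start-up:
# present, non-empty, mode 0600 and loadable without a passphrase.
# Prints one line per problem and returns 1 if there was any.
check_host_keys() {
    dir="$1"; rc=0; n=0
    for f in "$dir"/ssh_host_*_key; do
        [ -e "$f" ] || continue
        n=$((n + 1))
        if [ ! -s "$f" ]; then
            echo "EMPTY: $f"; rc=1; continue
        fi
        mode="$(ls -ld "$f" | cut -c1-10)"
        [ "$mode" = "-rw-------" ] || { echo "MODE: $f is $mode, want -rw-------"; rc=1; }
        cipher="$(host_key_cipher "$f")"
        [ "$cipher" = "none" ] || { echo "PASSPHRASE: $f is not an unprotected key (cipher '$cipher'); sshd cannot load it"; rc=1; }
    done
    [ "$n" -gt 0 ] || { echo "NO HOST KEYS: nothing matching $dir/ssh_host_*_key"; rc=1; }
    return $rc
}

# Usage on a Tiny Core box: sh thisfile /usr/local/etc/ssh
if [ "$#" -gt 0 ]; then check_host_keys "$1"; fi
```

Where ssh-keygen is available, `ssh-keygen -y -P '' -f /usr/local/etc/ssh/ssh_host_rsa_key` is the definitive test: it prints the public key for an unprotected key and fails for a passphrase-protected one.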
-
Old thread but better to keep it all together - I'm having a problem along the lines of what alu was experiencing - openssh not recognising parameters set in sshd_config
I am downloading a single csv file from my Tiny Core thin client to a Windows 7 machine, using Openssh on the TC end and cwRsync on the Windows end. The file transfer only takes 2 or 3 seconds, but rsync is hanging for about 15 seconds prior to starting the transfer. I have found several references to a reverse DNS lookup, which can supposedly be avoided by adding "UseDNS no" to sshd_config.
I have done this and restarted sshd, but it doesn't seem to make any difference. It appears openssh is ignoring my sshd_config settings.
Permissions of my ssh directory:
drwxr-xr-x 2 root root 280 Jun 5 15:59 ./
drwxr-xr-x 8 root root 240 Jun 5 15:59 ../
lrwxrwxrwx 1 root root 44 Jun 5 15:59 moduli -> /tmp/tcloop/openssh/usr/local/etc/ssh/moduli
-rw-r--r-- 1 root root 1553 Jun 5 15:57 ssh_config
lrwxrwxrwx 1 root root 56 Jun 5 15:59 ssh_config.example -> /tmp/tcloop/openssh/usr/local/etc/ssh/ssh_config.example
-rw------- 1 root root 668 May 19 11:20 ssh_host_dsa_key
-rw-r--r-- 1 root root 598 May 19 11:20 ssh_host_dsa_key.pub
-rw------- 1 root root 227 May 19 11:20 ssh_host_ecdsa_key
-rw-r--r-- 1 root root 170 May 19 11:20 ssh_host_ecdsa_key.pub
-rw------- 1 root root 1679 May 19 11:20 ssh_host_rsa_key
-rw-r--r-- 1 root root 390 May 19 11:20 ssh_host_rsa_key.pub
-rw-r--r-- 1 root root 3297 Jun 5 12:15 sshd_config
lrwxrwxrwx 1 root root 57 Jun 5 15:59 sshd_config.example -> /tmp/tcloop/openssh/usr/local/etc/ssh/sshd_config.example
When I first set up openssh I copied the sshd_config.example file to sshd_config as per the instructions in the info file, and then ran chmod 644 on sshd_config to set what I believe to be the correct permissions. Did the same for ssh_config.
Any suggestions?