Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
Apache
CentosOS 5
Plesk 10
New on commandline and ssh.
While trying to get several users (root git friend) to ssh to the same shell and configuring passwordless connection I must have made a mistake.
I can no longer login over ssh as root or git but can as friend whose shell I transferred by editting etc/passwd.
I luckily can still login on plesk so gui file editing is possible.
here's what I found in my sshd errorlog
sshd[11999]: User git not allowed because shell /bin/bash\r does not exist
sshd[12000]: input_userauth_request: invalid user git
sshd[11999]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.dynamic.upc.nl user=git
sshd[11999]: Failed password for invalid user git from xxx.xxx.xxx port 54851 ssh2
I read something about sudo ing and incidently entering: causing the \r
But where to restore?
Here are some configurations
etc/ssh/sshd_config :
PubkeyAuthentication yes
ect/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/false
/usr/local/psa/bin/chrootsh
/bin/rbash
etc/passwd
git:x:10009:10009::/home/git:/bin/bash
friend:x:10010:10010::/home/git:/bin/bash
earlier I tried to install password less connecting
so there is a .ssh/id_rsa file somewhere on the server and on my local machine.
After reading Git's famous "ERROR: Permission to .git denied to user"
I tried
ssh-add -l
Could not open a connection to your authentication agent
My problem resembles this:
https://serverfault.com/questions/480806/ssh-root-access-denied-after-changing-shell
If I am logged over ssh as friend I cannot sudo to root:
sudo root
friend is not in the sudoers file
nor can I chsh
[friend#vpsXXX ~]$ chsh -s /bin/bash root
chsh: Running UID doesn't match UID of user we're altering, shell change denied
Hope someone can clear this up for me.
Happy to supply more info if needed
/bin/bash\r
means that you've edited the /etc/passwd or /etc/shells with a Windows editor as it contains Windows line feeds \r\n. Linux interprets only the \n and assumes that the remaining \r is part of the binary name.
Solution: Open the files in a Linux editor and remove the new line and add it again.
Also you could install the package tofrodos and execute:
fromdos /etc/passwd
fromdos /etc/shells
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed last year.
Improve this question
I have been trying to enable logging in my OpenLDAP setup (in Oracle Enterprise Linux 6.5) , but no logs are being generated in /var/log/slapd/slapd.log.
Followed these steps to enable logging :
Edited the slapd.conf file :
# grep -i loglevel /etc/openldap/slapd.conf
loglevel -1
Did the setup for the log directory in /var/log/slapd
# cd /var/log/slapd ; ls -ltr
-rw------- 1 root root 217 May 21 19:48 slapd.log
Edited the rsyslog config file
# grep -i local4 /etc/rsyslog.conf
local4. /var/log/slapd/slapd.log*
restarted the openldap service and also the rsyslogger :
# service rsyslog restart
# service slapd restart
But even after doing these steps , we are not seeing logs captured in the slapd.log file . Only log seen is the below line :
more /var/log/slapd/slapd.log
May 21 19:48:12 sprdneval slapd[2961]: #(#) $OpenLDAP: slapd 2.4.39 (Aug 16 2014 20:41:55) $#012#011mockbuild#ca-buildj3.us
.oracle.com:/builddir/build/BUILD/openldap-2.4.39/openldap-2.4.39/build-servers/servers/slapd
Am i missing to do something blindingly obvious ?
Regards,
Hari
If you are using the OnLine Configuration (OLC) have a look at Zytrax. It explains quite well how to use and configure it.
Same problem here ('loglevel any' and 'logfile /var/log/slapd/slapd.log' options in slapd.conf and in the cn=config, but no debug output in the logfile).
I've just solved the problem by adding "-d any" to the command line arguments of the slapd
/usr/bin/slapd -d any -u ldap -g ldap -h "ldap://127.0.0.1/ ldaps:/// ldapi:///"
I see the same issue and posted my question at Serverfault about what '-s' option means.
If you see olcLogLevel setting at current config:
$ sudo grep olcLogLevel /etc/openldap/slapd.d/cn=config.ldif
olcLogLevel: 0
Then, you can change it by:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: 256
EOF
If you don't see olcLogLevel setting, then you need to newly create the entry. I haven't seen the case but I think it will be done by change 'changetype' above from 'modify' to 'add'.
My environment is CentOS7.9 so that the path would be different from yours.
You can do and check df -h to check disk space and delete heavy files which you do not require (like messages*.gz) from /var/log/ also empty the content of /var/log/slapd/slapd.log
Now you reboot your system and check service slapd status.
Hope ,it works now.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I need to create a user which can only SFTP to specific directory and take a copy of some infomation. that is it. I keep looking online and they bring up information about chroot and modifying the the sshd_config.
So far I can just
add the user "useradd sftpexport"
create it without a home directory "-M"
set its login location "-d /u02/export/cdrs" (Where the information is stored)
not allow it to use ssh "-s /bin/false"
useradd sftpexport -M -d /u02/export/cdrs -s /bin/false
Can anyone suggest what am meant to edit so the user can only login and copy the file off?
I prefer to create a user group sftp and restrict users in that group to their home directory.
First, edit your /etc/ssh/sshd_config file and add this at the bottom.
Match Group sftp
ChrootDirectory %h
ForceCommand internal-sftp
AllowTcpForwarding no
This tells OpenSSH that all users in the sftp group are to be chrooted to their home directory (which %h represents in the ChrootDirectory command)
Add a new sftp group, add your user to the group, restrict him from ssh access and define his home directory.
groupadd sftp
usermod username -g sftp
usermod username -s /bin/false
usermod username -d /home/username
Restart ssh:
sudo service ssh restart
If you are still experiencing problems, check that the directory permissions are correct on the home directory. Adjust the 755 value appropriately for your setup.
sudo chmod 755 /home/username
EDIT: Based on the details of your question, it looks like you are just missing the sshd_config portion. In your case, substitute sftp with sftpexport. Also be sure that the file permissions are accessible on the /u02/export/cdrs directory.
An even better setup (and there are even better setups than what I am about to propose) is to symlink the /u02/export/cdrs directory to the user home directory.
You could need to add a restricted shell for this user can put some files there. You can use rssh tool for that.
usermod -s /usr/bin/rssh sftpexport
Enable allowed protocols in config /etc/rssh.conf.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
I need to ssh (as root) to a remote server and perform some root level operations. I will be sshing from a local server where I don't have root privileges. Given this option, is it possible to perform passwordless ssh to remote system using (rsa) keys ?
Local and remote servers run linux.
BTW, I generated keys (ssh-keygen -t rsa) on the local server. Copied the public key to remote server's .ssh/authorized_keys file. However it still keeps prompting for password. The same setup works fine, if the local and remote username (non-root) matches.
1 check that your /etc/ssh/sshd_config file have "PermitRootLogin yes".
2 Store the following Shell code into nopasswd.sh:
#!/bin/sh
scp ~/.ssh/id_dsa.pub $1#$2:~/
ssh $1#$2 "cat ~/id_dsa.pub >> ~/.ssh/authorized_keys; chmod 644 ~/.ssh/authorized_keys; exit"
3 Use it by these steps:
$ssh-keygen -t dsa
$ ./nopasswd.sh root REMOTE_HOST
Yes. SSH does not make a connection between account names on different systems, so you can ssh as non-root to root if you have a valid key pair.
In ~/.ssh/config:
Host rootRemoteSystem
HostName RemoteSystem
User root
Then:
ssh-copy-id rootRemoteSystem
Then you can do:
ssh rootRemoteSystem
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I am running slitaz distro, and would like to completely remove the root password. I have tried giving a blank password to the passwd command, however that did not seem to do the trick. It gave me an error password was too short, ans it still asked me for a password when I ssh-ed in. The password was just hiting the "Enter" key.
UPDATE:
Perhaps it has to do with the fact that slitaz uses dropbear for ssh? Because even with a blank password for root in /etc/shadow, it still prompts for a password.
● Do you really want to allow logins without a password? If so, try passwd -d root (see warnings below)
● Do you really want to have an empty password? echo root: | chpasswd or, if that is rejected, echo "root:$(mkpasswd -s </dev/null)" | chpasswd -e (see warnings below)
● For those coming here in search of a way to block password login for root, you have options:
passwd -l root disables (locks), passwd -u root re-enables (unlocks) the root password.
sshd option PasswordAuthentication no disables password authentification for all users (via ssh)
sshd option PermitRootLogin no disables root login (via ssh)
sshd option PermitRootLogin prohibit-password disables root login with password (via ssh)
Notes and warnings:
⚠️ Make sure you have a way to log in even if you accidentally lock your password. For example, a second user with full sudo access. (If you try to configure no / an insecure password, your system might actually lock you out.)
passwd -d root can allow for root login without password!
⚠️ this is a terrible idea on systems connected to the internet. Don't do it except in an isolated host or network. An empty password is arguably worse.
that's why your system setup might still disallow logins without password (or with empty password) if you remove the password (or set it to the empty string). Especially via SSH.
SSH with public keys, and something ssh-agent is the way to go if you want the convenience of not repeatedly entering your password
SSH with public keys, and an unencrypted private key is the way to go if you want to run commands from remote scripts. There is a PermitRootLogin forced-commands-only sshd option; when set the remote script can only trigger specific commands that you need to configure on the server.
Usually, passwords are usually saved in salted&hashed form in /etc/shadow. For more information, read the manpage with man shadow 5.
Authentication can be blocked in the configuration of the SSH server (see man sshd_config) or in the OS's authentification system (see "PAM" - Linux Pluggable Authentication Modules).
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
How do I setup Public-Key Authentication for SSH?
If you have SSH installed, you should be able to run..
ssh-keygen
Then go through the steps, you'll have two files, id_rsa and id_rsa.pub (the first is your private key, the second is your public key - the one you copy to remote machines)
Then, connect to the remote machine you want to login to, to the file ~/.ssh/authorized_keys add the contents of your that id_rsa.pub file.
Oh, and chmod 600 all the id_rsa* files (both locally and remote), so no other users can read them:
chmod 600 ~/.ssh/id_rsa*
Similarly, ensure the remote ~/.ssh/authorized_keys file is chmod 600 also:
chmod 600 ~/.ssh/authorized_keys
Then, when you do ssh remote.machine, it should ask you for the key's password, not the remote machine.
To make it nicer to use, you can use ssh-agent to hold the decrypted keys in memory - this means you don't have to type your keypair's password every single time. To launch the agent, you run (including the back-tick quotes, which eval the output of the ssh-agent command)
`ssh-agent`
On some distros, ssh-agent is started automatically. If you run echo $SSH_AUTH_SOCK and it shows a path (probably in /tmp/) it's already setup, so you can skip the previous command.
Then to add your key, you do
ssh-add ~/.ssh/id_rsa
and enter your passphrase. It's stored until you remove it (using the ssh-add -D command, which removes all keys from the agent)
For windows this is a good introduction and guide
Here are some good ssh-agents for systems other than linux.
Windows - pageant
OS X - SSHKeychain