Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Urgent: no ssh possible since net-misc/openssh-7.1_p1-r2
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
UncleVan
n00b
n00b


Joined: 08 Feb 2011
Posts: 72

PostPosted: Fri Nov 06, 2015 9:17 pm    Post subject: Urgent: no ssh possible since net-misc/openssh-7.1_p1-r2 Reply with quote

Hello everybody ,

After recent update
Code:
net-misc/openssh-6.9_p1-r2 ->  net-misc/openssh-7.1_p1-r2
I can not login with ssh anymore (I'm using two identical machines Thinkpad Edge 11). In the /var/log/messages there is following:
Code:
Jul 15 22:44:11 thinkkiste sshd[31065]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.50  user=root
Jul 15 22:44:14 thinkkiste sshd[31061]: error: PAM: Authentication failure for root from 192.168.0.50
After recherche I'm pretty sure there is something with the keys-pairs ssh uses, but I'm completely ignorant of how to solve this.

For now I reverted to 6.9 again and it works OK, but I highly appreciate any suggestion/help/info to solve this issue ASAP .

Thanks in advance !
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42569
Location: 56N 3W

PostPosted: Fri Nov 06, 2015 9:54 pm    Post subject: Reply with quote

UncleVan,

net-misc/openssh-7.x depreciates one sort of key as its no longer considered secure.
You can enable if if you want but it will go away one day.

See the news item 2015-08-13 OpenSSH 7.0 disables ssh-dss keys by default

Password logins for root are also disabled by default.
/etc/ssh/sshd_config:
#PermitRootLogin prohibit-password


Allowing root password logins via ssh has always been insecure.
Set up sudo. Log in as normal user and use
Code:
sudo su -
to become root.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
UncleVan
n00b
n00b


Joined: 08 Feb 2011
Posts: 72

PostPosted: Fri Nov 06, 2015 11:45 pm    Post subject: Reply with quote

Thank you for th quick response !

So far its fine but: How am I supposed to set up "new" keys for use ?

It is a local segment only - apart from internet - so login as root would not be an issue... BTW that was literally the same statement forcing me to not use telnet anymore ;-)


Last edited by UncleVan on Fri Nov 06, 2015 11:58 pm; edited 1 time in total
Back to top
View user's profile Send private message
Tony0945
Advocate
Advocate


Joined: 25 Jul 2006
Posts: 2882
Location: Illinois, USA

PostPosted: Fri Nov 06, 2015 11:54 pm    Post subject: Reply with quote

Had the same problem with root login. I did NOT change the conf file. Kept rejecting the password. I could log in as "guest" and su with the password but log in directly. I only ssh for admin work like emerge's and kernel builds, so that's a PITA.

I wound up blocking 7.0 and above like you.


Last edited by Tony0945 on Sat Nov 07, 2015 1:26 am; edited 1 time in total
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 5592

PostPosted: Fri Nov 06, 2015 11:55 pm    Post subject: Reply with quote

New keys:
Code:
ssh-keygen -t ed25519
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@$remote

If you've restarted sshd on the remote side recently, it'll already have an ed25519 server key.
Back to top
View user's profile Send private message
UncleVan
n00b
n00b


Joined: 08 Feb 2011
Posts: 72

PostPosted: Sat Nov 07, 2015 12:04 am    Post subject: Reply with quote

Thank you guys,

I'll try to set up ssh 7 for root logins and report the results.
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2115
Location: Kentucky

PostPosted: Sat Nov 07, 2015 3:39 pm    Post subject: Reply with quote

Forcing this on people who have a bunch of machines to administer without even a "news readme" notice at the time the force is made is presumptuous to the point of arragonce! :evil:

I started a bunch of weekly updates last night and went to bed while they ran. I woke up this morning to chaos! I have many automation scripts that log in from one machine to another to perform various operations, not the least of which is nightly backups. Everything is broken! I kept all the old sshd config files, so why did everything change? Because some nanny of a developer decided that they knew bettter than I what was good for my network! :evil:

Only 2 of these machines is internet facing, yet all of them have been affected by this gentoo induced denial of service attack! :evil: :evil: :evil: :evil: :evil: :evil: :evil:

I was going to clean the fallen leaves out of the yard today, but know I have a broken network to fix instead.

(Maybe that's a good thing?) 8O
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
UncleVan
n00b
n00b


Joined: 08 Feb 2011
Posts: 72

PostPosted: Sat Nov 07, 2015 3:50 pm    Post subject: Reply with quote

OK, pretty trivial (shame on me .....): Just add/change in /etc/ssh/sshd_config
Code:
....
# Authentication:

...
PermitRootLogin yes
...
and everything is working again.

No need to generate new keys, because I type the password from the keyboard - in a local wired segment it is not an issue.
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 6965

PostPosted: Sat Nov 07, 2015 3:56 pm    Post subject: Reply with quote

Moriah wrote:
Forcing this on people who have a bunch of machines to administer without even a "news readme" notice at the time the force is made is presumptuous to the point of arragonce! :evil:

https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html


Moriah wrote:
affected by this gentoo induced denial of service attack!

the famous non existing news wrote:
Be aware though that eventually OpenSSH will drop support for DSA keys
entirely, so this is only a stop gap solution.

More details can be found on OpenSSH's website:
http://www.openssh.com/legacy.html

Mean, it's a step from openssh.

so:
For missing news: 0 points
For missing target: 0 points

Rant score is 0, sorry Moriah, better luck next time :)
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2115
Location: Kentucky

PostPosted: Sat Nov 07, 2015 4:35 pm    Post subject: Reply with quote

Pleaase note the phrase at the time the force .

I did not say therre was not a news item on it; I said there ought to be a "re-reminder" at the time it was actually happening.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
ct85711
Veteran
Veteran


Joined: 27 Sep 2005
Posts: 1692

PostPosted: Sat Nov 07, 2015 4:49 pm    Post subject: Reply with quote

that's the thing, there was a reminder... we can't force you to read it
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2115
Location: Kentucky

PostPosted: Sat Nov 07, 2015 5:35 pm    Post subject: Reply with quote

That was my complaint: the reminder ws 2 months before the occurrance. I read it, but after 2 months, it would have been nice to announce that it was going into effect today.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2115
Location: Kentucky

PostPosted: Sat Nov 07, 2015 5:41 pm    Post subject: Reply with quote

Anyway, I am taking advantage of this inconvenient event to clear out all my stuff in my .ssh/ directories and regenerate it to the new standards. One thing I *will* keep is root login via password. I have some utility machines that have no other user besides root. I am the only administrator. I only administrate these machines because there is no one else to do it, and I need them to do myincome producing work. As I said, there are only 2 of them that are internet facing; the rest are on a well protected ethernet segment behind multiple natting firewalls. From time to time, they all need to be administered remotely, possibly from machines that have never logged into those machines before. Therefore, I need to allow root login via password on ssh.

Also, I a, *not* clearing the fallen leaves out of the yard today! :D :wink:
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42569
Location: 56N 3W

PostPosted: Sat Nov 07, 2015 5:45 pm    Post subject: Reply with quote

Moriah,

Quote:
Therefore, I need to allow root login via password on ssh.


That's one solution. There are others, such as key based log in as root.
You could even create a normal user that you subsequently user to gain root.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2115
Location: Kentucky

PostPosted: Sat Nov 07, 2015 6:18 pm    Post subject: Reply with quote

Neddy:

I also have to run a lot of scripts that login as root. Finding and changing them all would be a major pain tht I just do not have time for right now.
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
The LT
n00b
n00b


Joined: 23 Feb 2006
Posts: 20
Location: Moscow, Russia

PostPosted: Sun Nov 08, 2015 2:55 pm    Post subject: Reply with quote

Moriah wrote:
Forcing this on people who have a bunch of machines to administer without even a "news readme" notice at the time the force is made is presumptuous to the point of arragonce! :evil:

Not reading upstream changelogs before updating cricical system packages is outright ignorant. Before you accuse the maintainers, make sure you even follow the established best practices and guidelines.

Quote:

I started a bunch of weekly updates last night and went to bed while they ran. I woke up this morning to chaos! I have many automation scripts that log in from one machine to another to perform various operations, not the least of which is nightly backups. Everything is broken! I kept all the old sshd config files, so why did everything change? Because some nanny of a developer decided that they knew bettter than I what was good for my network! :evil:


No, because an ignorant user like you who thinks they know better never noticed that sshd_config is COMMENTED by default and the devs changed the defaults. Should you have bothered to CONFIGURE sshd, you wouldn't run into this.

Quote:

Only 2 of these machines is internet facing, yet all of them have been affected by this gentoo induced denial of service attack! :evil: :evil: :evil: :evil: :evil: :evil: :evil:

This is irrelevant to the problem. The developers don't tailor the package for you and your two "internet-facing" machines.

Quote:

I was going to clean the fallen leaves out of the yard today, but know I have a broken network to fix instead.

I would start with fixing your practices and update habits.

Quote:

(Maybe that's a good thing?) 8O

Definately. At least you'll learn to read through the configuration files more carefully and not login as root. And also, it might prompt you to ditch dsa if you ever used it.
Back to top
View user's profile Send private message
ct85711
Veteran
Veteran


Joined: 27 Sep 2005
Posts: 1692

PostPosted: Sun Nov 08, 2015 4:39 pm    Post subject: Reply with quote

iirc, the login with root has been defaulted to commented out for several years to begin with, so that change isn't anything new. Now if upstream is starting to phase out that option all together, I couldn't say. I can see arguments for both sides, and I admit I used the login with root before. Though that is only when I am setting up a new machine, once the machine is up, I leave it turned off and just login with a regular user, then su into root.
Back to top
View user's profile Send private message
Tony0945
Advocate
Advocate


Joined: 25 Jul 2006
Posts: 2882
Location: Illinois, USA

PostPosted: Sun Nov 08, 2015 6:39 pm    Post subject: Reply with quote

ct85711 wrote:
Though that is only when I am setting up a new machine, once the machine is up, I leave it turned off and just login with a regular user, then su into root.


An extra, unnecessary step.
Back to top
View user's profile Send private message
UberLord
Retired Dev
Retired Dev


Joined: 18 Sep 2003
Posts: 6737
Location: Blighty

PostPosted: Mon Nov 09, 2015 9:54 am    Post subject: Reply with quote

Moriah wrote:
Neddy:

I also have to run a lot of scripts that login as root. Finding and changing them all would be a major pain tht I just do not have time for right now.


So go the root key login approach.
I do this on my OpenWRT boxes I own on my local network.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
Back to top
View user's profile Send private message
Moriah
Advocate
Advocate


Joined: 27 Mar 2004
Posts: 2115
Location: Kentucky

PostPosted: Thu Dec 10, 2015 1:49 pm    Post subject: Reply with quote

Neddy helped me solve this problem thru a series of private messages. Thanks, Neddy!
_________________
The MyWord KJV Bible tool is at http://www.elilabs.com/~myword

Foghorn Leghorn is a Warner Bros. cartoon character.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum