And indeed. :)
thx


On March 13, 2007, Aleph wrote:
> Right now none of the authentication methods is enabled. :-)
> I recommend:
> http://www.gentoo.org/doc/hu/security/security-handbook.xml?part=1&chap=10#doc_chap11
>
> Aleph
>
> 2007/3/13, cjvt <cjvt@××××××××.hu>:
> > $ cat sshd_config
> >
> > # $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
> >
> > # This is the sshd server system-wide configuration file. See
> > # sshd_config(5) for more information.
> >
> > # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
> >
> > # The strategy used for options in the default sshd_config shipped with
> > # OpenSSH is to specify options with their default value where
> > # possible, but leave them commented. Uncommented options change a
> > # default value.
> >
> > Port 225
> > Protocol 2
> > #AddressFamily any
> > #ListenAddress 0.0.0.0
> > #ListenAddress ::
> >
> > # HostKey for protocol version 1
> > #HostKey /etc/ssh/ssh_host_key
> > # HostKeys for protocol version 2
> > #HostKey /etc/ssh/ssh_host_rsa_key
> > #HostKey /etc/ssh/ssh_host_dsa_key
> >
> > # Lifetime and size of ephemeral version 1 server key
> > #KeyRegenerationInterval 1h
> > #ServerKeyBits 768
> >
> > # Logging
> > # obsoletes QuietMode and FascistLogging
> > #SyslogFacility AUTH
> > #LogLevel INFO
> >
> > # Authentication:
> >
> > #LoginGraceTime 2m
> > PermitRootLogin no
> > #StrictModes yes
> > #MaxAuthTries 6
> >
> > #RSAAuthentication yes
> > #PubkeyAuthentication yes
> > #AuthorizedKeysFile .ssh/authorized_keys
> >
> > # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> > #RhostsRSAAuthentication no
> > # similar for protocol version 2
> > #HostbasedAuthentication no
> > # Change to yes if you don't trust ~/.ssh/known_hosts for
> > # RhostsRSAAuthentication and HostbasedAuthentication
> > #IgnoreUserKnownHosts no
> > # Don't read the user's ~/.rhosts and ~/.shosts files
> > #IgnoreRhosts yes
> >
> > # To disable tunneled clear text passwords, change to no here!
> > PasswordAuthentication no
> > #PermitEmptyPasswords no
> >
> > # Change to no to disable s/key passwords
> > #ChallengeResponseAuthentication yes
> >
> > # Kerberos options
> > #KerberosAuthentication no
> > #KerberosOrLocalPasswd yes
> > #KerberosTicketCleanup yes
> > #KerberosGetAFSToken no
> >
> > # GSSAPI options
> > #GSSAPIAuthentication no
> > #GSSAPICleanupCredentials yes
> >
> > # Set this to 'yes' to enable PAM authentication, account processing,
> > # and session processing. If this is enabled, PAM authentication will
> > # be allowed through the ChallengeResponseAuthentication and
> > # PasswordAuthentication. Depending on your PAM configuration,
> > # PAM authentication via ChallengeResponseAuthentication may bypass
> > # the setting of "PermitRootLogin without-password".
> > # If you just want the PAM account and session checks to run without
> > # PAM authentication, then enable this but set PasswordAuthentication
> > # and ChallengeResponseAuthentication to 'no'.
> > UsePAM no
> >
> > #AllowTcpForwarding yes
> > #GatewayPorts no
> > #X11Forwarding no
> > #X11DisplayOffset 10
> > #X11UseLocalhost yes
> > #PrintMotd yes
> > #PrintLastLog yes
> > #TCPKeepAlive yes
> > #UseLogin no
> > #UsePrivilegeSeparation yes
> > #PermitUserEnvironment no
> > #Compression delayed
> > #ClientAliveInterval 0
> > #ClientAliveCountMax 3
> > UseDNS no
> > #PidFile /var/run/sshd.pid
> > #MaxStartups 10
> > #PermitTunnel no
> >
> > # no default banner path
> > #Banner /some/path
> >
> > # override default of no subsystems
> > Subsystem sftp /usr/lib64/misc/sftp-server
> >
> > # Example of overriding settings on a per-user basis
> > #Match User anoncvs
> > # X11Forwarding no
> > # AllowTcpForwarding no
> > # ForceCommand cvs server
> >
> >
> > vt
> >
> > On March 13, 2007, Aleph wrote:
> > > The problem is that password authentication is not enabled, but it
> > > expects it. That is why it rejects you after the public key succeeds.
> > > If I am not mistaken, the line enabling PAM is not commented out in
> > > the config file.
> > >
> > > Aleph
> > >
> > > 2007/3/13, cjvt <cjvt@××××××××.hu>:
> > > > Hi everyone,
> > > >
> > > > I have a problem where, for reasons I don't know, sshd turns me away:
> > > > When I try from the client (ubuntu - 192.168.1.1), this is the result:
> > > >
> > > > $ ssh user@192.168.1.50 -p 225 -v
> > > >
> > > > OpenSSH_4.3p2 Debian-5ubuntu1, OpenSSL 0.9.8b 04 May 2006
> > > > debug1: Reading configuration data /etc/ssh/ssh_config
> > > > debug1: Applying options for *
> > > > debug1: Connecting to 192.168.1.50 [192.168.1.50] port 225.
> > > > debug1: Connection established.
> > > > debug1: identity file /home/user/.ssh/identity type -1
> > > > debug1: identity file /home/user/.ssh/id_rsa type -1
> > > > debug1: identity file /home/user/.ssh/id_dsa type -1
> > > > debug1: Remote protocol version 2.0, remote software version OpenSSH_4.6
> > > > debug1: match: OpenSSH_4.6 pat OpenSSH*
> > > > debug1: Enabling compatibility mode for protocol 2.0
> > > > debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-5ubuntu1
> > > > debug1: SSH2_MSG_KEXINIT sent
> > > > debug1: SSH2_MSG_KEXINIT received
> > > > debug1: kex: server->client aes128-cbc hmac-md5 none
> > > > debug1: kex: client->server aes128-cbc hmac-md5 none
> > > > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > > > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > > > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > > > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > > > debug1: Host '192.168.1.50' is known and matches the RSA host key.
> > > > debug1: Found key in /home/user/.ssh/known_hosts:1
> > > > debug1: ssh_rsa_verify: signature correct
> > > > debug1: SSH2_MSG_NEWKEYS sent
> > > > debug1: expecting SSH2_MSG_NEWKEYS
> > > > debug1: SSH2_MSG_NEWKEYS received
> > > > debug1: SSH2_MSG_SERVICE_REQUEST sent
> > > > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > > > debug1: Authentications that can continue: publickey
> > > > debug1: Next authentication method: publickey
> > > > debug1: Trying private key: /home/user/.ssh/identity
> > > > debug1: Trying private key: /home/user/.ssh/id_rsa
> > > > debug1: Trying private key: /home/user/.ssh/id_dsa
> > > > debug1: No more authentication methods to try.
> > > > Permission denied (publickey).
> > > >
> > > >
> > > > meanwhile the server (gentoo - 192.168.1.50) writes this to the log:
> > > >
> > > >
> > > > reverse mapping checking getaddrinfo for server [192.168.1.1] failed - POSSIBLE BREAK-IN ATTEMPT!
> > > >
> > > > does anyone know what I broke with my editing? ;)
> > > >
> > > > vt
> > > > --
> > > > gentoo-user-hu@g.o mailing list
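
Added example, not part of the thread and not written by any of its participants: a small Python check that reads the sshd_config and the `ssh -v` output quoted above side by side and reports which authentication methods the server allows and whether the client ever had a key to present. The function names are hypothetical; it assumes, as the header of the quoted file says, that `#Keyword value` lines show defaults, and that `type -1` marks an identity path from which no public key was loaded.

```python
import re

# Constructed sample: settings from the sshd_config quoted in the thread.
SSHD_CONFIG = """\
PermitRootLogin no
#PubkeyAuthentication yes
PasswordAuthentication no
UsePAM no
"""

# Constructed sample: authentication lines from the quoted `ssh -v` output.
CLIENT_DEBUG = """\
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: No more authentication methods to try.
"""

def effective_options(text):
    """Lower-cased keyword -> value; explicit lines override '#Key value' defaults."""
    defaults, explicit = {}, {}
    for line in text.splitlines():
        m = re.match(r"(#?)([A-Za-z0-9]+)\s+(.+?)\s*$", line)
        if m:  # setdefault: sshd keeps the first value it reads for a keyword
            target = defaults if m.group(1) else explicit
            target.setdefault(m.group(2).lower(), m.group(3))
    return {**defaults, **explicit}

def diagnose(config_text, debug_text):
    opts = effective_options(config_text)
    m = re.search(r"Authentications that can continue: (\S+)", debug_text)
    offered = m.group(1).split(",") if m else []
    ids = re.findall(r"identity file (\S+) type (-?\d+)", debug_text)
    # type -1: no public key loaded from that path; the two debug messages
    # below would show that the client had key material to present after all
    presented = any(t != "-1" for _, t in ids) or bool(
        re.search(r"Offering public key:|read PEM private key done", debug_text))
    stuck = offered == ["publickey"] and not presented
    return {
        "pubkey_enabled": opts.get("pubkeyauthentication") == "yes",
        "password_enabled": opts.get("passwordauthentication") == "yes",
        "offered": offered,
        "key_presented": presented,
        "cause": "publickey-only server, client presented no key" if stuck else "undetermined",
    }

if __name__ == "__main__":
    for name, value in diagnose(SSHD_CONFIG, CLIENT_DEBUG).items():
        print(f"{name}: {value}")
```
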