Gentoo Archives: gentoo-user-hu

From: cjvt <cjvt@××××××××.hu>
To: gentoo-user-hu@l.g.o
Subject: Re: [gentoo-user-hu] sshd reverse mapping problem
Date: Tue, 13 Mar 2007 15:00:39
Message-Id: 200703131559.57511.cjvt@inebhedj.hu
In Reply to: Re: [gentoo-user-hu] sshd reverse mapping problem by Aleph
1 and so it is. :)
2 thx
3
4
5 On 13 March 2007, Aleph wrote:
6 > Now none of the authentication methods is enabled. :-)
7 > I recommend:
8 > http://www.gentoo.org/doc/hu/security/security-handbook.xml?part=1&chap=10#
9 >doc_chap11
10 >
11 > Aleph
12 >
13 > 2007/3/13, cjvt <cjvt@××××××××.hu>:
14 > > $ cat sshd_config
15 > >
16 > > # $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
17 > >
18 > > # This is the sshd server system-wide configuration file. See
19 > > # sshd_config(5) for more information.
20 > >
21 > > # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
22 > >
23 > > # The strategy used for options in the default sshd_config shipped with
24 > > # OpenSSH is to specify options with their default value where
25 > > # possible, but leave them commented. Uncommented options change a
26 > > # default value.
27 > >
28 > > Port 225
29 > > Protocol 2
30 > > #AddressFamily any
31 > > #ListenAddress 0.0.0.0
32 > > #ListenAddress ::
33 > >
34 > > # HostKey for protocol version 1
35 > > #HostKey /etc/ssh/ssh_host_key
36 > > # HostKeys for protocol version 2
37 > > #HostKey /etc/ssh/ssh_host_rsa_key
38 > > #HostKey /etc/ssh/ssh_host_dsa_key
39 > >
40 > > # Lifetime and size of ephemeral version 1 server key
41 > > #KeyRegenerationInterval 1h
42 > > #ServerKeyBits 768
43 > >
44 > > # Logging
45 > > # obsoletes QuietMode and FascistLogging
46 > > #SyslogFacility AUTH
47 > > #LogLevel INFO
48 > >
49 > > # Authentication:
50 > >
51 > > #LoginGraceTime 2m
52 > > PermitRootLogin no
53 > > #StrictModes yes
54 > > #MaxAuthTries 6
55 > >
56 > > #RSAAuthentication yes
57 > > #PubkeyAuthentication yes
58 > > #AuthorizedKeysFile .ssh/authorized_keys
59 > >
60 > > # For this to work you will also need host keys in
61 > > # /etc/ssh/ssh_known_hosts
62 > > #RhostsRSAAuthentication no
63 > > # similar for protocol version 2
64 > > #HostbasedAuthentication no
65 > > # Change to yes if you don't trust ~/.ssh/known_hosts for
66 > > # RhostsRSAAuthentication and HostbasedAuthentication
67 > > #IgnoreUserKnownHosts no
68 > > # Don't read the user's ~/.rhosts and ~/.shosts files
69 > > #IgnoreRhosts yes
70 > >
71 > > # To disable tunneled clear text passwords, change to no here!
72 > > PasswordAuthentication no
73 > > #PermitEmptyPasswords no
74 > >
75 > > # Change to no to disable s/key passwords
76 > > #ChallengeResponseAuthentication yes
77 > >
78 > > # Kerberos options
79 > > #KerberosAuthentication no
80 > > #KerberosOrLocalPasswd yes
81 > > #KerberosTicketCleanup yes
82 > > #KerberosGetAFSToken no
83 > >
84 > > # GSSAPI options
85 > > #GSSAPIAuthentication no
86 > > #GSSAPICleanupCredentials yes
87 > >
88 > > # Set this to 'yes' to enable PAM authentication, account processing,
89 > > # and session processing. If this is enabled, PAM authentication will
90 > > # be allowed through the ChallengeResponseAuthentication and
91 > > # PasswordAuthentication. Depending on your PAM configuration,
92 > > # PAM authentication via ChallengeResponseAuthentication may bypass
93 > > # the setting of "PermitRootLogin without-password".
94 > > # If you just want the PAM account and session checks to run without
95 > > # PAM authentication, then enable this but set PasswordAuthentication
96 > > # and ChallengeResponseAuthentication to 'no'.
97 > > UsePAM no
98 > >
99 > > #AllowTcpForwarding yes
100 > > #GatewayPorts no
101 > > #X11Forwarding no
102 > > #X11DisplayOffset 10
103 > > #X11UseLocalhost yes
104 > > #PrintMotd yes
105 > > #PrintLastLog yes
106 > > #TCPKeepAlive yes
107 > > #UseLogin no
108 > > #UsePrivilegeSeparation yes
109 > > #PermitUserEnvironment no
110 > > #Compression delayed
111 > > #ClientAliveInterval 0
112 > > #ClientAliveCountMax 3
113 > > UseDNS no
114 > > #PidFile /var/run/sshd.pid
115 > > #MaxStartups 10
116 > > #PermitTunnel no
117 > >
118 > > # no default banner path
119 > > #Banner /some/path
120 > >
121 > > # override default of no subsystems
122 > > Subsystem sftp /usr/lib64/misc/sftp-server
123 > >
124 > > # Example of overriding settings on a per-user basis
125 > > #Match User anoncvs
126 > > # X11Forwarding no
127 > > # AllowTcpForwarding no
128 > > # ForceCommand cvs server
129 > >
130 > >
131 > > vt
132 > >
133 > > On 13 March 2007, Aleph wrote:
134 > > > The problem is that password authentication is not enabled, but it expects it.
135 > >
136 > > So
137 > >
138 > > > it rejects you after the public key succeeds. If I'm right, then the line
139 > > > that enables PAM is not commented out in the config file.
140 > > >
141 > > > Aleph
142 > > >
143 > > > 2007/3/13, cjvt <cjvt@××××××××.hu>:
144 > > > > Greetings everyone,
145 > > > >
146 > > > > I have a problem: I don't know why, but sshd
147 > >
148 > > turns me away:
149 > > > > When I try from the client (ubuntu - 192.168.1.1), this is the result:
150 > > > >
151 > > > > $ ssh user@192.168.1.50 -p 225 -v
152 > > > >
153 > > > > OpenSSH_4.3p2 Debian-5ubuntu1, OpenSSL 0.9.8b 04 May 2006
154 > > > > debug1: Reading configuration data /etc/ssh/ssh_config
155 > > > > debug1: Applying options for *
156 > > > > debug1: Connecting to 192.168.1.50 [192.168.1.50] port 225.
157 > > > > debug1: Connection established.
158 > > > > debug1: identity file /home/user/.ssh/identity type -1
159 > > > > debug1: identity file /home/user/.ssh/id_rsa type -1
160 > > > > debug1: identity file /home/user/.ssh/id_dsa type -1
161 > > > > debug1: Remote protocol version 2.0, remote software version
162 > >
163 > > OpenSSH_4.6
164 > >
165 > > > > debug1: match: OpenSSH_4.6 pat OpenSSH*
166 > > > > debug1: Enabling compatibility mode for protocol 2.0
167 > > > > debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-5ubuntu1
168 > > > > debug1: SSH2_MSG_KEXINIT sent
169 > > > > debug1: SSH2_MSG_KEXINIT received
170 > > > > debug1: kex: server->client aes128-cbc hmac-md5 none
171 > > > > debug1: kex: client->server aes128-cbc hmac-md5 none
172 > > > > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
173 > > > > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
174 > > > > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
175 > > > > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
176 > > > > debug1: Host '192.168.1.50' is known and matches the RSA host key.
177 > > > > debug1: Found key in /home/user/.ssh/known_hosts:1
178 > > > > debug1: ssh_rsa_verify: signature correct
179 > > > > debug1: SSH2_MSG_NEWKEYS sent
180 > > > > debug1: expecting SSH2_MSG_NEWKEYS
181 > > > > debug1: SSH2_MSG_NEWKEYS received
182 > > > > debug1: SSH2_MSG_SERVICE_REQUEST sent
183 > > > > debug1: SSH2_MSG_SERVICE_ACCEPT received
184 > > > > debug1: Authentications that can continue: publickey
185 > > > > debug1: Next authentication method: publickey
186 > > > > debug1: Trying private key: /home/user/.ssh/identity
187 > > > > debug1: Trying private key: /home/user/.ssh/id_rsa
188 > > > > debug1: Trying private key: /home/user/.ssh/id_dsa
189 > > > > debug1: No more authentication methods to try.
190 > > > > Permission denied (publickey).
191 > > > >
192 > > > >
193 > > > > meanwhile the server (gentoo - 192.168.1.50) writes this to the log:
194 > > > >
195 > > > >
196 > > > > reverse mapping checking getaddrinfo for server [192.168.1.1] failed
197 > > > > - POSSIBLE BREAK-IN ATTEMPT!
198 > > > >
199 > > > > does anyone know what I broke by editing? ;)
200 > > > >
201 > > > > vt
202 > > > > --
203 > > > > gentoo-user-hu@g.o mailing list
204 > >
205 > > --
206 > > gentoo-user-hu@g.o mailing list
207
208
209 --
210 gentoo-user-hu@g.o mailing list
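
An added example, not part of the thread and not OpenSSH code: a small Python check that works out which authentication methods the sshd_config posted above leaves on offer, and whether the client debug output reports any loaded identity. The function names are hypothetical, and it assumes PAM is the only keyboard-interactive backend in this sshd build.

```python
import re

# OpenSSH defaults for the options the posted file leaves commented or unset.
DEFAULTS = {"pubkeyauthentication": "yes", "passwordauthentication": "yes",
            "challengeresponseauthentication": "yes", "usepam": "no"}

# Excerpts of the sshd_config and client debug output quoted in the thread.
POSTED_CONFIG = """\
#PubkeyAuthentication yes
PasswordAuthentication no
#ChallengeResponseAuthentication yes
UsePAM no
"""
POSTED_DEBUG = """\
debug1: identity file /home/user/.ssh/identity type -1
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
"""

def effective_options(config_text):
    """Defaults overridden by uncommented lines; the first occurrence wins, as in sshd."""
    opts, seen = dict(DEFAULTS), set()
    for line in config_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "match":
            break  # conditional blocks are not evaluated here
        if key in opts and key not in seen:
            opts[key] = parts[1].strip().lower()
            seen.add(key)
    return opts

def offered_methods(opts):
    """Authentication methods the server would advertise for these options."""
    methods = []
    if opts["pubkeyauthentication"] == "yes":
        methods.append("publickey")
    if opts["passwordauthentication"] == "yes":
        methods.append("password")
    # Assumption: PAM is the only keyboard-interactive backend in this build.
    if opts["challengeresponseauthentication"] == "yes" and opts["usepam"] == "yes":
        methods.append("keyboard-interactive")
    return methods

def loaded_identities(debug_text):
    """Paths whose 'identity file' line reports a key type other than -1 (nothing loaded)."""
    pairs = re.findall(r"identity file (\S+) type (-?\d+)", debug_text)
    return [path for path, ktype in pairs if ktype != "-1"]
```

For the posted files, `offered_methods` returns only `publickey`, matching the client's "Authentications that can continue: publickey" line, and `loaded_identities` returns an empty list.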