Now none of the authentication methods is enabled. :-)

I recommend:
http://www.gentoo.org/doc/hu/security/security-handbook.xml?part=1&chap=10#doc_chap11

Aleph

2007/3/13, cjvt <cjvt@××××××××.hu>:
>
> $ cat sshd_config
>
> # $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
>
> Port 225
> Protocol 2
> #AddressFamily any
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh/ssh_host_rsa_key
> #HostKey /etc/ssh/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 768
>
> # Logging
> # obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 2m
> PermitRootLogin no
> #StrictModes yes
> #MaxAuthTries 6
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
>
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication no
> #PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication. Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> UsePAM no
>
> #AllowTcpForwarding yes
> #GatewayPorts no
> #X11Forwarding no
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> #UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> UseDNS no
> #PidFile /var/run/sshd.pid
> #MaxStartups 10
> #PermitTunnel no
>
> # no default banner path
> #Banner /some/path
>
> # override default of no subsystems
> Subsystem sftp /usr/lib64/misc/sftp-server
>
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> # X11Forwarding no
> # AllowTcpForwarding no
> # ForceCommand cvs server
>
>
> vt
> On 13 March 2007, Aleph wrote:
> > The problem is that password authentication is not enabled, but it is expected. That is why
> > it rejects you after the public key succeeds. If I'm right, the
> > line enabling PAM in the config file is not commented out.
> >
> > Aleph
> >
> > 2007/3/13, cjvt <cjvt@××××××××.hu>:
> > > Hi everyone,
> > >
> > > I have a problem: I don't know for what reason, but sshd turns me away:
> > >
> > > When I try from the client (ubuntu - 192.168.1.1), this is the result:
> > >
> > > $ ssh user@192.168.1.50 -p 225 -v
> > >
> > > OpenSSH_4.3p2 Debian-5ubuntu1, OpenSSL 0.9.8b 04 May 2006
> > > debug1: Reading configuration data /etc/ssh/ssh_config
> > > debug1: Applying options for *
> > > debug1: Connecting to 192.168.1.50 [192.168.1.50] port 225.
> > > debug1: Connection established.
> > > debug1: identity file /home/user/.ssh/identity type -1
> > > debug1: identity file /home/user/.ssh/id_rsa type -1
> > > debug1: identity file /home/user/.ssh/id_dsa type -1
> > > debug1: Remote protocol version 2.0, remote software version OpenSSH_4.6
> > > debug1: match: OpenSSH_4.6 pat OpenSSH*
> > > debug1: Enabling compatibility mode for protocol 2.0
> > > debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-5ubuntu1
> > > debug1: SSH2_MSG_KEXINIT sent
> > > debug1: SSH2_MSG_KEXINIT received
> > > debug1: kex: server->client aes128-cbc hmac-md5 none
> > > debug1: kex: client->server aes128-cbc hmac-md5 none
> > > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > > debug1: Host '192.168.1.50' is known and matches the RSA host key.
> > > debug1: Found key in /home/user/.ssh/known_hosts:1
> > > debug1: ssh_rsa_verify: signature correct
> > > debug1: SSH2_MSG_NEWKEYS sent
> > > debug1: expecting SSH2_MSG_NEWKEYS
> > > debug1: SSH2_MSG_NEWKEYS received
> > > debug1: SSH2_MSG_SERVICE_REQUEST sent
> > > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > > debug1: Authentications that can continue: publickey
> > > debug1: Next authentication method: publickey
> > > debug1: Trying private key: /home/user/.ssh/identity
> > > debug1: Trying private key: /home/user/.ssh/id_rsa
> > > debug1: Trying private key: /home/user/.ssh/id_dsa
> > > debug1: No more authentication methods to try.
> > > Permission denied (publickey).
> > >
> > >
> > > while the server (gentoo - 192.168.1.50) says this in the log:
> > >
> > >
> > > reverse mapping checking getaddrinfo for server [192.168.1.1] failed - POSSIBLE BREAK-IN ATTEMPT!
> > >
> > > Does anyone know what I broke while editing? ;)
> > >
> > > vt
> > > --
> > > gentoo-user-hu@g.o mailing list
>
>
> --
> gentoo-user-hu@g.o mailing list
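The thread above can be worked through mechanically. What follows is an added example, not code from the thread or from OpenSSH: it parses the posted sshd_config the way sshd does (comment lines ignored, keywords case-insensitive, first occurrence of a keyword wins, Match blocks not modelled), applies the defaults stated in the shipped file's commented-out lines, and derives the list sshd would send as "Authentications that can continue". It then reads the posted `ssh -v` transcript: "identity file X type -1" means the client could not read a public key at X, so with only publickey on offer and no key to present, the client prints "Permission denied (publickey)". The server's "reverse mapping ... POSSIBLE BREAK-IN ATTEMPT!" line is a reverse-DNS warning and does not by itself refuse the login. One labelled assumption: keyboard-interactive is treated as offered only when ChallengeResponseAuthentication is yes and UsePAM is yes, which matches a Linux build without an S/Key backend. The config and transcript excerpts are constructed from the thread.

```python
"""Added example: derive sshd's offered auth methods from sshd_config and
explain an `ssh -v` 'Permission denied (publickey)' transcript.
Not code from the thread or from OpenSSH."""
import re

# Constructed excerpt of the sshd_config posted in the thread (uncommented
# directives plus the commented defaults that matter for authentication).
POSTED_SSHD_CONFIG = """\
Port 225
Protocol 2
PermitRootLogin no
#PubkeyAuthentication yes
PasswordAuthentication no
#ChallengeResponseAuthentication yes
UsePAM no
UseDNS no
Subsystem sftp /usr/lib64/misc/sftp-server
"""

# Constructed excerpt of the `ssh -v` transcript posted in the thread.
POSTED_SSH_V = """\
debug1: identity file /home/user/.ssh/identity type -1
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
"""

# Defaults as stated by the commented-out lines of the shipped sshd_config.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "hostbasedauthentication": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}


def parse_sshd_config(text):
    """Effective values of the auth keywords: comments skipped, keywords
    case-insensitive, first occurrence wins (sshd's rule outside Match)."""
    cfg = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break  # per-user overrides are not modelled here
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key not in seen:
            seen.add(key)
            cfg[key] = value
    return cfg


def offered_auth_methods(cfg):
    """Methods sshd lists in 'Authentications that can continue'.
    Assumption: keyboard-interactive needs PAM on this build, so it is
    offered only with ChallengeResponseAuthentication yes and UsePAM yes."""
    methods = []
    if cfg["pubkeyauthentication"] == "yes":
        methods.append("publickey")
    if cfg["hostbasedauthentication"] == "yes":
        methods.append("hostbased")
    if cfg["passwordauthentication"] == "yes":
        methods.append("password")
    if cfg["challengeresponseauthentication"] == "yes" and cfg["usepam"] == "yes":
        methods.append("keyboard-interactive")
    return methods


def diagnose(sshd_config_text, ssh_v_text):
    """Combine the server config and the client transcript into a verdict."""
    server = offered_auth_methods(parse_sshd_config(sshd_config_text))
    # 'identity file X type -1': no public key could be read at path X.
    missing = re.findall(r"identity file (\S+) type -1", ssh_v_text)
    loaded = re.findall(r"identity file (\S+) type (?!-1)\d+", ssh_v_text)
    adv = re.findall(r"Authentications that can continue: (\S+)", ssh_v_text)
    advertised = adv[-1].split(",") if adv else []
    if advertised and sorted(advertised) != sorted(server):
        verdict = "stale_sshd"      # file on disk differs from the running daemon
    elif "publickey" in server and not loaded and "password" not in server:
        verdict = "no_client_key"   # nothing to offer, and no password fallback
    elif "publickey" in server and loaded:
        verdict = "key_rejected"    # check authorized_keys and StrictModes perms
    else:
        verdict = "unknown"
    return {"server_methods": server, "advertised": advertised,
            "missing_keys": missing, "loaded_keys": loaded, "verdict": verdict}


if __name__ == "__main__":
    for k, v in diagnose(POSTED_SSHD_CONFIG, POSTED_SSH_V).items():
        print(f"{k}: {v}")
```

On a current OpenSSH, `sshd -T` prints the effective configuration directly, which replaces the parser half of this; the client half still applies, since `ssh -v` reports every identity file it fails to load as `type -1`.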