#1
OpenSSH question
Does OpenSSH have some default mechanism that will lock a user out after too many failed logins?
If so, how is a lock-out remedied, and how would one adjust the settings so this would not happen (or happen as often)? Thanks, Brett

#2
>> will lock a user out
That depends on what your definition of lock is. Perhaps you want to block inbound port 22 at the packet filter level? Then you need to run sshd under tcpserver. Keep in mind, sshd alone can't deny a connection attempt. That's why it's usually built with TCP wrappers support. You can dynamically append his IP to /etc/hosts.allow, but you need to write a script to do that. Or you can write a script to parse the ssh log file and append that IP to tcpserver's sshd file, then rebuild the sshd.cdb database. Either way, there shouldn't be any permission problem because sshd needs to run as root.

#3
Clarification
I appreciate the reply, but I am not sure I expressed my problem correctly.
Last night I logged into my co-located FreeBSD box using ssh like always. I got in successfully, modified a single .html file, then logged out. I then tried to log in again a little later, messed up the pw initially, and on each successive logon since I have been unable to get back in. It gives me the message: Quote:
I even tried logging in from another machine, and I get the same thing. In the past, of course, I have messed up the login from time to time, but I have never been denied like this. I have made sure of all the usual (caps lock on/off, etc.), but to no avail. The machine is still running, and is serving up web pages like a champ. MySQL is working fine, and as far as I can tell so are the other services. Any thoughts? Thanks, Brett

#4
That "Permission denied" could have many possible causes, just to name a few: hosts.allow, pam.conf or even a broken key. What you should do is add the -v flag, like so:
ssh -v 12.34.56.78
That should give you more clues about the problem.

#5
OK, I tried it, and I get no more insight. As much as I do not want to, I am going to get it rebooted. If that doesn't work, I guess I will have to get into it where it is physically located.
Thanks for the help though. Brett

#6
>> I tried it, and I get no more insight
Why don't you show us the unedited output of that?

#7
output ...
Code:
ssh -v estrabd@www.brettsbsd.net
debug: SshAppCommon/sshappcommon.c:154/ssh_app_get_global_regex_context: Allocating global SshRegex context.
debug: SshConfig/sshconfig.c:2184/ssh2_parse_config: Unable to open /home/glacier/estrade/.ssh2/ssh2_config
debug: Connecting to www.brettsbsd.net, port 22...
debug: Ssh2/ssh2.c:1956/main: Entering event loop.
debug: Ssh2Client/sshclient.c:1330/ssh_client_wrap: Creating transport protocol.
debug: SshAuthMethodClient/sshauthmethodc.c:136/ssh_client_authentication_initialize: Added "publickey" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:136/ssh_client_authentication_initialize: Added "password" to usable methods.
debug: Ssh2Client/sshclient.c:1362/ssh_client_wrap: Creating userauth protocol.
debug: client supports 2 auth methods: 'publickey,password'
debug: Ssh2Common/sshcommon.c:495/ssh_common_wrap: local ip = ::ffff:80a0:2ad, local port = 64797
debug: Ssh2Common/sshcommon.c:497/ssh_common_wrap: remote ip = 208.232.10.16, remote port = 22
debug: SshConnection/sshconn.c:1889/ssh_conn_wrap: Wrapping...
debug: Remote version: SSH-1.99-OpenSSH_2.3.0 FreeBSD localisations 20010713
debug: Major: 2 Minor: 3 Revision: 0
debug: Ssh2Transport/trcommon.c:1285/ssh_tr_input_version: Remote version has kex packet guess determination bug.
debug: Ssh2Transport/trcommon.c:1289/ssh_tr_input_version: Remote version has hostbased looping on failure bug.
debug: Ssh2Transport/trcommon.c:1293/ssh_tr_input_version: Remote version can only handle one key in "hostbased" auth.
debug: Ssh2Transport/trcommon.c:1373/ssh_tr_input_version: Remote version has rekey incompatibility bug.
debug: Ssh2Transport/trcommon.c:1375/ssh_tr_input_version: Remote version is OpenSSH, KEX guesses disabled.
debug: Ssh2Transport/trcommon.c:1716/ssh_tr_negotiate: lang s to c: `', lang c to s: `'
debug: Ssh2Transport/trcommon.c:1781/ssh_tr_negotiate: c_to_s: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1784/ssh_tr_negotiate: s_to_c: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Remote host key found from database.
debug: Ssh2Common/sshcommon.c:290/ssh_common_special: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/sshcommon.c:340/ssh_common_special: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: server offers auth methods 'publickey,password'.
debug: SshConfig/sshconfig.c:2184/ssh2_parse_config: Unable to open /home/glacier/estrade/.ssh2/identification
debug: Ssh2AuthClient/sshauthc.c:315/ssh_authc_completion_proc: Method 'publickey' disabled.
debug: server offers auth methods 'publickey,password'.
debug: Ssh2AuthPasswdClient/authc-passwd.c:95/ssh_client_auth_passwd: Starting password query...
estrabd's password:
debug: server offers auth methods 'publickey,password'.
debug: Ssh2AuthPasswdClient/authc-passwd.c:95/ssh_client_auth_passwd: Starting password query...
estrabd's password:
debug: server offers auth methods 'publickey,password'.
debug: Ssh2AuthPasswdClient/authc-passwd.c:95/ssh_client_auth_passwd: Starting password query...
estrabd's password:
debug: server offers auth methods 'publickey,password'.
debug: Ssh2AuthClient/sshauthc.c:315/ssh_authc_completion_proc: Method 'password' disabled.
debug: server offers auth methods 'publickey,password'.
debug: Ssh2Common/sshcommon.c:137/ssh_common_disconnect: DISCONNECT received: No further authentication methods available.
warning: Authentication failed.
debug: Ssh2/ssh2.c:116/client_disconnect: locally_generated = TRUE
Disconnected; no more authentication methods available (No further authentication methods available.).
debug: Ssh2Client/sshclient.c:1395/ssh_client_destroy: Destroying client.
debug: SshConnection/sshconn.c:1937/ssh_conn_destroy: Destroying SshConn object.
debug: Ssh2Client/sshclient.c:1448/ssh_client_destroy_finalize: Destroying client completed.
debug: SshAuthMethodClient/sshauthmethodc.c:162/ssh_client_authentication_uninitialize: Destroying authentication method array.

I appreciate the continued help... Brett

#8
How come your $HOME has a path of /home/glacier/estrade?
If you have been using the publickey auth method in the past, it appears that the permissions in your $HOME have been modified or changed, and sshd falls back to trying password auth, but it also fails. You must have done something incorrectly recently causing that kind of permission problem, if it's really a permission issue. Sorry, I have never faced such a problem before, so I really can't provide much help on fixing it.

#9
more output
This is from my home machine (FreeBSD); glacier is my machine at work (Solaris).
Code:
Script started on Wed Mar 13 17:43:54 2002
bash-2.05$ ssh -v www.brettsbsd.net
SSH Version OpenSSH_2.3.0 FreeBSD localisations 20010713, protocol versions 1.5/2.0.
Compiled with SSL (0x0090601f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 1000 geteuid 1000 anon 1
debug: Connecting to www.brettsbsd.net [208.232.10.16] port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0 FreeBSD localisations 20010713
debug: match: OpenSSH_2.3.0 FreeBSD localisations 20010713 pat ^OpenSSH[-_]2\.3
debug: Local version string SSH-1.5-OpenSSH_2.3.0 FreeBSD localisations 20010713
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'www.brettsbsd.net' is known and matches the RSA host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Doing password authentication.
estrabd@www.brettsbsd.net's password:
Permission denied, please try again.
estrabd@www.brettsbsd.net's password:
Permission denied, please try again.
estrabd@www.brettsbsd.net's password:
Permission denied.
debug: Calling cleanup 0x8058204(0x0)
bash-2.05$ exit
Script done on Wed Mar 13 17:44:22 2002

Thanks, Brett

Last edited by estrabd : March 13th, 2002 at 08:23 PM.

#10
More insight from sshd_config
Could this be the cause:
Code:
# After 10 unauthenticated connections, refuse 30% of the new ones, and
# refuse any more than 60 total.
MaxStartups 10:30:60

I have had it up long enough for it to be a real possibility that I messed up the login over 60 times. Is this line saying that after 60 bad logins, it refuses the connection? Brett

#11
>> MaxStartups 10:30:60
That's not the original cause of the login failure problem. The main problem is why it failed in the first place. Prior to that problem, which auth type did you use? Interactive or non-interactive? Like I said, it could be a corrupted key, so sshd fell back to using password authentication, but you have never configured sshd to use password authentication (/etc/pam.conf problem).
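What MaxStartups (posts #10 and #11) actually counts, as an added example of mine rather than code from the thread or from the OpenSSH project: the value is the number of connections sshd has accepted but not yet authenticated, i.e. the number of pre-auth child processes alive at that moment, not a running total of bad passwords. The three fields are the count at which random dropping starts, the drop percentage at that count, and the count at which every new connection is dropped. The integer arithmetic in drop_probability follows sshd's drop_connection(); peak_pending is a small simulator I wrote to show why one client that keeps failing and reconnecting never pushes the count past one.

```python
import random


def parse_max_startups(spec):
    """Parse an sshd_config MaxStartups value into (begin, rate, full).
    sshd accepts 'begin:rate:full' or a single number, which means
    begin == full with no random-drop ramp (rate 100)."""
    parts = spec.split(":")
    if len(parts) == 1:
        begin = full = int(parts[0])
        rate = 100
    elif len(parts) == 3:
        begin, rate, full = (int(p) for p in parts)
    else:
        raise ValueError(f"bad MaxStartups spec: {spec!r}")
    if begin > full or not 1 <= rate <= 100:
        raise ValueError(f"bad MaxStartups spec: {spec!r}")
    return begin, rate, full


def drop_probability(pending, begin, rate, full):
    """Percent chance that sshd drops a new connection while `pending`
    connections are still unauthenticated. Integer arithmetic as in
    sshd's drop_connection(): a linear ramp from rate% at `begin`
    up to 100% at `full`."""
    if pending < begin:
        return 0
    if pending >= full or rate == 100:
        return 100
    p = 100 - rate
    p *= pending - begin
    p //= full - begin
    p += rate
    return p


def drop_connection(pending, spec, rng=random):
    """The decision sshd makes right after accept(): a uniform number in
    [0, 100) is compared against the ramp. True means the socket is closed
    before the version exchange, so the client never sees a password prompt."""
    begin, rate, full = parse_max_startups(spec)
    return rng.randrange(100) < drop_probability(pending, begin, rate, full)


def peak_pending(intervals):
    """Peak number of simultaneously unauthenticated connections given
    (open, close) times per attempt, where close is when authentication
    finished (either way) or LoginGraceTime expired. My own simulator of
    the counter sshd keeps, not OpenSSH code."""
    events = []
    for start, end in intervals:
        events.append((start, 1))
        events.append((end, -1))
    events.sort(key=lambda e: (e[0], e[1]))  # a close sorts before an open at the same instant
    pending = peak = 0
    for _, delta in events:
        pending += delta
        peak = max(peak, pending)
    return peak


if __name__ == "__main__":
    spec = "10:30:60"
    begin, rate, full = parse_max_startups(spec)
    # 70 failed logins from one client, one after the other, ten seconds apart.
    sequential = peak_pending([(i * 10, i * 10 + 5) for i in range(70)])
    # 40 connections opened at once that all sit at the password prompt.
    burst = peak_pending([(0, 120)] * 40)
    for label, pending in (("sequential", sequential), ("burst", burst)):
        print(f"{label}: peak pending {pending}, "
              f"drop chance {drop_probability(pending, begin, rate, full)}%")
```

The -v transcripts above show key exchange completing and three password prompts being served; a connection refused by MaxStartups is closed right after accept, before any of that, so the thread's own output already rules it out, as post #11 says.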

#12
I am an idiot
Figured out the problem after I arranged getting physical access to my machine.
I changed the login shells for root and my uid to be bash. Well, bash wasn't installed in the directory specified. I appreciate the help. Brett
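The root cause in post #12 suggests a check worth running before changing anyone's login shell, root's above all. This is an added example of mine, not code from the thread: it applies the conditions sshd's allowed_user() checks in current OpenSSH (the shell must exist and be executable; an empty shell field means /bin/sh), and separately flags shells missing from /etc/shells, which chsh(1) and ftpd(8) enforce but sshd does not. The exact check in the OpenSSH 2.3.0 build on that box may have differed. The passwd and shells contents are constructed samples, and fake_stat is a stand-in for os.stat so the demonstration runs offline; on a real host pass the default os.stat and the real file contents.

```python
import os
import stat

# Constructed sample files; not the thread's real /etc/passwd or /etc/shells.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
estrabd:*:1001:1001:Brett:/home/estrabd:/usr/local/bin/bash
www:*:80:80:World Wide Web Owner:/nonexistent:/sbin/nologin
"""
SAMPLE_SHELLS = """\
# /etc/shells: list of acceptable login shells
/bin/sh
/bin/csh
/usr/local/bin/bash
"""


def allowed_shells(shells_text):
    """Paths listed in /etc/shells, ignoring blank and comment lines."""
    return {ln.strip() for ln in shells_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def shell_problems(shell, shells_text, stat_fn=os.stat):
    """Reasons a login with this shell would be refused or is suspect.
    Missing or non-executable shells are what sshd rejects; absence from
    /etc/shells is reported too because chsh and ftpd care about it."""
    problems = []
    if not shell.startswith("/"):
        problems.append("not an absolute path")
    try:
        st = stat_fn(shell)
    except OSError:
        problems.append("does not exist")
    else:
        if not stat.S_ISREG(st.st_mode):
            problems.append("not a regular file")
        elif not st.st_mode & 0o111:
            problems.append("not executable")
    if shell not in allowed_shells(shells_text):
        problems.append("not listed in /etc/shells")
    return problems


def audit_passwd(passwd_text, shells_text, stat_fn=os.stat,
                 skip_shells=("/sbin/nologin", "/usr/sbin/nologin")):
    """Map each user whose shell has a problem to the list of problems.
    Accounts on a nologin stub are skipped: those are meant not to log in."""
    report = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, shell = fields[0], fields[6] or "/bin/sh"  # empty field means /bin/sh
        if shell in skip_shells:
            continue
        problems = shell_problems(shell, shells_text, stat_fn)
        if problems:
            report[user] = problems
    return report


def fake_stat(present):
    """Offline stand-in for os.stat: `present` maps path -> permission bits
    of a regular file; anything else raises like a missing file would."""
    def _stat(path):
        if path not in present:
            raise FileNotFoundError(path)
        return os.stat_result((stat.S_IFREG | present[path],) + (0,) * 9)
    return _stat


if __name__ == "__main__":
    # The thread's situation: bash listed as the shell but not installed.
    box = fake_stat({"/bin/sh": 0o755, "/bin/csh": 0o755})
    for user, problems in audit_passwd(SAMPLE_PASSWD, SAMPLE_SHELLS, box).items():
        print(f"{user}: {', '.join(problems)}")
```

Run it against the live files (`audit_passwd(open('/etc/passwd').read(), open('/etc/shells').read())`) before and after a chsh, and keep a second session open until the new shell has been verified; that is the difference between a five-minute fix and a trip to the colo.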
Thread: Dev Shed Forums > Operating Systems > BSD Help > OpenSSH question