Cannot SSH as root

I can SSH using other accounts, but not as root to a 10.4.4 server.

In the past iterations of OS X server, I had to manually edit the /etc/ssh/ssh_config file (or something like that) and edit a parameter to allow root SSH logins.

Now that 10.4 Server has Service ACLs, it'd be nice to just go, grab root, and add it to the list, but I cannot.

What's the best way?

This is mostly due to the fact that I'm creating replicas....

Thanks,
j

Many different systems..., Mac OS X (10.4.4)

Posted on Jan 25, 2006 7:28 AM


Jan 27, 2006 3:41 AM in response to Jeremy Matthews

There are two ways to lock out root from direct SSH login. One is /etc/sshd_config and the other is service limitations in Server Admin. The former will simply play "dumb" and not accept any password for root for ssh login. The latter will catch a little later in the process by refusing the authentication for root against NetInfo for the ssh service.

As mentioned before I'd NEVER allow direct SSH login by root. Not from the LAN, and especially not from the WAN. I'd even go as far as changing the default ssh port from 22 to something obscure. (Which sadly isn't easy with 10.4 and launchd)

I actually only know a single thing where you need direct ssh root login and that is to set up an OD replica. Once that is established, you can disable root ssh login again.
MacLemon
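The sshd_config layer MacLemon describes, as an added example that is not from this thread: a small audit function that reports the PermitRootLogin value sshd will actually use. The sample config it writes is constructed for illustration, and the script only inspects the sshd layer; a Service ACL in Server Admin is a second, independent gate.

```shell
#!/bin/sh
# Added example (not from this thread). sshd honours the FIRST occurrence of a
# keyword, so a later "PermitRootLogin no" does not undo an earlier "yes"; the
# parser below follows that rule, skips comments and blank lines, accepts the
# "keyword=value" form, and stops at the first Match block (directives inside
# Match are conditional and need separate review).

# effective_permit_root_login FILE
# Prints the effective value, or "unset" when no PermitRootLogin appears before
# the first Match block (sshd's compiled-in default then applies).
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ { next }                          # comment line
        NF == 0    { next }                          # blank line
        /^[ \t]*[^ \t=]+[ \t]*=/ { sub(/=/, " ") }   # "key=value" -> "key value"
        tolower($1) == "match" { exit }              # conditional section: stop
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_ssh_finding FILE
# Prints a one-line assessment; returns 0 only when root is locked out of sshd.
root_ssh_finding() {
    value=$(effective_permit_root_login "$1")
    case "$value" in
        no)    echo "ok: root cannot log in via sshd"; return 0 ;;
        yes)   echo "FINDING: root may log in with a password" ;;
        without-password|prohibit-password)
               echo "FINDING: root may log in with a key" ;;
        forced-commands-only)
               echo "FINDING: root may run forced commands over ssh" ;;
        unset) echo "FINDING: PermitRootLogin not set; compiled-in default applies" ;;
        *)     echo "FINDING: unrecognised value '$value'" ;;
    esac
    return 1
}

# Constructed sample: the later "no" looks like it locks root out, but the
# earlier "yes" (left over from replica setup) is what sshd actually uses.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# temporary, for setting up the OD replica
PermitRootLogin yes
Protocol 2
PermitRootLogin no
EOF
root_ssh_finding "$sample" || :
rm -f "$sample"
```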

Jan 27, 2006 3:52 AM in response to MacLemon

Hi MacLemon,

There's also a nice saying, "Security by obscurity". In the hope this will not be a long political discussion 🙂 I will try to give an alternative...

Use the firewall and block ssh traffic from all unknown IP addresses - a much nicer solution.

And even if I know it's only a few years back since the last hole in SSH was discovered, I would say that this is one of the more secure protocols to hold open for all traffic on the public network. I could find other protocols that I would rather shut down...

/Martin

Jan 27, 2006 4:09 AM in response to schyth

I didn't mean to refer to "security by obscurity". Blocking outside ssh access from all unknown IPs sometimes is not feasible. For example, if you frequently need to access a machine from varying customers whose IP ranges you cannot predict.

By changing the ssh port you can at least reduce the lines for bad login attempts that are generated at an increasing rate by automated scripts that usually don't bother to scan for open ports and then try to find an ssh server on a non-standard port.

Of course with an auditing tool like Nessus you can find the port and service. I totally agree. It's just that most automated attacks target standard ports and in that case moving to an obscure port will give you a lot more silence in your secure.log.

Of course a really good password or public key authentication will further help to increase security. (In my case public key auth is not possible either, since I need to access from my varying customer's machines.)
MacLemon

Jan 27, 2006 5:54 AM in response to MacLemon

Interesting stuff guys...

In the past, I've actually changed ports a number of times...until we started running into clients that refused to do this, due to SysAdmin policy and, of course, that some apps that use SSH/2 run on 22, and cannot be changed. This resulted in creating special firewall rules and rerouting of packets...and made life a little bit less comfortable.

Still good stuff..but sometimes doesn't work for a number of reasons.

And yes...I enjoy the SACLs in 10.4 server....MUCH nicer than editing text files 🙂

Thanks again,
jeremy

Feb 1, 2006 5:50 PM in response to Dave Walcott

Dave,

Thanks for the tip!

When establishing (Mac OS X Server) replicas in a Mac OS X-based Open Directory environment, the replica must be established using the following:

Root IP address
Root Password
Directory Admin short name
Directory Admin password

So it uses those credentials to connect as root in order to establish it as a trusted source...I've tried using other admin credentials, but it only likes root.

-jeremy
