× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. August 2017

Re: SSH madness

FYI, there's a good article on setting things up here:
[1]http://club.alanseiden.com/learninghall/article/locking-down-ssh-on-the-ibm-i-with-public-keys/

The reasoning behind this is pretty sound:
- nobody but the user should have write permission to the
.ssh/authorized_keys file because otherwise another user could add their
key to the file and log in as that user
- nobody but the user should have write permission to the .ssh directory
because otherwise another user could rename the .ssh/authorized_keys file
and create their own...
- nobody but the user should have write permission to their home directory
because otherwise another user could rename the .ssh directory and create
their own...

Also, asked earlier is how to enable logging on sshd. This is done by
setting the LogLevel sshd_config option:

LogLevel
Gives the verbosity level that is used when logging messages
from sshd(8). The possible values are:
QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2,
and DEBUG3. The default is INFO. DEBUG and
DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher
levels of debugging output. Logging with
a DEBUG level violates the privacy of users and is not
recommended.

I usually set it to DEBUG3. If you change it, you must restart the *SSHD
server. Then when you're at the password prompt you can pull up the job
log for the sshd child job that was spawned for that connection and view
the debug log. You can also start sshd -d from the command line (as
someone else mentioned) and connect to that if you prefer. You can use up
to 3 -d to enable DEBUG, DEBUG2, or DEBUG3: sshd -ddd -p 9000. The server
will only stay alive for one connection.

--
Kevin Adler
Software Development - PASE, Open Source, IBM i Access ODBC
IBM Systems, Dept 47U
Email: kadler@xxxxxxxxxx
015-3 C117
3605 HWY 52 N
Rochester, MN 55901-1407
United States



----- Original message -----
From: Matt Lavinder <mlavinder@xxxxxxxxxxxxxxxxxxx>
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Cc:
Subject: Re: SSH madness
Date: Thu, Aug 17, 2017 9:06 AM

Kevin -

Thank you very much! Figured it out. I have no idea how I overlooked
it
but it there was a write permission on his home directory for groups.
Removed that and it worked immediately. Very helpful when you have
something that tells you EXACTLY what the issue is.

Of course, now I feel like a moron for stressing how I �checked and
double
checked�. � I guess I was so focused on the keys and the .ssh
folder I
managed to overlook the home directory itself. (SSH) Tunnel vision.
<--see
what I did there

Thanks for all the suggestions and tips!

On Thu, Aug 17, 2017 at 8:01 AM, Kevin Bucknum
<Kevin@xxxxxxxxxxxxxxxxxxx>
wrote:

> Shut down the sshd daemon and then run it manually with the -d flag.
Then
> post the output here. NOTE: only one client will be able to attempt to
> connect. So make sure no one else is trying at the time. Some general
> instructions can be found here: [2]https://wiki.midrange.com/
> index.php/SSH#Diagnosing_Problems
>
>
> >
>
>
> Kevin Bucknum
> Senior Programmer Analyst
> MEDDATA/MEDTRON
> Tel: 985-893-2550
>
> -----Original Message-----
> > From: MIDRANGE-L [[3]mailto:midrange-l-bounces@xxxxxxxxxxxx] On
Behalf
> > Of Matt Lavinder
> > Sent: Thursday, August 17, 2017 6:17 AM
> > To: Midrange Systems Technical Discussion
> > Subject: Re: SSH madness
> >
> > I have disabled password authentication. I was just trying to narrow
it
> down
> > to public key authentication only. It works with the password but
does
> not
> > work with public key
> >
> > On Thu, Aug 17, 2017 at 6:57 AM Tim Bronski <tim.bronski@xxxxxxxxx>
> > wrote:
> >
> > > Since you haven't restricted your SSH server to public-key-only
then
> > > any client can choose to offer a password if they have one. Most
> > > clients choose to try key before password if they have one but
that
> > > can be changed on the client. Perhaps the mac client has set
password
> > > to be their preferred option. I'm not a mac person but for an
openssh
> > > client you can check out their config file and verify what they
have
> > > for the PreferredAuthentications setting. The order matters.
> > >
> > > --
> > > Need sFTP or PGP? Download your native sFTP or OpenPGP solutions
here:
> > > www.arpeggiosoftware.com
> > >
> > > On 8/16/2017 11:59 PM, Matt Lavinder wrote:
> > > > We are trying to give a new employee access to the PASE/Bash
command
> > > shell
> > > > via Terminal. I have added his Mac�s RSA key to the
authorized_keys
> > > > file, but it still will not let them connect. It will let them
> > > > connect with a password, but that is not what we want.
> > > >
> > > > For the life of me, I cannot figure out what is different
between
> > > > the way they are configured and I am. This all works for me
when
> > > > using my key
> > > and
> > > > my profile. If I add my Mac's key to their authorized_keys
file, it
> > > > will not let me connect either (yes, I used their user name).
> > > >
> > > > I have a lot more system authorities than the new employee does,
but
> > > > I can�t imagine why that would be the issue.
> > > >
> > > > Is there a specific authority a user needs to be able to
communicate
> > > > with the SSHD?
> > > >
> > > > Does anyone have any other ideas?
> > >
> > > --
> > > Need sFTP or PGP? Download your native sFTP or OpenPGP solutions
here:
> > > www.arpeggiosoftware.com
> > >
> > > ---
> > > This email has been checked for viruses by AVG.
> > > [4]http://www.avg.com
> > >
> > > --
> > > This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
> > > list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe,
> > > unsubscribe, or change list options,
> > > visit: [5]http://lists.midrange.com/mailman/listinfo/midrange-l
> > > or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
> > take
> > > a moment to review the archives at
> > > [6]http://archive.midrange.com/midrange-l.
> > >
> > > Please contact support@xxxxxxxxxxxx for any subscription related
> > > questions.
> > >
> > > Help support midrange.com by shopping at amazon.com with our
affiliate
> > > link: [7]http://amzn.to/2dEadiD
> > >
> > --
> > Sent from mobile device. Please excuse typos and brevity.
> > --
> > This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
> list
> > To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
> > unsubscribe, or change list options,
> > visit: [8]http://lists.midrange.com/mailman/listinfo/midrange-l
> > or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take
> > a moment to review the archives at
[9]http://archive.midrange.com/midrange-
> > l.
> >
> > Please contact support@xxxxxxxxxxxx for any subscription related
> > questions.
> >
> > Help support midrange.com by shopping at amazon.com with our
affiliate
> > link: [10]http://amzn.to/2dEadiD
> --
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: [11]http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at [12]http://archive.midrange.com/midrange-l.
>
> Please contact support@xxxxxxxxxxxx for any subscription related
> questions.
>
> Help support midrange.com by shopping at amazon.com with our affiliate
> link: [13]http://amzn.to/2dEadiD
>

--

*Matt Lavinder Programmer AnalystData Management Inc.Phone: (336)
573-5045Fax: (336) 573-5001*
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: [14]http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at [15]http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: [16]http://amzn.to/2dEadiD



References

Visible links
1. http://club.alanseiden.com/learninghall/article/locking-down-ssh-on-the-ibm-i-with-public-keys/
2. https://wiki.midrange.com/
3. mailto:midrange-l-bounces@xxxxxxxxxxxx
4. http://www.avg.com/
5. http://lists.midrange.com/mailman/listinfo/midrange-l
6. http://archive.midrange.com/midrange-l
7. http://amzn.to/2dEadiD
8. http://lists.midrange.com/mailman/listinfo/midrange-l
9. http://archive.midrange.com/midrange
10. http://amzn.to/2dEadiD
11. http://lists.midrange.com/mailman/listinfo/midrange-l
12. http://archive.midrange.com/midrange-l
13. http://amzn.to/2dEadiD
14. http://lists.midrange.com/mailman/listinfo/midrange-l
15. http://archive.midrange.com/midrange-l
16. http://amzn.to/2dEadiD

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.