I have installed CentOS 5.3. I enabled the ssh daemon. I have found that 2 options that I normally use does respond as I expect. Has anyone else had similar problems with the following options in sshd_config:

- Port 6666 - if I set the port to anything other than 22 (default), using ssh -p6666 name@servername, does not work. Yet if I keep the default, then ssh name@servername allows me to login.

- PasswordAuthentication no - if I set this option to "no" (default is "yes"), and my ssh key is either missing or in error, I will be prompted for user system login password. If this is set to "no", it should not allow me to login if I have no ssh key specified or in error. Has anyone else run into this problem?

Is there a workaround? What are my options?

Please help.

Hi,

On Tue, 2009-09-22 at 11:01 -0700, Karl Kobata wrote:
> I have installed CentOS 5.3. I enabled the ssh daemon. I have found
> that 2 options that I normally use does respond as I expect. Has
> anyone else had similar problems with the following options in
> sshd_config:
>
> - Port 6666 - if I set the port to anything other than 22 (default),
> using ssh -p6666 name@servername, does not work. Yet if I keep
> the default, then ssh name@servername allows me to login.

Did you check your iptables rules? Port 6666 is closed by default. I use a sshd with port 443, so it should work.

> - PasswordAuthentication no - if I set this option to "no" (default is
> "yes"), and my ssh key is either missing or in error, I will be
> prompted for user system login password. If this is set to "no", it
> should not allow me to login if I have no ssh key specified or in
> error. Has anyone else run into this problem?

Erhm.. I remember it does ask for a password but just doesn't let you in. But I can be mistaken :)

Regards,

Michel

On Tue, Sep 22, 2009 at 1:01 PM, Karl Kobata <Karl.Kobata at syncira.com> wrote:
> - Port 6666 - if I set the port to anything other than 22 (default), using
> ssh -p6666 name@servername, does not work. Yet if I keep the default,
> then ssh name@servername allows me to login.

You need to change the port in iptables as well.

Hi Michel,

> Hi,
> On Tue, 2009-09-22 at 11:01 -0700, Karl Kobata wrote:
> > I have installed CentOS 5.3. I enabled the ssh daemon. I have found
> > that 2 options that I normally use does respond as I expect. Has
> > anyone else had similar problems with the following options in
> > sshd_config:
> >
> > - Port 6666 - if I set the port to anything other than 22 (default),
> > using ssh -p6666 name@servername, does not work. Yet if I keep
> > the default, then ssh name@servername allows me to login.
> Did you check your iptables rules? Port 6666 is closed by default. I
> use a sshd with port 443, so it should work.

Was this the only change you made to change the port? Did you also make changes in iptables?

> > - PasswordAuthentication no - if I set this option to "no" (default is
> > "yes"), and my ssh key is either missing or in error, I will be
> > prompted for user system login password. If this is set to "no", it
> > should not allow me to login if I have no ssh key specified or in
> > error. Has anyone else run into this problem?
> Erhm.. I remember it does ask for a password but just doesn't let you
> in. But I can be mistaken :)

It does ask you for a password, and if you entered your user system password, it will log you in. I am surprised that this failure exists.

> Regards,
>
> Michel

Hi Larry,

> On Tue, Sep 22, 2009 at 1:01 PM, Karl Kobata <Karl.Kobata at syncira.com> wrote:
> > - Port 6666 - if I set the port to anything other than 22 (default), using
> > ssh -p6666 name@servername, does not work. Yet if I keep the default,
> > then ssh name@servername allows me to login.
> You need to change the port in iptables as well.

How do I modify the iptables?

Thanks

Hi,

> > On Tue, 2009-09-22 at 11:01 -0700, Karl Kobata wrote:
> > > I have installed CentOS 5.3. I enabled the ssh daemon. I have found
> > > that 2 options that I normally use does respond as I expect. Has
> > > anyone else had similar problems with the following options in
> > > sshd_config:
> > >
> > > - Port 6666 - if I set the port to anything other than 22 (default),
> > > using ssh -p6666 name@servername, does not work. Yet if I keep
> > > the default, then ssh name@servername allows me to login.
> > Did you check your iptables rules? Port 6666 is closed by default. I
> > use a sshd with port 443, so it should work.
> Was this the only change you made to change the port?

Yes, the only change to change the port in the SSHD.

> Did you also make changes in iptables?

Of course:

    iptables -I RH-Firewall-1-INPUT -j ACCEPT -p tcp --dport 6666

and after that, to make it persistent:

    service iptables save

For more options: man iptables (which you should read before playing with firewalls).

> > > - PasswordAuthentication no - if I set this option to "no" (default is
> > > "yes"), and my ssh key is either missing or in error, I will be
> > > prompted for user system login password. If this is set to "no", it
> > > should not allow me to login if I have no ssh key specified or in
> > > error. Has anyone else run into this problem?
> > Erhm.. I remember it does ask for a password but just doesn't let you
> > in. But I can be mistaken :)
> It does ask you for a password, and if you entered your user system password,
> it will log you in. I am surprised that this failure exists.

I think it's not a failure ;)

Regards,

Michel

Hi,

On Tue, Sep 22, 2009 at 14:01, Karl Kobata <Karl.Kobata at syncira.com> wrote:
> - PasswordAuthentication no - if I set this option to "no" (default is
> "yes"), and my ssh key is either missing or in error, I will be prompted for
> user system login password. If this is set to "no", it should not allow me
> to login if I have no ssh key specified or in error. Has anyone else run
> into this problem?

This is related to PAM authentication, which is what is used in (most) Linux systems.

To prevent sshd from authenticating with passwords I believe you have to set "ChallengeResponseAuthentication no" instead, at least that is what I gather from reading the comments in /etc/ssh/sshd_config.

HTH,
Filipe

I want to thank everyone for contributing to solving the implementation problem I was having. It seems in the end it was an "operator" problem.

To summarize the results:

- regarding sshd port change - uncomment port, and change the port number entry in /etc/ssh/sshd_config. Restart the sshd service. Update /etc/sysconfig/iptables to reflect the port number change from 22 to the port number specified in /etc/ssh/sshd_config, then restart iptables service.

- PasswordAuthentication no - this requires an additional option to be changed, "ChallengeResponseAuthentication no". Having made both of these changes causes the login to abort if a valid ssh key is not specified.

Again many thanks to everyone.

_____

From: Karl Kobata [mailto:Karl.Kobata at syncira.com]
Sent: Tuesday, September 22, 2009 11:02 AM
To: 'centos at centos.org'
Subject: sshd options - centos 5.3

I have installed CentOS 5.3. I enabled the ssh daemon. I have found that 2 options that I normally use does respond as I expect. Has anyone else had similar problems with the following options in sshd_config:

- Port 6666 - if I set the port to anything other than 22 (default), using ssh -p6666 name@servername, does not work. Yet if I keep the default, then ssh name@servername allows me to login.

- PasswordAuthentication no - if I set this option to "no" (default is "yes"), and my ssh key is either missing or in error, I will be prompted for user system login password. If this is set to "no", it should not allow me to login if I have no ssh key specified or in error. Has anyone else run into this problem?

Is there a workaround? What are my options?

Please help.
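
The checklist from the summary above as a small audit script (an added example, not part of the original thread): it reads the effective Port, PasswordAuthentication and ChallengeResponseAuthentication values from an sshd_config and checks that the saved iptables rules accept that port. The function names and both sample files are constructed for illustration; the "yes" default assumed for ChallengeResponseAuthentication is the upstream OpenSSH default of that era.

```shell
#!/bin/sh
# Effective value of an sshd_config keyword: the first uncommented
# occurrence wins; fall back to the given default if it never appears.
sshd_opt() {  # args: file keyword default
  awk -v k="$2" -v d="$3" '
    tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
    END { if (!found) print d }' "$1"
}

# True if the saved rules file (iptables-save format, as written by
# "service iptables save") has a tcp ACCEPT rule for the given port.
port_allowed() {  # args: rules-file port
  grep -Eq -- "^-A .*-p tcp .*--dport $2( |\$).*-j ACCEPT" "$1"
}

# Report every mismatch between sshd_config and the firewall rules.
audit() {  # args: sshd_config rules-file
  port=$(sshd_opt "$1" Port 22)
  pw=$(sshd_opt "$1" PasswordAuthentication yes)
  cr=$(sshd_opt "$1" ChallengeResponseAuthentication yes)
  rc=0
  port_allowed "$2" "$port" || { echo "FAIL: no ACCEPT rule for tcp/$port"; rc=1; }
  [ "$pw" = no ] || { echo "FAIL: PasswordAuthentication $pw"; rc=1; }
  [ "$cr" = no ] || { echo "FAIL: ChallengeResponseAuthentication $cr"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: tcp/$port open, key-only login"
  return "$rc"
}

# Constructed sample files (not taken from a real host): "before" mirrors
# the state described at the start of the thread, "after" the summary.
d=$(mktemp -d)
printf '%s\n' '#Port 22' 'Port 6666' 'PasswordAuthentication no' \
  '#ChallengeResponseAuthentication no' > "$d/before.conf"
printf '%s\n' 'Port 6666' 'PasswordAuthentication no' \
  'ChallengeResponseAuthentication no' > "$d/after.conf"
printf '%s\n' \
  '-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT' \
  > "$d/before.rules"
printf '%s\n' \
  '-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 6666 -j ACCEPT' > "$d/after.rules"

echo "before:"; audit "$d/before.conf" "$d/before.rules" || true
echo "after:";  audit "$d/after.conf"  "$d/after.rules"  || true
```

On a real host the two arguments would be /etc/ssh/sshd_config and /etc/sysconfig/iptables, the files named in the summary.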