Re: [discuss] msec and sshd_config
From: Mark Watts (m.watts@eris.qinetiq.com)
Date: Tue May 06 2003 - 08:52:59 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is all on 9.0 with latest patches btw.
> > Mark Watts wrote:
> > > Hi all,
> > >
> > > /etc/cron.hourly/msec keeps changing my sshd config to allow root
> > > logins. How can I stop it from changing this file?
> > > (I want local root console login, but not remote ssh root login).
> >
> > mmm, yes, the fact that msec makes settings *less* secure than they are
> > should be fixed.
> >
> > But, you should be able to do it by adding
> > allow_remote_root_login(0)
> >
> > to /etc/security/msec/level.local
> >
> > Of course, I wonder if there's an easy way to get it to use
> > PermitRootLogin without-password
> > ...
> >
> > Regards,
> > Buchan
>
> I've tried adding allow_remote_root_login(0) and it didn't make any
> difference...
>
> [root@ukmawp01 ssh]# cat /etc/security/msec/level.local
> allow_remote_root_login(0)
> allow_root_login(1)
> [root@ukmawp01 ssh]# /etc/cron.hourly/msec
> [root@ukmawp01 ssh]# cat sshd_config | grep Root
> PermitRootLogin yes
> [root@ukmawp01 ssh]#
>
> syslog has this in it:
>
> May 6 14:31:07 ukmawp01 msec: Reading local rules from /etc/security/msec/level.local
> May 6 14:31:07 ukmawp01 msec: Error loading /etc/security/msec/level.local: name 'allow_remote_root_login' is not defined ...
> May 6 14:31:07 ukmawp01 msec: Allowing direct root login
> May 6 14:31:07 ukmawp01 msec: replaced in /etc/ssh/sshd_config the line 35:
> May 6 14:31:07 ukmawp01 msec: PermitRootLogin no
> May 6 14:31:07 ukmawp01 msec: with the line:
> May 6 14:31:07 ukmawp01 msec: PermitRootLogin yes
>
>
> If I change level.local to:
>
> allow_remote_root_login=0
> allow_root_login=1
>
> Then this happens:
>
> [root@ukmawp01 ssh]# cat sshd_config | grep Root
> PermitRootLogin no
> [root@ukmawp01 ssh]# cat /etc/security/msec/level.local
> allow_remote_root_login=0
> allow_root_login=1
> [root@ukmawp01 ssh]# /etc/cron.hourly/msec
> [root@ukmawp01 ssh]# cat sshd_config | grep Root
> PermitRootLogin yes
> [root@ukmawp01 ssh]#
>
>
> No errors appear in the log, but it still says this:
>
> May 6 14:38:19 ukmawp01 msec: Allowing direct root login
> May 6 14:38:19 ukmawp01 msec: replaced in /etc/ssh/sshd_config the line 35:
> May 6 14:38:19 ukmawp01 msec: PermitRootLogin no
> May 6 14:38:19 ukmawp01 msec: with the line:
> May 6 14:38:19 ukmawp01 msec: PermitRootLogin yes
>
>
> Interestingly, if I have this:
>
> allow_root_login=0
>
> Then nothing changes in sshd_config but I _still_ get this in the log:
>
> May 6 14:44:08 ukmawp01 msec: Allowing direct root login
>
>
> I'm getting the impression that msec is either deliberately ignoring
> level.local or doesn't understand that remote root login is different to
> local root login.
>
> Either way, I'm not very impressed that it's touching sshd_config at all.
>
> Mark.
- --
Mark Watts
Systems Engineer
QinetiQ TIM
St Andrews Road, Malvern
GPG Public Key ID: 455420ED
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+t747Bn4EFUVUIO0RAh6VAJ4umdy1kgWgy+HySoqlTBDocZK9vQCfR1X4
qEf//jXC8ov5sEO1MtHxBuI=
=ktZC
-----END PGP SIGNATURE-----
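A defender-side check for the drift described in this thread, added here as an example; it is not code from the thread, from msec or from OpenSSH. It reports the PermitRootLogin value sshd will actually use (sshd keeps the first occurrence of a keyword, so a later duplicate does not override it) and counts the syslog lines in which msec records a rewrite of sshd_config. Because the thread shows "Allowing direct root login" being logged even when nothing changes, the "replaced in" line is the signal worth alerting on. The sample sshd_config excerpt and syslog lines are constructed from the output quoted above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from msec itself.
# Reports the PermitRootLogin value sshd will actually use and counts the
# msec log lines that record a rewrite of sshd_config, so an hourly change
# shows up in monitoring instead of being discovered by hand.

# Print the effective PermitRootLogin value from sshd_config (file argument,
# or stdin when none is given). sshd keeps the first occurrence of a keyword,
# so a later duplicate does not override it. Match blocks are not modelled.
# Prints "unset" when no directive is present.
effective_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "unset" }' "$@"
}

# Count syslog lines in which msec reports rewriting /etc/ssh/sshd_config.
# "Allowing direct root login" is logged even when nothing changes, so the
# "replaced in" line is the reliable signal. grep -c prints 0 and exits 1
# when there is no match, hence the "|| true".
count_msec_sshd_rewrites() {
    grep -c 'msec: replaced in /etc/ssh/sshd_config' "$@" || true
}

# Compare the effective value against policy; return 0 on match, 1 on drift.
# Usage: check_root_login_policy <wanted> [sshd_config]
check_root_login_policy() {
    wanted=$1
    shift
    actual=$(effective_permit_root_login "$@")
    if [ "$actual" = "$wanted" ]; then
        echo "OK: PermitRootLogin $actual"
        return 0
    fi
    echo "DRIFT: PermitRootLogin is '$actual', policy requires '$wanted'"
    return 1
}

# Constructed sshd_config excerpt mirroring the thread: msec has turned
# line 3 into "yes"; the later "no" is ignored by sshd.
SAMPLE_SSHD_CONFIG='# constructed sshd_config excerpt
Port 22
PermitRootLogin yes
PermitRootLogin no'

# Constructed syslog excerpt with two msec rewrite events and one run that
# logged "Allowing direct root login" without changing anything.
SAMPLE_SYSLOG='May 6 14:31:07 ukmawp01 msec: Allowing direct root login
May 6 14:31:07 ukmawp01 msec: replaced in /etc/ssh/sshd_config the line 35:
May 6 14:31:07 ukmawp01 msec: PermitRootLogin no
May 6 14:31:07 ukmawp01 msec: with the line:
May 6 14:31:07 ukmawp01 msec: PermitRootLogin yes
May 6 14:38:19 ukmawp01 msec: Allowing direct root login
May 6 14:38:19 ukmawp01 msec: replaced in /etc/ssh/sshd_config the line 35:
May 6 14:44:08 ukmawp01 msec: Allowing direct root login'

# Demonstration on the constructed samples. On a real host this would be
# check_root_login_policy no /etc/ssh/sshd_config, run after the msec cron job.
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | check_root_login_policy no || :
echo "msec rewrites of sshd_config in log: $(printf '%s\n' "$SAMPLE_SYSLOG" | count_msec_sshd_rewrites)"
```

Run after /etc/cron.hourly/msec (or from cron a few minutes later), a non-zero exit from check_root_login_policy is the cue to look at level.local and the msec log rather than at sshd itself.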