Hi; Can someone please remind me how to update my VPS so that I have to authenticate first as "user" before I can su to root? TIA, Victor
I am not sure what a VPS is, but assuming you only have SSH login enabled, then this will do it :
grep -i root /etc/ssh/sshd_config
#PermitRootLogin yes
and restart sshd
On Mon, Oct 26, 2009 at 4:05 PM, Victor Subervi victorsubervi@gmail.com wrote:
Hi; Can someone please remind me how to update my VPS so that I have to authenticate first as "user" before I can su to root? TIA, Victor
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I am not sure what a VPS is
VPS stands for virtual private server.
Neil
-- Neil Aggarwal, (281)846-8957, http://www.JAMMConsulting.com CentOS 5.4 KVM VPS $55/mo, no setup fee, no contract, dedicated 64bit CPU, 1GB dedicated RAM, 40GB RAID storage, 500GB/mo premium BW
What I was interested in doing was to make it impossible for root to login directly, but rather enable other users to login and then su to root. So I edited /etc/ssh/sshd_config to read: #PermitRootLogin no (It was the dir I didn't know.) It initially said "yes", but it was and is commented. How is it that I then and still can login directly as root? Is reboot necessary? TIA, V
On Mon, Oct 26, 2009 at 4:17 PM, Neil Aggarwal neil@jammconsulting.com wrote:
I am not sure what a VPS is
VPS stands for virtual private server.
Neil
-- Neil Aggarwal, (281)846-8957, http://www.JAMMConsulting.com CentOS 5.4 KVM VPS $55/mo, no setup fee, no contract, dedicated 64bit CPU, 1GB dedicated RAM, 40GB RAID storage, 500GB/mo premium BW
Did you remove the # in front of the line? You still have it in your example.
-- Neil Aggarwal, (281)846-8957, http://www.JAMMConsulting.com http://www.jammconsulting.com/ CentOS 5.4 KVM VPS $55/mo, no setup fee, no contract, dedicated 64bit CPU 1GB dedicated RAM, 40GB RAID storage, 500GB/mo premium BW, Zero downtime
_____
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Victor Subervi Sent: Tuesday, October 27, 2009 9:52 AM To: CentOS mailing list Subject: Re: [CentOS] Change from Root
What I was interested in doing was to make it impossible for root to login directly, but rather enable other users to login and then su to root. So I edited /etc/ssh/sshd_config to read: #PermitRootLogin no (It was the dir I didn't know.) It initially said "yes", but it was and is commented. How is it that I then and still can login directly as root? Is reboot necessary? TIA, V
On Tue, Oct 27, 2009 at 9:51 AM, Victor Subervi victorsubervi@gmail.com wrote:
What I was interested in doing was to make it impossible for root to login directly, but rather enable other users to login and then su to root. So I edited /etc/ssh/sshd_config to read: #PermitRootLogin no (It was the dir I didn't know.) It initially said "yes", but it was and is commented. How is it that I then and still can login directly as root? Is reboot necessary?
remove the # and save the file, then service sshd restart
Victor Subervi wrote:
What I was interested in doing was to make it impossible for root to login directly, but rather enable other users to login and then su to root. So I edited /etc/ssh/sshd_config to read: #PermitRootLogin no (It was the dir I didn't know.) It initially said "yes", but it was and is commented. How is it that I then and still can login directly as root? Is reboot necessary?
It's not going to have any effect unless you remove the # sign. You don't need to reboot, but do a 'service sshd restart'.
Les Mikesell lesmikesell@gmail.com wrote on 27.10.2009 16:04:56:
Victor Subervi wrote:
What I was interested in doing was to make it impossible for root to login directly, but rather enable other users to login and then su to root. So I edited /etc/ssh/sshd_config to read: #PermitRootLogin no (It was the dir I didn't know.) It initially said "yes", but it was and is commented. How is it that I then and still can login directly as root? Is reboot necessary?
It's not going to have any effect unless you remove the # sign. You don't need to reboot, but do a 'service sshd restart'.
Please, *don't* restart the service. If you fuck up your sshd_config and you have no OOB remote access you're lost. `service sshd reload' is something more recommendable as it doesn't drop your current SSH sessions.
Just for the records: Another way would be to set PermitRootLogin to without-password and thus pinning it down to logins via ssh-keys only.
Frank.
Well, I'm baffled. Changing to this: PermitRootLogin no does nothing without reboot. With respect to the other, I have the following documentation:
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
I don't want PAM. Please advise. V
On Tue, Oct 27, 2009 at 11:16 AM, Frank.Brodbeck@klingel.de wrote:
Les Mikesell lesmikesell@gmail.com wrote on 27.10.2009 16:04:56:
Victor Subervi wrote:
What I was interested in doing was to make it impossible for root to login directly, but rather enable other users to login and then su to root. So I edited /etc/ssh/sshd_config to read: #PermitRootLogin no (It was the dir I didn't know.) It initially said "yes", but it was and is commented. How is it that I then and still can login directly as root? Is reboot necessary?
It's not going to have any effect unless you remove the # sign. You don't need to reboot, but do a 'service sshd restart'.
Please, *don't* restart the service. If you fuck up your sshd_config and you have no OOB remote access you're lost. `service sshd reload' is something more recommendable as it doesn't drop your current SSH sessions.
Just for the records: Another way would be to set PermitRootLogin to without-password and thus pinning it down to logins via ssh-keys only.
Frank.
The RedHat docs worked. Thanks! V
On Tue, Oct 27, 2009 at 11:28 AM, Victor Subervi victorsubervi@gmail.com wrote:
Well, I'm baffled. Changing to this: PermitRootLogin no does nothing without reboot. With respect to the other, I have the following documentation:
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
I don't want PAM. Please advise. V
Frank.Brodbeck@klingel.de wrote:
Les Mikesell lesmikesell@gmail.com wrote on 27.10.2009 16:04:56:
Victor Subervi wrote:
What I was interested in doing was to make it impossible for root to login directly, but rather enable other users to login and then su to root. So I edited /etc/ssh/sshd_config to read: #PermitRootLogin no (It was the dir I didn't know.) It initially said "yes", but it was and is commented. How is it that I then and still can login directly as root? Is reboot necessary?
It's not going to have any effect unless you remove the # sign. You don't need to reboot, but do a 'service sshd restart'.
Please, *don't* restart the service. If you fuck up your sshd_config and you have no OOB remote access you're lost. `service sshd reload' is something more recommendable as it doesn't drop your current SSH sessions.
I've done a restart without being dropped. Are you sure it is supposed to drop existing connections?
Les Mikesell lesmikesell@gmail.com wrote on 27.10.2009 16:29:18:
Frank.Brodbeck@klingel.de wrote:
Les Mikesell lesmikesell@gmail.com wrote on 27.10.2009 16:04:56:
Victor Subervi wrote:
What I was interested in doing was to make it impossible for root to login directly, but rather enable other users to login and then su to root. So I edited /etc/ssh/sshd_config to read: #PermitRootLogin no (It was the dir I didn't know.) It initially said "yes", but it was and is commented. How is it that I then and still can login directly as root? Is reboot necessary?
It's not going to have any effect unless you remove the # sign. You don't need to reboot, but do a 'service sshd restart'.
Please, *don't* restart the service. If you fuck up your sshd_config and you have no OOB remote access you're lost. `service sshd reload' is something more recommendable as it doesn't drop your current SSH sessions.
I've done a restart without being dropped. Are you sure it is supposed to drop existing connections?
See me baffled.
It is at least what I was expecting and I think it happens on some distros. Though reading /etc/init.d/sshd clearly shows that calling stop isn't supposed to kill all connections. Which is funny, at least I would expect a service sshd stop to drop all ssh sessions. Good to know I have to kill all sessions by hand if I want to kick people out... :-/
Anyways, SIGHUP normally is enough to make OpenSSH reread its configuration file, which makes it safe to use across distros and even platforms but this is a different story.
Frank.
Frank.Brodbeck@klingel.de wrote:
Please, *don't* restart the service. If you fuck up your sshd_config and you have no OOB remote access you're lost. `service sshd reload' is something more recommendable as it doesn't drop your current SSH sessions.
No, it seems it is safe to restart sshd. Your current connection stays open and you can test your new sshd config with another ssh session.
Rainer
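Added example, not part of any message in this thread: a shell sketch of the change discussed above, showing that a commented-out PermitRootLogin line sets nothing, and checking the file with sshd's test mode before the reload. The function names, the "default" marker for "no active line", and the sample config are constructed for illustration; edits inside Match blocks are not handled.

```shell
#!/bin/sh
# Added example: run against a copy of sshd_config, not the live file.

# Print the PermitRootLogin value set in FILE's global section (first active
# line wins; a "#" line is only a comment), or "default" if nothing sets it.
effective_permit_root_login() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }                  # ignore leading blanks
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); hit = 1; exit }
        END { if (!hit) print "default" }' "$1"
}

# Set PermitRootLogin to VALUE in FILE: replace the first active or
# commented-out directive line, or put the directive first if there is none.
set_permit_root_login() {
    file=$1 value=$2
    tmp=$(mktemp) || return 1
    if grep -Eqi '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]=]' "$file"; then
        awk -v v="$value" '
            !hit && tolower($0) ~ /^[ \t]*#?[ \t]*permitrootlogin[ \t=]/ {
                print "PermitRootLogin " v; hit = 1; next
            }
            { print }' "$file"
    else
        { echo "PermitRootLogin $value"; cat "$file"; }
    fi > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"        # cat keeps owner and mode
}

# Syntax-check FILE with sshd's test mode and reload only if it passes.
# Needs root and a real sshd, so the demo below does not call it.
check_and_reload() {
    sshd -t -f "$1" || { echo "sshd rejected $1; not reloading" >&2; return 1; }
    service sshd reload
}

# Constructed sample modelled on the lines quoted in the thread.
demo_on_sample() {
    cfg=$(mktemp) || return 1
    printf '%s\n' '#LoginGraceTime 2m' '#PermitRootLogin yes' \
        '# "PermitRootLogin without-password". If you just want the PAM account and' \
        'UsePAM yes' > "$cfg"
    before=$(effective_permit_root_login "$cfg")
    set_permit_root_login "$cfg" no
    after=$(effective_permit_root_login "$cfg")
    rm -f "$cfg"
    echo "$before -> $after"
}
demo_on_sample    # prints: default -> no
```

After check_and_reload succeeds on the real file, keep the current session open and confirm the result from a second SSH session.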
Victor:
Also, check out section 4.4.2 of the security guide: http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-wstation-privileges.html
It addresses your question precisely.
Neil
-- Neil Aggarwal, (281)846-8957, http://www.JAMMConsulting.com http://www.jammconsulting.com/ CentOS 5.4 KVM VPS $55/mo, no setup fee, no contract, dedicated 64bit CPU 1GB dedicated RAM, 40GB RAID storage, 500GB/mo premium BW, Zero downtime