2015/11/12 7:20 "Paulo Roberto" <betobran...@gmail.com>: > > Dear list, > > I need some help. > > > After upgrading the openssh-server package to the version: > > ii openssh-server 1:6.9p1-2+b1 amd64 secure shell (SSH) server, for secure access from remote machines > > The option AllowUsers of /etc/ssh/sshd_config stopped working. > Any user can log through ssh even not present in this option.
AllowUsers assumes you have set the default to deny, I think. If that got changed when you merged settings, it would result in what you are seeing. If you need more information, I tend to use the archives at marc.info for the openssh and openbsd lists. Check the archives before you post to the lists. > Before the upgrade everything worked fine. > > I tested the same sshd_config file in my OpenBSD box and there everything worked as expected. > > OpenSSH_6.7, LibreSSL 2.0 > > Could it be a BUG? > > Below follow the sshd debug and my /etc/ssh/sshd_config > > Thanks in advance for your time and help. > > > # /usr/sbin/sshd -D -f /etc/ssh/sshd_config -d > debug1: sshd version OpenSSH_6.9, OpenSSL 1.0.2d 9 Jul 2015 > debug1: private host key #0: ssh-rsa SHA256:************************* > debug1: private host key #1: ssh-dss SHA256:************************* > debug1: private host key #2: ecdsa-sha2-nistp521 SHA256:***************************** > debug1: rexec_argv[0]='/usr/sbin/sshd' > debug1: rexec_argv[1]='-D' > debug1: rexec_argv[2]='-f' > debug1: rexec_argv[3]='/etc/ssh/sshd_config' > debug1: rexec_argv[4]='-d' > Set /proc/self/oom_score_adj from 0 to -1000 > debug1: Bind to port 22 on 0.0.0.0. > Server listening on 0.0.0.0 port 22. > debug1: Bind to port 22 on ::. > Server listening on :: port 22. > debug1: Server will not fork when running in debugging mode. > debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 > debug1: inetd sockets after dupping: 3, 3 > Connection from 200.137.21.34 port 53540 on 192.168.1.3 port 22 > debug1: Client protocol version 2.0; client software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 > debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_6.9p1 Debian-2+b1 > debug1: permanently_set_uid: 112/65534 [preauth] > debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp521 [preauth] > debug1: SSH2_MSG_KEXINIT sent [preauth] > debug1: SSH2_MSG_KEXINIT received [preauth] > debug1: kex: client->server aes256-...@openssh.com <implicit> none [preauth] > debug1: kex: server->client aes256-...@openssh.com <implicit> none [preauth] > debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] > debug1: SSH2_MSG_NEWKEYS sent [preauth] > debug1: expecting SSH2_MSG_NEWKEYS [preauth] > debug1: SSH2_MSG_NEWKEYS received [preauth] > debug1: KEX done [preauth] > debug1: userauth-request for user user1 service ssh-connection method none [preauth] > debug1: attempt 0 failures 0 [preauth] > debug1: user user1 does not match group list hg-users at line 93 > debug1: PAM: initializing for "user1" > debug1: PAM: setting PAM_RHOST to "200.137.21.34" > debug1: PAM: setting PAM_TTY to "ssh" > debug1: userauth-request for user user1 service ssh-connection method publickey [preauth] > debug1: attempt 1 failures 0 [preauth] > debug1: test whether pkalg/pkblob are acceptable [preauth] > debug1: temporarily_use_uid: 1000/1000 (e=0/0) > debug1: trying public key file /home/user1/.ssh/authorized_keys > debug1: fd 4 clearing O_NONBLOCK > debug1: restore_uid: 0/0 > debug1: temporarily_use_uid: 1000/1000 (e=0/0) > debug1: trying public key file /home/user1/.ssh/authorized_keys2 > debug1: Could not open authorized keys '/home/user1/.ssh/authorized_keys2': No such file or directory > debug1: restore_uid: 0/0 > Failed publickey for user1 from 200.137.21.34 port 53540 ssh2: RSA SHA256:*************************** > debug1: userauth-request for user user1 service ssh-connection method password [preauth] > debug1: attempt 2 failures 1 [preauth] > debug1: PAM: password authentication accepted for user1 > debug1: do_pam_account: called > Accepted password for user1 from 200.137.21.34 port 53540 ssh2 > debug1: monitor_child_preauth: user1 has been authenticated by privileged process > debug1: monitor_read_log: child log fd closed > debug1: PAM: establishing credentials > User child is on pid 13122 > debug1: SELinux support disabled > debug1: PAM: establishing credentials > debug1: permanently_set_uid: 1000/1000 > debug1: ssh_packet_set_postauth: called > debug1: Entering interactive session for SSH2. > debug1: server_init_dispatch_20 > debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384 > debug1: input_session_request > debug1: channel 0: new [server-session] > debug1: session_new: session 0 > debug1: session_open: channel 0 > debug1: session_open: session 0: link with channel 0 > debug1: server_input_channel_open: confirm session > debug1: server_input_global_request: rtype no-more-sessi...@openssh.com want_reply 0 > debug1: server_input_channel_req: channel 0 request pty-req reply 1 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req pty-req > debug1: Allocating pty. > debug1: session_new: session 0 > debug1: SELinux support disabled > debug1: session_pty_req: session 0 alloc /dev/pts/4 > debug1: server_input_channel_req: channel 0 request env reply 0 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req env > debug1: server_input_channel_req: channel 0 request shell reply 1 > debug1: session_by_channel: session 0 channel 0 > debug1: session_input_channel_req: session 0 req shell > Starting session: shell on pts/4 for user1 from 200.137.21.34 port 53540 > debug1: Setting controlling tty using TIOCSCTTY. > debug1: Received SIGCHLD. > debug1: session_by_pid: pid 13123 > debug1: session_exit_message: session 0 channel 0 pid 13123 > debug1: session_exit_message: release channel 0 > debug1: session_by_tty: session 0 tty /dev/pts/4 > debug1: session_pty_cleanup: session 0 release /dev/pts/4 > debug1: session_by_channel: session 0 channel 0 > debug1: session_close_by_channel: channel 0 child 0 > debug1: session_close: session 0 pid 0 > debug1: channel 0: free: server-session, nchannels 1 > Received disconnect from 200.137.21.34: 11: disconnected by user > Disconnected from 200.137.21.34 > debug1: do_cleanup > debug1: do_cleanup > debug1: PAM: cleanup > debug1: PAM: closing session > debug1: PAM: deleting credentials > debug1: audit_event: unhandled event 12 > > ============================================================== > sshd_config: > > > # Package generated configuration file > # See the sshd_config(5) manpage for details > > # What ports, IPs and protocols we listen for > Port 22 > # Use these options to restrict which interfaces/protocols sshd will bind to > #ListenAddress :: > #ListenAddress 0.0.0.0 > Protocol 2 > # HostKeys for protocol version 2 > HostKey /etc/ssh/ssh_host_rsa_key > HostKey /etc/ssh/ssh_host_dsa_key > HostKey /etc/ssh/ssh_host_ecdsa_key > #Privilege Separation is turned on for security > UsePrivilegeSeparation yes > > # Lifetime and size of ephemeral version 1 server key > KeyRegenerationInterval 3600 > ServerKeyBits 4096 > > # Logging > SyslogFacility AUTH > LogLevel INFO > > # Authentication: > LoginGraceTime 120 > #PermitRootLogin without-password > PermitRootLogin no > StrictModes yes > > RSAAuthentication yes > PubkeyAuthentication yes > #AuthorizedKeysFile %h/.ssh/authorized_keys > > # Don't read the user's ~/.rhosts and ~/.shosts files > IgnoreRhosts yes > # For this to work you will also need host keys in /etc/ssh_known_hosts > RhostsRSAAuthentication no > # similar for protocol version 2 > HostbasedAuthentication no > # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication > #IgnoreUserKnownHosts yes > > # To enable empty passwords, change to yes (NOT RECOMMENDED) > PermitEmptyPasswords no > > # Change to yes to enable challenge-response passwords (beware issues with > # some PAM modules and threads) > ChallengeResponseAuthentication no > > # Change to no to disable tunnelled clear text passwords > #PasswordAuthentication yes > > # Kerberos options > #KerberosAuthentication no > #KerberosGetAFSToken no > #KerberosOrLocalPasswd yes > #KerberosTicketCleanup yes > > # GSSAPI options > #GSSAPIAuthentication no > #GSSAPICleanupCredentials yes > > X11Forwarding yes > X11DisplayOffset 10 > PrintMotd no > PrintLastLog yes > TCPKeepAlive yes > Ciphers aes256-cbc,aes256-...@openssh.com,aes256-cbc > MACs hmac-sha2-512,hmac-sha2-256 > #UseLogin no > > #MaxStartups 10:30:60 > #Banner /etc/issue.net > > # Allow client to pass locale environment variables > AcceptEnv LANG LC_* > > Subsystem sftp /usr/lib/openssh/sftp-server > > # Set this to 'yes' to enable PAM authentication, account processing, > # and session processing. If this is enabled, PAM authentication will > # be allowed through the ChallengeResponseAuthentication and > # PasswordAuthentication. Depending on your PAM configuration, > # PAM authentication via ChallengeResponseAuthentication may bypass > # the setting of "PermitRootLogin without-password". > # If you just want the PAM account and session checks to run without > # PAM authentication, then enable this but set PasswordAuthentication > # and ChallengeResponseAuthentication to 'no'. > UsePAM yes > > AllowUsers remoteguest > > >
