How to disable password authentication for every user except several - openssh

I want to share my answer to the question in the title, which I couldn't find quickly.
There are many topics on how to disable password auth entirely:
# it will not be used for authentication
UsePAM yes
ChallengeResponseAuthentication no
PasswordAuthentication no
KbdInteractiveAuthentication no
but no topics on how to enable it for a particular user:
Match User myuser
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes
Also, a useful command to test the sshd config is:
sshd -T -C user=myuser,host=127.1,addr=127.1
Please note that "127.1" will not work on every system, so you may need to paste 127.0.0.1 here.

If it is not about password authentication specifically, you could force usage of pam_access.so and have your /etc/security/access.conf look like so:
+ : myuser : <ip/net here or ALL>
- : ALL : ALL

Related

Ansible Try Multiple Passwords for Same User

I need to login into 50 hosts and perform a specific task.
Each host has one of 2 passwords (ex: pass1 and pass2) for a specific user (ex: foo).
I do not know on which host "foo" is set with "pass1" and on which host "foo" is set with "pass2". I have both passwords in a vault file.
Using Ansible, how can I first make a task that tries to log in as "foo" with "pass1", then, if unsuccessful, logs in with "pass2", and finally sets a fact with the correct vault value (depending on which password worked, i.e. which one "foo" managed to log in with)?
I then want to use that fact to perform additional tasks on that same host.

SSH Connection without password is not working

I am new to Hadoop. I am trying to connect the namenode and data node through ssh, but I am not able to access ssh without a password even though I have set up a public key.
Below is the sshd config.
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
Please let me know how to fix the issue. I have tried several solutions available on Google but none of them are working. Please help.
Try to follow these steps below.
Change to root user
arif@ubuntu:~$ sudo -s
Recreate the SSH directory
root@ubuntu:~# cd ~
root@ubuntu:/# sudo rm -rf .ssh
root@ubuntu:/# ls -l .ssh
ls: cannot access .ssh: No such file or directory
root@ubuntu:/# mkdir .ssh
root@ubuntu:/# chmod 700 .ssh
Create the authorized_keys file
root@ubuntu:/# touch .ssh/authorized_keys
root@ubuntu:/# chmod 600 .ssh/authorized_keys
Generate a passwordless key
root@ubuntu:/# ssh-keygen -t rsa -P ""
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
4f:f1:83:ad:03:ed:82:46:fa:11:ec:74:10:bf:03:41 root@ubuntu
The key's randomart image is:
+--[ RSA 2048]----+
| .E |
| + |
| o . . |
| . o o = |
| = S + + |
| = + * . . |
| . = . = |
| o . . . |
| . |
+-----------------+
Copy that key to other servers
Also, copy to localhost
root@ubuntu:/# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
root@ubuntu:/# chmod 600 /root/.ssh/authorized_keys
Test your key
root@ubuntu:/# ssh localhost
###########################################################
# WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! #
###########################################################
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
87:21:89:ac:cd:ce:bf:32:30:d6:d2:a2:dc:ff:6d:ad.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:1
remove with: ssh-keygen -f "/root/.ssh/known_hosts" -R localhost
ECDSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.
Following the instructions mentioned in the above error
root@ubuntu:/# ssh-keygen -f "/root/.ssh/known_hosts" -R localhost
# Host localhost found: line 1 type ECDSA
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old
Testing again
root@ubuntu:/# ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is 87:21:89:ac:cd:ce:bf:32:30:d6:d2:a2:dc:ff:6d:ad.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
* Documentation: https://help.ubuntu.com/
New release '16.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Wed Dec 20 07:13:15 2017 from localhost
Now, start Hadoop
root@ubuntu:/# cd $HADOOP_HOME
root@ubuntu:~/applications/hadoop/hadoop-2.9.0# sbin/start-all.sh
Now always use the sudo -s root user login before starting the Hadoop cluster with sbin/start-all or sbin/stop-all; otherwise you have to first answer yes and later provide the password five times.
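The steps above come down to a handful of file-mode rules that sshd (with StrictModes, the default) and the ssh client enforce silently: the home directory, ~/.ssh and authorized_keys must not be group- or world-writable, and a private key must not be readable by anyone but its owner. The following is an added example, not code from the question or the answer: an audit script that reports why key-based login into a given home directory would fail, exercised against two constructed fixtures (one laid out as the answer does it, one with a group-writable ~/.ssh and a world-readable private key). The public key in it is a constructed, syntactically valid line, not a real key.

```python
import os
import stat
import tempfile

# Conditions OpenSSH enforces (sshd_config(5) StrictModes, ssh(1) key loading).
WORLD_OR_GROUP_WRITABLE = 0o022   # ~, ~/.ssh, authorized_keys must be clear of these bits
GROUP_OR_OTHER_READABLE = 0o077   # private keys must be clear of these bits

# Key types this example recognises on an authorized_keys / .pub line.
KEY_TYPES = ('ssh-ed25519', 'ssh-rsa', 'ecdsa-sha2-nistp256',
             'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'ssh-dss')


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def _type_and_key(line):
    """Return (type, base64) from a key line, skipping leading options such as
    from="..." and the trailing comment, so keys compare by content only."""
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok in KEY_TYPES:
            return tok, parts[i + 1]
    return None


def key_is_authorized(auth_keys, pubkey_line):
    want = _type_and_key(pubkey_line)
    if want is None:
        return False
    with open(auth_keys) as f:
        return any(_type_and_key(l) == want for l in f
                   if l.strip() and not l.startswith('#'))


def audit_ssh_dir(home, pubkey_line):
    """List the reasons key-based login into `home` would fail; [] means the
    layout matches what the answer above creates (700 dir, 600 key files)."""
    problems = []
    ssh_dir = os.path.join(home, '.ssh')
    auth_keys = os.path.join(ssh_dir, 'authorized_keys')
    for path in (home, ssh_dir, auth_keys):
        if not os.path.exists(path):
            problems.append(f'{path}: missing')
        elif _mode(path) & WORLD_OR_GROUP_WRITABLE:
            problems.append(f'{path}: mode {_mode(path):o} is group/world writable; '
                            'StrictModes makes sshd ignore authorized_keys')
    if os.path.isdir(ssh_dir):
        for name in sorted(os.listdir(ssh_dir)):
            path = os.path.join(ssh_dir, name)
            if (name.startswith('id_') and not name.endswith('.pub')
                    and os.path.isfile(path) and _mode(path) & GROUP_OR_OTHER_READABLE):
                problems.append(f'{path}: mode {_mode(path):o} is readable by '
                                'group/others; ssh refuses to use the key')
    if os.path.isfile(auth_keys) and not key_is_authorized(auth_keys, pubkey_line):
        problems.append(f'{auth_keys}: the public key is not listed')
    return problems


# Constructed for the demo: NOT a real key, only a well-formed ed25519 line.
DEMO_PUBKEY = ('ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoDemoDemoDemoDemoDemoDemoDemo'
               'DemoDemoDemo constructed@example')


def make_fixture(base, sloppy=False):
    """Build a fake home under `base`; sloppy=True reproduces two common
    mistakes: a group-writable ~/.ssh and a world-readable private key."""
    home = os.path.join(base, 'home')
    ssh_dir = os.path.join(home, '.ssh')
    os.makedirs(ssh_dir)
    os.chmod(home, 0o755)
    os.chmod(ssh_dir, 0o770 if sloppy else 0o700)
    auth_keys = os.path.join(ssh_dir, 'authorized_keys')
    with open(auth_keys, 'w') as f:
        f.write('# constructed file\n' + DEMO_PUBKEY + '\n')
    os.chmod(auth_keys, 0o600)
    priv = os.path.join(ssh_dir, 'id_ed25519')
    with open(priv, 'w') as f:
        f.write('-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n'
                '-----END OPENSSH PRIVATE KEY-----\n')
    os.chmod(priv, 0o644 if sloppy else 0o600)
    return home


def run_demo():
    """Audit a correct and a sloppy fixture; returns both problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        good = audit_ssh_dir(make_fixture(os.path.join(tmp, 'ok')), DEMO_PUBKEY)
        bad = audit_ssh_dir(make_fixture(os.path.join(tmp, 'sloppy'), True), DEMO_PUBKEY)
    return good, bad


if __name__ == '__main__':
    good, bad = run_demo()
    print('correct layout:', good or 'OK')
    print('sloppy layout:', *bad, sep='\n  ')
```

Run it against a real account by calling audit_ssh_dir(os.path.expanduser('~'), open('~/.ssh/id_ed25519.pub').read()); the answer's recipe (700 on ~/.ssh, 600 on authorized_keys and the private key) produces an empty list.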

How to verify multiple server's root password using bash script?

I've two text files, one with a list of server names, another with their root passwords (unique per server).
I have to check all the servers' root passwords by logging in to the individual servers, but the issue is that, by default, ssh root login is disabled. Hence I have to log in via my normal user (Test), switch to root and try the root password that is mentioned in the text file.
Is there any way I can get this automated? I would highly appreciate it if anyone can help me out.
Linux passwords are stored in the /etc/shadow file.
They're just hashed plaintext, no magic.
Take a look at Python's crypt.crypt() function.
# change 'root' password to 'secret' (demo only)
$ echo root:secret | chpasswd
Password for 'root' changed
# get 'root' hashed password
$ grep root /etc/shadow
root:$6$YvK0oNOm$k.zELztgUM2LajbVGsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0:16673:0:::::
# verify hashed password is correct
$ python3 -c 'import crypt; print(crypt.crypt("secret", "$6$YvK0oNOm$") == "$6$YvK0oNOm$k.zELztgUM2LajbVGsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0")'
True
You can collect shadow files from all servers, and verify them locally.
WARNING: Shadow files are very sensitive.
This is a simple solution.
input.csv
192.168.1.1,secret,$6$YvK0oNOm$k.zELztgUM2LajbVGsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0
192.168.1.2,pAssWd,$6$AbcdeFgh$1234fsXXXXXXXXXXXsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0
192.168.1.3,123456,$6$efsjdsix$8787sdfsdsdfsd232sqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0
check.py
import csv
import crypt  # standard library through Python 3.12; removed in 3.13

with open('input.csv', newline='') as f:
    for host, password, hashed in csv.reader(f):
        # the salt is embedded in the hash, so re-hashing with it must reproduce it
        if crypt.crypt(password, hashed) != hashed:
            print(host)
result
$ python3 check.py
192.168.1.2
192.168.1.3
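Once shadow files have been collected as the answer suggests, there is more in them worth checking than whether one candidate password matches: the password field also tells you which hash algorithm is in use, whether the account is locked, and whether it has no password at all. The following is an added example, not the answerer's code: a parser for shadow lines plus a classifier of the password field, with optional verification through the crypt module (standard library up to Python 3.12; on 3.13 the call is skipped and reported). The sample shadow content is constructed for the demo; only the root line reuses the hash shown in the answer above.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Prefix -> algorithm, per crypt(5). Anything else is reported as unknown.
HASH_PREFIXES = {
    '$y$': 'yescrypt', '$gy$': 'gost-yescrypt', '$7$': 'scrypt',
    '$2b$': 'bcrypt', '$2y$': 'bcrypt', '$2a$': 'bcrypt',
    '$6$': 'sha512crypt', '$5$': 'sha256crypt',
    '$1$': 'md5crypt',
}
WEAK = {'md5crypt', 'descrypt'}   # fast, unsalted-enough or tiny keyspace: flag them


@dataclass
class ShadowEntry:
    name: str
    hashed: str
    last_change: Optional[int]   # days since 1970-01-01, None when the field is empty
    max_age: Optional[int]

    @property
    def status(self):
        """Classify the password field roughly the way `passwd -S` does."""
        h = self.hashed
        if h == '':
            return 'NO PASSWORD: login succeeds with an empty password'
        if h.startswith('!') or h.startswith('*'):
            return 'locked (no password will ever match)'
        if h.startswith('$'):
            prefix = '$' + h.split('$', 2)[1] + '$'
            algo = HASH_PREFIXES.get(prefix, 'unknown ' + prefix)
        elif len(h) == 13:
            algo = 'descrypt'          # traditional DES crypt, 2-char salt
        else:
            algo = 'unknown'
        return algo + (' (weak)' if algo in WEAK else '')


def parse_shadow(text):
    """Parse shadow content: name:hash:lastchange:min:max:warn:inactive:expire:flag."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith('#'):
            continue
        f = line.split(':')
        if len(f) != 9:
            raise ValueError(f'line {lineno}: expected 9 fields, got {len(f)}')
        entries.append(ShadowEntry(f[0], f[1],
                                   int(f[2]) if f[2] else None,
                                   int(f[4]) if f[4] else None))
    return entries


def verify(password, hashed):
    """The answer's check: the salt lives inside the hash, so crypt(candidate,
    hash) must reproduce the hash exactly. Constant-time compare."""
    import crypt  # raises ImportError on Python 3.13+, where the module was removed
    return hmac.compare_digest(crypt.crypt(password, hashed), hashed)


def audit(text, expected=None):
    """Return {user: finding}. `expected` maps user -> the plaintext believed
    to be set; those entries are verified when the crypt module is available."""
    findings = {}
    for e in parse_shadow(text):
        note = e.status
        if expected and e.name in expected and e.hashed.startswith('$'):
            try:
                ok = verify(expected[e.name], e.hashed)
                note += ' / password matches' if ok else ' / PASSWORD MISMATCH'
            except ImportError:
                note += ' / (crypt unavailable, not verified)'
        findings[e.name] = note
    return findings


# Constructed sample; the root hash is the one from the answer above.
SAMPLE_SHADOW = """\
root:$6$YvK0oNOm$k.zELztgUM2LajbVGsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0:16673:0:99999:7:::
daemon:*:16673:0:99999:7:::
backup:!:16673:0:99999:7:::
legacy:$1$abcdefgh$0123456789abcdefghijkl:16673:0:99999:7:::
guest::16673:0:99999:7:::
"""

if __name__ == '__main__':
    for user, finding in audit(SAMPLE_SHADOW, {'root': 'secret'}).items():
        print(f'{user:8} {finding}')
```

For the fleet check in the question, feed each collected shadow file to audit() with that host's expected root password; the "NO PASSWORD" and "(weak)" findings are the ones that usually matter more than the mismatch itself. The warning in the answer stands: delete the collected shadow files as soon as the check is done.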

Using two SSH keys with GitHub along with connection multiplexing

I want to use GitHub with two different SSH keys to access two different accounts. This is no problem and I can set it up easily by aliasing the hostname in my configuration. The problem comes when this configuration is combined with my SSH multiplexing configuration. I cannot seem to override my default ControlPath with a host-specific declaration.
Maybe this is just the way it works? Maybe it is a bug? Am I doing something wrong?
I'm on Mac 10.7 by the way.
Here is my config:
Host *
    ControlMaster auto
    ControlPath ~/.ssh/connections/ssh-%r@%h:%p
Host github.com-X
    TCPKeepAlive yes
    ServerAliveInterval 60
    ControlPersist 1h
    Hostname github.com
    User git
    IdentityFile ~/.ssh/id_rsa_X
    IdentitiesOnly yes
    ControlPath ~/.ssh/connections/ssh-%r@%h-X:%p
Host github.com
    TCPKeepAlive yes
    ServerAliveInterval 60
    ControlPersist 1h
I have tinkered around a little bit, but it seems that I always get the ControlPath as specified in the Host * declaration.
ssh -T git@github.com-X
Logs me in as the correct user using id_rsa_X, but it creates the domain socket here:
~/.ssh/connections/ssh-git@github.com:22
Rather than:
~/.ssh/connections/ssh-git@github.com-X:22
So later when I try to issue an SSH command using id_rsa, I get the id_rsa_X user because of connection multiplexing. In other words:
ssh -T git@github.com
Gives me a hello message for the user whose key is id_rsa_X.
You can see that it reads all the settings and then tries to use the wrong ControlPath.
$ ssh -vT git@github.com-X
OpenSSH_5.6p1, OpenSSL 0.9.8y 5 Feb 2013
debug1: Reading configuration data /Users/<username>/.ssh/config
debug1: Applying options for *
debug1: Applying options for github.com-X
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/Users/<username>/.ssh/connections/ssh-git@github.com:22" does not exist
<snip>
Any ideas?
I got a great answer to this question on ServerFault from user gipset.
You need to move the less specific options further down in ~/.ssh/config. The Host * options are applied first and they are not overwritten by later, clashing, options, even if they are more specific. New options that were not specified in Host * will however be applied and I think that is what you saw in your log.
Source: http://linux.die.net/man/5/ssh_config
ssh(1) obtains configuration data from the following sources in the following order:
command-line options
user's configuration file (~/.ssh/config)
system-wide configuration file (/etc/ssh/ssh_config)
For each parameter, the first obtained value will be used. The configuration files contain sections separated by "Host" specifications, and that section is only applied for hosts that match one of the patterns given in the specification. The matched host name is the one given on the command line.
Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.
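Two ordering rules on this page trip people up in opposite directions: in ssh_config the first value obtained for a keyword wins, so `Host *` at the top pins ControlPath for every host; in sshd_config (the Match User answer at the top of the page) a Match block overrides the global section, but its scope runs to the next Match line or end of file, so a "global" line appended after it silently applies only to that user. The following is an added example, not code from either answer and not OpenSSH's own parser: a small resolver that applies each rule to the configs discussed here, the way `ssh -G` and `sshd -T -C user=...` would. It models only `Host` patterns on the client side and `Match User ...`/`Match All` on the server side, uses fnmatch as an approximation of OpenSSH's pattern matcher (no `!` negation), and the configs embedded in it are those from this page, with the line order of the accepted answer applied in FIXED_CONFIG.

```python
import fnmatch
import re

_SPLIT = re.compile(r'[\s=]+')


def _directives(text):
    """Yield (keyword, value), keywords lower-cased; blank and '#' lines are
    skipped. Both files accept `Key value` and `Key=value`."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = _SPLIT.split(line, 1)
        yield parts[0].lower(), parts[1] if len(parts) > 1 else ''


def _matches(patterns, value, sep):
    # OpenSSH has its own '*'/'?' matcher with '!' negation; fnmatch is an
    # approximation that covers the patterns used on this page.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns.split(sep) if p)


def resolve_ssh(config, host):
    """Client side (ssh_config(5)): sections are read in file order, a Host
    section applies when one of its patterns matches the name typed on the
    command line (a Hostname rewrite inside it does not change that), and for
    each keyword the FIRST value obtained is kept. Returns {keyword: value}."""
    opts = {}
    applies = True                      # lines before the first Host are global
    for kw, val in _directives(config):
        if kw == 'host':
            applies = _matches(val, host, ' ')
        elif applies:
            opts.setdefault(kw, val)    # a later value never overrides
    return opts


def _match_user(spec, user):
    toks = spec.split()
    if [t.lower() for t in toks] == ['all']:
        return True
    for crit, pat in zip(toks[0::2], toks[1::2]):
        if crit.lower() != 'user':      # Address/Group/... not modelled here
            raise NotImplementedError(f'Match {crit} is not modelled')
        if not _matches(pat, user, ','):
            return False
    return bool(toks)


def resolve_sshd(config, user):
    """Server side (sshd_config(5)), what `sshd -T -C user=<user>` reports:
    in the global section the first value wins; a Match block whose criteria
    are met overrides the global value and its scope runs to the next Match
    line or end of file; among several matching blocks the first to set a
    keyword wins."""
    global_opts, match_opts = {}, {}
    in_match = matched = False
    for kw, val in _directives(config):
        if kw == 'match':
            in_match, matched = True, _match_user(val, user)
        elif not in_match:
            global_opts.setdefault(kw, val)
        elif matched:
            match_opts.setdefault(kw, val)
    return {**global_opts, **match_opts}


ASKER_CONFIG = """
Host *
    ControlMaster auto
    ControlPath ~/.ssh/connections/ssh-%r@%h:%p
Host github.com-X
    Hostname github.com
    User git
    IdentityFile ~/.ssh/id_rsa_X
    IdentitiesOnly yes
    ControlPath ~/.ssh/connections/ssh-%r@%h-X:%p
"""
# The accepted answer's fix: specific sections first, defaults last.
FIXED_CONFIG = """
Host github.com-X
    Hostname github.com
    User git
    IdentityFile ~/.ssh/id_rsa_X
    IdentitiesOnly yes
    ControlPath ~/.ssh/connections/ssh-%r@%h-X:%p
Host *
    ControlMaster auto
    ControlPath ~/.ssh/connections/ssh-%r@%h:%p
"""
SSHD_CONFIG = """
UsePAM yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User myuser
    PasswordAuthentication yes
    KbdInteractiveAuthentication yes
"""
# Classic mistake: a line meant to be global, appended after the Match block.
SSHD_MISPLACED = SSHD_CONFIG + "PermitRootLogin no\n"

if __name__ == '__main__':
    for name, cfg in (('asker', ASKER_CONFIG), ('fixed', FIXED_CONFIG)):
        print(name, 'github.com-X ->', resolve_ssh(cfg, 'github.com-X')['controlpath'])
    for user in ('myuser', 'alice'):
        print(user, '->', resolve_sshd(SSHD_MISPLACED, user))
```

The misplaced-line case is the one to remember when following the Match User answer: `sshd -T -C user=alice` will show PermitRootLogin at its default because the appended line belongs to the `Match User myuser` block, which is exactly what the resolver reports.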

Nginx - Password Protect Directory

I want to password protect my entire site. I am running Debian Squeeze. Say I want my username to be "Jane" and my password to be "V3RySEcRe7".
In my app-nginx.conf:
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/htpasswd;
In my shell script I have this:
printf "Jane:$(openssl passwd -1 V3RySEcRe7)\n" >> /etc/nginx/htpasswd
When I go to my site it is password protected, but the credentials I use don't work. Where am I going wrong here?
I'm sure you'd have fixed this by now, but thought I'd add this for others:
The Nginx documentation is a little cryptic on this, but does mention that the "Apache variant of the MD5-based password algorithm (apr1)" should be used to generate the password hash. So using the -apr1 flag instead of -1 will work:
printf "Jane:$(openssl passwd -apr1 V3RySEcRe7)\n" >> /etc/nginx/htpasswd
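`openssl passwd -1` and `openssl passwd -apr1` run the same MD5-crypt algorithm; the only difference is the magic string written into the hash, `$1$` versus `$apr1$`, which is what a verifier keys on when deciding how to recompute the hash. The following is an added example, not the answerer's script: a pure-Python implementation of that algorithm, a helper that emits an htpasswd line in the apr1 form, and a checker that validates credentials against htpasswd content offline, so an entry can be tested before nginx is reloaded. The user name and the fixed salt `abcdefgh` used in the usage are constructed for the demo; real entries get a random salt.

```python
import hashlib
import hmac
import secrets

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def _to64(v, n):
    """crypt(3)-style base64: least-significant 6 bits first."""
    out = ''
    for _ in range(n):
        out += ITOA64[v & 0x3f]
        v >>= 6
    return out


def md5_crypt(password, salt, magic='$apr1$'):
    """Poul-Henning Kamp's MD5-crypt. `openssl passwd -1` uses magic '$1$';
    `openssl passwd -apr1` and `htpasswd -m` use '$apr1$'. Salt is at most
    8 characters from ITOA64."""
    pw, sl, mg = password.encode(), salt[:8].encode(), magic.encode()
    h = hashlib.md5(pw + mg + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                       # mix in alt, one byte per password byte
        h.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                           # the historical bit-by-bit quirk
        h.update(b'\0' if n & 1 else pw[:1])
        n >>= 1
    final = h.digest()
    for i in range(1000):              # fixed 1000-round stretching
        h = hashlib.md5()
        h.update(pw if i & 1 else final)
        if i % 3:
            h.update(sl)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out = ''
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return f'{magic}{salt[:8]}${out}'


def htpasswd_line(user, password, salt=None):
    """One htpasswd entry in the apr1 form nginx's auth_basic accepts."""
    salt = salt or ''.join(secrets.choice(ITOA64) for _ in range(8))
    return f'{user}:{md5_crypt(password, salt)}'


def verify_htpasswd(htpasswd_text, user, password):
    """Check credentials against htpasswd content; handles $apr1$ and $1$
    entries and compares in constant time. Other schemes return False."""
    for line in htpasswd_text.splitlines():
        if ':' not in line or line.startswith('#'):
            continue
        name, stored = line.split(':', 1)
        if name != user:
            continue
        parts = stored.split('$')      # '', magic, salt, hash
        if len(parts) == 4 and parts[1] in ('apr1', '1'):
            candidate = md5_crypt(password, parts[2], f'${parts[1]}$')
            return hmac.compare_digest(candidate, stored)
        return False
    return False


if __name__ == '__main__':
    entry = htpasswd_line('Jane', 'V3RySEcRe7', 'abcdefgh')   # constructed salt
    print(entry)
    print('correct password:', verify_htpasswd(entry, 'Jane', 'V3RySEcRe7'))
    print('wrong password:  ', verify_htpasswd(entry, 'Jane', 'nope'))
```

MD5-crypt is a 1990s design with a fixed 1000 rounds; it is what the htpasswd format and nginx support, but treat the file as a secret and keep it outside the document root, as the answer's /etc/nginx path already does.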
