Discussion:
SSH config file changed format?
Dotan Cohen
2007-01-28 11:46:38 UTC
I tried adding these options to /etc/ssh/ssh_config:
Protocol 2
PermitRootLogin no
AllowUsers myUserName
MaxAuthTries 4

However, when I try to test, I get an error that these options are invalid:
$ ssh localhost
/etc/ssh/ssh_config: line 55: Bad configuration option: PermitRootLogin
/etc/ssh/ssh_config: line 56: Bad configuration option: AllowUsers
/etc/ssh/ssh_config: line 57: Bad configuration option: MaxAuthTries
/etc/ssh/ssh_config: terminating, 3 bad configuration options

These are the options that I used the last time I enabled SSH, in FC4
I think. None of the commented-out options seem to replace these, so
how would I go about securing SSH in FC6?

Thanks in advance.

Dotan Cohen

http://lyricslist.com/lyrics/artist_albums/377/nine_inch_nails.html
http://fitha.com
Steve Searle
2007-01-28 12:01:47 UTC
Post by Dotan Cohen
Protocol 2
PermitRootLogin no
AllowUsers myUserName
MaxAuthTries 4
I just checked these in my working FC6 config file, and at first glance
they seem OK. I don't have the AllowUsers one, and the MaxAuthTries is
commented out. It may be worth posting all of your config file.

Also, what version do you have installed? I have:

openssh-server.i386 4.2p1-fc4.10

Steve
--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting a bad thing?

11:54:13 up 162 days, 14:21, 3 users, load average: 0.00, 0.02, 0.00
Dotan Cohen
2007-01-28 12:09:21 UTC
Post by Steve Searle
Post by Dotan Cohen
Protocol 2
PermitRootLogin no
AllowUsers myUserName
MaxAuthTries 4
I just checked these in my working FC6 config file, and at first glance
they seem OK. I don't have the AllowUsers one, and the MaxAuthTries is
commented out. It may be worth posting all of your config file.
openssh-server.i386 4.2p1-fc4.10
Steve
# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

Here is /etc/ssh/ssh_config:

# cat /etc/ssh/ssh_config
# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $

# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
Host *
GSSAPIAuthentication yes
# If this option is set to yes then remote X11 clients will have full access
# to the original X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
ForwardX11Trusted yes
# Send locale-related environment variables
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL

Protocol 2
PermitRootLogin no
AllowUsers myUserName
MaxAuthTries 4



Of course, I change myUserName to what it should be! Thanks.

Dotan Cohen

http://lyricslist.com/lyrics/artist_albums/568/5th_ward_boyz.html
http://bybon.com
Lars E. Pettersson
2007-01-28 12:34:19 UTC
Post by Dotan Cohen
# cat /etc/ssh/ssh_config
# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
Ah, the wrong file. You should add those lines to the server file, i.e.
/etc/ssh/sshd_config (note the d in sshd), you have changed the client
file. Easy to mix them up, have done it myself a couple of times... :-)

Lars
--
Lars E. Pettersson <lars at homer.se>
http://www.sm6rpz.se/
Dotan Cohen
2007-01-28 13:59:26 UTC
Post by Lars E. Pettersson
Post by Dotan Cohen
# cat /etc/ssh/ssh_config
# $OpenBSD: ssh_config,v 1.21 2005/12/06 22:38:27 reyk Exp $
Ah, the wrong file. You should add those lines to the server file, i.e.
/etc/ssh/sshd_config (note the d in sshd), you have changed the client
file. Easy to mix them up, have done it myself a couple of times... :-)
Lars
Thanks, Lars. Wiping egg off face now...

Dotan Cohen

http://what-is-what.com/what_is/ajax.html
http://lyricslist.com/lyrics/artist_albums/400/phish.html
Fernando Gozalo
2007-01-28 12:37:30 UTC
Post by Dotan Cohen
Protocol 2
PermitRootLogin no
AllowUsers myUserName
MaxAuthTries 4
$ ssh localhost
/etc/ssh/ssh_config: line 55: Bad configuration option: PermitRootLogin
/etc/ssh/ssh_config: line 56: Bad configuration option: AllowUsers
/etc/ssh/ssh_config: line 57: Bad configuration option: MaxAuthTries
/etc/ssh/ssh_config: terminating, 3 bad configuration options
These are the options that I used the last time I enabled SSH, in FC4
I think. None of the commented-out options seem to replace these, so
how would I go about securing SSH in FC6?
Thanks in advance.
Put these options in /etc/ssh/sshd_config, not /etc/ssh/ssh_config.

Fernando.
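
The mix-up resolved in this thread (sshd_config keywords placed in the client's ssh_config) can be caught before running ssh. The script below is an added example, not part of the original posts: the function names and the SERVER_ONLY list are assumptions made for illustration, and the list covers only some server-side keywords.

```shell
#!/bin/sh
# Partial, illustrative list of keywords that belong in sshd_config (server),
# lower-cased because OpenSSH matches keywords case-insensitively.
# Assumption: this is not the full set from sshd_config(5).
SERVER_ONLY="permitrootlogin allowusers denyusers allowgroups denygroups maxauthtries permitemptypasswords logingracetime maxstartups listenaddress"

# find_misplaced FILE: print "LINE: Keyword" for each server-only keyword in FILE.
# Returns 1 if any were found, 0 if the file is clean.
find_misplaced() {
    awk -v list="$SERVER_ONLY" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) srv[a[i]] = 1 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)               # drop leading indentation
            if (line == "" || line ~ /^#/) next    # skip blank lines and comments
            split(line, parts, /[ \t=]+/)          # "Key value" or "Key=value"
            if (tolower(parts[1]) in srv) { printf "%d: %s\n", NR, parts[1]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample modelled on the end of the client file posted in the thread.
sample_client_config() {
    cat <<'EOF'
Host *
  GSSAPIAuthentication yes
# PermitLocalCommand no
Protocol 2
PermitRootLogin no
allowusers=myUserName
MaxAuthTries 4
EOF
}

# Run the check against a temporary copy of the sample; returns its status.
check_sample() {
    tmp=$(mktemp) || return 2
    sample_client_config > "$tmp"
    rc=0; find_misplaced "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

check_sample || echo "move the lines listed above to /etc/ssh/sshd_config"
```

Once the directives are in the server file, `sshd -t` checks that file's syntax without starting the daemon.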