I’d like to enable ssh login for a user created by uno administration console. I checked all the things described in Unable to login as admin with SSH. I have correct sshd configuration and libpam-ldapd installed. Yet, when trying to login I’m disconnected after successful authentication. ssh -v output below.
```
└─▪ ssh -v tforia@cc
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/piotr/.ssh/config
debug1: /Users/piotr/.ssh/config line 46: Applying options for cc
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 102: Applying options for *
debug1: Connecting to cc [xx.xxx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /Users/piotr/.ssh/id_rsa type 1
debug1: identity file /Users/piotr/.ssh/id_rsa-cert type -1
debug1: identity file /Users/piotr/.ssh/id_dsa type -1
debug1: identity file /Users/piotr/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-4+deb7u2
debug1: match: OpenSSH_6.0p1 Debian-4+deb7u2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA d7:ca:d1:54:57:c3:23:45:fd:11:9c:31:c8:dc:e9:d4
debug1: Host 'cc' is known and matches the RSA host key.
debug1: Found key in /Users/piotr/.ssh/known_hosts:75
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/piotr/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /Users/piotr/.ssh/id_dsa
debug1: Next authentication method: password
tforia@cc's password:
debug1: Authentication succeeded (password).
Authenticated to cc ([xx.xxx.xx.xx]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_CTYPE = UTF-8
Linux cc 2.6.32-042stab094.8 #1 SMP Tue Dec 16 20:36:56 MSK 2014 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Wed Dec 31 11:45:12 2014 from brln-4d0c89d2.pool.mediaways.net
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to cc closed.
Transferred: sent 2896, received 2704 bytes, in 0.3 seconds
Bytes per second: sent 8552.4, received 7985.4
debug1: Exit status 1
```
What can I do to make it work? I’d suspect that the shell is not configured for the said user, but I have no idea where to look to set it.
All right, I now understand that we actually CANNOT connect to SSH using one of the users created by Yunohost.
All we can do (as far as I understand), is deactivate “root” and use “admin” instead.
The password for admin is the same as the administration password on the web interface.
If you deactivate root ssh connection, don’t forget to add “AllowUsers admin” in sshd.conf.
Nevertheless… It should be possible to grant ssh access to standard users. Ideally, this could be an option for users on the web admin interface, along with the e-mail addresses.
Questions for the developers of Yunohost:
- How to record this kind of suggestion for future versions?
- In the meantime… how to do this manually on the ssh console?
As I didn’t want “admin” to be an authorised ssh user (too obvious for me), I found a turnaround: I simply created, in the command line with the “adduser” command, a new user (different from the ones on my yunohost box).
This is not a bug, it is more of a security concern. We chose not to enable SSH login for users because this way users would be able to exploit the server’s security holes more easily.
But @xof is right, we should at least provide a tutorial to enable SSH for the users.
I don’t exactly know the procedure, but you should change the shell value for the specific user in the LDAP base (by default to /bin/false), then change the /etc/ssh/sshd_config file to allow your user to connect (by default only admin can).
Another solution:
- Install the phpLDAPadmin app (app in progress).
- Click login, enter the admin password, then on the left side panel click the only item available -> ou=users -> uid=user, then scroll down until you see login shell and replace /bin/false by /bin/bash.
Following @freezix’s solution to install phpLDAPadmin, I made a small script which avoids installing the app if you just want to allow ssh connections; it does what @kload suggested. You will need the command ldapmodify, though.
```bash
#!/bin/bash
#
# Enable ssh login for a user
#
# Usage : ./enableSSHlogin.sh username true
#   "true" sets the user's loginShell to /bin/bash,
#   anything else sets it back to /bin/false (no interactive login).
#
if [ -z "$1" ]; then
    echo "Usage: $0 username true|false" >&2
    exit 1
fi
TARGET_USER="$1"
if [[ "$2" == "true" ]]
then
    NEWLOGINSHELL="/bin/bash"
else
    NEWLOGINSHELL="/bin/false"
fi
# Replace the loginShell attribute of the user's LDAP entry.
# -W makes ldapmodify prompt for the LDAP admin password.
echo "dn: uid=$TARGET_USER,ou=users,dc=yunohost,dc=org
changetype: modify
replace: loginShell
loginShell: $NEWLOGINSHELL" | ldapmodify -D cn=admin,dc=yunohost,dc=org -h 127.0.0.1 -W
```
ldapmodify will ask for a password, which should be the admin password.
Hope that helps some people !
Edit: note that you will probably still need to add AllowUsers username in your /etc/ssh/sshd_config
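As an added example (not from this thread), here is a small audit script that lists the LDAP users whose loginShell is not /bin/false and checks whether the AllowUsers line in sshd_config admits them, so you can see who actually has SSH access after running a script like the one above. It runs over constructed ldapsearch output and sshd_config text so it works offline; the LDAP layout (ou=users,dc=yunohost,dc=org) and the /bin/false default are assumed from the posts above.

```shell
#!/bin/bash
# Constructed sample of what `ldapsearch -x -LLL -b ou=users,dc=yunohost,dc=org uid loginShell`
# prints; on a real box, feed the command's output in instead.
SAMPLE_LDIF='dn: uid=tforia,ou=users,dc=yunohost,dc=org
uid: tforia
loginShell: /bin/bash

dn: uid=alice,ou=users,dc=yunohost,dc=org
uid: alice
loginShell: /bin/false
'

# Constructed sshd_config fragment (read /etc/ssh/sshd_config on a real box).
SAMPLE_SSHD_CONFIG='PermitRootLogin no
AllowUsers admin tforia
PasswordAuthentication yes'

# Print "uid shell" for every LDIF entry whose loginShell is not /bin/false.
shell_users() {
  printf '%s' "$1" | awk '
    /^uid: /        { uid = $2 }
    /^loginShell: / { shell = $2 }
    /^$/ { if (uid != "" && shell != "/bin/false") print uid, shell; uid = ""; shell = "" }
    END  { if (uid != "" && shell != "/bin/false") print uid, shell }'
}

# Return 0 if the config admits the user. No AllowUsers line means sshd does not
# restrict by user at all. Plain user names only: user@host forms and
# wildcard patterns that sshd also accepts are not expanded here.
ssh_allowed() {
  local user="$1" config="$2" lines tok
  lines=$(printf '%s\n' "$config" | grep -E '^[[:space:]]*AllowUsers[[:space:]]' || true)
  [ -z "$lines" ] && return 0
  for tok in $lines; do
    [ "$tok" = "AllowUsers" ] && continue
    [ "$tok" = "$user" ] && return 0
  done
  return 1
}

# Report every user with an interactive shell and whether sshd would let them in.
audit() {
  shell_users "$1" | while read -r uid shell; do
    if ssh_allowed "$uid" "$2"; then verdict="yes"; else verdict="no"; fi
    echo "$uid: loginShell=$shell, admitted by AllowUsers: $verdict"
  done
}

audit "$SAMPLE_LDIF" "$SAMPLE_SSHD_CONFIG"
```

A user reported with an interactive shell but not admitted by AllowUsers is the case in the edit above: the LDAP change alone is not enough until sshd_config is updated.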
Hello,
The script of @CaptainSqrt2 works; in /etc/ssh/sshd_config I did not have to add AllowUsers, but it may be so because I’ve set:
```
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
```
and I created-chowned this user’s authorized_keys.