Home / server / Questions / 759821
Accepted
user1700494
Asked: 2016-02-26 09:32:32 +0800 CST

Passwordless root login with ssh tectia denied by policy

  • 772

I need to setup passwordless root access with ssh tectia. I've done the following:

  • created keypair via ssh-keygen as usual
  • copied private key to *source_host*:/etc/opt/SSHtectia/keys/root . Also i created file /etc/opt/SSHtectia/keys/root/identification and specified private key there.
  • copied public key to *target_host*:/etc/opt/SSHtectia/keys/root . Also i created file /etc/opt/SSHtectia/keys/root/authorization and specified public key there.

When tried to login, i see that key was accepted, but login was denied

    Feb 25 11:52:42 targethost ssh-server-g3: 400 Connect, Policy name: connection, Src: sourcehost.my.domain,sourcehost, Src IP: x.x.7.131, Dst IFace: default, Dst IP: x.x.7.151, Src Port: 38158, Dst Port: 22, Ver: SSH-2.0-6.3.8.79 SSH Secure Shell, Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 1002 Algorithm_negotiation_success, "kex_algorithm=diffie-hellman-group1-sha1, hostkey_algorithm=ssh-rsa, cipher=aes128-cbc/aes128-cbc, mac=hmac-sha1/hmac-sha1, compression=none/none", Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 703 Auth_methods_available, Username: root, Auth methods: publickey, Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 707 Publickey_auth_success, Username: root, Algorithm: publickey, "The user's public key matched the key (/etc/opt/SSHtectia/keys/root/authorized_11.pub, fingerprint xozel-pezer-sacok-vunud-horim-ropuc-milaf-nobip-setuc-zedar-boxex/bd7afcbc846e24252f8b29181f3940ac771f49b0) in the user's authorization file (/etc/opt/SSHtectia/keys/root/authorization)", Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 700 Auth_method_success, Username: root, Auth method: publickey, Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 702 Auth_methods_completed, Username: root, Auth methods: publickey, Src IP: x.x.7.131, Src Port: 38158, Ver: SSH-2.0-6.3.8.79 SSH Secure Shell, Session-Id: 288135 
    Feb 25 11:52:42 targethost ssh-server-g3: 410 Login_success, Username: root, Src: sourcehost.my.domain,sourcehost, Src IP: x.x.7.131, Dst IFace: default, Dst IP: x.x.7.151, Src Port: 38158, Dst Port: 22, Ver: SSH-2.0-6.3.8.79 SSH Secure Shell, Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 420 Session_channel_open, Username: root, Error: Denied by policy, Command: shell, Sub ID: 0, Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 421 Session_channel_close, Username: root, Sub ID: 0, Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 412 Logout, Username: root, Reason: By application, Src: sourcehost.my.domain,sourcehost, Src IP: x.x.7.131, Dst IFace: default, Dst IP: x.x.7.151, Src Port: 38158, Dst Port: 22, "Connection discarded by broker, Remote Disconnect", Session-Id: 288135
    Feb 25 11:52:42 targethost ssh-server-g3: 402 Disconnect, Reason: By application, Src: sourcehost.my.domain,sourcehost, Src IP: x.x.7.131, Dst IFace: default, Dst IP: x.x.7.151, Src Port: 38158, Dst Port: 22, "Connection discarded by broker, Remote Disconnect", Session-Id: 288135

ssh-broker-config.xml

ssh-server-config.xml

Non-root passwordless logins are working fine.

ssh

1 Answers

  1. Best Answer

    From the error you are getting:

    Feb 25 11:52:42 targethost ssh-server-g3: 410 Login_success, Username: root, Src: sourcehost.my.domain,sourcehost, Src IP: x.x.7.131, Dst IFace: default, Dst IP: x.x.7.151, Src Port: 38158, Dst Port: 22, Ver: SSH-2.0-6.3.8.79 SSH Secure Shell, Session-Id: 288135
Feb 25 11:52:42 targethost ssh-server-g3: 420 Session_channel_open, Username: root, Error: Denied by policy, Command: shell, Sub ID: 0, Session-Id: 288135

    It seems the authentication works but then the user is denied a shell or terminal access.

    This is because in the rule group for admins you have: terminal action="deny".

    You need to change the terminal action to "allow"in the ssh-server-config.xml forrule group="admins"`.

    <rule group="admins" idle-timeout="0" print-motd="no">
      <environment allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*" />
      <terminal action="allow" />
      <subsystem type="sftp" action="allow" application="sft-server-g3" />
      <command action="allow" />
      <tunnel-agent action="deny" />
      <tunnel-x11 action="deny" />
      <tunnel-local action="deny" />
      <tunnel-remote action="deny" />
    </rule>

    As mentioned in Configuration Settings in ssh-server-config.xml, the user has no access to a command shell when terminal access is denied.

    Restricting Terminal Access

    You can restrict terminal access so that it is allowed only for users in group admin. To disable terminal access from everyone else, make the following settings in the ssh-server-config.xml file, in the services block:

    <rule group="admin">
      <terminal action="allow" />
    ...
    </rule>

    <rule group="SFTP-users">
      <terminal action="deny" />
    ...
    </rule>

    <rule>
      <terminal action="deny" />
    ...
    </rule>

    This setting denies also X11 and agent forwarding and shell commands for the specified group (unless some commands are explicitly allowed).

    The users will be able to use SFTP and other subsystems defined in the SSH Tectia Server configuration. Any other "exec" and "shell" requests will be denied for the users. This includes forced commands with public keys and the legacy-style password changing when performed as a forced command.

    • 1