What can be learned about a 'user' from a failed malicious SSH attempt?
/var/log/secure)/var/log/secure)Are there any methods of extracting anything else? Whether it's info hidden in log files, random tricks or from 3rd party tools etc.
Many tutorials tell you to config your ssh server like this:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
but with this setup you cannot use PAM, as i plan to use 2 Factor Auth with Google Authenticator (OTP Onetime Password) i need PAM.
So how to configure a fresh debian jessie ssh deamon, if i want to prevent the login with the normal password but still allow to use PAM.
maybe the exact question is how to configure pam to disallow passwords?
Details on PAM Authentication
Disabling PAM-based password authentication is rather un-intuitive. It is needed on pretty much all GNU/Linux distributions (with the notable exception of Slackware), along with FreeBSD. If you're not careful, you can have PasswordAuthentication set to 'no' and still login with just a password through PAM authentication. It turns out that you need to set 'ChallengeResponseAuthentication' to 'no' in order to truly disable PAM authentication. The FreeBSD man pages have this to say, which may help to clarify the situation a bit:
Note that if ChallengeResponseAuthentication is 'yes', and the PAM authentication policy for sshd includes pam_unix(8), password authentication will be allowed through the challenge-response mechanism regardless of the value of PasswordAuthentication.
http://www.unixlore.net/articles/five-minutes-to-more-secure-ssh.html
How do I switch on PAM debugging in Debian Squeeze at the admin level?
I have checked every resource I was able to find. Google, manpages, whatever. The only thing I haven't tried yet (I simply not dare to, did I mention that I hate PAM?) is digging into the PAM's library source.
I tried to google for a solution, nothing. What I found so far:
http://www.bitbull.ch/wiki/index.php/Pam_debugging_funktion (/etc/pam_debug) and
http://nixdoc.net/man-pages/HP-UX/man4/pam.conf.4.html (debug option on PAM entries in /etc/pam.d/).
Nope, does not work. No PAM output, nothing, absolute silence.
While searching for a solution I even followed links to Pam, that are gas stations here in Germany. Well, yes, perhaps in all those billion of hits might hiding a clue, but shoot me I'd be dead before I discover.
Rest is FYI:
What problem did I have?
After upgrading to Debian Squeeze something got weird (well, hey, it once was, uh, what was right over the Etch .. ah, yes, Woody). So it's probably not Debian's fault, just a long lived screwed up setup. I immediately had the impression it has to do something with PAM, but I really did not know what's going on. I was completely in the dark, left alone, helpless as a baby, YKWIM. Some ssh logins worked, some not. It was kind of funny. No clues in ssh -v, no clues in /var/log/*, nothing. Just "auth succeeded" or "auth fail", sometimes the same user logging in parallely succeeded with one session and failed with the other, at the same time. And nothing you really can get hold of.
After digging trainloads of other options I was able to find out. There is nullok and nullok_secure, a Debian special. Something screwed with /etc/securetty and depending on the tty (which is somewhat random) a login was rejected or not. REALLY NICE, phew!
The fix was easy and everything's now fine again.
However this left me with the question, how to debug such a mess in future. It's not the first time PAM drives me nuts. So I would like to see a final solution. Final as in "solved", not final as in "armageddon". Thanks.
Ah, BTW, this again strengthened my belief in that it's good to hate PAM since it came up. Did I mention that I do?
I am trying to raise the open file descriptor maximum for all users on an ubuntu machine.
I've added the following lines to /etc/security/limits.conf:
* soft nofile 100000
* hard nofile 100000
And, based on this question I've checked the /etc/pam.conf settings for pam_limits:
$ grep "pam_limits" /etc/pam.d/*
/etc/pam.d/atd:session required pam_limits.so
/etc/pam.d/common-session:session required pam_limits.so
/etc/pam.d/cron:session required pam_limits.so
/etc/pam.d/login:session required pam_limits.so
/etc/pam.d/sshd:session required pam_limits.so
/etc/pam.d/su:session required pam_limits.so
/etc/pam.d/sudo:session required pam_limits.so
And my file-max seems to be fine:
$ cat /proc/sys/fs/file-max
762659
Yet I still have the default 1024 when I check ulimit -a:
$ ulimit -a | grep files
open files (-n) 1024
What else can I check?
I'm using Ubuntu 10.04 Server.