maemo.org - Talk


dgenge 2008-01-28 12:30

SSH and root access
 
Got SSH installed OK, one post said input..
"SSH -1 root@localhost" to gain root access, but I tried and got this.
"Protocol major versions differ: 1 vs. 2"
I installed the proper version of SSH (At least I think) from Maemo downloads for OS2008!
Please what am I doing wrong....

N800 and OS2008.... Darren Thanks in advance

free 2008-01-28 12:33

Re: SSH and root access
 
Why the "-1" ?
ssh root@localhost

You can also use becomeroot to gain root access.

darkog 2008-01-28 12:37

Re: SSH and root access
 
My 1st post using my n800.


What ssh client are you using to ssh into the device? Make sure you set the client to use ssh2 only.

free 2008-01-28 12:55

Re: SSH and root access
 
Quote:

Make sure you set the client to use ssh2 only.
You probably mean the server.

Line "Protocol 2" in /etc/ssh/sshd_config.

If this line doesn't exist, v2 will be used and if the client does not understand v1, it will switch to the _insecure_ v1.

dgenge 2008-01-28 14:29

Re: SSH and root access
 
Quote:

Originally Posted by free (Post 134734)
Why the "-1" ?
ssh root@localhost

You can also use becomeroot to gain root access.

Thanks Free, you're the man! It was having the "-1" in the command line that was the problem. I put "-1" there because someone posted the string and said this is what you should type!

Thanks again everyone for quick replies....

free 2008-01-28 17:08

Re: SSH and root access
 
This is exactly what you *shouldn't* type. (In your case it's localhost, fine, but I thought it's worth mentioning.)

There are a lot of tools to relay, record traffic, capture passwords, and manipulate interactive sessions for ssh v1. If you add on top of this that you ssh to root then it's heaven for crackers.

These tools have even been ported to nokia devices..

dgenge 2008-01-28 23:49

Re: SSH and root access
 
Thanks Man! Saved a noob again...:-)

Milhouse 2008-01-30 18:07

Re: SSH and root access
 
Quote:

Originally Posted by dgenge (Post 134733)
Got SSH installed OK, one post said input..
"SSH -1 root@localhost" to gain root access

You've mistyped the command, you are entering -1 instead of minus lowercase L (ie. -l) - they look the same but mean very different things to ssh, as -1 forces it to use an older protocol (v1).

There are actually two variants of the command that you should be using and they achieve the same thing:

Code:

ssh -l <user> <host>
or as Free points out
Code:

ssh <user>@<host>
Also see here for my handy dandy instructions on how you can ssh in as the user account without using a password, then use sudo gainroot (after installing the becomeroot package) to gain root privileges.

caseyd 2008-01-30 19:24

Re: SSH and root access
 
Will I create new problems if I add a password to the user account?
I would rather be able to get into my 810 from anywhere, w/out doing the certificate management dance first.

free 2008-01-30 19:29

Re: SSH and root access
 
No it won't create a problem to put a password for user.

And if you don't like the dance, there is a useful linux script ssh-copy-id

Code:

#!/bin/sh

ID_FILE="${HOME}/.ssh/id_rsa.pub"

if [ "-i" = "$1" ]; then
  shift
  # check if we have 2 parameters left, if so the first is the new ID file
  if [ -n "$2" ]; then
    if expr "$1" : ".*\.pub" >/dev/null; then
      ID_FILE="$1"
    else
      ID_FILE="$1.pub"
    fi
    shift         # and this should leave $1 as the target name
  fi
else
  # no -i given: use the keys loaded in a running ssh-agent, if any
  if [ "x$SSH_AUTH_SOCK" != x ] && ssh-add -L >/dev/null 2>&1; then
    GET_ID="$GET_ID ssh-add -L"
  fi
fi

# fall back to the public key file when the agent provided nothing
if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
  GET_ID="cat ${ID_FILE}"
fi

if [ -z "`eval $GET_ID`" ]; then
  echo "$0: ERROR: No identities found" >&2
  exit 1
fi

if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
  echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
  exit 1
fi

# append the key(s) to the remote authorized_keys; umask 077 keeps .ssh private
{ eval "$GET_ID" ; } | ssh "$1" "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1

From a linux (or cygwin in windows) to the device:
ssh user@n800
enter the password

And that's it, it won't ever ask you for a password anymore.

For this you will need an ssh-agent (started by common session manager like kdm, gdm)
And enter once the passphrase for your keyring using ssh-add.
On the client, to create your keyring in .ssh/ (only needed once)
ssh-keygen

Milhouse 2008-01-30 19:47

Re: SSH and root access
 
Quote:

Originally Posted by caseyd (Post 135830)
Will I create new problems if I add a password to the user account?
I would rather be able to get into my 810 from anywhere, w/out doing the certificate management dance first.

It won't create a problem but you're making your device less secure - it's highly secure without a password, adding the password weakens the existing security.

The most secure option is to use public/private key authentication for the user account (as described in the thread I linked earlier) and disable logins on the root account (you can still sudo to root from the user account).
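
The server-side settings raised in this thread (the "Protocol 2" line in /etc/ssh/sshd_config from free's earlier post, and disabling root logins and password logins as recommended just above) can be checked mechanically. This is an added example, not part of any post in the thread; the function name and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the global part of an sshd_config.
# sshd keywords are case-insensitive and the FIRST value seen for a keyword wins.
audit_sshd_config() {
  awk '
    function onoff(key, label,   v) {
      v = (key in val) ? val[key] : "(unset)"
      if (v == "no") print "OK   " label ": disabled"
      else           print "WARN " label ": " v
    }
    /^[ \t]*(#|$)/          { next }   # skip comments and blank lines
    tolower($1) == "match"  { exit }   # Match blocks are out of scope; END still runs
    { k = tolower($1); if (!(k in val)) val[k] = tolower($2) }
    END {
      if (!("protocol" in val))
        print "WARN protocol: not set, server default applies"
      else if (("," val["protocol"] ",") ~ /,1,/)
        print "FAIL protocol: SSH v1 accepted (" val["protocol"] ")"
      else
        print "OK   protocol: " val["protocol"]
      onoff("permitrootlogin", "root login")
      onoff("passwordauthentication", "password auth")
    }
  ' "$@"
}

# Constructed sample: v1 fallback allowed, root and passwords enabled.
sample_weak() {
  cat <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication no
EOF
}

# Constructed sample: the setup recommended in the thread.
sample_hardened() {
  cat <<'EOF'
Protocol 2
# a later duplicate is ignored because the first value wins
Protocol 1
PermitRootLogin no
PasswordAuthentication no
Match User backup
  PasswordAuthentication yes
EOF
}

echo "== weak ==";     sample_weak     | audit_sshd_config
echo "== hardened =="; sample_hardened | audit_sshd_config
```

Pass a real file as an argument (audit_sshd_config /etc/ssh/sshd_config) to check a device; where the installed OpenSSH supports it, sshd -T prints the effective configuration including defaults this file-based check cannot see.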

free 2008-01-30 20:20

Re: SSH and root access
 
^
|
|
Paranoiac


;p


edit:
After you've used ssh-copy-id, you can then remove the password of user
Do this as root:
usermod -L user

Lazy way of transferring keys..

froghunter 2008-05-04 19:58

Re: SSH and root access
 
Sorry, a bit of a noob, but wondering about why a user password weakens everything, and where would you even use it since there isn't a GDM or anything like that (which btw would be pretty nice). Also, if you change your root password and then disable root login, will it ask for a password when you sudo gainroot? Thanks a lot, I appreciate it.

mwiktowy 2008-05-04 20:46

Re: SSH and root access
 
Quote:

Originally Posted by froghunter (Post 177891)
Sorry, a bit of a noob, but wondering about why a user password weakens everything, and where would you even use it since there isn't a GDM or anything like that (which btw would be pretty nice). Also, if you change your root password and then disable root login, will it ask for a password when you sudo gainroot? Thanks a lot, I appreciate it.

Password authentication is only as strong as the password picked and many people pick weak passwords. So that makes it vulnerable to brute-force attacks to guess your password. Key-pair authentication is essentially immune to this since the size of the key to guess is much, *much* bigger yet you don't have to keep it in your head to be used.

Also if you are not typing in a password, neither someone looking over your shoulder nor a keylogger running on your system or attached to a keyboard cable or sniffing bluetooth signals will allow an attacker to gain access.

So whether you set this up depends on your degree of security required but it is a pretty good trade-off between more security and ease of logins down the road vs. a little bit of up-front pain in getting it all configured right.

