SSH locked out (root and standard user)

theluke79 · 29. November 2015

Hello folks,

I was happily using my OMV 1.19 when all of a sudden the SSH Root Access (protected by google multi factor auth) stopped working.
It does not recognize the password anymore and it does not ask for the Google Authentication Code,

I can logon on the WEBUI, but that is it.

If I could edit the SSD_CONFIG file, I'd try to remove the "Use PAM" option, it helped me fix problems with the other NAS I have.

I tried the procedure to create a public key, but I get the error <<permission denied public key>>

I realy need to get SSH ROOT back up, what can I troubleshoot?

Code

Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AllowGroups root ssh
AddressFamily any
Port 22
PermitRootLogin yes
AllowTcpForwarding no
Compression yes
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 /var/lib/openmediavault/ssh/authorized_keys/%u
PubkeyAuthentication yes

Alles anzeigen

subzero79 · 29. November 2015

How did you configure the authenticator in the first place?
Don't tell you just manually edited the file at /etc/ssh/sshd_config?

If you don't have extra options and you have not set up environmental variables then make a change in the webui for ssh. That should default it.
If you modified the pam module then i guess is more trouble.

Try and create a sshd alternate config file in a samba share for example without the pam yes, the use the cron task to run a tmp side sshd server.

/usr/sbin/sshd -p 2222 -f /media/<uuid>/share/sshd_config

That should give you access at port 2222

theluke79 · 29. November 2015

Thanks a mil for helping!

I followed this guide to install the dual factor authentication (it has been working for 2 years now)
howtogeek.com/121650/how-to-secure-ssh-with-google-authenticators-two-factor-authentication/ therefore, YES, I did edit manually the

sudo nano /etc/pam.d/sshd
and sshd_config

As per the instructions.

I have created the second alternative SSHD conf file an configured CRON,
It has fixed the problem!

Thank you

subzero79 · 29. November 2015

Zitat von theluke79

YES, I did edit manually the

sudo nano /etc/pam.d/sshd
and sshd_config

For the pam module do a backup for obvious reasons, for the sshd_config you cannot edit the file, omv will rewrite as soon as you do a change in the ssh section or users section, and you will get lock out as it happened now, this has being discussed in numerous occasions, OMV takes full control of the services it uses.
Use environmental variables to change the default directives present. This has been discussed in se

http://wiki.openmediavault.org…Environment_Variables/all
http://wiki.openmediavault.org…tle=Environment_Variables

You need to restart engined after a var has being added. And remake the service configuration and restart the service

SSH locked out (root and standard user)

Jetzt mitmachen!

Tags