Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-71-1007586.1
Update Date: 2010-08-27
Keywords:

Solution Type  Technical Instruction Sure

Solution  1007586.1 :   smsconfig -s ssh can fail with "Permission denied" when sshd_config includes 'Banner' directive  


Related Items
  • Sun Fire E25K Server
  • Solstice FTAM
  • Sun Fire E20K Server
  • Sun Fire 12K Server
  • Sun Fire 15K Server
Related Categories
  • GCS>Sun Microsystems>Servers>High-End Servers
  • GCS>Sun Microsystems>Enterprise Computing>Systems Management

Previously Published As
210494


Description
Some users of the Sun Fire[TM] 12K, 15K, E20K and E25K systems want to use
custom SSH configurations, which can interfere with the operation of
System Management Services (SMS) and the smsconfig configuration script.

This document discusses one of the issues that has been encountered by
customers using the 'Banner' directive in sshd_config and how it can cause
smsconfig -s ssh to fail.

Steps to Follow
This failure can be caused by a number of different issues, which are
typically related to the sshd configuration.
The Blueprints available at http://www.sun.com/security/blueprints

        o  Securing Sun Fire[TM] 12K and 15K System Controller:
           Updated for SMS 1.4
and
        o  Securing Sun Fire 12K and 15K Domains: Updated for SMS 1.4

cover how to configure SCs for security and should be reviewed before
continuing with this Technical Instruction.

One issue that is not noted in the Blueprint documentation for setting up
ssh on the High End system controllers is that the smsconfig script may
fail with the message below because of the customer's sshd_config, the
configuration file for the sshd daemon.

# smsconfig -s ssh
Enabling ssh...
Password/passphrase authentication can be ignored

/usr/bin/ssh: Permission denied.
/usr/bin/ssh is not enabled.

This may be the result of the sshd configuration including the
instruction to present a banner to the user. The banner is presented
regardless of whether the connection is interactive or a single command,
such as the following, run as root:
  ssh TheOtherSC touch /var/tmp/afile

When enabling ssh, smsconfig runs a command similar to the one above and
directs all of its output to the file /tmp/.sshout. If this file has any
content (which will include any banner produced by the sshd_config Banner
directive), the script tests whether the ssh command has completed. Because
the logic behaves differently when there is output, the script reaches that
check before the ssh command can complete, which results in the error
above.

The fix for this problem is to remove the 'Banner' directive from the
sshd_config file, restart sshd and then ensure that ssh between SC0 and SC1
can occur without ANY output as per below:

In the sshd_config file, replace:
# Banner to be printed before authentication starts.
Banner /etc/issue

with:
# Banner to be printed before authentication starts.
#Banner /etc/issue       <--- Note - Now commented out.

Then test, e.g.:
=======================================================
myhost:/ # ssh yourhost touch /tmp/zxzxzx
myhost:/ #

This output is good.
=======================================================


=======================================================
myhost:/ # ssh yourhost touch /tmp/zxzxzx
>>>AN ISSUE MESSAGE FROM /etc/issue<<<
myhost:/ #

This output is bad
=======================================================

Once the user can ssh between SCs as root with NO output, as above, re-run
the smsconfig -s ssh command.
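As an added pre-flight check (not part of SMS, the Blueprints or this note's original text), the script below performs the two verifications the procedure above calls for: it reports whether an sshd_config still carries an active Banner directive, and it runs a command against the peer SC the way smsconfig does, with stderr folded into the same output file, so a banner arriving on stderr is caught before smsconfig -s ssh is re-run. The peer SC name, the sshd_config path and the temporary file location are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for the smsconfig -s ssh failure described in this
# note. Assumes a POSIX sh, sshd_config at /etc/ssh/sshd_config, and that
# the peer SC name is passed as the first argument (all assumptions).

# Return 0 if the given sshd_config still has an active (uncommented)
# Banner directive, 1 otherwise. Leading blanks are tolerated, so an
# indented 'Banner' line is still found; '#Banner /etc/issue' is ignored.
banner_active() {
    cfg="${1:-/etc/ssh/sshd_config}"
    grep -q '^[[:space:]]*Banner[[:space:]]' "$cfg"
}

# Run a command the way smsconfig does: everything, stderr included, goes
# into one file. Return 0 only if the file stays empty and the command
# succeeded; return 1 if anything at all was written (e.g. a banner).
cmd_is_quiet() {
    out="/tmp/.sshcheck.$$"
    "$@" >"$out" 2>&1
    rc=$?
    if [ -s "$out" ]; then
        echo "unexpected output from '$*':" >&2
        cat "$out" >&2
        rm -f "$out"
        return 1
    fi
    rm -f "$out"
    return $rc
}

# Usage on an SC, as root: ./check_sc_ssh.sh TheOtherSC
if [ -n "$1" ]; then
    status=0
    if banner_active /etc/ssh/sshd_config; then
        echo "Banner directive is still active in sshd_config" >&2
        status=1
    fi
    if ! cmd_is_quiet ssh "$1" true; then
        echo "ssh to $1 produced output; smsconfig -s ssh will fail" >&2
        status=1
    fi
    exit $status
fi
```

Exit status 0 means both checks passed and the "This output is good" case above has been reproduced; any non-zero status prints what was seen so the offending directive can be fixed first.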

Product
Sun Fire E25K Server
Sun Fire E20K Server
Sun Fire 15K Server
Sun Fire 12K Server
System Management Services 1.1 Software
System Management Services 1.2 Software
System Management Services 1.3 Software
System Management Services 1.4 Software
System Management Services 1.4.1 Software

Internal Comments
This statement is intended for use by Sun IT and Sun IT Partner Engineers only.

Bug 5067722 has been created in an attempt to have smsconfig modified in a way that it can tolerate 'good' output from ssh. Unfortunately, due to the way that ssh interacts between hosts, the Banner directive's output arrives on stderr, not stdout. See the bug for further details.
Keywords: starcat, amazon, system, controller, smsconfig, sms, sshd, sshd_config, 12K, 15K, 20K, 25K
Previously Published As
77111

Change History
Date: 2005-09-16
User Name: 25440
Action: Update Canceled
Comment: *** Restored Published Content *** Metadata update only.
Version: 0
Date: 2005-09-16
User Name: 25440
Action: Update Started
Comment: Adding techgroup.
Version: 0
Date: 2005-06-27
User Name: 95826
Action: Update Canceled
Comment: *** Restored Published Content *** canceling update as updater is no longer within Sun
Version: 0
Date: 2005-06-27

Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.