Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition
Solution Type: Technical Instruction

Sure Solution 1007586.1: smsconfig -s ssh can fail with "Permission denied" when sshd_config includes 'Banner' directive
Previously Published As: 210494

Description

Some users of the Sun Fire[TM] F12K, F15K, E20K and E25K systems want to use custom SSH configurations, which can interfere with the operation of System Management Services (SMS) and the smsconfig configuration script. This document discusses one such issue: use of the 'Banner' directive in sshd_config, and how it can cause smsconfig -s ssh to fail.

Steps to Follow

This failure can be caused by a number of different issues, which are typically related to the sshd configuration. The Blueprints available at http://www.sun.com/security/blueprints

  o Securing Sun Fire[TM] 12K and 15K System Controller: Updated for SMS 1.4
  o Securing Sun Fire 12K and 15K Domains: Updated for SMS 1.4

cover how to configure SCs for security and should be reviewed before continuing with this Technical Instruction.

One issue that is not noted in the Blueprint documentation for setting up ssh on the High End system controllers is that the smsconfig script may fail with the message below because of the customer's sshd_config, the configuration file for the sshd daemon:

  # smsconfig -s ssh
  Enabling ssh...
  Password/passphrase authentication can be ignored
  /usr/bin/ssh: Permission denied.
  /usr/bin/ssh is not enabled.

This may be the result of the sshd configuration including the instruction to present a banner to the user. The banner is presented regardless of whether the connection is interactive or a single command, such as the following, run as root:

  ssh TheOtherSC touch /var/tmp/afile

When enabling ssh, smsconfig runs a command similar to the above and directs all of its output to the file /tmp/.sshout. If this file has any content (which will include any banner produced by the sshd_config Banner directive), the config script tests whether the ssh command has completed. Because the logic behaves differently when there is output, the script arrives at that check before the ssh command can complete, which results in the error above.

The fix for this problem is to remove the 'Banner' directive from the sshd_config file, restart sshd, and then ensure that ssh between SC0 and SC1 produces NO output at all, as shown below.

In the sshd_config file, replace:

  # Banner to be printed before authentication starts.
  Banner /etc/issue

with:

  # Banner to be printed before authentication starts.
  #Banner /etc/issue          <--- Note: now commented out.

Then test, e.g.:

  =======================================================
  myhost:/ # ssh yourhost touch /tmp/zxzxzx
  myhost:/ #

  This output is good.
  =======================================================

  =======================================================
  myhost:/ # ssh yourhost touch /tmp/zxzxzx
  >>>AN ISSUE MESSAGE FROM /etc/issue<<<
  myhost:/ #

  This output is bad.
  =======================================================

Once the user can ssh between SCs as root with NO output, as above, re-run the smsconfig -s ssh command.

Product

  Sun Fire E25K Server
  Sun Fire E20K Server
  Sun Fire 15K Server
  Sun Fire 12K Server
  System Management Services 1.1 Software
  System Management Services 1.2 Software
  System Management Services 1.3 Software
  System Management Services 1.4 Software
  System Management Services 1.4.1 Software

Internal Comments

This statement is intended for use by Sun IT and Sun IT Partner Engineers only.

Bug 5067722 has been created in an attempt to have smsconfig modified so that it can tolerate 'good' output from ssh. Unfortunately, because of the way ssh interacts between hosts, the Banner directive's output arrives on stderr, not stdout. See the bug for further details.
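As an added example (not part of the original Technical Instruction), the following POSIX shell script implements the two checks this procedure relies on: whether an sshd_config still carries an active Banner directive, and whether a command produces any output on stdout or stderr, which is the same condition smsconfig applies to /tmp/.sshout. The sshd_config fragments are constructed samples; on an SC the silent-output check would wrap the ssh command shown above.

```shell
#!/bin/sh
# Added example, not part of the original Technical Instruction.
# Two pre-flight checks for the conditions described above, to run before
# "smsconfig -s ssh" is retried:
#   has_active_banner FILE   -> exit 0 if FILE has an uncommented Banner line
#   output_is_silent CMD...  -> exit 0 only if CMD writes nothing to stdout
#                               or stderr (the Banner text arrives on stderr)
# On a real SC the second check would be run as root, e.g.:
#   output_is_silent ssh TheOtherSC touch /var/tmp/afile

has_active_banner() {
    # "Banner" at line start (leading blanks allowed) followed by a path;
    # a commented "#Banner /etc/issue" does not match.
    grep -Eq '^[[:space:]]*Banner[[:space:]]+[^[:space:]]' "$1"
}

output_is_silent() {
    out=$(mktemp) || return 2
    # Merge stderr into the capture, mirroring smsconfig's /tmp/.sshout test:
    # any content at all, even on stderr, counts as a failure.
    "$@" >"$out" 2>&1
    if [ -s "$out" ]; then
        echo "Unexpected output from '$*':" >&2
        cat "$out" >&2
        rm -f "$out"
        return 1
    fi
    rm -f "$out"
    return 0
}

# Constructed sample sshd_config fragments for demonstration only.
BAD_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT
printf '%s\n' '# Banner to be printed before authentication starts.' \
               'Banner /etc/issue' > "$BAD_CONF"
printf '%s\n' '# Banner to be printed before authentication starts.' \
               '#Banner /etc/issue' > "$GOOD_CONF"

has_active_banner "$BAD_CONF"  && echo "sample 1: Banner directive is active"
has_active_banner "$GOOD_CONF" || echo "sample 2: Banner directive is commented out"

# Stand-in for the ssh test: a silent command versus one that writes to stderr.
output_is_silent true                     && echo "silent command: good"
output_is_silent sh -c 'echo BANNER 1>&2' || echo "command with banner: bad"
```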
Keywords: starcat, amazon, system, controller, smsconfig, sms, sshd, sshd_config, 12K, 15K, 20K, 25K

Previously Published As: 77111

Change History

  Date: 2005-09-16  User Name: 25440  Action: Update Canceled
  Comment: *** Restored Published Content *** Metadata update only.  Version: 0
  Date: 2005-09-16  User Name: 25440  Action: Update Started
  Comment: Adding techgroup.  Version: 0
  Date: 2005-06-27  User Name: 95826  Action: Update Canceled
  Comment: *** Restored Published Content *** canceling update as updater is no longer within Sun  Version: 0
  Date: 2005-06-27

Attachments

This solution has no attachment