
I'm new to Lin/VPS and recently rented a VPS with Ubuntu 16. I log in to it using SSH with Putty, from Win10.

I can log in with SSH successfully only when I'm root && my key is loaded (Pageant).

BUT:

If I'm not root and/or no key is loaded, I can still log in with just any username and password (and that includes root!).

You guys surely understand the security breach here as well as the lunacy of this situation. I can't explain it, as when logging in as root when my private key is loaded --- I can log in with SSH just fine, without filling in a password.

Can you please explain how this is possible?

  • To clarify, when you say "with just any username and password", you mean "any valid username and password", correct? – gowenfawr Oct 22 '16 at 02:30
  • Indeed, I mean that. –  Oct 22 '16 at 02:31
  • So the situation is that you can use an SSH key to log in as root, and you can also use a username & password to log in as root or any other extant user? What exactly are you complaining about? – jwodder Oct 22 '16 at 02:47
  • Also, why does the title say that SSH doesn't work for other users when the body says that you can log in as other users using a password? – jwodder Oct 22 '16 at 02:48
  • I want to log in with SSH --- not as the root user, in this case. About the heading - it partially describes the issue and I might change it. –  Oct 22 '16 at 03:50

2 Answers


Can you please explain how this is possible?

There are two valid configurations that will permit root to login using a password:

  1. PermitRootLogin yes
  2. PermitRootLogin without-password and ChallengeResponseAuthentication yes AND certain PAM configurations

I seem to remember the Ubuntu default is PermitRootLogin no, but I believe that Linode, being a service that provides remote servers which only have a root account initially, has tweaked the default in their build so that their users can log right in without using lish or other remote console options (which can be a little kludgy to use). I actually run an Ubuntu 16 Linode, but my sshd_config was modified right after installation, and that's one setting I always tweak, so I can't tell you how it shipped :)

To quote the sshd_config man page:

PermitRootLogin
    Specifies whether root can log in using ssh(1).  The argument
    must be ``yes'', ``prohibit-password'', ``without-password'',
    ``forced-commands-only'', or ``no''.  The default is ``no''.
    Note that if ChallengeResponseAuthentication is ``yes'', the root
    user may be allowed in with its password even if PermitRootLogin
    is set to ``without-password''.

    If this option is set to ``prohibit-password'' or
    ``without-password'', password and keyboard-interactive
    authentication are disabled for root.

To quote the sshd_config on my Ubuntu 16 system:

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

You may want to read How To Tune your SSH Daemon Configuration on a Linux VPS which, while it doesn't go into this particular issue, is a nice readable survey of what you can do to your sshd_config.

Luc
gowenfawr
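A small POSIX shell check that applies the two conditions above to a server's sshd configuration (an added example, not part of gowenfawr's answer; it assumes the effective configuration produced by `sudo sshd -T`, where every keyword is listed in lowercase and Match blocks are already resolved):

```shell
#!/bin/sh
# Added example, not part of the answer: apply the two conditions above to
# an sshd configuration and report whether root can get in with a password.
# Intended input is the effective configuration from `sudo sshd -T`, where
# every keyword is listed in lowercase and Match blocks are already resolved.

# Print the first value of keyword $2 in file $1; sshd honours the first
# occurrence. Stop at a Match block, which this script does not evaluate.
sshd_opt() {
  awk -v k="$2" '
    tolower($1) == "match"    { exit }
    tolower($1) == tolower(k) { print tolower($2); exit }
  ' "$1"
}

# Verdict on root password login:
#   yes     -> PermitRootLogin yes
#   pam     -> without-password/prohibit-password, but UsePAM and
#              ChallengeResponseAuthentication are both yes, so PAM may
#              still accept root's password (the man page caveat)
#   no      -> keys or forced commands only, or root login disabled
#   unknown -> PermitRootLogin absent (a raw file then relies on a
#              version-dependent default; use sshd -T instead)
root_password_login() {
  prl=$(sshd_opt "$1" PermitRootLogin)
  cra=$(sshd_opt "$1" ChallengeResponseAuthentication)
  # Newer OpenSSH releases print the keyword under its other name.
  [ -n "$cra" ] || cra=$(sshd_opt "$1" KbdInteractiveAuthentication)
  pam=$(sshd_opt "$1" UsePAM)
  case "$prl" in
    yes) echo yes ;;
    without-password|prohibit-password)
      if [ "$cra" = yes ] && [ "$pam" = yes ]; then echo pam; else echo no; fi ;;
    forced-commands-only|no) echo no ;;
    *) echo unknown ;;
  esac
}

# True when any account may authenticate with a plain password, the other
# half of the questioner's situation.
password_auth_enabled() {
  [ "$(sshd_opt "$1" PasswordAuthentication)" = yes ]
}

# Stand-alone run: sudo sshd -T > /tmp/sshd.eff; sh check.sh /tmp/sshd.eff
if [ -n "$1" ]; then
  echo "root password login: $(root_password_login "$1")"
  if password_auth_enabled "$1"; then echo "PasswordAuthentication: yes (all users)"; fi
fi
```

A verdict of `yes` or `pam` together with `PasswordAuthentication yes` reproduces exactly what the question describes: keys work for root, but a password alone still gets any account in.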

Run the following openssh client command against your ssh server with whatever options (high port number hopefully) you need (you can even do this locally to the public-facing IP if needed):

ssh -o PreferredAuthentications=none -p <port> <user>@<host>

Part of the output will show you the allowed authentication options for the SSH server and may include text that looks like the following: (publickey,password)

It sounds like you've set up password-less login via shared keys for the root account but not for the other accounts. You're allowed to have both publickey and password authentication options available at the same time, even though that may not be what you meant to do. If it's not what you want, you'll just need to reconfigure your ssh daemon to your needs.

Trey Blalock