EzDevInfo.com

sshd interview questions

Top sshd frequently asked interview questions

Command Line SSH restart Mac OSX Mountain Lion

How can I restart the SSH service via the command line on Mac OSX Mountain Lion please?

Using ps aux | grep 'ssh', I was able to deduce that the process is most likely /usr/sbin/sshd.

From here I searched the sshd documentation for references to 'restart' but found none.

I don't know what my next step should be.


Source: (StackOverflow)

Windows SSH Servers?

I was wondering what people use as an SSHd server on Windows? I've decided that I want to be able to log in using SSH on my Windows computers but I don't want to use Linux full-time. What are my options, besides Cygwin (which I know of)? I've looked into some other server software but I don't know which are reliable and it's not easy to find reviews of some of them. Thanks!


Source: (StackOverflow)


Disconnected: no supported authentication methods available

I have the same exact problem described in this thread, but the answer accepted there is not the right one for me, because the user's home directory is local.

I think that I configured everything properly on the client side (Windows 7, PuTTY's PAGEANT, PUTTYGEN and PLINK), yet I don't seem to make the public key mechanism work (password based ssh login works). I followed all the steps, cues and hints in:

I now suspect that I may be missing something on the server side (Linux, sshd), so I am posting the current /etc/ssh/sshd_config content:

Protocol 2
SyslogFacility AUTHPRIV
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Any idea what I am doing wrong?

UPDATE: I found a tip for running sshd in debug mode, and here is the output:

/home/winwin> /usr/sbin/sshd -d
debug1: sshd version OpenSSH_4.2p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Bind to port 22 on 0.0.0.0 failed: Address already in use.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.1.8 port 49828
debug1: Client protocol version 2.0; client software version PuTTY_Release_0.60
debug1: no match: PuTTY_Release_0.60
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug1: permanently_set_uid: 74/74
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes256-ctr hmac-sha1 none
debug1: kex: server->client aes256-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done

debug1: userauth-request for user winwin service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "winwin"
debug1: PAM: setting PAM_RHOST to "win7client"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for winwin from 192.168.1.8 port 49828 ssh2
debug1: userauth-request for user winwin service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 513/513 (e=0/0)
debug1: trying public key file /home/winwin/.ssh/authorized_keys
Authentication refused: bad ownership or modes for directory /home/winwin
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 513/513 (e=0/0)
debug1: trying public key file /home/winwin/.ssh/authorized_keys
Authentication refused: bad ownership or modes for directory /home/winwin
debug1: restore_uid: 0/0
Failed publickey for winwin from 192.168.1.8 port 49828 ssh2
Received disconnect from 192.168.1.8: 14: No supported authentication methods available
debug1: do_cleanup
debug1: PAM: cleanup
debug1: do_cleanup
debug1: PAM: cleanup

Now, I do notice the two bad ownership or modes for directory /home/winwin messages but I checked the ownership or modes for directory /home/winwin and AFAICT they're OK:

/home> ls -lad winwin
drwxrwxr-x  21 winwin winwin 4096 Jul 13 21:24 winwin

And:

/home/winwin> ls -lad .ssh
drwxr-xr-x  2 winwin winwin 4096 Jul 14 12:06 .ssh

And:

/home/winwin/.ssh> ls -lad *
-rw-r--r--  1 winwin winwin 210 Jul 14 12:06 authorized_keys
-rw-r--r--  1 winwin winwin 210 Jul 14 01:58 authorized_keys.pub
-rw-r--r--  1 winwin winwin 394 Jul 14 01:57 authorized_keys.pub.orig

What could possibly be wrong?

UPDATE II: I tried chmod 600 as suggested in the answer below:

/home/winwin> ls -lad .ssh
drw-------  2 winwin winwin 4096 Jul 14 13:13 .ssh

And:

/home/winwin/.ssh> ls -lad *
-rw-------  1 winwin winwin 210 Jul 14 12:06 authorized_keys

But it still doesn't work. Why am I still getting the Authentication refused: bad ownership or modes for directory /home/winwin error?


Source: (StackOverflow)
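What sshd is actually checking when it logs "bad ownership or modes", as an added example in shell (not code from the question or from OpenSSH). With StrictModes on, which is the default, sshd will not use ~/.ssh/authorized_keys unless the file, ~/.ssh and the home directory are each owned by root or the login user and writable by nobody else; it also has to open the file while running as that user, so ~/.ssh needs its owner search (x) bit. The posted home directory is drwxrwxr-x, i.e. group-writable, which is exactly what the log line complains about, and chmod 600 on a directory removes its search bit. The functions below take the mode and owner as `ls -ld` prints them, so the listings from the question are fed in as constructed text without touching a real filesystem; the user name, paths and listings are transcribed from the post.

```shell
#!/bin/sh
# Added example: a shell re-implementation of the ownership/permission rule
# behind sshd's "Authentication refused: bad ownership or modes" message.
# Input is the mode string and owner exactly as `ls -ld` prints them.

# strict_modes_check MODE OWNER LOGINUSER
# Prints "ok", or the reason for refusal with exit status 1.
strict_modes_check() (
    mode=$1 owner=$2 user=$3
    case $owner in
        root|"$user") ;;
        *) echo "bad ownership: owned by $owner, not root or $user"; exit 1 ;;
    esac
    kind=$(printf '%s' "$mode" | cut -c1)   # d = directory, - = regular file
    ux=$(printf '%s' "$mode" | cut -c4)     # owner execute / search bit
    gw=$(printf '%s' "$mode" | cut -c6)     # group write bit
    ow=$(printf '%s' "$mode" | cut -c9)     # other write bit
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "bad modes: $mode is writable by group or others"; exit 1
    fi
    if [ "$kind" = d ] && [ "$ux" != x ] && [ "$ux" != s ]; then
        echo "unsearchable: $mode has no owner execute bit, so authorized_keys cannot be opened"; exit 1
    fi
    echo ok
)

# check_key_path LOGINUSER LISTING
# LISTING has one "MODE OWNER PATH" line per component, home directory first,
# authorized_keys last. Reports the first component that fails. (sshd walks the
# other way, from the file up to the home directory, so when more than one
# component is wrong its log line may name a different one.)
check_key_path() {
    printf '%s\n' "$2" | {
        while read -r mode owner path; do
            [ -n "$mode" ] || continue
            reason=$(strict_modes_check "$mode" "$owner" "$1") \
                || { echo "REJECT $path: $reason"; exit 1; }
        done
        echo "ACCEPT: authorized_keys usable for $1"
    }
}

# Listings transcribed from the question's `ls -lad` output (constructed input).
POSTED='drwxrwxr-x winwin /home/winwin
drwxr-xr-x winwin /home/winwin/.ssh
-rw-r--r-- winwin /home/winwin/.ssh/authorized_keys'

# UPDATE II: home directory unchanged, .ssh given chmod 600 (search bit gone).
AFTER_CHMOD_600='drwxrwxr-x winwin /home/winwin
drw------- winwin /home/winwin/.ssh
-rw------- winwin /home/winwin/.ssh/authorized_keys'

# What passes: chmod 755 ~ (750 also works), chmod 700 ~/.ssh, chmod 600 ~/.ssh/authorized_keys
FIXED='drwxr-xr-x winwin /home/winwin
drwx------ winwin /home/winwin/.ssh
-rw------- winwin /home/winwin/.ssh/authorized_keys'

for listing in "$POSTED" "$AFTER_CHMOD_600" "$FIXED"; do
    check_key_path winwin "$listing" || :
done
```

Both posted listings are rejected at /home/winwin because the group write bit is set there; only the third passes. On a live box the equivalent is `chmod g-w ~`, `chmod 700 ~/.ssh`, `chmod 600 ~/.ssh/authorized_keys`, and then `sshd -d` again: the "bad ownership or modes" line disappears and the key is either accepted or rejected on its content.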

Cygwin Connection closed by ::1

During the installation of Hadoop I am trying to set up CYGWIN and ssh. I installed it, ssh also started successfully, and I set up the authorization key as instructed HERE, but when I try to connect to localhost using ssh it says:

$ ssh -v localhost
OpenSSH_6.2p1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /home/manu/.ssh/id_rsa type 1
debug1: identity file /home/manu/.ssh/id_rsa-cert type -1
debug1: identity file /home/manu/.ssh/id_dsa type -1
debug1: identity file /home/manu/.ssh/id_dsa-cert type -1
debug1: identity file /home/manu/.ssh/id_ecdsa type -1
debug1: identity file /home/manu/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ec:bb:51:bb:d4:74:8f:27:49:8c:ef:59:a6:2b:ab:59
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/manu/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/manu/.ssh/id_rsa
Connection closed by ::1

After lots of googling I tried ssh -v cyg_server@localhost, but it prompts for a password which I don't know:

$ ssh -v cyg_Server@localhost
OpenSSH_6.2p1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /home/manu/.ssh/id_rsa type 1
debug1: identity file /home/manu/.ssh/id_rsa-cert type -1
debug1: identity file /home/manu/.ssh/id_dsa type -1
debug1: identity file /home/manu/.ssh/id_dsa-cert type -1
debug1: identity file /home/manu/.ssh/id_ecdsa type -1
debug1: identity file /home/manu/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ec:bb:51:bb:d4:74:8f:27:49:8c:ef:59:a6:2b:ab:59
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/manu/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/manu/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /home/manu/.ssh/id_dsa
debug1: Trying private key: /home/manu/.ssh/id_ecdsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
cyg_Server@localhost's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
cyg_Server@localhost's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
cyg_Server@localhost's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).

Can someone please help me to establish a successfully authenticated ssh connection with localhost, either by password, by creating another user, or by skipping the authentication step? It would be a great help to me! Thanks.


Source: (StackOverflow)

Restrict SSH to one interface

How can I restrict incoming SSH connection requests to only one interface? I'm using Ubuntu Server 10.04 LTS.

I want to lock down access to SSH to only one interface because I use the server as a gateway to my home network. One interface is connected to the DSL modem/router and the other is connected to the home network. I only want to allow access to SSH from inside the home network.

Is restricting SSH to one IP in this case sufficient? Or do I have to lock it down to one interface?


Source: (StackOverflow)
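The configuration that answers the "IP or interface" question above, as an added example (shell, not from the question or its answers). ListenAddress in sshd_config binds an IP address, not an interface: on Linux a packet that comes in on the DSL interface but is addressed to the LAN IP is still accepted by a socket bound to that IP (a private address is normally not reachable from the internet, but that is not something to rely on). So bind sshd to the LAN address and also drop port 22 on the WAN interface with a firewall rule. LAN_IP and WAN_IF are assumptions for this box, the two sshd_config texts are constructed here, and listen_scope() is a small checker for what a given config would make sshd listen on.

```shell
#!/bin/sh
# Added example: bind sshd to the home-network address and close the gap that
# an address-only restriction leaves open on a two-interface gateway.

LAN_IP=192.168.1.1      # assumed address of the home-network interface
WAN_IF=ppp0             # assumed name of the DSL-facing interface

DEFAULT_CONFIG='# stock sshd_config: no ListenAddress, so 0.0.0.0 and :: are bound
Port 22
PermitRootLogin no'

LAN_ONLY_CONFIG="Port 22
# bind only the home-network address
ListenAddress $LAN_IP
PermitRootLogin no"

# sshd_directive CONFIG NAME -> value(s) of NAME, comments skipped, keyword
# matched case-insensitively as sshd does
sshd_directive() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print }'
}

# listen_scope CONFIG -> "all" if sshd would accept on every local address,
# otherwise the bound addresses, space separated
listen_scope() {
    scope=""
    for a in $(sshd_directive "$1" ListenAddress); do
        case $a in
            0.0.0.0|0.0.0.0:*|::|"[::]:"*) echo all; return 0 ;;
            *) scope="$scope${scope:+ }$a" ;;
        esac
    done
    echo "${scope:-all}"
}

# firewall_rules -> rules that refuse SSH on the WAN interface regardless of
# destination address; load them before sshd is (re)started
firewall_rules() {
    printf 'iptables -A INPUT -i %s -p tcp --dport 22 -j DROP\n' "$WAN_IF"
    printf 'ip6tables -A INPUT -i %s -p tcp --dport 22 -j DROP\n' "$WAN_IF"
}

echo "default config listens on: $(listen_scope "$DEFAULT_CONFIG")"
echo "LAN-only config listens on: $(listen_scope "$LAN_ONLY_CONFIG")"
firewall_rules
```

Run `sshd -t` after editing the real file, and restart sshd only once the LAN interface has its address, since binding to an address the host does not hold yet fails and sshd will not start. The firewall rule is what actually ties the restriction to the interface; the ListenAddress line just keeps sshd from offering itself on the WAN address at all.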

How to uninstall/reinstall cygwin to use the sshd?

I installed cygwin/sshd without good results. I removed the c:\cygwin directory to reinstall. I removed the sshd Administrator user by hand.

I reinstalled cygwin again, then ran 'ssh-host-config -y'. Strangely, it doesn't ask anything about making a new user, and the procedure is really short.

$ ssh-host-config -y
* Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
 Info: Creating default /etc/ssh_config file
 Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
 Info: Creating default /etc/sshd_config file
 Info: Privilege separation is set to yes by default since OpenSSH 3.3.
 Info: However, this requires a non-privileged account called 'sshd'.
 Info: For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
* Query: Should privilege separation be used? (yes/no) yes
*** Info: Updating /etc/sshd_config file

*** Info: Host configuration finished. Have fun!

When I ran 'cygrunsrv -S sshd', I got an error: "Win 32 error 1069: The service did not start due to logon failure". It's a reasonable message, as I deleted the sshd user, and the reinstall procedure did nothing about that.

I see I got something wrong with the uninstallation.

Q: How can I uninstall the sshd related thing perfectly so that I can reinstall it again?


Source: (StackOverflow)

Understanding X Windows DISPLAY environment variable when tunnelling

I want to ssh to remote servers, both running CentOS with X11Forwarding enabled.

However, the X application cannot run properly on one of them: on host B it works fine, but on host A I get the error "couldn't connect to display" each time I launch an X application.

After checking the DISPLAY environment variable on host A, which I think is related to X Window, I found its value is localhost:10.0. Following the tips here, I changed it to DISPLAY=0:10.0 and it works. However, DISPLAY on host B is still localhost:10.0 and works fine.

My question is, what does the value in DISPLAY represent? What is the difference between localhost:10.0 and 0:10.0?

It is said that localhost identifies a host name. Then which host does it identify, the server(host A/B) on which my X application is running or my local client where I want the X window to display?

Any hints or pointers to documentation would be appreciated.


Source: (StackOverflow)
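A parser for the DISPLAY value, as an added example (shell, not from the question or its answers), run over the values mentioned above. The format is [host]:display[.screen]. With no host the client uses the local Unix socket /tmp/.X11-unix/X<display>; with a host it opens TCP to host:(6000 + display). Under `ssh -X` the variable is set by sshd on the remote machine (host A or B) and names the listener sshd itself opened there for the forwarding: the loopback address (X11UseLocalhost yes) and display number X11DisplayOffset, 10 by default, which is where localhost:10.0 comes from. So "localhost" here is the server you logged into, never the machine the window finally appears on; sshd carries the traffic back to the client's own DISPLAY. When localhost:10.0 fails but 0:10.0 works on the same host, the only difference is how the host part resolves ("0" is parsed as 0.0.0.0, i.e. the IPv4 loopback), which points at an IPv4/IPv6 mismatch between what "localhost" resolves to on host A and what sshd bound there, not at the display number. The sample values are constructed.

```shell
#!/bin/sh
# Added example: split an X DISPLAY value into transport, endpoint, display
# and screen, the way an X client interprets it.

# display_parts DISPLAY -> "unix SOCKET DISPLAY SCREEN" or
#                          "tcp HOST PORT DISPLAY SCREEN"; exit 1 if malformed
display_parts() {
    d=$1
    case $d in *:*) ;; *) echo "malformed: $d" >&2; return 1 ;; esac
    host=${d%%:*}                 # text before the first ':' (may be empty)
    rest=${d#*:}                  # "10.0", "10", "0" ...
    disp=${rest%%.*}
    screen=${rest#*.}
    [ "$screen" = "$rest" ] && screen=0        # no ".screen" given
    case $disp in ''|*[!0-9]*) echo "malformed: $d" >&2; return 1 ;; esac
    if [ -z "$host" ]; then
        echo "unix /tmp/.X11-unix/X$disp $disp $screen"
    else
        echo "tcp $host $((6000 + disp)) $disp $screen"
    fi
}

# Values from the question plus a plain local display and an explicit host
for d in localhost:10.0 0:10.0 :0 host-b.example:11; do
    display_parts "$d"
done
```

To confirm what sshd bound on the remote host, compare the port this prints (6010 for display 10) against `ss -ltn` or `netstat -ltn` there: a listener on 127.0.0.1:6010 only, with "localhost" resolving to ::1 first, is the classic reason the default value fails on one host and not another.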

Cygwin sshd did not start due to a logon failure

After a cygwin sshd install, sshd service fails with:

Error 1069: The service did not start due to a logon failure

I try to give cyg_server standard user and admin access. The error is the same with graphical interface and cygrunsrv.exe -S sshd.

Edit: What worked for me:

Install cyglsa-config
Run sshd with SYSTEM account
chown SYSTEM /var/empty

Source: (StackOverflow)

SSHD on Windows

I installed Git for Windows and it came with the "Git Bash", which is basically MinGW32. I noticed that it has SSH, but doesn't have SSHD.

What is the easiest way to get SSHD in MinGW32?


Source: (StackOverflow)

Starting Windows GUI program in Windows through Cygwin sshd from ssh client

I would like to ssh into my Windows box running Cygwin sshd and run the Windows GUI application in that Windows box. I don't want X forwarding.

e.g. From ubuntu-server terminal, I ssh into Windows running sshd and then I launch a notepad.exe. The notepad.exe will display in Windows, not in ubuntu-server without X windows.


Source: (StackOverflow)

Three-step authentication?

I'm using Ubuntu.

I'm just wondering if it's possible to have libpam-google-authenticator (which lets you log in using a code generated by your phone) AND certificate authentication set up to work together, and if it is possible, how I'd go about setting it up. Thus - in order to log into my account, you'd have to have my password, my phone (and its passcode) AND my certificate/private key and its password.

I've gotten both to work independently but have never been able to get them to work together. I'm sure somehow it's possible though.

Thanks.


Source: (StackOverflow)
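The server-side configuration that makes a key, a password and a Google Authenticator code all mandatory for one login, as an added example (shell, not from the question or its answers), with a small checker for the AuthenticationMethods line. AuthenticationMethods (OpenSSH 6.2 and later) lists method sequences: methods joined by commas must all succeed, and space-separated sequences are alternatives of which any one is enough. With "publickey,keyboard-interactive" the key is verified first, then keyboard-interactive hands the login to PAM, whose auth stack asks for the Unix password (pam_unix, pulled in on Ubuntu by common-auth) and then the OTP. The private key's own passphrase is enforced by the client, not by the server. Both config texts are constructed here; the file paths are the stock Ubuntu ones.

```shell
#!/bin/sh
# Added example: sshd_config + PAM stack for key AND password AND OTP, and a
# checker that the AuthenticationMethods line leaves no single-factor path.

SSHD_CONFIG='# /etc/ssh/sshd_config, relevant lines
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive'
# (OpenSSH 8.7+ spells the third line KbdInteractiveAuthentication; the old
# name is still accepted as an alias.)

PAM_SSHD='# /etc/pam.d/sshd, auth section
@include common-auth
auth required pam_google_authenticator.so'

# sshd_directive CONFIG NAME -> value(s) of NAME, comments skipped
sshd_directive() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^[ \t]+/, ""); print }'
}

# requires_key_and_pam CONFIG -> 0 when every AuthenticationMethods alternative
# demands publickey and keyboard-interactive, and the latter actually reaches PAM
requires_key_and_pam() {
    methods=$(sshd_directive "$1" AuthenticationMethods)
    [ -n "$methods" ] || return 1          # unset: any one method logs in
    for alt in $methods; do
        case ",$alt," in *,publickey,*) ;; *) return 1 ;; esac
        case ",$alt," in *,keyboard-interactive,*) ;; *) return 1 ;; esac
    done
    [ "$(sshd_directive "$1" ChallengeResponseAuthentication)" = yes ] || return 1
    [ "$(sshd_directive "$1" UsePAM)" = yes ] || return 1
}

if requires_key_and_pam "$SSHD_CONFIG"; then
    echo "key + PAM (password and OTP) required for every login"
else
    echo "a single factor is still enough somewhere"
fi
```

A client then sees the key accepted, followed by the "Password:" and "Verification code:" prompts from PAM. Test the change from a second, already-open session before closing the first one; a typo in the PAM stack locks out everyone, not just one user.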

ssh server on runlevel 3

I have been trying to setup a ssh server on my desktop for remote access and have been running into a few issues. The first I have found is that sshd is not starting on boot. As soon as I run:

sudo service sshd start

manually, I am able to ssh into the computer from itself, so I know the ssh daemon is installed properly. Now I just want it to start at boot.

After looking into it I have found in

/etc/rc.d/rc3.d 

I have found a script

K##sshd

or something along those lines. I believe the K implies that when entering run-level 3, it is shutting down sshd. Is all I need to do to make it start to create a file S##sshd, or is there a better way to go about this? I figured I should get some more knowledgeable opinions before I ran around renaming and creating random files on a hunch.


Source: (StackOverflow)

how to control users login on Linux machine according to configuration file

I use PAM to authenticate user logins.

info from - http://linux.die.net/man/8/pam_listfile

On my Red Hat Linux machine I have 5 different users:

user1
user2
user3
user4
user5

I want to enable ssh login only to the first three users

so

I created the file

more /etc/logins_users.txt

user1
user2
user3

and I add to /etc/pam.d/sshd file the following

   auth required pam_listfile.so item=user onerr=fail sense=allow file=/etc/logins_user.txt

I restart the sshd service

but user4 and user5 still have access to the Linux machine, even though they are not defined in the logins_users.txt file.

What is wrong with my configuration?

Why do user4 and user5 still have ssh login access even though they are blocked???


Source: (StackOverflow)
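A shell model of the decision pam_listfile makes for a given user, list file and option set, as an added example (not from the question or its answers), run against a constructed copy of the list above, together with the two points that decide whether such a rule bites at all. First, the auth line posted above names /etc/logins_user.txt while the file shown is /etc/logins_users.txt; with onerr=fail an unreadable file denies everyone, with onerr=succeed it allows everyone. Second, sshd runs PAM's auth stack only for password and keyboard-interactive logins; for a public-key login it skips that stack and calls only the account and session stacks. A list that must also hold for key logins therefore belongs in the account stack, or in sshd_config as AllowUsers, which sshd enforces itself before any authentication method runs. The temp file path is an assumption; the user names come from the post.

```shell
#!/bin/sh
# Added example: what pam_listfile would decide, plus the two ways to apply the
# same allow list so that key-based logins are covered too.

# listfile_decides USER FILE [SENSE] [ONERR] -> 0 allow, 1 deny
# sense=allow: only listed users pass; sense=deny: listed users are refused;
# onerr says what to answer when the file cannot be read (pam_listfile also
# refuses a file that is world-writable or not owned by root; not modelled).
listfile_decides() {
    user=$1 file=$2 sense=${3:-allow} onerr=${4:-fail}
    if [ ! -r "$file" ]; then
        [ "$onerr" = succeed ] && return 0
        return 1
    fi
    if grep -qx -- "$user" "$file"; then
        [ "$sense" = allow ] && return 0 || return 1
    fi
    [ "$sense" = deny ] && return 0 || return 1
}

# sshd_allows USER ALLOWUSERS_LINE -> 0 when USER matches one of the patterns
# (sshd also accepts user@host patterns; only plain names and * ? are handled)
sshd_allows() {
    for pat in ${2#AllowUsers}; do
        case $1 in $pat) return 0 ;; esac
    done
    return 1
}

# Rule that also covers public-key logins, for /etc/pam.d/sshd:
PAM_ACCOUNT_LINE='account required pam_listfile.so item=user sense=allow onerr=fail file=/etc/logins_users.txt'
# Same policy without PAM, for /etc/ssh/sshd_config:
SSHD_ALLOW_LINE='AllowUsers user1 user2 user3'

# make_listfile -> path of a temp file holding the constructed allow list
make_listfile() {
    f=$(mktemp) || return 1
    printf '%s\n' user1 user2 user3 > "$f"
    echo "$f"
}

LIST=$(make_listfile)
for u in user1 user4; do
    if listfile_decides "$u" "$LIST"; then echo "$u: allowed by list"; else echo "$u: denied by list"; fi
    if sshd_allows "$u" "$SSHD_ALLOW_LINE"; then echo "$u: allowed by AllowUsers"; else echo "$u: denied by AllowUsers"; fi
done
rm -f "$LIST"
```

To see which stack a real login went through, run `sshd -d` as in the earlier question: a "userauth-request ... method publickey" followed by "Accepted publickey" never touched an `auth` module. After a change to either file, check with an account that is not on the list and with one that is, over both password and key.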

ssh ForceCommand vs. ProxyCommand

I need to have a group of users hop through a server ('bastion') into another machine ('dest') via ssh to commit code.

Seems like my options are:

  1. tell users to use ProxyCommand in their .ssh/config file, something like:

    Host dest
    ProxyCommand ssh -q bastion nc -q0 dest 22

  2. use ForceCommand in the sshd config file, like

    Match Group hopUsers
    ForceCommand ssh dest $SSH_ORIGINAL_COMMAND

  3. use the command option in the .ssh/authorized_keys users' file, like

    command="ssh dest"

The first solution is great; it works with Mercurial commits, etc. The problem is that I don't want to give my users a valid shell on the bastion machine. I could set their login shell to /bin/false, but this leaves a whole set of issues unattended (see here), unless perhaps coupled with a dedicated set of options (like noX11Forwarding) in the sshd config file, within a Match stanza.

The problem with the second and third solutions is that public key authentication is 'lost', i.e. unless the client uses the -A option when launching ssh, the server will respond with:

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: .ssh/XXXXXX
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_ALL = en_US.UTF-8
debug1: Sending env LANG = en_US.UTF-8

and hence request the user's password. This is not acceptable.

I think there is something that can be done with nc in proxy mode, but I can't seem to get it to work.

Any help would be greatly appreciated.


Source: (StackOverflow)
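A ForceCommand wrapper that turns the bastion into a TCP relay and nothing else, as an added example (shell, not from the question or its answers). It keeps option 1's client configuration, so the user's own ssh authenticates to dest end to end with the user's key and no key, agent forwarding (-A) or password is needed on the bastion; options 2 and 3 lose that because the bastion's own `ssh dest` has to authenticate as a fresh client. sshd runs a forced command through the account's login shell, so the users keep a real shell (e.g. /bin/sh) on the bastion and the wrapper is what stops them from using it for anything but the hop. The host names bastion and dest and the group hopUsers come from the post; the install path, the allow list and the second target are assumptions.

```shell
#!/bin/sh
# Added example: /usr/local/sbin/jump-only, a ForceCommand that relays TCP to an
# allow-listed host and refuses every other command.
#
# /etc/ssh/sshd_config on the bastion:
#   Match Group hopUsers
#       ForceCommand /usr/local/sbin/jump-only
#       AllowTcpForwarding no
#       AllowAgentForwarding no
#       X11Forwarding no
# or, per key, in authorized_keys without the Match block:
#   no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,command="/usr/local/sbin/jump-only" ssh-rsa AAAA...
#
# Each user's ~/.ssh/config, unchanged from option 1 in the post:
#   Host dest
#       ProxyCommand ssh -q bastion nc -q0 %h %p
# sshd replaces that nc command with the wrapper and passes the original text
# in SSH_ORIGINAL_COMMAND, which is all the wrapper is allowed to look at.
# `ssh -W %h:%p bastion` would open a direct-tcpip channel instead of running
# a command, which bypasses ForceCommand entirely; that shape is governed by
# AllowTcpForwarding/PermitOpen, which is why forwarding is switched off above.

ALLOWED_TARGETS="dest dest2"   # hosts users may reach through the bastion (assumption)
ALLOWED_PORT=22

# jump_target ORIGINAL_COMMAND -> prints "host port" if the command is an
# acceptable relay request, exit status 1 for anything else
jump_target() (
    set -f                       # no globbing while splitting the command
    set -- $1
    case $1 in nc|netcat) shift ;; *) exit 1 ;; esac
    [ "$1" = -q0 ] && shift      # the only option the client config sends
    [ $# -eq 2 ] || exit 1       # exactly host and port; "22; bash" never fits
    [ "$2" = "$ALLOWED_PORT" ] || exit 1
    for h in $ALLOWED_TARGETS; do
        [ "$h" = "$1" ] && { printf '%s %s\n' "$1" "$2"; exit 0; }
    done
    exit 1
)

# Entry point when sshd runs this as the forced command
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    target=$(jump_target "$SSH_ORIGINAL_COMMAND") || {
        echo "jump-only: refused: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    }
    set -- $target
    exec nc -q0 "$1" "$2"
fi
```

Log the refused commands (a `logger -t jump-only` call in place of the echo) and watch that log for a while after rollout; it shows at once whether anyone in hopUsers was relying on the bastion for something other than the hop.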

SSH key exchange configuration uncertainty

I'm currently configuring ssh on a server and reading through several guides.

Many feature a @url.tld after the option in KexAlgorithms like:

KexAlgorithms curve25519-sha256@libssh.org

This is also mentioned, but not explained in the man pages.

My question is, what does the @url.tld do in the key exchange process and how does it affect it?

edit: I've found out that the SSH protocol allows custom algorithms which must be annotated using a @domain, resulting in the above mentioned @libssh.org at the end of curve25519-sha256.


Source: (StackOverflow)