PDA

View Full Version : SLES 12 ssh login messages



mikenash
11-Jan-2016, 22:27
I want to remove or redirect the output from a ssh login session and produce my own output.
After changing the sshd_config file I still have 2 lines that remain.
I could put in the "clear" command in the .profile and then produce my own output to obtain the results I require.
However, I would like to know if I could achieve these results through the sshd_config file or another configuration file.
I expected no output with setting LogLevel to Quiet. I did not find any other parameter that may work.
Is there an explanation for why these two messages will always occur?
Is these a source file where this output can be changed?
Other suggestions? Thanks!

I configured sshd_config parameters - LogLevel - PrintMotd - PrintLastLog
LogLevel QUIET
PrintMotd no
PrintLastLog no


Original Output:
Using username "root".
Authenticating with public key "rsa-key-20150918"
Last login: Mon Jan 11 16:02:58 2016 from ibm758-r8pxkkk.pok.ibm.com

Results:
Using username "root".
Authenticating with public key "rsa-key-20150918"

malcolmlewis
11-Jan-2016, 23:31
On Mon 11 Jan 2016 09:34:02 PM CST, mikenash wrote:

I want to remove or redirect the output from a ssh login session and
produce my own output.
After changing the sshd_config file I still have 2 lines that remain.
I could put in the "clear" command in the .profile and then produce my
own output to obtain the results I require.
However, I would like to know if I could achieve these results through
the sshd_config file or another configuration file.
I expected no output with setting LogLevel to Quiet. I did not find any
other parameter that may work.
Is there an explanation for why these two messages will always occur?
Is these a source file where this output can be changed?
Other suggestions? Thanks!

I configured sshd_config parameters - LogLevel - PrintMotd -
PrintLastLog
LogLevel QUIET
PrintMotd no
PrintLastLog no


Code:
--------------------
Original Output:
Using username "root".
Authenticating with public key "rsa-key-20150918"
Last login: Mon Jan 11 16:02:58 2016 from ibm758-r8pxkkk.pok.ibm.com

Results:
Using username "root".
Authenticating with public key "rsa-key-20150918"
--------------------




Hi
If you turn motd back on then just make it a blank file, it should (in
theory) work like you expect.

I use a custom /etc/motd here, that's all I see and the PrintLastLog, I
turn that off and only see my motd.

--
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 SP1|GNOME 3.10.2|3.12.51-60.20-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below... Thanks!

mikenash
12-Jan-2016, 15:39
Greeting Malcolm, thank you for your reply. I have the expected results of no messages being issued when I manually login but when I use the authorized keys I receive these two messages. Maybe for security reasons but I do not see how this would improve security. This messages are more informative and should be suppressed by using the QUIET option. Logging messages to a file would be better option.

malcolmlewis
12-Jan-2016, 16:20
Greeting Malcolm, thank you for your reply. I have the expected results of no messages being issued when I manually login but when I use the authorized keys I receive these two messages. Maybe for security reasons but I do not see how this would improve security. This messages are more informative and should be suppressed by using the QUIET option. Logging messages to a file would be better option.
Hi
I use keys as well and just don't see that appear either via user or root... So to me it would appear something outside sshd is triggering those messages.

If you set sshd_config back to the defaults, suppress PrintLastLog and have a bank motd file, do they still appear?

mikenash
12-Jan-2016, 22:04
Greetings Malcolm, my /etc/motd is an empty file. I reset sshd_defaults and the three lines do appear. I changed PrintLastLog to no and this line did not appear but the first two lines do appear. I deleted /etc/motd and the first two lines appear. I change LogLevel to QUIET and the first two lines appear. After each change I executed systemctl restart sshd. I am on Suse 12 SP1 on s390. Could this come from selinux? I am not sure how to check status or turn off. The sestatus command is not available and I do not have a /etc/selinux/config file.

mikenash
12-Jan-2016, 22:56
I tried this configuration on Red Hat 7.2 s390 and I receive the same results. On this system I also verified that selinux was disabled. Any suggestions?

malcolmlewis
13-Jan-2016, 00:38
On Tue 12 Jan 2016 10:04:02 PM CST, mikenash wrote:

I tried this configuration on Red Hat 7.2 s390 and I receive the same
results. On this system I also verified that selinux was disabled. Any
suggestions?




Hi
I don't have SLES 12 SP1 still haven't upgraded. But do have SLED 12
SP1 and can't duplicate, I think it's outside ssh, but maybe adding
some verbosity to you ssh connection may help, eg;



ssh -vvv root@somehost


What form of authentication is being used, just local account for root,
or some other method. If not root user, is it the same?

--
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 SP1|GNOME 3.10.2|3.12.51-60.20-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below... Thanks!

mikenash
13-Jan-2016, 16:24
Greetings Malcolm, I do not receive these messages when I manually log on. This is the output when I change /etc/ssh/sshd_config to use LogLevel DEBUG3 after I restart the service.
>systemctl status sshd
sshd.service - OpenSSH Daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled)
Active: active (running) since Wed 2016-01-13 10:07:27 EST; 11min ago
Process: 2438 ExecStartPre=/usr/sbin/sshd-gen-keys-start (code=exited, status=0/SUCCESS)
Main PID: 2441 (sshd)
CGroup: /system.slice/sshd.service
└─2441 /usr/sbin/sshd -D

Jan 13 10:07:44 linux140 sshd[2448]: debug3: mm_request_send entering: type 120 [preauth]
Jan 13 10:07:44 linux140 sshd[2448]: debug3: mm_request_receive_expect entering: type 121 [preauth]
Jan 13 10:07:44 linux140 sshd[2448]: debug3: mm_request_receive entering [preauth]
Jan 13 10:07:44 linux140 sshd[2448]: debug1: monitor_read_log: child log fd closed
Jan 13 10:07:44 linux140 sshd[2448]: debug3: mm_share_sync: Share sync
Jan 13 10:07:44 linux140 sshd[2448]: debug3: mm_share_sync: Share sync end
Jan 13 10:07:44 linux140 sshd[2448]: debug3: ssh_sandbox_parent_finish: finished
Jan 13 10:07:44 linux140 sshd[2448]: debug1: PAM: establishing credentials
Jan 13 10:07:44 linux140 sshd[2448]: debug3: PAM: opening session
Jan 13 10:07:44 linux140 sshd[2448]: pam_unix(sshd:session): session opened for user root by (uid=0)
I only receive the messages when I use the credentials. I receive the same results on other levels of Suse/RedHat Enterprise. I am guessing that this is a bug with the Enterprise distribution. Can you offer any suggestions to redirect this output?

ab
14-Jan-2016, 14:30
On 01/12/2016 08:24 AM, malcolmlewis wrote:
>
> mikenash;31120 Wrote:
>> Greeting Malcolm, thank you for your reply. I have the expected results
>> of no messages being issued when I manually login but when I use the
>> authorized keys I receive these two messages. Maybe for security
>> reasons but I do not see how this would improve security. This messages
>> are more informative and should be suppressed by using the QUIET option.
>> Logging messages to a file would be better option.
> Hi
> I use keys as well and just don't see that appear either via user or
> root... So to me it would appear something outside sshd is triggering
> those messages.
>
> If you set sshd_config back to the defaults, suppress PrintLastLog and
> have a bank motd file, do they still appear?


Like malcolmlewis, I use SSH keys for just about everything (maybe except
the first login as a user on a system) and I have never seen this message.

Considering that the choice of which key is used for authentication is
ONLY something on the client side, I think troubleshooting the SSH server
is the wrong approach. The SSH server has no idea about which keys are
available, and only knows that a key is sent from the client and can then
check that. As a result, my guess is that this is purely a client-side thing.

Which SSH client are you using? I'm using the one that comes with openssh
on Linux (openSUSE specifically). If you are using some other client,
tuning its logging may be what you want.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

mikenash
14-Jan-2016, 15:23
Greetings ab, I am using the sshd that comes with Suse 12 SP1. From my workstation I am using putty, release 0.63. In putty configuration I unchecked display pre-authentication banner. This did not change the output. No other options seemed as likely candidates. What ssh clients for a windows 7 workstation are available?

ab
14-Jan-2016, 15:44
Oh... windows, which I cannot test. Well, that changes things I guess but
since the Linux clients are not showing that line, it seems pretty likely
that this is clint-side related.

Try adding cygwin to your computer and then SSH from there.
Alternatively, try to SSH to the server from itself using its own SSH
client to see if you still see the message. Be sure to setup keys first,
of course, but this should be a pretty simple task:



ssh-keygen -t rsa
ssh-agent /bin/bash
ssh-add
ssh-copy-id localhost
#login once as yourself
ssh localhost
#see if you see any odd messages like you do on windows


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

malcolmlewis
14-Jan-2016, 15:58
On Thu 14 Jan 2016 02:24:02 PM CST, mikenash wrote:

Greetings ab, I am using the sshd that comes with Suse 12 SP1. From my
workstation I am using putty, release 0.63. In putty configuration I
unchecked display pre-authentication banner. This did not change the
output. No other options seemed as likely candidates. What ssh clients
for a windows 7 workstation are available?




Hi
Tried on WinX with PuTTY version 0.66, no additional messages seen, just
like logging in from SLED 12 or openSUSE Leap 42.1.

--
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 SP1|GNOME 3.10.4|3.12.51-60.20-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below... Thanks!

malcolmlewis
14-Jan-2016, 16:22
On Thu 14 Jan 2016 02:58:12 PM CST, malcolmlewis wrote:



On Thu 14 Jan 2016 02:24:02 PM CST, mikenash wrote:

Greetings ab, I am using the sshd that comes with Suse 12 SP1. From my
workstation I am using putty, release 0.63. In putty configuration I
unchecked display pre-authentication banner. This did not change the
output. No other options seemed as likely candidates. What ssh clients
for a windows 7 workstation are available?




Hi
Tried on WinX with PuTTY version 0.66, no additional messages seen, just
like logging in from SLED 12 or openSUSE Leap 42.1.



Hi
OK, I take it back, confirmed I see the same now..... so it's the PuTTY
client....

--
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 SP1|GNOME 3.10.4|3.12.51-60.20-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below... Thanks!

malcolmlewis
15-Jan-2016, 22:24
On Thu 14 Jan 2016 03:22:02 PM CST, malcolmlewis wrote:



On Thu 14 Jan 2016 02:58:12 PM CST, malcolmlewis wrote:



On Thu 14 Jan 2016 02:24:02 PM CST, mikenash wrote:

Greetings ab, I am using the sshd that comes with Suse 12 SP1. From my
workstation I am using putty, release 0.63. In putty configuration I
unchecked display pre-authentication banner. This did not change the
output. No other options seemed as likely candidates. What ssh clients
for a windows 7 workstation are available?




Hi
Tried on WinX with PuTTY version 0.66, no additional messages seen, just
like logging in from SLED 12 or openSUSE Leap 42.1.



Hi
OK, I take it back, confirmed I see the same now..... so it's the PuTTY
client....



Hi
Try the Bitvise SSH Client, you can import your keys, it is ok for
Individual use and works as expected.

I see in the putty code, it can set a (well doesn't set, or give an
option with putty [plink shows username]) FLAG_VERBOSE which doesn't
seem to work as expected, as in still shows those items, if it did then
you would not see the info....

--
Cheers Malcolm °¿° LFCS, SUSE Knowledge Partner (Linux Counter #276890)
SUSE Linux Enterprise Desktop 12 SP1|GNOME 3.10.4|3.12.51-60.20-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below... Thanks!

mikenash
18-Jan-2016, 14:35
Greetings, thanks everyone. Unfortunately I can only use what the company provides. Their download site has the older version of putty. When a newer version becomes available I will give it a try!