Disable SSH authentication - openssh

This is a discussion on Disable SSH authentication - openssh ; Hi, I'm running openssh-4.3p2. I need to ability to run a commandon trusted machine remotely. So far as I know, we can use two ways to login to remote machine: 1) Provide user name and password 2) Public key authentication ...

+ Reply to Thread
Results 1 to 12 of 12

Thread: Disable SSH authentication

  1. Disable SSH authentication

    Hi,

    I'm running openssh-4.3p2.

    I need to ability to run a commandon trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
    1) Provide user name and password
    2) Public key authentication
    *
    My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone has the idea? Thanks


    __________________________________________________ _________
    雅虎邮箱,您的终生邮箱!
    http://cn.mail.yahoo.com/


  2. Re: Disable SSH authentication

    chaoson wrote:
    > I'm running openssh-4.3p2.
    >
    > I need to ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
    > 1) Provide user name and password
    > 2) Public key authentication
    >
    > My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone has the idea? Thank

    You mean a completely non authenticated ssh login? ... kind of defeats
    the first S of SSH...

    If I remember correctly, I think Rsh could do this based on source
    address/host, but who uses that in the last decade...

    Why would you want to do such a thing?

    If you really, really, really wanted to do this, you could do it via
    pam, using UsePAM yes in sshd_config and then set the pam for ssh to
    accept without checking for any passwords.
    (Disclaimer: the above may get you shot repeatedly by your wise-cracking
    local security guru... ;-) )

    -h

    --
    Hari Sekhon
    Always open to interesting opportunities
    http://www.linkedin.com/in/harisekhon


  3. Re: Disable SSH authentication

    Hi,

    strange question in a ssh discussion list !
    May be you can use netcat on both sides with standar input and output
    redirected from/to a console.

    Cheers
    Christian


    2008/10/13, chaoson :
    > Hi,
    >
    > I'm running openssh-4.3p2.
    >
    > I need to ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
    > 1) Provide user name and password
    > 2) Public key authentication
    >
    > My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone has the idea? Thanks
    >
    >
    >
    > __________________________________________________ _________
    > Ż䣬䣡
    > http://cn.mail.yahoo.com/
    >


  4. Re: Disable SSH authentication

    On Mon, 13 Oct 2008, chaoson wrote:

    > Date: Mon, 13 Oct 2008 15:54:57 +0800 (CST)
    > Hi,
    >
    > I'm running openssh-4.3p2.
    >
    > I need to ability to run a command on trusted machine remotely. So far
    > as I know, we can use two ways to login to remote machine:
    >
    > 1) Provide user name and password
    > 2) Public key authentication
    > *
    > My question is that can we disable the SSH authentication so that we
    > don't need to either provide user account or the public key? Does anyone
    > has the idea? Thanks


    Well, if your machine is SO trusted and so secure that does not require
    authentication, why do you need to use openssh at all? ;-) Use telnet or
    rsh then ;-)

    Why public key authentication does not work for you?

    --
    Serguei A. Mokhov | /~\ The ASCII
    Computer Science Department | \ / Ribbon Campaign
    Concordia University | X Against HTML
    Montreal, Quebec, Canada | / \ Email!


  5. Re: Disable SSH authentication

    On Tue, Oct 14, 2008 at 12:01 PM, Serguei A. Mokhov
    wrote:
    > Why public key authentication does not work for you?


    Indeed, why not setup key based auth with no passwords, other than the
    obvious security implications, as long as you protect your keys, you
    can script authentication without the need for hands on keyboards.

    --
    Dave Hull
    Public key: http://trustedsignal.com/pubkey.txt
    Fingerprint: 4B2B F3AD A9C2 B4E1 CBDF B86F D360 D00F C18D C71B


  6. Re: Disable SSH authentication

    On Tue, 14 Oct 2008, Christian Grunfeld wrote:

    > Date: Tue, 14 Oct 2008 16:46:14 -0300
    >
    > quote=" . . so that we don't need to either provide user account . . "
    >
    > that is what chaoson said !


    Personally, I interpreted that sentence of chaoson to mean "type in user
    credentials". My undestanding of the problem is that they need to run,
    perhaps in unattended/scripted mode, some commands on the remote machine
    without having to interactively enter any credetials (which passphraseless
    ssh authentication would easily achieve, but perhaps chaoson did not
    figure it out yet how it works).


    > With rsh you must provide user and password on the remote host ! also
    > like telnet !
    >
    > I remember to all of you that rsh or telnet are an input/output
    > redirection of a console thru sockets ! !


    You don't at all need to have a user account with telnet. As you said it's
    an I/O redirection through sockets, so you can have written a perl script
    or a C program (or anything really that can listen on sockets) that
    listens on a sepcified port, and interprets commands send to it through a
    telnet client connecting to that port.

    (In fact we do something like that for hardware snapshot inventory of our
    computers (like video card, disk size, etc), which does not require a user
    account and is OK to transmit in clear. We map standart input commands to
    a small subset of commands to query to hardware spec, and send it back.
    For that you don't even need to have a telnet client, but can write your
    own little shell that transmits and receives packets.)

    -s

    > cheers
    >
    > 2008/10/14 Kosala Atapattu :
    > > running commands with Netcat... even wierder....
    > >
    > > This is not the answer to your question. May be you can try good old
    > > "rsh" with the "hosts.allowed"... In some internal networks (withing
    > > the same net zone) I have used that lot... where security is not much
    > > of a concern.
    > >
    > > Kosala
    > >
    > > 2008/10/14 Christian Grunfeld :
    > >> Hi,
    > >>
    > >> strange question in a ssh discussion list !
    > >> May be you can use netcat on both sides with standar input and output
    > >> redirected from/to a console.
    > >>
    > >> Cheers
    > >> Christian
    > >>
    > >>
    > >> 2008/10/13, chaoson :
    > >>> Hi,
    > >>>
    > >>> I'm running openssh-4.3p2.
    > >>>
    > >>> I need to ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
    > >>> 1) Provide user name and password
    > >>> 2) Public key authentication
    > >>>
    > >>> My question is that can we disable the SSH authentication so that
    > >>> we don't need to either provide user account or the public key? Does
    > >>> anyone has the idea? Thanks


    --
    Serguei A. Mokhov | /~\ The ASCII
    Computer Science Department | \ / Ribbon Campaign
    Concordia University | X Against HTML
    Montreal, Quebec, Canada | / \ Email!


  7. Re: Disable SSH authentication

    > You don't at all need to have a user account with telnet. As you said it's
    > an I/O redirection through sockets, so you can have written a perl script
    > or a C program (or anything really that can listen on sockets) that
    > listens on a sepcified port, and interprets commands send to it through a
    > telnet client connecting to that port.


    You are only talking from client point of view. Obviously you can
    connect a telnet client to every server you want but in case you want
    a telnet sesion (in order to have a console for running commands) you
    connect the telnet client to the telnet server which asks you for
    authentication (user/pass).

    If you connect a telnet client to a perl script or a C program or
    something that listen on sockets you are saying the same as me ! !
    Netcat is that server that listen on sockets.

    And in my case I also use netcat as a client instead of a telnet client !

    C


  8. Re: Disable SSH authentication

    Perhaps what you meant is the possibility of setting up a trust
    relationship with a remote box, and run an automated/cron job without
    prompting you for a password. If that is what you need, that is doable
    by 'scp' the content of your generated pub.key to the authorized-keys of
    the remote box. Bingo! You will never be bothered with the "troubles" of
    uid/passwd: I agree with you, it's a PITA to go thru all that:-)

    Thanks,
    Yinka.



    Christian Grunfeld wrote:
    > As simple as:
    >
    > server side:
    > nc -l -p 1234 -e /bin/bash
    >
    > client side:
    > nc 1234
    >
    > cheers !
    >
    >
    >
    > 2008/10/14 Kosala Atapattu :
    >
    >> running commands with Netcat... even wierder....
    >>
    >> This is not the answer to your question. May be you can try good old
    >> "rsh" with the "hosts.allowed"... In some internal networks (withing
    >> the same net zone) I have used that lot... where security is not much
    >> of a concern.
    >>
    >> Kosala
    >>
    >> 2008/10/14 Christian Grunfeld :
    >>
    >>> Hi,
    >>>
    >>> strange question in a ssh discussion list !
    >>> May be you can use netcat on both sides with standar input and output
    >>> redirected from/to a console.
    >>>
    >>> Cheers
    >>> Christian
    >>>
    >>>
    >>> 2008/10/13, chaoson :
    >>>
    >>>> Hi,
    >>>>
    >>>> I'm running openssh-4.3p2.
    >>>>
    >>>> I need to ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
    >>>> 1) Provide user name and password
    >>>> 2) Public key authentication
    >>>>
    >>>> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone has the idea? Thanks
    >>>>
    >>>>
    >>>>
    >>>> __________________________________________________ _________
    >>>> Ż䣬䣡
    >>>> http://cn.mail.yahoo.com/
    >>>>
    >>>>

    >>
    >> --
    >> Kosala
    >> --------------------------------------------
    >> Disclaimer: Views expressed in this mail are my personal views and
    >> they would not reflect views of the employer.
    >> --------------------------------------------
    >> blog.kosala.net
    >> www.linux.lk/~kosala/
    >> www.kosala.net
    >>
    >>



  9. RE: Disable SSH authentication

    Kosala ,

    You can still use SSH with PAM and skip both password and key authentication by changing the following entry in /etc/pam.d/sshd file and commenting other auth entries.

    auth sufficient pam_nologin.so no_warn

    i.e. Change the pam_nologin.so to "sufficient" in the auth category and comment all others in this category (I guess even commenting other entries may not be required since we made it "sufficient" but it has to be the first entry, you can try that out).

    -Sharath.



    -----Original Message-----
    From: Christian Grunfeld [mailto:christian.grunfeld@gmail.com]
    Sent: Wednesday, October 15, 2008 1:27 AM
    To: Kosala Atapattu
    Cc: chaoson; secureshell@securityfocus.com
    Subject: Re: Disable SSH authentication

    As simple as:

    server side:
    nc -l -p 1234 -e /bin/bash

    client side:
    nc 1234

    cheers !



    2008/10/14 Kosala Atapattu :
    > running commands with Netcat... even wierder....
    >
    > This is not the answer to your question. May be you can try good old
    > "rsh" with the "hosts.allowed"... In some internal networks (withing
    > the same net zone) I have used that lot... where security is not much
    > of a concern.
    >
    > Kosala
    >
    > 2008/10/14 Christian Grunfeld :
    >> Hi,
    >>
    >> strange question in a ssh discussion list !
    >> May be you can use netcat on both sides with standar input and output
    >> redirected from/to a console.
    >>
    >> Cheers
    >> Christian
    >>
    >>
    >> 2008/10/13, chaoson :
    >>> Hi,
    >>>
    >>> I'm running openssh-4.3p2.
    >>>
    >>> I need to ability to run a command on trusted machine remotely. So far as I know, we can use two ways to login to remote machine:
    >>> 1) Provide user name and password
    >>> 2) Public key authentication
    >>>
    >>> My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? Does anyone has the idea? Thanks
    >>>
    >>>
    >>>
    >>> __________________________________________________ _________
    >>> Ż䣬䣡
    >>> http://cn.mail.yahoo.com/
    >>>

    >>

    >
    >
    >
    > --
    > Kosala
    > --------------------------------------------
    > Disclaimer: Views expressed in this mail are my personal views and
    > they would not reflect views of the employer.
    > --------------------------------------------
    > blog.kosala.net
    > www.linux.lk/~kosala/
    > www.kosala.net
    >



  10. Re: Disable SSH authentication

    Hi Sharath,

    On Thu, Oct 16, 2008 at 8:29 AM, Sharath Ballal
    wrote:
    > Kosala ,
    >


    BTW, I'm not the originator of the request... it's chaoson.

    > You can still use SSH with PAM and skip both password and key authentication by changing the following entry in /etc/pam.d/sshd file and commenting other auth entries.
    >
    > auth sufficient pam_nologin.so no_warn
    >
    > i.e. Change the pam_nologin.so to "sufficient" in the auth category and comment all others in this category (I guess even commenting other entries may not be required since we made it "sufficient" but it has to be the first entry, you can try that out).


    I see this in my Ubuntu box.

    # Disallow non-root logins when /etc/nologin exists.
    account required pam_nologin.so

    The description gives a different definition to pam_nologin.so.

    Kosala


  11. RE: Disable SSH authentication

    > # Disallow non-root logins when /etc/nologin exists.
    I didn't have that line in my box and didn't bother to verify what '
    pam_nologin.so' stands for. Now I checked that /etc/nologin did not
    exist in my box (that explains why it worked).
    -Sharath.



    -----Original Message-----
    From: Kosala Atapattu [mailto:kosala.atapattu@gmail.com]
    Sent: Thursday, October 16, 2008 11:12 AM
    To: Sharath Ballal
    Cc: Christian Grunfeld; chaoson; secureshell@securityfocus.com
    Subject: Re: Disable SSH authentication

    Hi Sharath,

    On Thu, Oct 16, 2008 at 8:29 AM, Sharath Ballal
    wrote:
    > Kosala ,
    >


    BTW, I'm not the originator of the request... it's chaoson.

    > You can still use SSH with PAM and skip both password and key

    authentication by changing the following entry in /etc/pam.d/sshd file
    and commenting other auth entries.
    >
    > auth sufficient pam_nologin.so no_warn
    >
    > i.e. Change the pam_nologin.so to "sufficient" in the auth category

    and comment all others in this category (I guess even commenting other
    entries may not be required since we made it "sufficient" but it has to
    be the first entry, you can try that out).


    I see this in my Ubuntu box.

    # Disallow non-root logins when /etc/nologin exists.
    account required pam_nologin.so

    The description gives a different definition to pam_nologin.so.

    Kosala


  12. Re: Disable SSH authentication

    I think the goal could be achived with a different aproach, chaosonou
    wants "the ability to run a command on trusted machine remotely" +
    "don't need to either provide user account or the public key". This
    seems that he/she wants to automate or mechanize the ssh session,
    this could be achieved, without reinventing the wheel, using expect
    With spect you can control the remote session in a programatic way
    without loosing security and controlling outputs of your remote commands

    Further reference:
    http://expect.nist.gov/
    http://www.tcl.tk/man/expect5.31/

    Esteban Dauksis Ortolá
    esteban@dauksis.com
    http://www.linkedin.com/in/estebandauksis

    El 17/10/2008, a las 9:09, Kosala Atapattu escribió:

    > Hi Guys,
    >
    > This has been a very interesting mailing thread. After all the
    > discussion I would like to summarize what I grabbed during these
    > conversations.
    >
    > The ultimate goal, can be achived with following other tools...
    >
    > 1. Interestingly with "NETCAT" with -e option
    >
    > 2. Regular RSH with trusted host.
    >
    > Achieving this through SSH is not logical, since the approach
    > basically defeats the original purpose of SSH.
    >
    > Did I miss something?
    >
    > Kosala
    >
    > On Mon, Oct 13, 2008 at 10:54 AM, chaoson
    > wrote:
    >> Hi,
    >>
    >> I'm running openssh-4.3p2.
    >>
    >> I need to ability to run a command on trusted machine remotely. So
    >> far as I know, we can use two ways to login to remote machine:
    >> 1) Provide user name and password
    >> 2) Public key authentication
    >>
    >> My question is that can we disable the SSH authentication so that
    >> we don't need to either provide user account or the public key?
    >> Does anyone has the idea? Thanks
    >>
    >>
    >> __________________________________________________ _________
    >> 雅虎邮箱,您的终生邮箱!
    >> http://cn.mail.yahoo.com/
    >>

    >
    >
    >
    > --
    > Kosala
    > --------------------------------------------
    > Disclaimer: Views expressed in this mail are my personal views and
    > they would not reflect views of the employer.
    > --------------------------------------------
    > blog.kosala.net
    > www.linux.lk/~kosala/
    > www.kosala.net



+ Reply to Thread