Hans-Peter | 2 Dec 2008 15:12

How to dig deeper

In order to get more information on IO performance problems I created the script below:
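#!/usr/sbin/dtrace -s
#pragma D option flowindent

/* Trace only the first write-family syscall made by the target pid ($1). */
syscall::*write*:entry
/pid == $1 && guard++ == 0/
{
        self->ts = timestamp;
        self->traceme = 1;
        printf("fd: %d", arg0);
}

/* While inside that syscall, print a timestamp at every kernel function
   entry and return seen by this thread. */
fbt:::
/self->traceme/
{
/*      elapsd =timestamp - self -> ts;
        printf(" elapsed : %d" , elapsd); */
        printf(" timestamp : %d" , timestamp);
}

/* On return, report the total time spent in the syscall and stop. */
syscall::*write*:return
/self->traceme/
{
        self->traceme = 0;
        elapsed = timestamp - self->ts;
        printf(" timestamp : %d" , timestamp);
        printf("\telapsed : %d" , elapsed);
        exit(0);
}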

It gives me the timestamp for every fbt call during a write system call.
A snippet is below:
  8                  <- schedctl_save          timestamp : 1627201334052600

Wei Jiang | 3 Dec 2008 03:26

How to allow root to access SSH remotely on opensolaris 11?

I have a new opensolaris11 (2008.05) installed on a laptop. I can ssh as a normal user to a remote server, but I
could not ssh as root to the remote server.

I changed the following on the remote server.
1. modified "PermitRootLogin" from no to yes in the file /etc/ssh/sshd_config
   PermitRootLogin yes

2. commented out CONSOLE=/dev/console in the file /etc/default/login
  #CONSOLE=/dev/console

After restarting sshd on server1, I still could not ssh to the remote server as root.
Client$ ssh root@removeserver
password:
password:

After entering the root password, it still keeps asking for the password.

Root access to SSH is denied. Could you please let me know what I should do?

Any information would be appreciated. Thanks in advance.
-- 
This message posted from opensolaris.org
Dale Ghent | 4 Dec 2008 02:54

Re: How to allow root to access SSH remotely on opensolaris 11?


Did you restart the ssh service after making the changes to  
sshd_config ?

svcadm restart ssh

/dale

On Dec 2, 2008, at 9:26 PM, Wei Jiang wrote:

> I have a new opensolaris11 (2008.05) installed on a laptop. I can  
> ssh as a normal user to a remote server, but I could not ssh as root  
> to the remote server.
>
> I changed the following on the remote server.
> 1. modified "PermitRootLogin" from no to yes in the file
>    /etc/ssh/sshd_config
>   PermitRootLogin yes
>
> 2. commented out CONSOLE=/dev/console in the file /etc/default/login
>  #CONSOLE=/dev/console
>
> After restarting sshd on server1, I still could not ssh to the remote
> server as root.
> Client$ ssh root@removeserver
> password:
> password:
>
> After entering the root password, it still keeps asking for the password.
>

Iain MacDonnell | 4 Dec 2008 03:48

Re: How to allow root to access SSH remotely on opensolaris 11?


Isn't root a role on OpenSolaris?

     ~Iain

Dale Ghent wrote:
> Did you restart the ssh service after making the changes to  
> sshd_config ?
> 
> svcadm restart ssh
> 
> /dale
> 
> On Dec 2, 2008, at 9:26 PM, Wei Jiang wrote:
> 
>> I have a new opensolaris11 (2008.05) installed on a laptop. I can  
>> ssh as a normal user to a remote server, but I could not ssh as root  
>> to the remote server.
>>
>> I changed the following on the remote server.
>> 1. modified "PermitRootLogin" from no to yes in the file
>>    /etc/ssh/sshd_config
>>   PermitRootLogin yes
>>
>> 2. commented out CONSOLE=/dev/console in the file /etc/default/login
>>  #CONSOLE=/dev/console
>>
>> After restarting sshd on server1, I still could not ssh to the remote
>> server as root.
>> Client$ ssh root@removeserver

Dale Ghent | 4 Dec 2008 05:04

Re: How to allow root to access SSH remotely on opensolaris 11?


That's the command to restart ssh, isn't it. Obtaining the cred needed  
to successfully execute it is an exercise for the reader.

On Dec 3, 2008, at 9:48 PM, Iain MacDonnell wrote:

>
> Isn't root a role on OpenSolaris?
>
>    ~Iain
>
>
>
> Dale Ghent wrote:
>> Did you restart the ssh service after making the changes to   
>> sshd_config ?
>> svcadm restart ssh
>> /dale
>> On Dec 2, 2008, at 9:26 PM, Wei Jiang wrote:
>>> I have a new opensolaris11 (2008.05) installed on a laptop. I can   
>>> ssh as a normal user to a remote server, but I could not ssh as  
>>> root  to the remote server.
>>>
>>> I changed the following on the remote server.
>>> 1. modified "PermitRootLogin" from no to yes in the file
>>>    /etc/ssh/sshd_config
>>>  PermitRootLogin yes
>>>
>>> 2. commented out CONSOLE=/dev/console in the file /etc/default/login

Iain MacDonnell | 4 Dec 2008 06:42

Re: How to allow root to access SSH remotely on opensolaris 11?


I don't think roles can login [via ssh]. I don't have an osol system
at hand to test...

     ~Iain

Dale Ghent wrote:
> That's the command to restart ssh, isn't it. Obtaining the cred needed  
> to successfully execute it is an exercise for the reader.
> 
> On Dec 3, 2008, at 9:48 PM, Iain MacDonnell wrote:
> 
>> Isn't root a role on OpenSolaris?
>>
>>    ~Iain
>>
>>
>>
>> Dale Ghent wrote:
>>> Did you restart the ssh service after making the changes to   
>>> sshd_config ?
>>> svcadm restart ssh
>>> /dale
>>> On Dec 2, 2008, at 9:26 PM, Wei Jiang wrote:
>>>> I have a new opensolaris11 (2008.05) installed on a laptop. I can   
>>>> ssh as a normal user to a remote server, but I could not ssh as  
>>>> root  to the remote server.
>>>>
>>>> I changed the following on the remote server.
>>>> 1. modified "PermitRootLogin" from no to yes in the file /etc/ssh/

Damian Wojslaw | 4 Dec 2008 10:04

Re: How to allow root to access SSH remotely on opensolaris 11?

Iain MacDonnell wrote:
> I don't think roles can login [via ssh]. I don't have an osol system
> at hand to test...
> 
>      ~Iain

Roles cannot log in. Only real users can. Besides asking yourself a 
question, why would you ever need to allow remote root logins, you need 
to change root to a normal user and give a password.

-- 
Damian Wojslaw
http://pl.opensolaris.org/ | SCA OS0073
http://www.opensolaris.org/os/community/on/
http://opensolaris.org/os/project/szc-osug/
http://www.linkedin.com/in/trochej
Ken Gunderson | 4 Dec 2008 11:01

Re: How to allow root to access SSH remotely on opensolaris 11?


On Thu, 2008-12-04 at 10:04 +0100, Damian Wojslaw wrote:
> Iain MacDonnell wrote:
> > I don't think roles can login [via ssh]. I don't have an osol system
> > at hand to test...
> > 
> >      ~Iain
> 
> Roles cannot log in. Only real users can. Besides asking yourself a 
> question, why would you ever need to allow remote root logins, you need 
> to change root to a normal user and give a password.
> 
> 

Finally some sense talking here  ^^^^^^

Assuming remote box is non OSOL:

1) Config Mortal Account as necessary to allow root access

a) su
b) or even better sudo to provide more granular control

2) Further restrict who can connect via SSH

a) create sshusers group and add users as appropriate
b) Add to sshd_config:	AllowGroups sshusers

A few other options that you may want to consider.  This is off the top of my
head, check man sshd_config for more.

Jeff Victor | 4 Dec 2008 13:22

Re: How to allow root to access SSH remotely on opensolaris 11?

Ken Gunderson wrote:
> On Thu, 2008-12-04 at 10:04 +0100, Damian Wojslaw wrote:
>   
>> Iain MacDonnell wrote:
>>     
>>> I don't think roles can login [via ssh]. I don't have an osol system
>>> at hand to test...
>>>       
>> Roles cannot log in. Only real users can. Besides asking yourself a 
>> question, why would you ever need to allow remote root logins, you need 
>> to change root to a normal user and give a password.
>>     
> Finally some sense talking here  ^^^^^^
>
> Assuming remote box is non OSOL:
>
> 1) Config Mortal Account as necessary to allow root access
>
> a) su
> b) or even better sudo to provide more granular control
>   
c) or even better(-er?) use RBAC with privileges
> 2) Further restrict who can connect via SSH
>
> a) create sshusers group and add users as appropriate
> b) Add to sshd_config:	AllowGroups sshusers
>   
--JeffV
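
A check for the two settings this thread turns on, as an added example that is not code from any poster or from OpenSolaris: it reads PermitRootLogin and AllowGroups from an sshd_config and looks up root's type in a Solaris-style user_attr file. The function names and sample file contents are constructed, and it assumes the first occurrence of an sshd_config keyword wins, as OpenSSH documents.

```shell
#!/bin/sh
# Print the effective value of sshd_config keyword $1 in file $2. Keywords are
# case-insensitive; assumption: the first uncommented occurrence wins (OpenSSH rule).
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# Succeed if account $1 is a role in user_attr file $2.
# Line format: user:qualifier:res1:res2:attr, attr is key=value;key=value...
is_role() {
    awk -F: -v user="$1" '
        /^#/ { next }
        $1 == user && $5 ~ /(^|;)type=role(;|$)/ { found = 1 }
        END { exit !found }
    ' "$2"
}

# Report, one finding per line, how sshd_config $1 and user_attr $2 treat root.
diagnose_root_ssh() {
    prl=$(sshd_value PermitRootLogin "$1")
    grp=$(sshd_value AllowGroups "$1")
    echo "PermitRootLogin=${prl:-unset}"
    echo "AllowGroups=${grp:-unset}"
    if is_role root "$2"; then
        echo "BLOCKED: root is a role, and roles cannot log in directly"
    elif [ -z "$prl" ]; then
        echo "CHECK: PermitRootLogin unset, the sshd build's default applies"
    elif [ "$prl" = "yes" ]; then
        echo "EXPOSED: direct root password login is allowed"
    else
        echo "OK: sshd does not allow direct root password login"
    fi
}

# Constructed sample files modelled on the thread, not taken from a real host.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# PermitRootLogin no' 'PermitRootLogin yes' \
        'AllowGroups sshusers' > "$d/sshd_config"
    printf '%s\n' 'root::::type=role;auths=solaris.*;profiles=All' \
        'wei::::type=normal;roles=root' > "$d/user_attr"
    diagnose_root_ssh "$d/sshd_config" "$d/user_attr"
    rm -rf "$d"
}
demo
```

With the sample files the last line reads BLOCKED, which matches the symptom in the original post: the password prompt repeats even though PermitRootLogin is yes.
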
Moore, Joe | 4 Dec 2008 14:13

Re: How to allow root to access SSH remotely on opensolaris 11?

Ken Gunderson wrote:

> 4) login as mortal user
> 
> 5) "super user up"

Is there a way to transfer a root-only access file (consider fetching /etc/shadow for an offline password
audit, or pushing a new /etc/motd up to the server)?

Currently, I use {,p}scp and am left with either targeting root@theserver:/path or doing a multistep
copy (ssh joe@theserver "getrootequiv cp thefile /tmp" ; scp joe@theserver:/tmp/thefile . # reverse
the steps if uploading)

The former requires root to be a real user with root role/privs.  The latter gives me a headache, and leaves a
privileged file in /tmp.

I imagine I could switch to rsync over ssh (rsync -e ssh --path-to-rsync="sudo rsync" ./motd
joe@theserver:/etc/motd) or something like that, but that seems like serious overkill.  And if sudo or
whatever is elevating privs requires a password, this breaks.

--Joe
