Dotaz: SSH VNC problem

Dobry den, mam takove 2 problemy. 1/ VNC pri pripojeni na display 0

(u me GNOME, kdyz se pripojim dojde k selhani systemu (ani tuk, zamrzne, u klienta pouze seda obrazovka, zkousel jsem se pripojit i z toho sameho stroje, vysledek stejny) a je nutny tvrdy restart),

coz pokud chapu spravne je pracovni prostredi. Testoval jsem to tedy na dalsim displaji Tab Window Manager - OK KDE - OK Gnome - problem - uz bezi ... hadam ze dela VNCcku potize. Implicitne jedu v Gnome. 2/ Nefunguje mi z nejakeho overovani pomoci RSA/DSA klicu. Zatim testovano pouze Win(Putty) -> Linux. Klice byyli ulozeny Authorized_keys i Authorized_keys2. Generovany pro OpenSSH. Vcera sem krapet upgradnul SSH, s tim ze by to mohlo zacit spolupracovat

openssl-0.9.8a.tar.gz (MD5) (SHA1) (PGP sign) [LATEST]
openssh-4.3p2.tar.gz
znovu zavedst PAM moduly
a iconfigurovat ssh s
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-libs=-ldl

vse se zda OK. sshd sice vyhodi sshd re-exec requires execution with an absolute path ale to lze spustit /usr/sbin/sshd

sshd -v
OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct 2005

Ale co je pruser, nejenomze nejde overovani podle klicu, ale uz nejde ani podle hesel :( sshd_config --------------------------------------------------------------------------------------------------------------

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication no


# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

---------------------------------------------- Za kazdou pomoc budu vdecny. Disribuce Debian Sarge

2 - skus sa pripojit z ineho linuxu 'ssh -v' a ten vystup pastnut sem

jeste pripojim pokus o diagnostiku

muff:~# ps -C sshd
PID TTY TIME CMD
muff:~# ps -ef | grep ssh
root 5386 5343 0 18:01 ? 00:00:00 /usr/bin/ssh-agent /usr/bin/gnom e-session
root 5516 5474 0 18:02 pts/3 00:00:00 grep ssh
muff:~# ps -ef | grep ssh
root 5386 5343 0 18:01 ? 00:00:00 /usr/bin/ssh-agent /usr/bin/gnome-session
root 5518 5474 0 18:02 pts/3 00:00:00 grep ssh
muff:~# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:548 0.0.0.0:* LISTEN 3730/afpd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 3826/smbd
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 3996/X
tcp 0 0 127.0.0.1:621 0.0.0.0:* LISTEN 3837/famd
tcp 0 0 0.0.0.0:5902 0.0.0.0:* LISTEN 4485/Xtightvnc
tcp 0 0 0.0.0.0:5903 0.0.0.0:* LISTEN 4538/Xtightvnc
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3111/portmap
tcp 0 0 0.0.0.0:5904 0.0.0.0:* LISTEN 4654/Xtightvnc
tcp 0 0 0.0.0.0:5905 0.0.0.0:* LISTEN 5033/Xtightvnc
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 3698/inetd
tcp 0 0 0.0.0.0:5906 0.0.0.0:* LISTEN 5062/Xtightvnc
tcp 0 0 0.0.0.0:6002 0.0.0.0:* LISTEN 4485/Xtightvnc
tcp 0 0 0.0.0.0:6003 0.0.0.0:* LISTEN 4538/Xtightvnc
tcp 0 0 0.0.0.0:6004 0.0.0.0:* LISTEN 4654/Xtightvnc
tcp 0 0 0.0.0.0:6005 0.0.0.0:* LISTEN 5033/Xtightvnc
tcp 0 0 0.0.0.0:6006 0.0.0.0:* LISTEN 5062/Xtightvnc
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 3841/rpc.statd
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 3790/postmaster
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3688/exim4
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 3826/smbd
tcp6 0 0 :::80 :::* LISTEN 3852/apache2
tcp6 0 0 :::5432 :::* LISTEN 3790/postmaster
muff:~# /usr/sbin/sshd -d -d -d
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 639
debug2: parse_server_config: config /etc/ssh/sshd_config len 639
debug1: sshd version OpenSSH_4.3p2
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-d'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Bind to port 22 on 0.0.0.0 failed: Address already in use.

muff:~# ps -C ssh-agent
PID TTY TIME CMD
5386 ? 00:00:00 ssh-agent defunct

rodicovskym procesem ssh-agenta je primo gnome-session .. (pokud  uvazuju spravne) ukonceni kontraproduktivni 

a nadale se to chova stejne :(

Problem byl vyresen

Takze takove shrnuti. Po upgradu SSH, vhodnem nastaveni a zprovozneni(ted to presne doladim, zdokumentuju a dam sem vhodne nastaveni). Se problem omezil na autorizaci klicu od PUTTY. Exportovani pro OpenSSH funguje prinejmensim pochybne. Mnohem lepsi zpusob je konverze pomoci ssh-keygen(u)

ssh -i -f soubor_s_verejnym_klicem >> authorized_keys

jak je to se souborem authorized_keys2 presne nevim, johanka se ve svem clanku zminuje, ze byl vyuzivam starsimi klienty. Tady prosim o doplneni od nekoho kdo do toho vidi vic.

Mel bych jeste 2 otazecky ...

1/ proc pri spousteni ssh demona sshd (ted musim spoustet /usr/sbin/sshd) vyhazuje kdyz dam jen sshd sshd re-exec requires execution with an absolute path i kdyz mam v profilu

if [ "`id -u`" -eq 0 ]; then
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/bin/X11"
else
PATH="/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games"
fi

2/ proc je takovy problem spustit ten debug mod (resp ssh korektne ukoncit)

muff:~# ps -C sshd
PID TTY TIME CMD
muff:~# ps -ef | grep ssh
root 5386 5343 0 18:01 ? 00:00:00 /usr/bin/ssh-agent /usr/bin/gnom e-session
root 5516 5474 0 18:02 pts/3 00:00:00 grep ssh
muff:~# ps -ef | grep ssh
root 5386 5343 0 18:01 ? 00:00:00 /usr/bin/ssh-agent /usr/bin/gnome-session
root 5518 5474 0 18:02 pts/3 00:00:00 grep ssh
muff:~# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:548 0.0.0.0:* LISTEN 3730/afpd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 3826/smbd
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 3996/X
tcp 0 0 127.0.0.1:621 0.0.0.0:* LISTEN 3837/famd
tcp 0 0 0.0.0.0:5902 0.0.0.0:* LISTEN 4485/Xtightvnc
tcp 0 0 0.0.0.0:5903 0.0.0.0:* LISTEN 4538/Xtightvnc
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3111/portmap
tcp 0 0 0.0.0.0:5904 0.0.0.0:* LISTEN 4654/Xtightvnc
tcp 0 0 0.0.0.0:5905 0.0.0.0:* LISTEN 5033/Xtightvnc
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 3698/inetd
tcp 0 0 0.0.0.0:5906 0.0.0.0:* LISTEN 5062/Xtightvnc
tcp 0 0 0.0.0.0:6002 0.0.0.0:* LISTEN 4485/Xtightvnc
tcp 0 0 0.0.0.0:6003 0.0.0.0:* LISTEN 4538/Xtightvnc
tcp 0 0 0.0.0.0:6004 0.0.0.0:* LISTEN 4654/Xtightvnc
tcp 0 0 0.0.0.0:6005 0.0.0.0:* LISTEN 5033/Xtightvnc
tcp 0 0 0.0.0.0:6006 0.0.0.0:* LISTEN 5062/Xtightvnc
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 3841/rpc.statd
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 3790/postmaster
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3688/exim4
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 3826/smbd
tcp6 0 0 :::80 :::* LISTEN 3852/apache2
tcp6 0 0 :::5432 :::* LISTEN 3790/postmaster
muff:~# /usr/sbin/sshd -d -d -d
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 639
debug2: parse_server_config: config /etc/ssh/sshd_config len 639
debug1: sshd version OpenSSH_4.3p2
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-d'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Bind to port 22 on 0.0.0.0 failed: Address already in use.

muff:~# ps -C ssh-agent
PID TTY TIME CMD
5386 ? 00:00:00 ssh-agent defunct

a nadale se to chova stejne :( ... jeste doplnimi kdyz je to z toho videt, ze rodicovskym procesem ssh-agenta je gnome-session, coz znamena samotne prostredi Gnome.

... to jsem moc nepochopil ... napadlo mi nastavit (jeste jsem to nedelal) parametr -d pri inicializaci a vystup poslat do nejakeho souboru, ale je to takove tezkopadne ... eventualne mi napadlo prepnout se do textoveho rezimu a graficky shodit, nebo to udelat uz pri logu (tim bych zbavil problemu s provazanosti ssh-agenta na graficke prostredi)

ad VNC/ uz to taky jede ... pracovni plocha 0 v Linuxu uz je taky sdilena. je k tomu potreba zavedst spec program x11vnc, ktery s parametrem x11vnc -display :0 nasdili pracovni plochu(tzn. chova se identicky s windows), ale pozor ... nasdili ji jako plochu 1 ne 0 tzn. je dostupna na adrese XXX.XXX.XXX.XXX:1

tu samou funkci by mel plnit x0vncserver, ktery je soucasti RealVNC, ale zatim se mi ho nepodarilo rozchodit

muff:~# x0vncserver -display :0

Tue Apr 18 20:35:13 2006
main: XTest extension present - version 2.2
main: unable to bind listening socket: Address already in use (98)
~ImageCleanup called

muff:~# netstat -nltp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:548 0.0.0.0:* LISTEN 3757/afpd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 3857/smbd
tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 4357/X domnivam se, ze problem budou samotna Xka ... resp. asi jejich nastaveni
tcp 0 0 127.0.0.1:652 0.0.0.0:* LISTEN 3868/famd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3139/portmap
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN 3730/inetd
tcp 0 0 0.0.0.0:662 0.0.0.0:* LISTEN 3872/rpc.statd
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 3821/postmaster
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3724/exim4
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 3857/smbd
tcp6 0 0 :::80 :::* LISTEN 3883/apache2
tcp6 0 0 :::22 :::* LISTEN 3864/sshd
tcp6 0 0 :::5432 :::* LISTEN 3821/postmaster

tady je primo postup http://www.realvnc.com/products/free/4.1/x0.html od vyrobce

knihovnu sem zavedl, XF86config editoval, nepremava, moje anglictina zas tak dobra neni, tak mi mozna neco uniklo

Pokud pisu bludy, prosim o opravu.

ad1, ad2)

Není lepší ten sshd server pouštět pomocí init scriptů? /etc/init.d/ssh start

No a pokud ho chci debugovat, tak si to nastavim v /etc/default/ssh. Já používám Debian, nevím, jak to bude u vaší distribuce, ale něco podobného by tam mohlo existovat.