Koozali.org: home of the SME Server

Why is it

Ron LeVine

Why is it
« on: November 16, 2001, 02:06:49 AM »
Anyone know why the SSH on 4.1.2 is no longer working on fresh installs?

I tried using the newest version of e-smith and don't care for the 75 character mysql key.

Anyone have any ideas how to get SSH to work again?

Thanks in advance
Ron

Ron LeVine

Re: Why is it
« Reply #1 on: November 16, 2001, 02:49:37 AM »
Well, it appears that all SSH user logins are disabled on all 4.1.2 installations. Once again, I can log into a server with Root, but not as a user.

If this is the case, I am not going to purchase the Mitel software as I had planned on. This kind of crippling without any forewarning is not good business.

Ron LeVine
LeVine and Associates

Serge Dutremble

Re: Why is it
« Reply #2 on: November 16, 2001, 04:22:07 AM »
You must remember what is the intent of the SME 5 server:

To serve as a server to a LAN of Windows or Mac machines while providing all network services (DHCP, NAT, file, mail, web, ...)

All, if not most, users only need to access the services through the LAN and not directly at the unix command line.  In fact, you do not want to give most users access to the unix prompt as they would not know what to do with it.

Now, if there is a need for some users other than root or admin to access the command line, this is easy enough to do and if you know anything about linux, it should not be an issue.

You may want to have access yourself as a regular user to use unix and get familiar with it without taking the risk of damaging the system.  If this is the case, I suggest you install one of the full-blown distributions (Red Hat, Mandrake...) for that.

If you are not sure how to give access to the command line to users and it is still what you want to do, then:

1. Log in at the console as root
2. Edit the /etc/passwd file using vi or vim (you may have to read up on this if you do not know how to use it; some other users may know of another, easier console editor...)
3. For the users you want, there is the shell shown at the end of the user entry.  Replace it with the same shell used for root (I think it is bash).  Save the file and that's it!

Command line should be available for that user.

I hope this helps.

Serge.

Dan Brown

User shell access (was Re: Why is it)
« Reply #3 on: November 16, 2001, 05:14:55 AM »
All ssh (and telnet) user logins are disabled on 4.1.2 _and_ 5.0.  This is discussed in the manual for 5.0, at least (on page 55 of the downloadable manual); I don't have a 4.1.2 manual handy to check.

I have no idea what you mean by "crippling without any forewarning".  First, this feature doesn't in any way cripple the intended use of the server, and second, it's adequately explained in the current documentation.  As Serge explained, the target market for the SME server wouldn't have much use for user shell access, and closing shell access improves security--a fair number of exploits which have appeared recently depend on malicious users having shell access.  If you really want to open this up, though, don't do as Serge suggests--instead, take a look at chsh.
I'd also point out that (1) the MySQL password _can_ be changed, (2) you don't need to use it for much of anything anyway if you're handling your databases properly, and (3) downgrading to an old version for only this reason seems rather silly.  Further, if you refuse to use the current version, I doubt you'd be able to buy the old version anyway.
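
As an added illustration of the check behind Serge's steps and Dan's chsh remark (this is not code from the thread or from the SME Server project), the POSIX sh script below audits a passwd file and lists the accounts whose seventh field is an interactive shell rather than /bin/false or /sbin/nologin. The passwd lines are constructed sample data; point the functions at the real /etc/passwd to see which accounts on a live box could log in over ssh or telnet. The chsh line is shown as a comment only, since changing a shell needs root.

```shell
#!/bin/sh
# Added example, not from the thread: audit which accounts in a passwd
# file still have an interactive login shell. On an SME 4.1.2/5.0 box
# ordinary users are given /bin/false, so only accounts deliberately
# re-enabled (e.g. with "chsh -s /bin/bash bob" as root) should show up.

# Constructed sample passwd content for the demo (not a real system's file).
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:5001:5001:Alice Example:/home/e-smith/files/users/alice:/bin/false
bob:x:5002:5002:Bob Example:/home/e-smith/files/users/bob:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
EOF

# Print the user names (field 1) whose login shell (field 7) is anything
# other than the two conventional "no login" shells. Takes the passwd
# file path as its only argument so it can be run against /etc/passwd.
interactive_accounts() {
    awk -F: '$7 != "/bin/false" && $7 != "/sbin/nologin" { print $1 }' "$1"
}

# Number of interactive accounts; useful as a one-line monitoring check
# that the count has not grown unexpectedly.
interactive_count() {
    interactive_accounts "$1" | wc -l | tr -d ' '
}

# Exit 0 if the named user has an interactive shell in the given file.
has_shell() {
    interactive_accounts "$2" | grep -qx "$1"
}

# Demo run: root and bob are listed, alice and nobody are not.
echo "Accounts with an interactive shell in $SAMPLE_PASSWD:"
interactive_accounts "$SAMPLE_PASSWD"
echo "Total: $(interactive_count "$SAMPLE_PASSWD")"
```

Running the same functions against /etc/passwd after enabling a user with chsh shows that user appearing in the list alongside root, which is exactly the set of accounts sshd will accept once their shell is valid.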

AJ Henley

Re: Why is it
« Reply #4 on: November 17, 2001, 02:16:14 AM »
I was discomforted by the huge password for mysql as well. And the first thing I do when I install a new 5.0 system is create another user (superuser) for mysql. To do this, run mysql and then type:

grant all on *.* to clark@((domain goes here, usually localhost)) identified by "kent" with grant option;

this creates a user (clark, with password kent) that has basically all the rights you need to install a script or what have you without having to type the 75 digit key

Chris O'Donovan

Re: Why is it
« Reply #5 on: November 17, 2001, 03:38:59 PM »
The users not having shell access is a feature of SME5. Someone purposefully changed the user's shell to /bin/false so that they wouldn't have shell access.

I agree with this change. I think that if you don't require the admin to know how to use a unix prompt then the users shouldn't have shell access.

Conversely, if the admin doesn't know how to change /etc/passwd then the users shouldn't have shell access.

This may be unix snobbery.

Chris

Ron LeVine

Re: Why is it
« Reply #6 on: November 18, 2001, 01:54:59 AM »
Ok, My bad. I had a minor(possibly major) brainfart and after the air cleared, I realized that I am the only one who goes into both my server and my client's servers at the SSH level for maintenance and of course, I do so as ROOT. DUH!!!

I am actually not a newbie with Linux as I have been using it since Slackware 3.4 and use Mandrake for my web development machine.

I apologise for any trouble this post may have caused.

Ron

Damien Curtain

Re: Why is it
« Reply #7 on: November 18, 2001, 11:06:43 AM »
> the air cleared, I realized that I am the only one who goes
> into both my server and my client's servers at the SSH level
> for maintenance and of course, I do so as ROOT. DUH!!!

This is actually a very insecure practice. You should limit using the root account and instead enable a personal account for yourself and edit the relevant shell entry in the passwd file. Then utilize a utility such as sudo to perform tasks with su privileges...

I still think a limiting factor of e-smith is the requirement to share and utilize the root passwd continually to perform regular tasks.

I've found reserving a group such as sysadmins for local administrators and tweaking the templates to give anyone belonging to the sysadmin group a login shell useful. Then you can add the group to the sudoers file. This probably isn't useful if your main interaction with e-smith is via the web manager, but then again I'm usually logged into low speed machines and prefer to call the actions directly as my time is an issue....

Regards
--
 Damien