Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: olivers on May 12, 2010, 04:26:23 AM
-
Today I used the software installer to update my relatively vanilla 7.4 box.
I then renewed/updated my cacert.org ssl server certificate.
Since then, the normal user accounts are unable to login via webmail, WinSCP, Putty or the console. The admin and root accounts can login via any of the methods except webmail.
The messages log gives output as follows when attempting to login remotely via Putty:
May 11 19:11:57 linx sshd(pam_unix)[12261]: session opened for user oliver by (uid=0)
May 11 19:11:57 linx rssh[12277]: setting log facility to LOG_USER
May 11 19:11:57 linx rssh[12277]: setting umask to 022
May 11 19:11:57 linx rssh[12277]: line 15: configuring user oliver
May 11 19:11:57 linx rssh[12277]: setting oliver's umask to 022
May 11 19:11:57 linx rssh[12277]: allowing scp to user oliver
May 11 19:11:57 linx rssh[12277]: allowing sftp to user oliver
May 11 19:11:57 linx rssh[12277]: allowing cvs to user oliver
May 11 19:11:57 linx rssh[12277]: allowing rdist to user oliver
May 11 19:11:57 linx rssh[12277]: allowing rsync to user oliver
May 11 19:11:57 linx rssh[12277]: user oliver attempted to log in with a shell
May 11 19:11:57 linx sshd(pam_unix)[12261]: session closed for user oliver
or this via the console:
May 11 19:22:28 linx login(pam_unix)[13504]: session opened for user oliver by LOGIN(uid=0)
May 11 19:22:28 linx -- oliver[13504]: LOGIN ON tty1 BY oliver
May 11 19:22:28 linx rssh[13523]: setting log facility to LOG_USER
May 11 19:22:28 linx rssh[13523]: setting umask to 022
May 11 19:22:28 linx rssh[13523]: line 15: configuring user oliver
May 11 19:22:28 linx rssh[13523]: setting oliver's umask to 022
May 11 19:22:28 linx rssh[13523]: allowing scp to user oliver
May 11 19:22:28 linx rssh[13523]: allowing sftp to user oliver
May 11 19:22:28 linx rssh[13523]: allowing cvs to user oliver
May 11 19:22:28 linx rssh[13523]: allowing rdist to user oliver
May 11 19:22:28 linx rssh[13523]: allowing rsync to user oliver
May 11 19:22:28 linx rssh[13523]: user oliver attempted to log in with a shell
May 11 19:22:28 linx login(pam_unix)[13504]: session closed for user oliver
The packages installed today were:
May 11 12:38:41 Updated: rmt.i386 0.4b39-3.EL4.3
May 11 12:38:43 Updated: tzdata.noarch 2010i-1.el4
May 11 12:38:53 Updated: glibc-common.i386 2.3.4-2.43.el4_8.3
May 11 12:38:57 Updated: glibc.i686 2.3.4-2.43.el4_8.3
May 11 12:38:58 Updated: openssl.i686 0.9.7a-43.17.el4_8.5
May 11 12:38:58 Updated: net-snmp-libs.i386 5.1.2-18.el4_8.2
May 11 12:38:59 Updated: shadow-utils.i386 2:4.0.3-66.el4_8.1
May 11 12:39:00 Updated: clamav-db.i386 0.96-1.el4.rf
May 11 12:39:02 Updated: clamav.i386 0.96-1.el4.rf
May 11 12:39:03 Updated: net-snmp.i386 5.1.2-18.el4_8.2
May 11 12:39:04 Updated: device-mapper.i386 1.02.28-2.el4_8.1
May 11 12:39:04 Updated: net-snmp-utils.i386 5.1.2-18.el4_8.2
May 11 12:39:04 Updated: clamd.i386 0.96-1.el4.rf
May 11 12:39:06 Updated: freeradius.i386 1.0.1-3.RHEL4.8
May 11 12:39:07 Updated: lvm2.i386 2.02.42-5.el4_8.3
May 11 12:39:08 Updated: curl.i386 7.12.1-11.1.el4_8.3
May 11 12:39:09 Updated: smeserver-clamav.noarch 2.0.0-8.el4.sme
May 11 12:39:10 Updated: logrotate.i386 3.7.1-11.RHEL4
May 11 12:39:12 Updated: httpd-suexec.i386 2.0.52-41.ent.7.centos4
May 11 12:39:13 Updated: cpio.i386 2.5-16.el4_8.1
May 11 12:39:13 Updated: tar.i386 1.14-13.el4_8.1
May 11 12:39:13 Updated: strace.i386 4.5.16-1.el4_8.9
May 11 12:39:15 Updated: vixie-cron.i386 4:4.1-58.el4
May 11 12:39:15 Updated: dump.i386 0.4b39-3.EL4.3
May 11 12:39:16 Updated: httpd.i386 2.0.52-41.ent.7.centos4
May 11 12:39:17 Updated: mod_ssl.i386 1:2.0.52-41.ent.7.centos4
It seems to be ssh related. Any suggestions?
Thanks in advance,
Oliver
-
By default the SME Server does not allow standard users to be accessed via putty. I suggest you raise a bug in the relevant bug tracker under the contrib you have installed to enable ssh access. Thanks.
-
Today I used the software installer to update my relatively vanilla 7.4 box.
I then renewed/updated my cacert.org ssl server certificate.
Since then, the normal user accounts are unable to login via webmail, WinSCP, Putty or the console. The admin and root accounts can login via any of the methods except webmail.
Webmail should work, please raise a bug. This should not happen normally.
-
Are you sure you reconfigured your machine, either through server-manager or using the signal-event post-upgrade; signal-event reboot method?
-
Yes- I did the signal-event dance several times, including reconfigure, reboot and even tried the domain-modify, email-update, console-save sequence upfront.
-
Yes- I did the signal-event dance several times, including reconfigure, reboot and even tried the domain-modify, email-update, console-save sequence upfront.
Strange, please report a bug and post a reference to the bug here for future readers.
-
I solved this by clearing out the old certificates, then regenerating a new self signed certificate based on these instructions:
http://www.sme-server.de/download/Howtos/ssl.html
I then had to fix the certificate file references in /etc/httpd/conf/httpd/httpd.conf (~line 134) to point at the right certificate files in /home/e-smith/ssl....
I also uninstalled, then reinstalled horde.
In hindsight, I screwed up the certificate renewal process by getting the CommonName wrong.
Thanks for your help.
-
I solved this by clearing out the old certificates, then regenerating a new self signed certificate based on these instructions:
http://www.sme-server.de/download/Howtos/ssl.html (http://www.sme-server.de/download/Howtos/ssl.html)
you should always refer to wiki, I'm sure that that kind of info is available there too
I then had to fix the certificate file references in /etc/httpd/conf/httpd/httpd.conf (~line 134) to point at the right certificate files in /home/e-smith/ssl....
you are not working in the SME way.. you'd never edit the conf file.. next time you reconfigure your server, your change will be lost
I also uninstalled, then reinstalled horde.
this should never be necessary
In hindsight, I screwed up the certificate renewal process by getting the CommonName wrong.
Thanks for your help.
good to hear your server is up again
-
Certificates have nothing to do with logging in via webmail.
I think you mislead us by suggesting that there was a login problem, whereas in fact your webmail login screen wasn't available, because the web server wasn't running.
-
I solved this by clearing out the old certificates, then regenerating a new self signed certificate based on these instructions:
http://www.sme-server.de/download/Howtos/ssl.html
There are simpler and more reliable ways to do that. You will find them documented here.
In hindsight, I screwed up the certificate renewal process by getting the CommonName wrong.
That wouldn't have happened if you used SME server's inbuilt process for generating a new self-signed certificate.
-
olivers
This may help to improve your knowledge, also look at the db command tutorial
http://wiki.contribs.org/Certificates_Concepts