# Can't log in through PuTTY after update world? (solved)

## Gentobobbyuk

I updated world on all my virtual machines and I can no longer ssh in to my machines.

I'm getting this in PuTTY:

```
login as: root
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:
```

Not really very clued up on the ssh configs; they have always just worked for me.

I've been on Google and nothing is working for me; the posts are very back-dated.

I've only just got back into Gentoo, so sorry if this is such a lame question.

Last edited by Gentobobbyuk on Fri Jun 05, 2020 6:27 pm; edited 1 time in total

----------

## NeddySeagoon

Gentobobbyuk,

Password logins for root are no longer permitted by default.

It's a default security enhancement.

Either ssh in as a normal user, then use sudo to become root,

set up key-based login,

or edit your configuration on the servers to allow password logins for root.

----------

## Gentobobbyuk

How do I enable root user login?

Which part of the config do I change?

I haven't actually tried a normal user and su.

I do personally prefer to just be root when I'm doing test work.

I've noticed my auth section seems to have nothing under it?

I used to have something like permitrootlogin.

Did it update all my config files? I thought it would ask me before this?

There is a permitrootlogin prohibit password; is it this part?

Set up key based logins: what does this mean and how do I do it? Again, please remember Gentoo has changed so much since I last used it.

It's a lot trickier than I remember and my dyslexia doesn't help.

It was all working fine till this morning.

Thanks for your help again.

----------

## NeddySeagoon

Gentobobbyuk,

The default in /etc/ssh/sshd_config is now

```
#PermitRootLogin prohibit-password
```

You need to change that, if you want root password logins.

That file is normally covered by CONFIG_PROTECT, so you must have either changed CONFIG_PROTECT or updated it without looking at the changes.

----------

## Gentobobbyuk

I tried that before even commenting; it's not working at all.

What does "Keyboard-interactive authentication prompts from server:" even mean?

Let me try to set up a normal user and see if that works. I've emerged wgetpaste.

Is there any output I can provide?

Also Neddy, you seem to be everywhere. I was just trying to emerge a desktop environment (I don't really use them, it was for a friend) and was wondering why a package was masked.

Found another post by you and I had forgotten to change his eselect profile to desktop.  :Smile:  The packages then emerged.

I know I'm a pain and this is in the same post.

Are you able to explain why a package would be masked because of a profile list?

I'm really trying to just learn or understand as much as I can, as I'm starting to use Gentoo again and keep documentation of my mistakes.

I really appreciate everyone's input and sorry for all the questions.

Edit: so I can log in as a normal user. I'm happy to just use this and su, but I'm not really learning what I've done wrong or what the update had done. All I did was take the # away in my config as you mentioned above.

----------

## NeddySeagoon

Gentobobbyuk,

What did you change it to?

Don't tell me, show me. That means any misunderstandings are all my own.

Copy/paste a few lines from the file or put the whole file onto a pastebin site.

Did you restart sshd after you edited the file?

It only reads its configuration file at startup.

To answer your masking question, I need to see the command and its entire output.

There are lots of reasons for masking and I need to know which one.

----------

## Gentobobbyuk

Yep, I restarted, my friend.

I downloaded wgetpaste; I am sorry, you'll have to provide me the command.

Can't see a pastebin in emerge except for pastebinit; not sure if it's the same.

Since I started using Gentoo again I didn't edit the config file ever; it just let me ssh.

All I changed was the sentence you provided above, and all I did was take the hash mark away.

----------

## NeddySeagoon

Gentobobbyuk,

The hash # means it's a comment. The text after the hash is the default value, so removing the hash on its own changes nothing.

That is

```
#PermitRootLogin prohibit-password

PermitRootLogin prohibit-password
```

have exactly the same meaning.

You do need to remove the # but that alone is not enough.

----------

## Gentobobbyuk

I'm really confused, Neddy.

Before, I used to do this:

```
#permitrootlogin yes
```

I thought the hash stops the bash shell from processing the command.

So what do I need to change on this line to allow the code to work?

I've always removed the hash in config files? Why does this suddenly mean it's not enough?

Or do you mean because it's saying prohibit password I need to change something there?

----------

## NeddySeagoon

Gentobobbyuk,

So close.

sshd reads /etc/ssh/sshd_config

It's fairly common to allow comments in configuration files, just as they are in scripts, introduced with a #.

It's also common to document the default settings by including them as comments in configuration files.

sshd changed its default behavior from

```
#permitrootlogin yes 
```

to 

```
#PermitRootLogin prohibit-password
```

As you don't like 

```
#PermitRootLogin prohibit-password
```

You need to set a value for PermitRootLogin so it's the old behaviour.

Removing the # is required, so that the line is read. You want the old behaviour back, so you need to set the old default value.

----------

## Gentobobbyuk

Now it works when set to permit root login yes.

What is going on there????? That's not right surely, but now I have access.

```
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

permitrootlogin yes
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile     .ssh/authorized_keys
```

----------

## NeddySeagoon

Gentobobbyuk,

Well done, that's what I was trying to lead you towards.

Old versions of sshd were coded with 

```
 PermitRootLogin yes
```

which you could override in sshd_config if you needed to.

You did not need to.

New versions are coded with 

```
PermitRootLogin prohibit-password
```

 which you have overridden by setting 

```
PermitRootLogin yes
```

 in sshd_config.

That restores the old behaviour.
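Added example, not part of NeddySeagoon's post: a small shell function that works out which PermitRootLogin value applies to a given sshd_config text, run over three constructed fragments built from lines quoted in this thread. The function name is hypothetical, and it assumes no Include or Match blocks and the prohibit-password default described above.

```shell
#!/bin/sh
# Added example. The config fragments below are constructed from lines quoted
# in the thread; the function name is hypothetical.

# Print the PermitRootLogin value that applies to the sshd_config text on stdin.
# Assumptions: no Include or Match blocks, "keyword value" syntax only, and a
# built-in default of prohibit-password as described in the thread.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines are never read
        tolower($1) == "permitrootlogin" {       # keyword case does not matter
            print tolower($2); found = 1; exit   # first uncommented value is used
        }
        END { if (!found) print "prohibit-password" }   # fall back to the default
    '
}

# Constructed sample 1: the shipped file, default only documented as a comment.
shipped='#LoginGraceTime 2m
#PermitRootLogin prohibit-password'

# Constructed sample 2: hash removed, value unchanged.
uncommented='#LoginGraceTime 2m
PermitRootLogin prohibit-password'

# Constructed sample 3: the Authentication section as posted in the thread.
posted='permitrootlogin yes
#LoginGraceTime 2m
#PermitRootLogin prohibit-password'

for name in shipped uncommented posted; do
    eval "text=\$$name"
    printf '%-12s -> %s\n' "$name" "$(printf '%s\n' "$text" | effective_permit_root_login)"
done
```

On a real host, `sshd -T` prints the configuration sshd will actually use, which also covers Include and Match handling that this sketch leaves out.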

----------

## Gentobobbyuk

I'm so confused, shouldn't it be set to no?

----------

## Jaglover

Best is key-based login. Why don't you set it up and leave password logins disabled? You can push your key to the remote user account and then copy it over to root; just make sure the permissions are correct, otherwise SSH won't accept it. Once this is done you can log directly into remote root.
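Added example, not part of Jaglover's post: a check for the permissions problem mentioned above, approximating what sshd enforces when StrictModes is left at the `yes` default shown in the config posted earlier. The function names and the throwaway directory tree are constructed for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example; function names and the throwaway directory tree are constructed.
# Same rule StrictModes applies: the home directory, ~/.ssh and authorized_keys
# must belong to the account (or root) and must not be group/other writable.

check_ssh_perms() {   # usage: check_ssh_perms HOME_DIR OWNER_UID
    home=$1; uid=$2; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        mode=$(stat -c %a "$p")    # octal permission bits (GNU stat)
        owner=$(stat -c %u "$p")   # numeric owner
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "wrong owner (uid $owner): $p"; rc=1
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "writable by group/other (mode $mode): $p"; rc=1
        fi
    done
    return $rc
}

# Build a constructed home directory with the conventional modes.
make_demo_home() {
    d=$(mktemp -d) && mkdir "$d/.ssh" && : > "$d/.ssh/authorized_keys" &&
    chmod 700 "$d" "$d/.ssh" && chmod 600 "$d/.ssh/authorized_keys" && echo "$d"
}

demo=$(make_demo_home)
check_ssh_perms "$demo" "$(id -u)" && echo "ok: modes and owners pass the check"
chmod 664 "$demo/.ssh/authorized_keys"           # simulate a careless copy
check_ssh_perms "$demo" "$(id -u)" || echo "fix with: chmod 600 on authorized_keys"
rm -rf "$demo"
```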

----------

## Gentobobbyuk

It works fine now, but I don't get why permitrootlogin yes allows it; shouldn't it be no?

----------

## Tony0945

*Gentobobbyuk wrote:*

> It works fine now, but I don't get why permitrootlogin yes allows it; shouldn't it be no?

No, it says "Yes, Root Logins are Permitted"

Here is a handy script to generate random passwords that I use:

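```
MSI ~ # cat /usr/local/bin/genpassword
#! /bin/bash
# Default password length in hex digits
CUT=12
if [ "$#" -gt 1 ] ;
then
 echo "too many parameters"  && exit 1;
fi
# An optional single argument overrides the length
if [ "$#" -eq 1 ] ;
then
        CUT=$1;
fi
# Hash a chunk of random data and keep the first CUT hex digits
dd if=/dev/urandom count=10000 2>/dev/null | sha256sum |cut -c-"${CUT}"
```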

It takes one parameter, the number of digits in the password, defaulting to 12.

This part "dd if=/dev/urandom count=10000 2>/dev/null | sha256sum" is taken from a very old Gentoo forum post.

Sometimes sites require (as opposed to permit or suggest) both cases/symbols. I usually add something like "FU!" to satisfy them. If I enter a random 20 digit hexadecimal number that's plenty random. IIRC, something around the number of atoms in the universe.

Someone more adept at shell might add random case changes and random placement of special characters. But not all sites accept all characters. Most will accept either ! or % or $ if not all of those. But the random 12 hex numbers are fine for your home network and I would say business networks too. On external websites I usually set it for their maximum length (less 2 if they require case and special characters).

BTW, most commercial sites would accept Biteme2! Which I don't accept as a safe password.

EDIT:

Examples:

```
MSI ~ # genpassword
232861edec76
MSI ~ # genpassword 20
f738c80fd1811fc73cd6
MSI ~ # genpassword 22
25841c136e06a381651b2e
MSI ~ # genpassword 50
d87a906c7dfcff12d590ab11ce6ebb72f22525d51aae31d98a
```

----------

## Gentobobbyuk

Bro, thank you for your reply. I need to read it about twenty times to understand fully.

I thought permit was deny. I'm dyslexic; I'm so confused why yes would = no in layman's terms.

Have I got this the opposite way round?

Hey, why would I want random passwords? Please explain why this is useful.

----------

## Hu

*Tony0945 wrote:*

> Here is a handy script to generate random passwords that I use:
> 
> ```
> dd if=/dev/urandom count=10000 2>/dev/null | sha256sum |cut -c-"${CUT}"
> ```
> ...

The count is probably excessive.  Even a relatively small amount of good randomness (say, 16-20 bytes), fed through the hash algorithm, is probably sufficient.

*Tony0945 wrote:*

> Sometimes sites require (as opposed to permit or suggest) both cases/symbols. I usually add something like "FU!" to satisfy them. If I enter a random 20 digit hexadecimal number that's plenty random.

Of course, the really fun ones are the ones that both require special characters and impose ridiculously short maximum password lengths, so you cannot get good entropy through sheer length and are forced to get it through a larger alphabet.

*Tony0945 wrote:*

> Someone more adept at shell might add random case changes and random placement of special characters.

Using base64 instead of a hash would get quite a few more characters, although base64 is sufficiently biased towards alphanumerics that you could easily get a password that still has no special characters.  At the expense of using a somewhat more esoteric tool, you can get more variety easily: head -c12 /dev/urandom | basenc --z85.  Note that z85 has alignment requirements:

```
when encoding, input length must be a multiple of 4;
when decoding, input length must be a multiple of 5
```

So head -c12 or head -c16 are fine, but head -c13 is not.
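Added example, not part of Hu's post: a variant of the generator that takes the wanted password length and derives a byte count that always satisfies the z85 multiple-of-4 rule. The function names are hypothetical, and `basenc` from GNU coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Requires basenc (GNU coreutils).

# z85 turns every 4 input bytes into 5 characters, so the byte count fed to
# basenc must be a multiple of 4. Print the smallest such count that yields
# at least LEN characters.
z85_input_bytes() {
    echo $(( ( ($1 + 4) / 5 ) * 4 ))
}

# Print a random password of exactly LEN characters (default 20) drawn from
# the 85-symbol z85 alphabet.
genpassword_z85() {
    len=${1:-20}
    case $len in
        ''|*[!0-9]*|0*) echo "length must be a positive integer" >&2; return 1 ;;
    esac
    # Read an aligned number of random bytes, encode, then trim to LEN.
    head -c "$(z85_input_bytes "$len")" /dev/urandom | basenc --z85 -w 0 | cut -c-"$len"
}

# 13 characters need 12 input bytes (15 encoded characters, trimmed to 13).
echo "bytes read for a 13-character password: $(z85_input_bytes 13)"
command -v basenc >/dev/null 2>&1 && genpassword_z85 13
```

Each z85 character carries about 6.4 bits against 4 bits for a hex digit, so the same length gives more entropy, at the cost of symbols some sites reject.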

----------

## Tony0945

Hmmm! That's interesting, Hu. Of course I don't understand it at all, whereas I did understand /dev/urandom. 

Re count 10000 excessive: I'm sure you are right. I don't recall when the original was posted. I think 2006 or 2008. I discovered the thread by accident while googling for something entirely different.  But it gave me a password generator that wasn't somebody's binary blob.

EDIT: 2006 not 1006. I doubt it was posted sixty years before the Norman Conquest. The web page didn't have that parchment look.  :Smile:

----------

## Gentobobbyuk

This topic is solved, although I'm left wondering how to edit the post to say solved.

I'm a stupid idiot; for some reason I thought permit meant deny.

Um, how do I change this to solved?

----------

## Banana

*Gentobobbyuk wrote:*

> This topic is solved, although I'm left wondering how to edit the post to say solved.
> 
> I'm a stupid idiot; for some reason I thought permit meant deny.
> 
> Um, how do I change this to solved?

Should be done by editing the first post on this topic.

----------

## Gentobobbyuk

Thanks b

----------

