LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices


Reply
  Search this Thread
Old 12-31-2004, 12:58 PM   #1
vrooje
Member
 
Registered: Aug 2003
Posts: 32

Rep: Reputation: 15
Help! ssh to home desktop is listening but not accepting password


I have RedHat on a desktop machine at home and FC2 on my laptop. I'm currently out of town but need to work remotely on my desktop, so I configured ssh before I left -- I think all I did was tell my router to send port 22 to my desktop and run "service sshd start" on the desktop, and I recall adding my username to an authorized list somewhere, but I can't remember what file that was. (I've been a linux end user for years but have only recently installed it at home.)

Anyway, it was working fine until there was a power outage at home. Well, it was working except that I couldn't open forwarded X windows, but I was managing with just terminal access.

My husband is home and restarted the computer and restarted sshd, but now although I can make a connection, I can't actually login, as it won't accept my password.

I desperately need this to work and I feel completely blind since I can't see my home machine. My husband is a Windows man, but he can type commands for me and is happy to help.

Here's the content of verbose ssh from my remote machine:

Code:
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to XX.XX.XX.XX [XX.XX.XX.XX] port 22.
debug1: Connection established.
debug1: identity file /home/XXXX/.ssh/identity type -1
debug1: identity file /home/XXXX/.ssh/id_rsa type -1
debug1: identity file /home/XXXX/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 136/256
debug2: bits set: 1602/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'XX.XX.XX.XX' is known and matches the RSA host key.
debug1: Found key in /home/XXXX/.ssh/known_hosts:11
debug2: bits set: 1580/3191
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug2: userauth_pubkey_agent: no keys at all
debug2: userauth_pubkey_agent: no more keys
debug2: userauth_pubkey_agent: no message sent
debug1: Trying private key: /home/XXXX/.ssh/identity
debug1: Trying private key: /home/XXXX/.ssh/id_rsa
debug1: Trying private key: /home/XXXX/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
XXXX@XX.XX.XX.XX's password: [typed it in here]
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
XXXX@XX.XX.XX.XX's password: [two more tries until I'm disconnected]
For what it's worth, my husband said that my xwindows started as empty (it usually remembers my previous settings and pops up all kinds of windows I regularly use), so something may have been corrupted by the power outage/hard shutdown.

I'm really hoping someone can help me out here... I have some work that I need to get done in the next few days that's crucial, and my home desktop is the only machine I have access to that has the HD space, RAM, and CPU power to get it done.

Thanks in advance!
 
Old 12-31-2004, 09:41 PM   #2
vrooje
Member
 
Registered: Aug 2003
Posts: 32

Original Poster
Rep: Reputation: 15
Update:

I'm not sure if I mentioned this, but I'm running FC2.

Also, I checked my /etc/ssh/sshd_config and everything looks fine to me... I then tried using synaptic to uninstall and re-install openssh-server and synaptic hung on the removal.

Anyone have any ideas?
 
Old 01-01-2005, 12:59 AM   #3
vrooje
Member
 
Registered: Aug 2003
Posts: 32

Original Poster
Rep: Reputation: 15
Sorry... one more update; /var/log/messages shows the following:

Code:
Dec 31 20:17:32 localhost su(pam_unix)[2105]: session opened for user root by username(uid=500)
Dec 31 20:17:47 localhost sshd:  succeeded
Dec 31 20:18:03 localhost sshd(pam_unix)[2166]: check pass; user unknown
Dec 31 20:18:03 localhost sshd(pam_unix)[2166]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ipxx-xx-xx-xx.sd.sd.cox.net 
Dec 31 20:18:29 localhost sshd(pam_unix)[2166]: check pass; user unknown
Dec 31 20:18:35 localhost sshd(pam_unix)[2166]: check pass; user unknown
Dec 31 20:18:38 localhost sshd(pam_unix)[2166]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ipxx-xx-xx-xx.sd.sd.cox.net 
Dec 31 20:20:33 localhost su(pam_unix)[2171]: session opened for user root by username(uid=0)
Jan  1 01:17:34 localhost sshd(pam_unix)[2298]: check pass; user unknown
Jan  1 01:17:34 localhost sshd(pam_unix)[2298]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ipxx-xx-xx-xx.sd.sd.cox.net 
Jan  1 01:17:42 localhost sshd(pam_unix)[2298]: check pass; user unknown
Jan  1 01:17:50 localhost sshd(pam_unix)[2298]: check pass; user unknown
Jan  1 01:17:52 localhost sshd(pam_unix)[2298]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=ipxx-xx-xx-xx.sd.sd.cox.net
(I changed my username to "username" and my from ip to x's in the above; but these are records of me trying to login.)

Also, here's my /etc/ssh/sshd_config file:

Code:
#	$OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
AllowGroups users
AllowUsers username
GatewayPorts no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication 
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no

#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server
 
Old 01-01-2005, 04:09 PM   #4
Tim Retout
LQ Newbie
 
Registered: Dec 2004
Location: UK
Distribution: Debian
Posts: 21

Rep: Reputation: 15
Sorry for taking so long to reply, but it's been a while since I used RedHat. But I had a copy of FC2 installed on another partition, so thought I'd reboot and have a look. Took me about an hour, but I got there.

It's the 'AllowUsers' and 'AllowGroups' bits in the sshd_config on your home machine. Remove them - they're not necessary unless you want only those users or groups to log in. My setup fails with exactly the errors reported by you.

Once you've confirmed that works, we can get X Forwarding working so that you can see your machine... it'll be slow, though.

Last edited by Tim Retout; 01-01-2005 at 04:32 PM.
 
Old 01-01-2005, 04:13 PM   #5
Tim Retout
LQ Newbie
 
Registered: Dec 2004
Location: UK
Distribution: Debian
Posts: 21

Rep: Reputation: 15
Of course, I'm being a bit presumptuous... try it first.

My setup failed when I had the wrong group in the file... and the fact that it had worked for you in the past suggests there could be problems in /etc/group or something... but let's look for the simple solution to begin with.

Last edited by Tim Retout; 01-01-2005 at 04:56 PM.
 
Old 01-01-2005, 05:14 PM   #6
vrooje
Member
 
Registered: Aug 2003
Posts: 32

Original Poster
Rep: Reputation: 15
Oh my gosh -- you RULE. That worked like a charm! Thank you.

Not that I understand why it worked before and didn't after the reboot, but I'm not complainin'.

I set up the AllowUsers thing because I only want to login as that one user. I actually only have that user, root, and one other user. That third username, though, is a default username that comes with one of the programs I use, so it seems like something someone might use if they wanted to hack my machine and knew I had that software. I'm sure I can fix it so that that user can't login, though.

In terms of the Xwindows stuff, here's the message I get when I try to open emacs remotely:

Code:
_X11TransSocketINETConnect: Can't get address for localhost
emacs: Cannot connect to X server localhost:10.0.
Check the DISPLAY environment variable or use `-d'.
Also use the `xhost' program to verify that it is set to permit
connections from your machine.
I checked the DISPLAY variable and it was set to localhost:10.0 .
I then tried the old trick I used to use a few years ago -- manually setting the DISPLAY variable and using xhost +myip.x.x.x etc. That didn't work either; and in fact the computer seemed to hang on the xhost + command.

I don't know if it's relevant, but both my home desktop and this laptop are going through a router; I have the ssh port open but not many others on the home desktop, and I don't believe my parents (I'm home for the holidays) have any ports open on this end.
 
Old 01-02-2005, 02:31 AM   #7
Tim Retout
LQ Newbie
 
Registered: Dec 2004
Location: UK
Distribution: Debian
Posts: 21

Rep: Reputation: 15
Oh good. Root logins are disabled in your setup - that's a good thing. Check the other user's login shell in /etc/passwd - change it to /bin/false, and no-one can log in with it. Hope it won't upset your other program, though. If you really must allow only one user, you only need to use the 'AllowUsers' thing, not the AllowGroups. To clarify what I said earlier (again); I had the correct username after AllowUsers, but the wrong group name, and it failed. Check that you actually are in the group 'users'.

With that out the way, let's just check that you're using the -X flag to ssh...

Code:
ssh -X username@host
If it's something more complicated than that, I'll have to think again. You have X11 forwarding enabled in your sshd_config at home, so the only other thing might be that your X server has unusual settings... which would be, er, unusual.

Last edited by Tim Retout; 01-02-2005 at 03:07 AM.
 
Old 01-02-2005, 02:47 AM   #8
Tim Retout
LQ Newbie
 
Registered: Dec 2004
Location: UK
Distribution: Debian
Posts: 21

Rep: Reputation: 15
Oh, even easier; there's a 'DenyUsers' option you can use... but anyway, I digress. Carry on.
 
Old 01-02-2005, 03:02 AM   #9
student04
Member
 
Registered: Jan 2004
Location: USA
Distribution: macOS, OpenBSD
Posts: 669

Rep: Reputation: 34
Tim Retout? I was wondering maybe if you could have a look at mine.. I have the same situation, except that even with the specified users in the sshd_config, they cannot connect. I posted here. Please take a look if you have the time, I would really appreciate it, if you would

Thanks.
 
Old 01-02-2005, 03:23 AM   #10
Tim Retout
LQ Newbie
 
Registered: Dec 2004
Location: UK
Distribution: Debian
Posts: 21

Rep: Reputation: 15
No problem... done, hopefully.
 
Old 01-02-2005, 08:22 PM   #11
vrooje
Member
 
Registered: Aug 2003
Posts: 32

Original Poster
Rep: Reputation: 15
Whoa -- I swear to you that ssh -X user@host did NOT work before! But it works now! That's so strange... I don't know why that would happen, but again, no complaints here.

So if I add the line "DenyUsers badusername" to my sshd_config file, that'll cover it? I'll try that when I get back home.

You're a dream for being so helpful and patient. Thank you so much!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
want to ssh/ftp to home machine (Slack) from office through home router fincher69 Linux - Networking 2 09-21-2005 10:55 PM
ssh listening on port 22 sharpie Linux - Security 9 06-08-2004 03:28 PM
Looking for a way to password protect a file within my Home folder BadKarma Linux - Security 2 12-26-2003 08:13 PM
mySQL Not Accepting Password TastyWheat Linux - Software 6 09-01-2003 10:19 PM
sshd not accepting password Ionized Linux - Networking 2 08-06-2002 12:01 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 01:05 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration