LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 04-26-2010, 02:58 PM   #1
dave562
LQ Newbie
 
Registered: Apr 2010
Posts: 3

Rep: Reputation: 0
Question SSH logon issues / Ubuntu / OpenSSH


I have setup OpenSSH on an Ubuntu 8.04 server. I am using Putty on a Windows box to connect to the server. I have two accounts on the box. Each account has a /home directory. One of the accounts is the main account that was setup when Ubuntu was installed. The other account is a user account that I created from the command line.

I generated an SSH key pair. I copied the public key to the .ssh/authorized_keys file. I set the permissions for the file and the directory.

I can connect to the box just fine using the default "admin" account that was setup as part of the Ubuntu install process.

When I try to connect using the other user account, Putty returns the error "The server rejected our key."

The permissions for .ssh and everything else for the two accounts are configured identically.

After a lot of troubleshooting my best guess is that it is some sort of account permission problem? The "admin" account can sudo, the account that SSH is having problems with can't.

Please help. I've been beating my head against this thing for four or five hours at this point. I've even generated new keys and the issue persists.
 
Old 04-26-2010, 03:14 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
The way to troubleshoot problems like this is by reviewing your system logs. I'm not really familiar with Ubuntu systems, but some guesses about the logs you may need to check are /var/log/secure, /var/log/auth (or similar), /var/log/messages.

You're looking for chatter from sshd.
 
Old 04-26-2010, 03:47 PM   #3
dave562
LQ Newbie
 
Registered: Apr 2010
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for the tip. There are some error messages in there that do not seem to match up with reality. In particular the error

"User <user> from <ip> not allowed because not listed in AllowUsers"

The <user> is listed under AllowUsers in sshd_config.

I think that I see part of the problem. The two lines below are for the valid login.

Apr 26 13:24:50 subversion sshd[10513]: pam_winbind(sshd:setcred): user 'itadmin' OK
Apr 26 13:25:25 subversion sshd[10632]: pam_winbind(sshd:account): user 'itadmin' granted access

The next two lines are for the failed account.

Apr 26 13:31:06 subversion sshd[10632]: pam_winbind(sshd:setcred): user 'itadmin' OK
Apr 26 13:32:05 subversion sshd[10732]: Failed password for <user> from <ip> port 54842 ssh2

It seems like sshd is using the 'itadmin' account as part of its setcred function. As long as the account logging on matches the setcred account, everything is good. If the two don't match, it fails.
 
Old 04-26-2010, 03:54 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
I haven't used pam_winbind, but I am presuming you have explicitly configured it and are intentionally using it..?

I'm not sure yet if the "AllowUsers" message is a red herring or is related to the problem cause. (Check not only AllowUsers in sshd_config, but also DenyUsers, AllowGroups, and DenyGroups, just for grins. Also make sure that if you're using the form USER@HOST, that HOST is correct.)

So, it seems like the answer is to grant the new user access to whatever facility pam_winbind is checking. Just like itadmin...
 
Old 04-26-2010, 04:02 PM   #5
dave562
LQ Newbie
 
Registered: Apr 2010
Posts: 3

Original Poster
Rep: Reputation: 0
I did setup winbind intentionally. The box in question is part of an Active Directory domain and is hosting a Subversion repository. I had to setup winbind and Samba so that the backup software could access the repository.

The new user is setup in Active Directory and winbind should recognize it as a valid account. I think it really has something to do with that setcred function. I have posted a question to the SecureShell mailing list. I'm hoping that one of the developers has some clue.
 
Old 04-26-2010, 04:09 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
One more obvious thing then while you're waiting for a reply on the mailing list. Make sure you've reloaded or restarted the sshd daemon after adding the new user to AllowUsers.

I could see a situation where you added it and forgot to bounce the daemon, which would cause the sshd "AllowUsers" chatter you described.
 
  


Reply

Tags
key, openssh, rejected, ssh


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
openSSH vs SSH gautamnarayan Linux - Networking 5 10-31-2008 09:40 AM
ssh, openssh... telnet desjazz Linux - Newbie 2 03-10-2003 02:23 PM
SSH Vulnerabilities and OpenSSH mikeyt_333 Linux - Security 3 01-09-2003 11:15 PM
Difference b/w OpenSSH and SSH? Rampage2884 Linux - Newbie 2 09-13-2002 02:26 PM
SSH/OpenSSH mikesvx1 Linux - Security 2 12-21-2001 05:18 PM


All times are GMT -5. The time now is 04:51 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration