LinuxQuestions.org
Old 10-21-2009, 05:20 PM   #1
linuxlychallenged
LQ Newbie
 
Registered: Oct 2009
Posts: 21

SSH questions (Red Hat)


Ok, I have spent all day searching and cannot find a solution to this. I am acting as a server admin for a Red Hat server running Apache but do not have physical access to the server. I have 2 main problems at the moment. The first is that I can SSH into the server while on the local network and make necessary changes but I cannot SSH from anywhere outside of the local network and this is necessary.

contents of /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd:ALL

contents of iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

I have no idea what else to try. Also, I ran the command "service iptables stop" as root and tried to SSH from outside of the network and still couldn't get access. What happens is that when you tell it to connect it just sits there and never does anything. (Also, I can view my web pages stored on the server from anywhere.)

My second problem is that I have 3 users. Two of the users can connect locally via SSH and can modify the server files, but the third account cannot connect via SSH. I have reset that user's password via root and the third user still cannot connect. SSH Secure File Transfer (the name of the program being used) just continually asks for the password even after it is entered correctly (which I think means the password isn't being verified).

here is the /var/log/secure
Oct 21 05:12:37 sysb sshd[20815]: User XXX not allowed because shell /bin/shell does not exist
Oct 21 05:12:37 sysb sshd[20816]: input_userauth_request: invalid user XXX
Oct 21 05:12:37 sysb sshd[20815]: reverse mapping checking getaddrinfo for 10.155.xxx.xxxxxxxx.edu failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 21 05:12:50 sysb sshd[20815]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1xx.xx.xxx.xx user=XXX
Oct 21 05:12:52 sysb sshd[20815]: Failed password for invalid user XXX from 1xx.xx.xxx.xx port 51720 ssh2

I am completely lost as to what to do here. I appreciate any help I can get.

P.S. Sorry about the length, I just wanted to show as much info as my day's worth of searching could provide.
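The /var/log/secure excerpt above already names the root cause, and the later "invalid user" / "Failed password for invalid user" lines are consequences of it: once sshd has refused the account (here because its login shell does not exist), every password is reported as failed, which is why resetting the password changed nothing. The following Python script is an added example, not something posted in this thread. It runs the post's log lines (re-joined where the forum wrapped them, with the poster's XXX and 1xx.xx.xxx.xx placeholders left in) through a small sshd-failure triage and reports, per user, the first reason sshd gave rather than the misleading last one. The message patterns are the standard OpenSSH wordings; the sample log is constructed from the post.

```python
import re
from collections import defaultdict

# Constructed sample input: the five lines from the post, re-joined where the
# forum wrapped them. The XXX / 1xx.xx.xxx.xx placeholders are the poster's own.
SAMPLE_SECURE_LOG = """\
Oct 21 05:12:37 sysb sshd[20815]: User XXX not allowed because shell /bin/shell does not exist
Oct 21 05:12:37 sysb sshd[20816]: input_userauth_request: invalid user XXX
Oct 21 05:12:37 sysb sshd[20815]: reverse mapping checking getaddrinfo for 10.155.xxx.xxxxxxxx.edu failed - POSSIBLE BREAK-IN ATTEMPT!
Oct 21 05:12:50 sysb sshd[20815]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1xx.xx.xxx.xx user=XXX
Oct 21 05:12:52 sysb sshd[20815]: Failed password for invalid user XXX from 1xx.xx.xxx.xx port 51720 ssh2
"""

# sshd message patterns, most specific first; each line takes the first match.
PATTERNS = [
    ("shell_missing", re.compile(
        r"User (?P<user>\S+) not allowed because shell (?P<shell>\S+) does not exist")),
    ("shell_not_executable", re.compile(
        r"User (?P<user>\S+) not allowed because shell (?P<shell>\S+) is not executable")),
    ("invalid_user", re.compile(r"input_userauth_request: invalid user (?P<user>\S+)")),
    ("reverse_dns", re.compile(r"reverse mapping checking getaddrinfo for (?P<host>\S+) failed")),
    ("pam_failure", re.compile(
        r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<rhost>\S*) user=(?P<user>\S+)")),
    ("failed_password_invalid", re.compile(
        r"Failed password for invalid user (?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)")),
    ("failed_password", re.compile(
        r"Failed password for (?P<user>\S+) from (?P<rhost>\S+) port (?P<port>\d+)")),
]

# Root-cause precedence: the first reason sshd logs is the one to act on;
# the later "invalid user" / "Failed password" lines follow from it.
ROOT_CAUSES = [
    ("shell_missing", "login shell {shell} does not exist; fix the shell, not the password"),
    ("shell_not_executable", "login shell {shell} is not executable; fix the shell, not the password"),
    ("invalid_user", "sshd rejects the account as invalid (no such user, or account/shell refused)"),
    ("failed_password", "valid account, wrong credential"),
    ("pam_failure", "valid account, wrong credential"),
]


def parse_events(log_text):
    """Return a list of (kind, fields) for every recognised sshd line."""
    events = []
    for line in log_text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if m:
                events.append((kind, m.groupdict()))
                break  # first (most specific) pattern wins
    return events


def triage(log_text):
    """Map each user named in the log to the root cause of their failures."""
    per_user = defaultdict(list)
    shells = {}
    for kind, fields in parse_events(log_text):
        user = fields.get("user")
        if user is None:
            continue  # reverse-DNS warnings are noise for auth triage
        per_user[user].append(kind)
        if "shell" in fields:
            shells[user] = fields["shell"]
    diagnosis = {}
    for user, kinds in per_user.items():
        seen = set(kinds)
        if "failed_password_invalid" in seen:
            seen.add("invalid_user")  # same root cause, different wording
        for kind, text in ROOT_CAUSES:
            if kind in seen:
                diagnosis[user] = text.format(shell=shells.get(user, "?"))
                break
        else:
            diagnosis[user] = "no sshd authentication failure recorded"
    return diagnosis


if __name__ == "__main__":
    for kind, fields in parse_events(SAMPLE_SECURE_LOG):
        print(f"{kind:24s} {fields}")
    for user, why in triage(SAMPLE_SECURE_LOG).items():
        print(f"{user}: {why}")
```

On a live host, feed it `grep sshd /var/log/secure` instead of the sample; the reverse-DNS "POSSIBLE BREAK-IN ATTEMPT" warning is deliberately ignored, since it only means the client's PTR record does not match and says nothing about authentication.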
 
Old 10-21-2009, 05:28 PM   #2
jhwilliams
Senior Member
 
Registered: Apr 2007
Location: Portland, OR
Distribution: Debian, Android, LFS
Posts: 1,168

Do you need to VPN to the local network?

Quote:
Oct 21 05:12:37 sysb sshd[20815]: User XXX not allowed because shell /bin/shell does not exist
This is probably true, isn't it? I don't have a /bin/shell, and none of my friends do. /bin/bash, and /bin/sh exist, though. The user may have a messed up .profile or .bashrc. Can they login to any UNIX/Linux machine?

Last edited by jhwilliams; 10-21-2009 at 05:54 PM.
 
Old 10-21-2009, 05:42 PM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Post output from: # grep 'user_here' /etc/passwd
 
Old 10-22-2009, 01:38 PM   #4
linuxlychallenged
LQ Newbie
 
Registered: Oct 2009
Posts: 21

Original Poster
@jhwilliams
What do you mean do I need to VPN? I don't want to VPN into the network if at all possible.

@anomie
Here is the output:
XXX:x:503:504::/home/XXX:/bin/shell
(the 3 capital X's are me replacing the userName just for the forum, the lower case x in the above output was actual output)
 
Old 10-22-2009, 01:56 PM   #5
AlucardZero
Senior Member
 
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824

fix the shell to a real one
 
Old 10-22-2009, 02:39 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Yes, either use chsh(1) to change the shell, or carefully edit /etc/passwd using vipw(8). You can set the user's shell to /bin/bash, if appropriate.
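As an added illustration (not part of the thread), here is a Python audit of the situation diagnosed above. It reads /etc/passwd-style content and flags two different things: accounts whose login shell does not exist or is not executable (the case sshd logs as "not allowed because shell ... does not exist"; sshd stat()s the shell and does not consult /etc/shells), and shells that do exist but are not listed in /etc/shells (which sshd and login ignore, but chsh(1) and some daemons refuse). For the first class it prints the usermod(8) command that would fix the account, equivalent to the chsh/vipw advice above. The passwd and shells content and the set of "existing" shell paths are constructed sample data; on a real host pass the default shell_exists_on_disk, which uses os.access() on the live filesystem. The 500 UID cutoff follows RHEL 5's UID_MIN and is an assumption.

```python
import os
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample data (not the poster's real files). The XXX entry is the
# one the poster pasted; the other non-system accounts are made up to show the
# remaining cases (empty shell field, shell missing from /etc/shells).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:501:501::/home/alice:/bin/bash
bob:x:502:502::/home/bob:
carol:x:504:504::/home/carol:/usr/bin/zsh
XXX:x:503:504::/home/XXX:/bin/shell
"""

SAMPLE_SHELLS = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/sbin/nologin
"""

# Pretend filesystem for the offline demo: paths that "exist and are executable".
SAMPLE_EXISTING = {"/bin/sh", "/bin/bash", "/sbin/nologin", "/usr/bin/zsh"}


def shell_exists_on_disk(path: str) -> bool:
    """Real check for a live host: the file must exist and be executable."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


@dataclass
class Finding:
    user: str
    shell: str
    problem: str
    fix: Optional[str]  # command to run as root, or None if no change is needed


def audit_shells(passwd_text: str, shells_text: str,
                 shell_exists: Callable[[str], bool] = shell_exists_on_disk,
                 uid_min: int = 500, default_shell: str = "/bin/bash") -> List[Finding]:
    """Flag accounts whose login shell sshd/login would reject.

    uid_min follows RHEL 5's UID_MIN (500, an assumption): system accounts
    below it are skipped on purpose, their /sbin/nologin shells are intended.
    """
    valid = {l.strip() for l in shells_text.splitlines()
             if l.strip() and not l.startswith("#")}
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(fields[0], "", "malformed /etc/passwd entry", None))
            continue
        user, _, uid, _, _, _, shell = fields
        if int(uid) < uid_min:
            continue
        shell = shell or "/bin/sh"  # empty shell field means /bin/sh by convention
        if not shell_exists(shell):
            # The case sshd logs as "not allowed because shell ... does not exist"
            findings.append(Finding(user, shell, "login shell does not exist",
                                    f"usermod -s {default_shell} {user}"))
        elif shell not in valid:
            # sshd and login do not consult /etc/shells; chsh(1) and some daemons do
            findings.append(Finding(user, shell, "shell not listed in /etc/shells", None))
    return findings


if __name__ == "__main__":
    for f in audit_shells(SAMPLE_PASSWD, SAMPLE_SHELLS, SAMPLE_EXISTING.__contains__):
        print(f"{f.user:8s} {f.shell:14s} {f.problem}" + (f"  ->  {f.fix}" if f.fix else ""))
```

The script only prints the fix; run `usermod -s /bin/bash XXX` (or `chsh -s /bin/bash XXX`) as root yourself, and re-check with `grep '^XXX:' /etc/passwd` afterwards.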
 
Old 10-22-2009, 09:40 PM   #7
linuxlychallenged
LQ Newbie
 
Registered: Oct 2009
Posts: 21

Original Poster
Ok, thanks a lot for the suggestion, I will give this a shot tomorrow and let everyone know how it goes.

Also, to any who are interested, I think that the problem with SSH not working from outside the network has to do with a firewall from the agency providing my server's connection. I'm going to try to get in touch with those in charge and get them to open the port for me (hopefully that's the problem).
 
Old 10-23-2009, 01:49 AM   #8
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,356

Actually, the port needs to be forwarded on the firewall, not just opened... e.g.


you.....external_ip_fw----internal_ip_fw.......server_fw

HTH
 
Old 10-23-2009, 12:59 PM   #9
linuxlychallenged
LQ Newbie
 
Registered: Oct 2009
Posts: 21

Original Poster
@anomie & alucardZero
Both of you rock. Thanks a lot now I can access the system via that user. I really can't thank you enough.

@chrism01
The server has a static public IP. So if I understand IP stuff correctly, that just means there is a firewall that closes off those ports to my IP before it reaches me, in which case there would be no forwarding needed, just the port being opened, right? Unlike if I was hosting a website on a server behind a router with an IP of 192.xxx.xxx.xxx, which would need forwarding. Either way though, it's something that's out of my hands.
 
Old 10-23-2009, 01:16 PM   #10
linuxlychallenged
LQ Newbie
 
Registered: Oct 2009
Posts: 21

Original Poster
Ok, so I have spoken with the person in charge of the network and they say they are not blocking port 22, that it must be something with my Red Hat setup. So I'm back to square one with the original problem. I cannot SSH into the server unless I am on the local network that services the server; I cannot SSH in even when iptables is disabled. Any ideas, anyone?
 
Old 10-23-2009, 01:18 PM   #11
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Are you sure your Red Hat host is on public IP space?

Also, let's see the output of: # netstat -ltn
 
Old 10-23-2009, 02:04 PM   #12
linuxlychallenged
LQ Newbie
 
Registered: Oct 2009
Posts: 21

Original Poster
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:2208          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:605             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2207          0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 :::443                  :::*                    LISTEN

Also, my iptables is stopped right now; don't know if that matters. Also, when I try to telnet to port 22 (just for testing) from outside the network it just times out without ever connecting.
 
Old 10-23-2009, 02:22 PM   #13
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

OK, so sshd is listening on port 22 on all interfaces, both ipv4 and ipv6.

And your IP address is not on private IP space, right..? Please double check. If it is, we can't help you. (i.e. You'll need to work out NAT with your network staff.)
 
Old 10-23-2009, 02:45 PM   #14
linuxlychallenged
LQ Newbie
 
Registered: Oct 2009
Posts: 21

Original Poster
Rep: Reputation: 15
I'm pretty sure it's public IP space. It's not 10.x, 172.x or 192.x. And you can access the server via a web browser from anywhere (you can see the web pages on it).

Last edited by linuxlychallenged; 10-23-2009 at 02:48 PM. Reason: grammar
 
Old 10-23-2009, 03:29 PM   #15
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Well, if you're not filtering traffic at the host level (iptables), and your network admin claims they're not filtering inbound tcp 22 traffic, then some other hop between your testing point and your Linux server is...

Can you access any tcp ports on your Linux server?

On the server, do:
$ nc -l 9922

Then on the external testing workstation, do:
$ nc -zvw 3 linux.host.here 9922

What do you see?

-------

BTW, how are you disabling iptables? Use:
# service iptables stop

Last edited by anomie; 10-23-2009 at 03:32 PM.
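The nc test above tells you whether anything gets through; the way a connection fails also tells you where it is being stopped. This Python probe is an added example, not something posted in the thread. It classifies a TCP connect attempt as open (handshake completed), closed (a RST came back, so the host is reachable and nothing is listening there), filtered (no answer within the timeout, so something on the path silently dropped the SYN) or unreachable (an ICMP error came back, which is what the poster's own REJECT --reject-with icmp-host-prohibited rule produces and which Linux reports to the client as "No route to host"). The poster's telnet "just times out", which fits a silent drop somewhere upstream rather than a REJECT on the host, and is consistent with iptables being stopped making no difference. The listener is started in a thread so the demo runs entirely against loopback; the filtered case cannot be shown offline, and linux.host.here in the usage comment is the same assumed placeholder as in the post above.

```python
import socket
import threading


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP connect attempt by how it fails, not just whether it does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"            # three-way handshake completed
    except socket.timeout:
        return "filtered"        # no SYN/ACK, no RST, no ICMP: the SYN was dropped silently
    except ConnectionRefusedError:
        return "closed"          # RST came back: host reachable, nothing listening (or REJECT with tcp-reset)
    except OSError as e:
        # An ICMP error came back, e.g. iptables REJECT --reject-with icmp-host-prohibited,
        # which Linux hands to the client as EHOSTUNREACH ("No route to host")
        return f"unreachable ({e.strerror})"
    finally:
        s.close()


def start_listener(host: str = "127.0.0.1"):
    """Stand-in for 'nc -l PORT': accept and immediately close connections in a background thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the kernel pick a free ephemeral port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break            # listener socket was closed
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing is listening on, to demonstrate the 'closed' result."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Real use from the external testing workstation, with nc -l 9922 on the server
        # (hostname is an assumed placeholder):  python3 probe.py linux.host.here 9922
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        # Offline demo against loopback
        srv, port = start_listener()
        print("listening port:", probe("127.0.0.1", port))
        srv.close()
        print("nothing listening:", probe("127.0.0.1", free_port()))
```

Compare the result for port 22 with the result for port 80, which the poster can reach from outside: if 80 is open and 22 is filtered from the same testing point, a device between the two is dropping port 22 specifically, whatever the network staff say, and that is the evidence to take back to them.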
 