ssh access denied putty

IanVaughan · 01-14-2010, 06:59 AM

I can SSH into my RHEL box, but get an "Access denied" error :-

Quote:

login as: root
Access denied
root 192.168.0.10's password:
Last login:.....
#

So, I can SSH in, but it always prints the Access denied!? Why?

jschiwal · 01-14-2010, 07:23 AM

First of all, unless you need to access the RHEL box from a cron job, you shouldn't allow root ssh logins.

There is an option in sshd_config that denies root logins. That may be the default.

You need to run "ssh -vv 192.168.0.1" to provide more information. Also check the RHEL Box's log files. It may say why Access is denied.

Other things that can deny access are:
permissions of .ssh to lax.
permissions of private key to lax
permissions of parent home directory to lax
AllowUsers doesn't list the user
Reverse DNS lookup results in a different hostname. (e.g. hostname.domainname expected but hostname is listed in /etc/hosts)

IanVaughan · 01-14-2010, 08:00 AM

1. I know, I will be adding user accounts, but am interested to know more about this problem.

2. Option was disabled, and I could login ok with root, enabling it doesnt change anything. (rebooted machine!)

Quote:

PermitRootLogin yes

3. "ssh -vv" was very interesting, I cant see anything of interest tho. (

Quote:

OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 172.24.40.130 [172.24.40.130] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 114/256
debug2: bits set: 503/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '172.24.40.130' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug2: bits set: 515/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa (0x9289ee0)
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found

debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: SHA1 fp e5:bb:bb:11:44:5b:4b:35:bc:3d:61:69:ee:b2:45:48:b1:1b:e7:e8
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 0
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152

Of course using the "ssh" command is don via another linux terminal. And this doesn't give the "access denied" output/printf!

Its only when I use Putty I get "access denied"!

jschiwal · 01-15-2010, 01:39 AM

OK. I think I am getting the picture. You can use putty-keygen to generate keys. Then load in the private key. An openssh compatible public key will be printed on the top of the dialog box. Copy it and paste it into a file. Add this to the server's authorized_keys file.

If you are a regular user on the server, then this would be in $HOME/.ssh/authorized_keys.
Now you have a public key for when you are accessing it from a Linux terminal and one for when you are accessing it from Putty.

You haven't posted the sshd_config file but apparently it is configured for public key authentication.

Code:

debug1: Authentications that can continue: publickey,gssapi-with-mic,password

There wasn't an attempt for using a password so I don't know how that is configured.

Also important, if you use public key authentication, is to use a passphrase. This is used to encrypt the private key on the client. It isn't used on the server side at all, but will protect the server in the case that your private key is stolen.

Digital Surgeon · 01-15-2010, 08:53 AM

Think bout your network and make sure its not timing out, also establish port forwarding on the router of the linux box running the SSH Server, but yes root login wont work on SSH by default.

-Hope this gives you some more guidance.

gingerjws · 01-25-2011, 09:05 PM

Change another port and try again.

DucQuoc · 12-29-2011, 07:57 PM

Quote:

Originally Posted by IanVaughan

...
3. "ssh -vv" was very interesting, I cant see anything of interest tho. (

Of course using the "ssh" command is don via another linux terminal. And this doesn't give the "access denied" output/printf!

Its only when I use Putty I get "access denied"!

I met the same problem with Putty when trying to connect Ubuntu 10.10 . I resolved it by enabling passwordAuthentication over GSSAPI in sshd_config , and use the SSH option: *SSH-2 only* instead of "SSH-2" .

#### /etc/ssh/sshd_config
PasswordAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes

(then restart daemon: sudo /etc/init.d/ssh restart )

#### Putty Connection -> SSH -> under Protocol options -> Preferred SSH protocol version
2 Only

not sure if it works with RHEL, though
--Duc

kohshan99 · 10-15-2015, 01:06 AM

Open up /etc/ssh/sshd_config and set “PermitRootLogin” to “yes”. (Your ISP probably set it to “without-password”)