[SOLVED] Can't login to the server from second terminal

ugale · 04-15-2023, 04:58 AM

I have created an OpenBSD Secure Shell server on Ubuntu. I can access it from my laptop as root via ssh. But when I open a second terminal, I can't login.

Thanks in advance.

Turbocapitalist · 04-15-2023, 05:02 AM

Welcome.

Remote access to the root account is not ideal. Most distros block it by default. Can you connect to the Ubuntu server using a normal user account, and then use sudo to work?

ugale · 04-15-2023, 07:15 AM

Oh, sorry. Actually I'm using a user account.

Turbocapitalist · 04-15-2023, 07:27 AM

Can you show what you are typing when you try in a second terminal and it fails? Bonus if you can increase the verbosity of the SSH client with -v, -v -v, or -v -v -v.

ugale · 04-15-2023, 09:20 AM

ssh -v -i ~/.ssh/xxx.pem user@xx.xx.xx.xx
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/user/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to xx.xx.xx.xx [xx.xx.xx.xx] port 22.
debug1: connect to address xx.xx.xx.xx port 22: Connection timed out

It seems that somewhere there is a limit on the number of open sessions per user.

Turbocapitalist · 04-15-2023, 09:24 AM

Quote:

Originally Posted by ugale

It seems that somewhere there is a limit on the number of open sessions per user.

What method did you use to install OpenSSH server on the Ubuntu machine?

Which distro are you connecting from, including version? Ubuntu also?

ugale · 04-15-2023, 10:30 AM

sudo apt-get install openssh-server

server - Lubuntu 18.04.
client - Lubuntu 20.04.

Turbocapitalist · 04-15-2023, 10:36 AM

Thanks. On the server side, did you change anything in /etc/ssh/sshd_config? What about checking the configuration via the extended test mode:

Code:

sudo /usr/sbin/sshd -T | sort

sudo /usr/sbin/sshd -T -C user=ugale | sort

ugale · 04-16-2023, 03:39 AM

Quote:

Originally Posted by Turbocapitalist

On the server side, did you change anything in /etc/ssh/sshd_config?

No. At least not this year.

Quote:

Originally Posted by Turbocapitalist

What about checking the configuration via the extended test mode:

Code:

sudo /usr/sbin/sshd -T | sort

sudo /usr/sbin/sshd -T -C user=ugale | sort

First command gives long list of parameters.
Second gives:
user, host and addr are all required when testing Match configs

Turbocapitalist · 04-16-2023, 04:32 AM

Quote:

Originally Posted by ugale

Second gives:
user, host and addr are all required when testing Match configs

You can add those then,

Code:

sudo /usr/sbin/sshd -T -C user=ugale,addr=192.0.2.25 | sort

addr is the source IP address, host is the source name. I'm not sure both are needed. laddr is the destination IP address. See "man sshd" for details.

Newer versions of the OpenSSH server don't need them.

ugale · 04-17-2023, 04:33 AM

Code:

acceptenv LANG
acceptenv LC_*
addressfamily any
allowagentforwarding yes
allowstreamlocalforwarding yes
allowtcpforwarding yes
authenticationmethods any
authorizedkeyscommand none
authorizedkeyscommanduser none
authorizedkeysfile .ssh/authorized_keys .ssh/authorized_keys2
authorizedprincipalscommand none
authorizedprincipalscommanduser none
authorizedprincipalsfile none
banner none
challengeresponseauthentication no
chrootdirectory none
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
clientalivecountmax 3
clientaliveinterval 0
compression yes
disableforwarding no
exposeauthinfo no
fingerprinthash SHA256
forcecommand none
gatewayports no
gssapiauthentication no
gssapicleanupcredentials yes
gssapikeyexchange no
gssapistorecredentialsonrekey no
gssapistrictacceptorcheck yes
hostbasedacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
hostkeyagent none
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
hostkey /etc/ssh/ssh_host_rsa_key
ignorerhosts yes
ignoreuserknownhosts no
ipqos lowdelay throughput
kbdinteractiveauthentication no
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
listenaddress 0.0.0.0:22
listenaddress [::]:22
logingracetime 120
loglevel INFO
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
maxauthtries 6
maxsessions 10
maxstartups 10:30:100
passwordauthentication yes
permitemptypasswords no
permitopen any
permitrootlogin without-password
permittty yes
permittunnel no
permituserenvironment no
permituserrc yes
pidfile /run/sshd.pid
port 22
printlastlog yes
printmotd no
pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyauthentication yes
rekeylimit 0 0
revokedkeys none
streamlocalbindmask 0177
streamlocalbindunlink no
strictmodes yes
subsystem sftp /usr/lib/openssh/sftp-server
syslogfacility AUTH
tcpkeepalive yes
trustedusercakeys none
usedns no
usepam yes
versionaddendum none
x11displayoffset 10
x11forwarding yes
x11uselocalhost yes
xauthlocation /usr/bin/xauth

Turbocapitalist · 04-17-2023, 04:50 AM

Thanks. The server configuration looks quite normal.

I'm not sure where to look next. When you have one SSH connection active, any additional ones always fail? Can you try seeing the initial identification string from the server? For that, instead of making your second connection with the SSH client, use Netcat instead:

Code:

nc 203.0.113.101 22

Obviously substitute the right address for your SSH server. It should output something like this:

SSH-2.0-OpenSSH_9.3

though the version will likely be different.

ugale · 04-18-2023, 06:14 AM

Quote:

Originally Posted by Turbocapitalist

When you have one SSH connection active, any additional ones always fail?

Yes.

Code:

nc x.x.x.x 22
nc: connect x.x.x.x port 22 (tcp) failed: Connection timed out

I think it might be the settings of my router. I will look in this direction.

ugale · 04-29-2023, 05:59 AM

This helped me.
In ~/.ssh/config
post *
# Connection Multiplexing
ControlMaster auto
ControlPersist 600
ControlPath ~/.ssh/ctrl/%C

Turbocapitalist · 04-29-2023, 08:38 AM

Quote:

Originally Posted by ugale

This helped me.
In ~/.ssh/config
post *
# Connection Multiplexing
ControlMaster auto
ControlPersist 600
ControlPath ~/.ssh/ctrl/%C

That runs multiple SSH sessions over a single TCP connection. So, if TCP multiplexing helped, then the problem is at a layer or two lower than the application layer. So look at TCP or IP rather than SSH. That would mean maybe the packet filter or the router.