LinuxQuestions.org
Old 08-23-2009, 09:40 AM   #1
threezerous
Member
 
Registered: Jul 2009
Posts: 94

Rep: Reputation: 15
sftp login gives permission denied error


We have a server which is accessed from two different clients. Both clients are separated from the server by firewalls. The networking team has confirmed that port 22 for ssh has been opened for accessing this server from both clients. I am told sftp uses the same port as ssh.

From one of the clients I can sftp to the server with an account a@server.domain.com. I have confirmed that account a does exist on the server.

From the other client, when I sftp, this is what I see:

[client2@hostname ~]$ sftp a@server.domain.com
Connecting to server.domain.com...
reverse mapping checking getaddrinfo for server.xxx.domain.com failed - POSSIBLE BREAKIN ATTEMPT!
a@server.domain.com's password:
Permission denied, please try again.
a@server.domain.com's password:

Note that the reverse mapping checking address (server.xxx.domain.com) is different from the server I am trying to connect to (server.domain.com). There is an additional xxx value in the FQDN.

I am not sure what is wrong and what questions I need to ask the networking team. Per the networking team, since ssh and sftp work, their configuration is fine. Per the OS team, since account a exists on the server and I can connect from the other client, the OS configuration is fine.

Any suggestions on where the issue could be and how we can fix it?

Thanks,
 
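The "reverse mapping checking" line in the output above is OpenSSH's forward-confirmed reverse DNS check: it resolves the peer IP to a name (PTR), resolves that name back to addresses (A/AAAA), and warns when the original IP is not among them. It is a warning only; OpenSSH then carries on using the bare IP, so this line by itself does not produce "Permission denied". The following is an added example (not code from the thread or from OpenSSH) that reimplements the check with pluggable resolvers so it can be run offline; the names and addresses in FAKE_PTR and FAKE_A are constructed to model the situation in this post, where the typed name points at one address whose PTR record names a host that resolves elsewhere.

```python
"""Forward-confirmed reverse DNS check, as OpenSSH performs it (added example).

The live_* resolvers use the system resolver; the fake_* resolvers carry
constructed data so the example runs without network access.
"""
import socket
from typing import Callable, Dict, List

ReverseLookup = Callable[[str], str]        # ip -> PTR name, raises if none
ForwardLookup = Callable[[str], List[str]]  # name -> list of addresses


def live_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def live_forward(name: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def check_reverse_mapping(ip: str,
                          reverse: ReverseLookup = live_reverse,
                          forward: ForwardLookup = live_forward) -> dict:
    """Return a dict describing whether PTR(ip) forward-resolves back to ip."""
    try:
        name = reverse(ip)
    except (socket.herror, socket.gaierror, KeyError):
        return {"ip": ip, "name": None, "ok": False, "reason": "no PTR record"}
    try:
        addrs = forward(name)
    except (socket.gaierror, KeyError):
        addrs = []
    if ip in addrs:
        return {"ip": ip, "name": name, "ok": True, "reason": ""}
    # Wording mirrors the message quoted in this thread; newer OpenSSH
    # releases spell it "BREAK-IN".
    return {"ip": ip, "name": name, "ok": False,
            "reason": (f"reverse mapping checking getaddrinfo for {name} "
                       f"[{ip}] failed - POSSIBLE BREAKIN ATTEMPT!")}


# Constructed DNS data (assumption, not the thread's real names/addresses):
# server.domain.com resolves to 192.0.2.10, whose PTR record names
# server.xxx.domain.com, which in turn resolves to a different address.
FAKE_PTR: Dict[str, str] = {
    "192.0.2.10": "server.xxx.domain.com",
    "192.0.2.11": "node1.domain.com",
}
FAKE_A: Dict[str, List[str]] = {
    "server.domain.com": ["192.0.2.10"],
    "server.xxx.domain.com": ["192.0.2.11"],
    "node1.domain.com": ["192.0.2.11"],
}


def fake_reverse(ip: str) -> str:
    return FAKE_PTR[ip]


def fake_forward(name: str) -> List[str]:
    return FAKE_A[name]


def explain(hostname: str,
            forward: ForwardLookup = fake_forward,
            reverse: ReverseLookup = fake_reverse) -> List[dict]:
    """Resolve hostname, then run the reverse-mapping check on each address."""
    return [check_reverse_mapping(ip, reverse, forward) for ip in forward(hostname)]


if __name__ == "__main__":
    for result in explain("server.domain.com"):
        print(result["ip"], "OK" if result["ok"] else result["reason"])
```

To run the same check against real DNS, call `explain("server.domain.com", live_forward, live_reverse)`; comparing its output from each client shows whether both sides even resolve the name to the same address.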
Old 08-23-2009, 10:01 AM   #2
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 650
Hi threezerous,

You could run tcpdump on the destination host and ensure that the connection is actually going to the correct host...

cheers,

kbp
 
Old 08-23-2009, 11:36 AM   #3
threezerous
Member
 
Registered: Jul 2009
Posts: 94

Original Poster
Rep: Reputation: 15
sftp login gives permission denied error

Not sure I understand.

The connection does not seem to be going through; it fails with a permission denied error. So what is tcpdump going to give me?

Also, a very basic question... I tried running tcpdump and it gives a lot of free-flowing information in a continuous running mode. I am not sure what to look for, or where, in the output. Do I need to redirect the output to a file? This is the first time I would be using tcpdump.
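What kbp is suggesting is to confirm, on the server itself, that packets from the failing client actually arrive there. A filtered capture keeps the output readable, for example `tcpdump -nn -i eth0 -c 50 'tcp port 22 and host 203.0.113.5'` (substituting the interface and the client's address), or `tcpdump -nn -w ssh.pcap 'tcp port 22'` to save to a file and `tcpdump -nn -r ssh.pcap` to read it back. The lines that matter are the ones with `Flags [S]`: a bare SYN is a new connection attempt, and if the client's address never appears as a SYN source on this host, its connections are landing somewhere else or being dropped in between. The following is an added example (not from the thread) that summarises tcpdump's text output that way; the capture lines in SAMPLE_TCPDUMP are constructed, and the addresses are placeholders.

```python
"""Summarise connection attempts in tcpdump -nn text output (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# tcpdump -nn prints TCP packets as:
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], seq ..., length 0
TCP_LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line: str) -> Optional[dict]:
    """Return src/dst/ports/flags for a TCP line, or None for anything else."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def count_syns(lines: Iterable[str], server_port: int = 22) -> Dict[Tuple[str, str], int]:
    """Count pure SYNs (new connection attempts) per (client, server) pair."""
    counts: Counter = Counter()
    for line in lines:
        p = parse_line(line)
        if p and p["dport"] == server_port and p["flags"] == "S":
            counts[(p["src"], p["dst"])] += 1
    return dict(counts)


def missing_clients(lines: Iterable[str], expected_clients: Iterable[str],
                    server_port: int = 22) -> List[str]:
    """Expected clients that never sent a SYN to this host.

    Their traffic is either reaching a different host (e.g. another node
    behind a load-balanced address) or being dropped before it gets here.
    """
    seen = {src for (src, _dst) in count_syns(lines, server_port)}
    return sorted(set(expected_clients) - seen)


# Constructed capture: client 198.51.100.7 completes two handshakes with
# this host; client 203.0.113.5 never shows up at all.
SAMPLE_TCPDUMP = """\
09:40:01.100000 IP 198.51.100.7.51234 > 192.0.2.11.22: Flags [S], seq 1, win 29200, length 0
09:40:01.100500 IP 192.0.2.11.22 > 198.51.100.7.51234: Flags [S.], seq 2, ack 2, win 28960, length 0
09:40:01.101000 IP 198.51.100.7.51234 > 192.0.2.11.22: Flags [.], ack 1, win 229, length 0
09:40:01.150000 IP 192.0.2.11.22 > 198.51.100.7.51234: Flags [P.], seq 1:22, ack 1, win 227, length 21
09:40:05.000000 IP 198.51.100.7.51240 > 192.0.2.11.22: Flags [S], seq 9, win 29200, length 0
""".splitlines()


if __name__ == "__main__":
    for (src, dst), n in count_syns(SAMPLE_TCPDUMP).items():
        print(f"{src} -> {dst}:22  {n} connection attempt(s)")
    print("never seen:", missing_clients(SAMPLE_TCPDUMP, ["198.51.100.7", "203.0.113.5"]))
```

Feed it a real capture with `tcpdump -nn -r ssh.pcap | python3 thisfile.py` after replacing SAMPLE_TCPDUMP with `sys.stdin`; the SYN-ACK and data lines are deliberately ignored so that the count reflects attempts rather than packets.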
 
Old 08-23-2009, 12:17 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by threezerous
I am told sftp uses the same port as ssh.
sftp is an openssh subsystem. (So unless you're running two different sshd instances, they always use the same port.)

Quote:
Originally Posted by threezerous
reverse mapping checking getaddrinfo for server.xxx.domain.com failed - POSSIBLE BREAKIN ATTEMPT!
a@server.domain.com's password:
Permission denied, please try again.
You can likely get more detailed information about what is going wrong by tailing /var/log/secure on the server side.

IIRC, when UseDNS is enabled in sshd_config, clients who fail a reverse DNS lookup are automatically denied access. (You could test this by temporarily disabling UseDNS and reloading sshd.)

The long term fix is going to be either 1) using a client that presents its hostname correctly; or 2) disabling UseDNS. The former would be better, as UseDNS helps discourage some cracking attempts.
 
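On the server side, sshd logs every authentication outcome to /var/log/secure (on RHEL-style systems) with the client's address, so grouping those lines by source IP shows both what happened to the failing client's attempts and, just as usefully, whether that client's address appears at all. One caveat worth keeping in mind: UseDNS only controls whether sshd resolves the client address and checks that it maps back; a failed reverse mapping produces the "reverse mapping checking" log line but does not by itself deny the login. The following is an added example (not code from the thread) that runs that grouping over a handful of constructed /var/log/secure lines; hostnames, addresses and PIDs are placeholders.

```python
"""Group sshd authentication messages by client address (added example)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# "Aug 23 09:40:15 node1 sshd[4321]: <message>"
SSHD_LINE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
ACCEPTED = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED = re.compile(
    r"^Failed \S+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
REVMAP = re.compile(
    r"^reverse mapping checking getaddrinfo for (?P<name>\S+) \[(?P<ip>[^\]]+)\] failed"
)


def _new_entry() -> dict:
    return {"accepted": 0, "failed": 0, "invalid_user": 0,
            "reverse_mapping_failed": 0, "users": set()}


def summarize_auth(lines: Iterable[str]) -> Dict[str, dict]:
    """Per client IP: counts of accepted/failed logins, invalid users,
    reverse-mapping warnings, and the user names that were attempted."""
    stats: Dict[str, dict] = defaultdict(_new_entry)
    for line in lines:
        m = SSHD_LINE.match(line)
        if not m:
            continue
        msg = m["msg"]
        a = ACCEPTED.match(msg)
        if a:
            stats[a["ip"]]["accepted"] += 1
            stats[a["ip"]]["users"].add(a["user"])
            continue
        f = FAILED.match(msg)
        if f:
            stats[f["ip"]]["failed"] += 1
            if f["invalid"]:
                stats[f["ip"]]["invalid_user"] += 1
            stats[f["ip"]]["users"].add(f["user"])
            continue
        r = REVMAP.match(msg)
        if r:
            stats[r["ip"]]["reverse_mapping_failed"] += 1
    # Freeze the user sets into sorted lists for stable output.
    return {ip: {**e, "users": sorted(e["users"])} for ip, e in stats.items()}


def absent_sources(stats: Dict[str, dict], expected_clients: Iterable[str]) -> List[str]:
    """Clients that produced no sshd log lines on this host at all: sshd here
    never saw them, so their connections are being handled elsewhere."""
    return sorted(set(expected_clients) - set(stats))


# Constructed log lines modelling the thread: one client succeeds, the other
# fails as user "a" and once as a non-existent user.
SAMPLE_SECURE = """\
Aug 23 09:40:12 node1 sshd[4321]: reverse mapping checking getaddrinfo for client2.xxx.domain.com [203.0.113.5] failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 23 09:40:15 node1 sshd[4321]: Failed password for a from 203.0.113.5 port 51234 ssh2
Aug 23 09:40:20 node1 sshd[4321]: Failed password for invalid user ftpuser from 203.0.113.5 port 51234 ssh2
Aug 23 09:41:02 node1 sshd[4330]: Accepted password for a from 198.51.100.7 port 40022 ssh2
Aug 23 09:41:02 node1 sshd[4330]: subsystem request for sftp
Aug 23 09:41:30 node1 sshd[4335]: Connection closed by 198.51.100.7
""".splitlines()


if __name__ == "__main__":
    report = summarize_auth(SAMPLE_SECURE)
    for ip, entry in report.items():
        print(ip, entry)
    print("no log entries from:", absent_sources(report, ["198.51.100.7", "203.0.113.5", "203.0.113.9"]))
```

Against a live system, `summarize_auth(open("/var/log/secure"))` does the same; if the failing client's address comes back from `absent_sources`, look for another host answering the same name rather than at this host's configuration.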
Old 08-23-2009, 02:47 PM   #6
threezerous
Member
 
Registered: Jul 2009
Posts: 94

Original Poster
Rep: Reputation: 15
Quote:
You can likely get more detailed information about what is going wrong by tailing /var/log/secure on the server side.
I could not find anything in the log for any attempt by the failing client to connect

Quote:
IIRC, when UseDNS is enabled in sshd_config, clients who fail a reverse DNS lookup are automatically denied access. (You could test this by temporarily disabling UseDNS and reloading sshd.)
The sshd_config shows that the entry for UseDNS is commented out
#UseDNS yes


Quote:
The long term fix is going to be either 1) using a client that presents its hostname correctly; or 2) disabling UseDNS. The former would be better, as UseDNS helps discourage some cracking attempts.
Thank you for your suggestion. This was an area I had not looked into.

Last edited by threezerous; 08-23-2009 at 02:49 PM.
 
Old 08-23-2009, 03:00 PM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by threezerous
The sshd_config shows that the entry for UseDNS is commented out
#UseDNS yes
UseDNS is enabled by default. You'll have to explicitly turn it off (if that is the path you want to pursue) and reload sshd.
 
Old 08-24-2009, 11:18 AM   #8
threezerous
Member
 
Registered: Jul 2009
Posts: 94

Original Poster
Rep: Reputation: 15
Turns out server.domain.com was actually a VIP for two load-balanced servers. Account a was defined in the rssh-ftp group on one of the servers and not on the other. Maybe we kept hitting the wrong one, giving us a permission denied error. After the user was added to the group on the second server, sftp worked like a charm.

Thanks all for your suggestions.
 
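The root cause above is a configuration drift between two backends behind one name, which is exactly the case the per-host checks in the earlier posts cannot see from a single node. The quick manual check on each backend is `getent passwd a`, `getent group rssh-ftp` and `id a`; the following is an added example (not from the thread) that parses those two getent outputs for every node and reports which nodes would still refuse the user. The node names, the uid/gid values and the rssh shell path in NODES are constructed; `collect_local` is the piece you would run on each real backend to gather the same two strings.

```python
"""Compare a user's account and group state across load-balanced backends
(added example)."""
import subprocess
from typing import Dict, List, Optional, Tuple


def parse_passwd(out: str, user: str) -> Optional[dict]:
    """Pick the user's entry out of `getent passwd <user>` output."""
    for line in out.splitlines():
        f = line.split(":")
        if len(f) >= 7 and f[0] == user:
            return {"uid": int(f[2]), "gid": int(f[3]), "home": f[5], "shell": f[6]}
    return None


def parse_group(out: str, group: str) -> Optional[dict]:
    """Pick the group's entry out of `getent group <group>` output."""
    for line in out.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == group:
            members = [m for m in f[3].split(",") if m]
            return {"gid": int(f[2]), "members": members}
    return None


def account_state(passwd_out: str, group_out: str, user: str, group: str) -> dict:
    """Does the user exist, and is it a member of the group (by supplementary
    membership or by primary gid)?"""
    pw = parse_passwd(passwd_out, user)
    gr = parse_group(group_out, group)
    in_group = bool(pw and gr and (user in gr["members"] or pw["gid"] == gr["gid"]))
    return {
        "exists": pw is not None,
        "group_exists": gr is not None,
        "in_group": in_group,
        "shell": pw["shell"] if pw else None,
    }


def compare_nodes(nodes: Dict[str, Tuple[str, str]], user: str, group: str) -> Dict[str, dict]:
    """nodes maps node name -> (getent passwd output, getent group output)."""
    return {name: account_state(p, g, user, group) for name, (p, g) in nodes.items()}


def nodes_missing_access(report: Dict[str, dict]) -> List[str]:
    """Nodes on which the user either does not exist or is not in the group."""
    return sorted(n for n, s in report.items() if not (s["exists"] and s["in_group"]))


def collect_local(user: str, group: str) -> Tuple[str, str]:
    """Run on a backend to gather its own getent output (not used offline)."""
    p = subprocess.run(["getent", "passwd", user], capture_output=True, text=True).stdout
    g = subprocess.run(["getent", "group", group], capture_output=True, text=True).stdout
    return p, g


# Constructed getent output for two backends: node2 lacks the group membership.
NODES: Dict[str, Tuple[str, str]] = {
    "node1": ("a:x:1001:1001:sftp user a:/home/a:/usr/bin/rssh\n",
              "rssh-ftp:x:2001:a,b\n"),
    "node2": ("a:x:1001:1001:sftp user a:/home/a:/usr/bin/rssh\n",
              "rssh-ftp:x:2001:b\n"),
}


if __name__ == "__main__":
    report = compare_nodes(NODES, "a", "rssh-ftp")
    for node, state in report.items():
        print(node, state)
    print("would deny user a:", nodes_missing_access(report))
```

Running `collect_local` on every backend and feeding the results into `compare_nodes` turns "it works from one client" into a check that can be repeated whenever a node is added to or rebuilt behind the VIP.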