LinuxQuestions.org


bino25 02-04-2011 07:47 AM

ssh access denied
 
Howdy all...

I am having a weird issue with ssh. I have a user trying to ssh via PuTTY from a Windows server. When he tries to use his account, he keeps getting access denied (I just created his). I temporarily changed my user account password just to have him try that and rule out PuTTY, and he's able to connect with my ID.

My hosts.allow and hosts.deny are empty. There is an AllowUsers entry in the sshd_config file which I added him to and restarted ssh (service sshd restart). He's still getting access denied with his account, but he can still log in with my user account.

I know we should be using key authentication, but I just started here and have not implemented that yet.

Any ideas on why I'm getting access denied for his user account?

AlucardZero 02-04-2011 08:22 AM

What does your auth log say? (/var/log/secure or /var/log/auth*log)

bino25 02-04-2011 08:59 AM

secure log shows:

sshd[7638]: Failed password for jsmith from ::ffff:xxx.xx.xx.xx port 1055 ssh2

(I obviously x'd out the IP address, and I'm definitely using the correct password.)

They don't have authlog enabled...

repo 02-04-2011 09:17 AM

In your ssh conf, try to comment out
Code:

AllowGroups users
AllowUsers username

Kind regards

evilmegaman 10-18-2011 02:28 AM

I'm having the EXACT same problem. Commented out AllowUsers. I've created and deleted multiple accounts, but only this one specific account is just flat out getting ACCESS DENIED every time. I'm so tired, I've been working on this for hours and I don't know what to do. This post is kind of a placeholder for possible info by morning. If no response, I'll double post with some extra info; too tired now though.

phaemon 10-18-2011 03:52 AM

Perhaps try deleting the .ssh directory for that user and see if that fixes it. Otherwise, I assume ssh is checking the password against /etc/shadow so maybe see if that user has something different than the other users have?

singhjc 10-18-2011 06:06 AM

Hi, have you checked /etc/ssh/sshd_config? At the bottom of this file there is a line like

RootPermitlogin no

If that line is there, remove it or comment it out with #, then restart the sshd service and try to log in.

deep27ak 10-18-2011 07:02 AM

Can you post your

Code:

/etc/ssh/sshd_config

file

evilmegaman 10-18-2011 11:10 AM

I tried commenting out PermitRootLogin... nada. Here's a rundown of what it looks like to log in as the different users (via any ssh client really, but in this case copying out of PuTTY).
Quote:

login as: payton
Debian GNU/Linux 6.0 \n \l

suck my d and b
payton@192.168.0.6's password:
Access denied
payton@192.168.0.6's password:

Quote:

login as: robert
Debian GNU/Linux 6.0 \n \l

suck my d and b
robert@192.168.0.6's password:
Linux cary 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
Last login: Tue Oct 18 09:00:05 2011 from 192.168.0.2
robert@cary:~$

Quote:

login as: meowlie
Debian GNU/Linux 6.0 \n \l

suck my d and b
meowlie@192.168.0.6's password:
Linux cary 2.6.32-5-686 #1 SMP Mon Oct 3 04:15:24 UTC 2011 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Oct 18 08:57:04 2011 from 192.168.0.2
meowlie@cary:~$

Quote:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
#PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#Allows specific users access. Comment if you want all users to access. bad idea
AllowUsers root robert meowlie payton

ClientAliveInterval 1200
ClientAliveCountMax 0

Banner /etc/issue

phaemon 10-19-2011 04:48 AM

Well, /etc/sshd_config looks OK, as it should since other users can log in OK.

Things to try:
Triple check the password is correct! Reset it to something and make sure you can log in directly on the server
There's something wrong in the .ssh folder: mv /home/payton/.ssh /home/payton/ssh_backup
Check /etc/passwd and /etc/shadow and see if there's any difference between the payton and robert accounts

deep27ak 10-19-2011 06:11 AM

@reply
Code:

# Authentication:
LoginGraceTime 120
#PermitRootLogin no
StrictModes yes

just make an entry at the bottom of the above mentioned section
Code:

PermitRootLogin yes

--------------------------------------------------------------------

Code:

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

make a change in this entry only if you are using RSA security authentication to connect via ssh

Code:

IgnoreRhosts no
RhostsRSAAuthentication yes
IgnoreUserKnownHosts no


Everything else seems fine.
Just restart ssh and check!

evilmegaman 10-23-2011 11:35 PM

Some malformed demon combination of those two methods seemed to do the trick. Thanks!


Adding the AllowGroups option stops sshd from working at all. Just thought I'd mention.
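
The per-account checks phaemon lists (comparing /etc/passwd and /etc/shadow entries) and the AllowUsers/AllowGroups behaviour mentioned above can be run together against copies of the files. The script below is an added example, not part of any post in this thread; the function names and the sample passwd, group and shadow entries are constructed, and the locked password shown for payton is an illustration, not the cause found in the thread.

```sh
# Added example. sshd requires a user to pass AllowUsers AND AllowGroups when both are set.
# Exact-name matching only: patterns such as user@host or wildcards are not evaluated.

cfg_values() {   # cfg_values KEYWORD FILE -> one value per line, commented lines skipped
    awk -v k="$1" 'tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) print $i }' "$2"
}

user_groups() {  # user_groups USER PASSWD GROUP -> primary + supplementary group names
    gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
    awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$3"
}

ssh_login_blockers() {  # ssh_login_blockers USER SSHD_CONFIG PASSWD SHADOW GROUP
    user=$1; cfg=$2; passwd=$3; shadow=$4; group=$5
    if ! awk -F: -v u="$user" '$1 == u { f = 1 } END { exit !f }' "$passwd"; then
        echo "no-such-user"; return 0
    fi
    allow_u=$(cfg_values AllowUsers "$cfg")
    if [ -n "$allow_u" ] && ! printf '%s\n' "$allow_u" | grep -qxF -- "$user"; then
        echo "not-in-AllowUsers"
    fi
    allow_g=$(cfg_values AllowGroups "$cfg")
    if [ -n "$allow_g" ]; then
        hit=0
        for g in $(user_groups "$user" "$passwd" "$group"); do
            if printf '%s\n' "$allow_g" | grep -qxF -- "$g"; then hit=1; fi
        done
        [ "$hit" -eq 1 ] || echo "not-in-AllowGroups"
    fi
    # A shadow hash starting with ! or * can never match a typed password.
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow")
    case $hash in
        '')        echo "no-password-hash" ;;
        '!'*|'*'*) echo "password-locked" ;;
    esac
}

make_sample() {  # constructed files; account names and the AllowUsers line are from the thread
    printf '%s\n' 'AllowUsers root robert meowlie payton' 'AllowGroups users' > "$1/sshd_config"
    printf '%s\n' 'robert:x:1000:100::/home/robert:/bin/bash' 'payton:x:1001:1001::/home/payton:/bin/bash' > "$1/passwd"
    printf '%s\n' 'users:x:100:' 'payton:x:1001:' > "$1/group"
    printf '%s\n' 'robert:$6$constructed:15265::::::' 'payton:!$6$constructed:15265::::::' > "$1/shadow"
}

d=$(mktemp -d); make_sample "$d"
ssh_login_blockers payton "$d/sshd_config" "$d/passwd" "$d/shadow" "$d/group"
rm -rf "$d"
```

On a live system the same function can be pointed at /etc/ssh/sshd_config, /etc/passwd, /etc/shadow and /etc/group as root; an empty result means none of these three checks explains the denial.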


All times are GMT -5.