
Xolo 11-16-2004 02:25 PM

Need help using Webmin to tell SSH to allow logins
Hello everyone.

I'm having a slight problem that I can't wrap my mind around today.
I've built myself a server running Mandrake 9 and set the security level to 'Paranoid'.
This effectively closed my box from the outside world, which is great, and it actually listened to me when I told it I wanted to use FTP, HTTP, Samba SWAT and Webmin publicly through the firewall. Except for SSHd: this lil' bugger won't let me connect to it; it will simply disconnect without warning.

So I need help using Webmin to alter the SSH server settings so it -will- allow users to log in remotely (except root, of course).

Thanks for your time.

guitarman85281 11-16-2004 10:14 PM

Is SSHd allowing login initially then booting you off or is it refusing the connection altogether?

Xolo 11-17-2004 01:26 AM

SSHd is started at boot, but it does not allow connections from the outside.
Here's a sample terminal from the box itself:

[xander@Xolo xander]$ ssh localhost
bash: /usr/bin/ssh: Permission denied
[xander@Xolo xander]$ su
[root@Xolo xander]# ssh localhost
root@localhost's password:
Permission denied, please try again.
root@localhost's password:

If I attempt SSH to the IP of the box from, say, my work office, I don't get anything; the terminal just disconnects. (Using PuTTY with default settings.)

Basically I think my error lies in the fact that users aren't authorised to log in (need a public key first?) and that SSHd doesn't present me with a login prompt but rather tries to determine who is attempting a login and then simply disconnects when it doesn't see a valid username (and possibly an accompanying key).

guitarman85281 11-17-2004 08:11 AM

Looks like root login is not allowed. That's actually a smart thing to do security-wise. Look at your .conf file and see who is in the valid users list as well.

Xolo 11-17-2004 03:57 PM

Indeed, root isn't allowed to use SSH, nor is he allowed to log into the system directly ;)
However, when I look at Webmin's page for SSH's Access Control, the part where it says 'Only allow users' is set to 'All'. That leads me to think all users are allowed to log into SSH, but it doesn't appear to work that way.


Network and login access control options

Only allow users        All
Only allow members of groups        None
Deny users        None
Deny members of groups        All

These are the default settings.

I forgot to mention that I've tried to alter these settings in a previous install, to:


Network and login access control options

Only allow users        user1 user2 user3 user4
Only allow members of groups        user1 user2 user3 user4
Deny users        None
Deny members of groups        (Any non-user group here)

But that didn't change anything as far as I could see, even after a full reboot.

Xolo 11-22-2004 03:29 AM

Clean start, reinstalled the entire machine from scratch.
Still need to get SSH working for my users. SSHd is running, but does not allow login. Default settings so far, but I could use a hint or two for Webmin.. ;) I'll try some stuff later when I have free time, since I'm at the office right now.

mardanian 11-22-2004 05:03 AM

Okay, I assume you have direct access to this machine? If yes, then do this and then try to SSH to the box:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

If it's still not working, then poke into the sshd.conf file.

Xolo 11-22-2004 06:31 AM

I did enable SSH access in the firewall but I will re-check it anyway against what you told me to use when I get home.

Xolo 11-22-2004 11:26 AM

Well, checked the firewall and it's in there alright... but it doesn't work. It's SSHd itself that is disconnecting me when I try to log in.
Here's a bit out of iptables -L:


Chain net2fw (1 references)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere          state RELATED,ESTABLISHED
newnotsyn  tcp  --  anywhere            anywhere          state NEW tcp flags:!SYN,RST,ACK/SYN
ACCEPT    tcp  --  anywhere            anywhere          state NEW tcp dpt:http
ACCEPT    tcp  --  anywhere            anywhere          state NEW tcp dpt:https
ACCEPT    tcp  --  anywhere            anywhere          state NEW tcp dpt:domain
ACCEPT    tcp  --  anywhere            anywhere          state NEW tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere          state NEW tcp dpt:ftp-data
ACCEPT    tcp  --  anywhere            anywhere          state NEW tcp dpt:ftp
ACCEPT    tcp  --  anywhere            anywhere          state NEW tcp dpt:swat
ACCEPT    tcp  --  anywhere            anywhere          state NEW tcp dpt:8000
ACCEPT    tcp  --  anywhere            anywhere          state NEW tcp dpt:8001
ACCEPT    tcp  --  anywhere            anywhere          state NEW tcp dpt:8888
ACCEPT    tcp  --  anywhere            anywhere          state NEW tcp dpt:10000
ACCEPT    udp  --  anywhere            anywhere          state NEW udp dpt:domain
net2all    all  --  anywhere            anywhere

So I think port 22 is open, as SSHd does take the connection in the first two seconds..

I've tried ssh -v localhost to get some verbose output, maybe it's of use:

[root@Xolo bin]# ssh -v localhost
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
debug1: Calling cleanup 0x8068fc0(0x0)

Do I need to set up public keys or something? If yes, how? I'm not having much luck with ssh-keygen..

Xolo 11-22-2004 03:57 PM

Here's my sshd_config, by the way [edited for user privacy]:


#        $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
Protocol 1,2
#ListenAddress ::

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile        .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem        sftp        /usr/lib/ssh/sftp-server
PermitRootLogin no
IgnoreRhosts yes
RhostsRSAAuthentication no
RhostsAuthentication no
IgnoreUserKnownHosts no
PrintMotd yes
StrictModes yes
RSAAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
ReverseMappingCheck no
GatewayPorts no
AllowTcpForwarding yes
LoginGraceTime 120
KeepAlive yes
DenyGroups adm apache bin ctools user5 ftp games gdm lp machines mail mysql named news nogroup postdrop postfix postgres root rpm sshd
AllowGroups user1 user2 user3 user4
AllowUsers user1 user2 user3 user4
KeyRegenerationInterval 1800

And my ssh_config file:


#        $OpenBSD: ssh_config,v 1.15 2002/06/20 20:03:34 stevesk Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#  ForwardAgent no
#  ForwardX11 no
#  RhostsAuthentication no
#  RhostsRSAAuthentication no
#  RSAAuthentication yes
#  PasswordAuthentication yes
#  BatchMode no
#  CheckHostIP yes
#  StrictHostKeyChecking ask
#  IdentityFile ~/.ssh/identity
#  IdentityFile ~/.ssh/id_rsa
#  IdentityFile ~/.ssh/id_dsa
#  Port 22
#  Protocol 2,1
#  Cipher 3des
#  Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#  EscapeChar ~

Host *
        ForwardX11 yes
        Protocol 1,2
        StrictHostKeyChecking no

I can't really tell if there is an error in there anywhere. I did not edit either file by hand, any non-default lines were created through Webmin's control panel for SSH Server.
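The following is an added example, not code from the thread, from OpenSSH or from Webmin: a small Python script that re-implements the order in which sshd applies the four user/group access-control directives that appear in the sshd_config above (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups; the first list that rejects wins, and an empty Allow list imposes no limit). It lets you sanity-check a config against a named account before restarting the daemon. The config text embedded in it is a constructed subset of the posted file, and the group memberships are constructed too; the point they illustrate is that the Webmin form copied the same four names into AllowGroups as into AllowUsers, so a user is only admitted if a group of the same name exists and the user belongs to it (Mandrake's default private group per user normally provides that). One caveat for reading the `ssh -v` output earlier in the thread: `ssh_exchange_identification: Connection closed by remote host` is raised before the client has sent any username, so these lists are not what closed that connection; the check is still worth running so the allow lists do not become the next obstacle once a connection gets through.

```python
"""Mimic sshd's DenyUsers/AllowUsers/DenyGroups/AllowGroups evaluation.

Added example, not part of the thread; the config and memberships below
are constructed for illustration.
"""
import fnmatch

# Constructed: the access-control directives copied from the posted
# sshd_config, plus the commented/uncommented PermitRootLogin pair to show
# that comment lines are skipped.
SSHD_CONFIG = """\
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
DenyGroups adm apache bin ctools user5 ftp games gdm lp machines mail mysql named news nogroup postdrop postfix postgres root rpm sshd
AllowGroups user1 user2 user3 user4
AllowUsers user1 user2 user3 user4
"""

# Constructed group memberships. With a private group named after the user
# (Mandrake's default) user1 passes AllowGroups; without it, the same user
# is rejected by AllowGroups even though AllowUsers names him.
MEMBERSHIPS = {
    "user1 (with private group)": ("user1", ["user1", "users"]),
    "user1 (no private group)": ("user1", ["users"]),
    "user5": ("user5", ["user5", "users"]),
    "root": ("root", ["root"]),
}

ACCESS_KEYS = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_access_lists(text):
    """Return {directive: [patterns]} for the four access-control directives.

    Blank lines, comments and unrelated directives are ignored; directive
    names are compared case-insensitively, as sshd does.
    """
    lists = {key: [] for key in ACCESS_KEYS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        for key in ACCESS_KEYS:
            if parts[0].lower() == key.lower():
                lists[key].extend(parts[1:])
    return lists


def _matches(name, patterns):
    # sshd accepts shell-style wildcards in these lists (e.g. "user*").
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def access_decision(lists, user, groups):
    """Apply the lists in sshd's order and return (allowed, reason)."""
    if _matches(user, lists["DenyUsers"]):
        return False, "user listed in DenyUsers"
    if lists["AllowUsers"] and not _matches(user, lists["AllowUsers"]):
        return False, "user not listed in AllowUsers"
    denied = [g for g in groups if _matches(g, lists["DenyGroups"])]
    if denied:
        return False, "member of denied group(s): " + ", ".join(denied)
    if lists["AllowGroups"] and not any(
        _matches(g, lists["AllowGroups"]) for g in groups
    ):
        return False, "no group membership listed in AllowGroups"
    return True, "permitted by access-control lists"


def report(config_text, memberships):
    """Evaluate every account in `memberships` against the config text."""
    lists = parse_access_lists(config_text)
    return {
        label: access_decision(lists, user, groups)
        for label, (user, groups) in memberships.items()
    }


if __name__ == "__main__":
    for label, (allowed, reason) in report(SSHD_CONFIG, MEMBERSHIPS).items():
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{label:28} {verdict:5} {reason}")
```

To check a real box, replace the embedded text with the contents of /etc/ssh/sshd_config and the constructed memberships with the output of `id -Gn <user>`; the script reads nothing from the system itself, so it is safe to run anywhere.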
