Can't SSH as root anymore (but can still FTP)
So at work, we host most of our clients' websites on a server we have (from Lunar Pages) and I can ssh as root from work just fine, but from home, all of a sudden, I can't ssh as root anymore. I can't ssh as anyone (certain users have permission to ssh).
I can still FTP into the different sites and stuff from home, so it isn't an APF issue (I double checked the deny_hosts.rules (or whatever it is) just in case). I used to be able to ssh as root into the server from home... what could have changed? Has anyone had this problem? Being able to FTP from all IPs but only SSH from some? Thanks |
Compare 'ssh -v -v -v' from a denied and an accepted remote location with auth, system and daemon log output on the server. However using or accessing a root account directly over the network is not a security best practice. So whatever got changed, if server-side, was good.
|
Here's the one from the denied host:
cameron-laptop:~ cameron$ ssh -v -v -v root@hostrainmaker.com
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to hostrainmaker.com [209.200.237.113] port 22.
debug1: connect to address 209.200.237.113 port 22: Operation timed out
ssh: connect to host hostrainmaker.com port 22: Operation timed out
cameron-laptop:~ cameron$
I'll check out the results from my work computer tomorrow. |
Is there any company firewall out of your reach which was reconfigured?
|
No company firewall.
Here's the -v -v -v output from work:
Cameron:~ cameron$ ssh -v -v -v root@hostrainmaker.com
OpenSSH_5.2p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to hostrainmaker.com [209.200.237.113] port 22.
debug1: Connection established.
debug1: identity file /Users/cameron/.ssh/identity type -1
debug1: identity file /Users/cameron/.ssh/id_rsa type -1
debug1: identity file /Users/cameron/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 535/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /Users/cameron/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /Users/cameron/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'hostrainmaker.com' is known and matches the RSA host key.
debug1: Found key in /Users/cameron/.ssh/known_hosts:2
debug2: bits set: 493/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/cameron/.ssh/identity (0x0)
debug2: key: /Users/cameron/.ssh/id_rsa (0x0)
debug2: key: /Users/cameron/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-with-mic,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/cameron/.ssh/identity
debug3: no such identity: /Users/cameron/.ssh/identity
debug1: Trying private key: /Users/cameron/.ssh/id_rsa
debug3: no such identity: /Users/cameron/.ssh/id_rsa
debug1: Trying private key: /Users/cameron/.ssh/id_dsa
debug3: no such identity: /Users/cameron/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
root@hostrainmaker.com's password: |
I asked you to compare output with auth, system and daemon log output on the server.
// *snort* you don't even use pubkey auth... |
Yeah... I don't know what either of those things means. I didn't set up this server, I don't own the server, I just want access.
|
Quote:
|
Ok, thanks. I'll dig further and let you know what I find out.
Thanks for your input. |
I guess it needed to be specifically whitelisted. I could have sworn it was working before, but maybe not... Maybe I'm crazy.
Thanks for your guys' help and sorry for wasting your time =) [edit]: To be specific, I added my home IP to /etc/apf/allow_host.rules |
Check the port you're trying to connect to is correct & the firewall is not blocking your connection.
|
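The comparison of the two ssh -v -v -v captures in this thread can be scripted. The following is an added example, not part of any post: a shell function that reports the furthest stage a saved capture reached, which separates a dropped connection (the home case) from one that got as far as authentication (the work case). The function names and stage labels are this example's own, and the sample input is excerpted from the output quoted above.

```shell
#!/bin/sh
# Added example: classify saved `ssh -v` output by the furthest stage reached.
# Function names and stage labels are this example's own, not OpenSSH terms.

ssh_stage() {
    log=$(cat)
    has() { printf '%s\n' "$log" | grep -Eq "$1"; }
    # Test the latest stage first and work back toward the TCP connect.
    if   has 'Next authentication method:';      then echo auth
    elif has 'SSH2_MSG_KEXINIT received';        then echo kex
    elif has 'Connection established';           then echo connected
    elif has 'Connection refused';               then echo refused
    elif has '(Operation|Connection) timed out'; then echo filtered
    else echo unknown
    fi
}

stage_hint() {
    case "$1" in
        filtered)      echo "no answer on the port: check firewall allow/deny rules for this client IP" ;;
        refused)       echo "host answered but nothing accepted the connection: check sshd and the port" ;;
        connected|kex) echo "network path is fine: read the sshd log on the server" ;;
        auth)          echo "sshd reached authentication: check credentials and the server auth log" ;;
        *)             echo "no known marker found: capture again with ssh -v -v -v" ;;
    esac
}

# Sample input: lines excerpted from the two captures posted in this thread.
denied_sample() { cat <<'EOF'
debug1: Connecting to hostrainmaker.com [209.200.237.113] port 22.
debug1: connect to address 209.200.237.113 port 22: Operation timed out
ssh: connect to host hostrainmaker.com port 22: Operation timed out
EOF
}
accepted_sample() { cat <<'EOF'
debug1: Connecting to hostrainmaker.com [209.200.237.113] port 22.
debug1: Connection established.
debug1: SSH2_MSG_KEXINIT received
debug1: Next authentication method: password
EOF
}

for sample in denied_sample accepted_sample; do
    stage=$("$sample" | ssh_stage)
    echo "$sample: $stage -> $(stage_hint "$stage")"
done
```

A "filtered" result means the attempt never reached sshd, so the server's auth log will show nothing for that client and the place to look is the packet filter, which is where the fix in this thread was made.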