I have set up OpenSSH on an Ubuntu 8.04 server. I am using PuTTY on a Windows box to connect to the server. I have two accounts on the box. Each account has a /home directory. One of the accounts is the main account that was set up when Ubuntu was installed. The other account is a user account that I created from the command line.
I generated an SSH key pair. I copied the public key to the .ssh/authorized_keys file. I set the permissions for the file and the directory.
I can connect to the box just fine using the default "admin" account that was set up as part of the Ubuntu install process.
When I try to connect using the other user account, PuTTY returns the error "The server rejected our key."
The permissions for .ssh and everything else for the two accounts are configured identically.
After a lot of troubleshooting my best guess is that it is some sort of account permission problem? The "admin" account can sudo, the account that SSH is having problems with can't.
Please help. I've been beating my head against this thing for four or five hours at this point. I've even generated new keys and the issue persists.
The way to troubleshoot problems like this is by reviewing your system logs. I'm not really familiar with Ubuntu systems, but some guesses about the logs you may need to check are /var/log/secure, /var/log/auth (or similar), /var/log/messages.
Thanks for the tip. There are some error messages in there that do not seem to match up with reality. In particular the error
"User <user> from <ip> not allowed because not listed in AllowUsers"
The <user> is listed under AllowUsers in sshd_config.
I think that I see part of the problem. The two lines below are for the valid login.
Apr 26 13:24:50 subversion sshd[10513]: pam_winbind(sshd:setcred): user 'itadmin' OK
Apr 26 13:25:25 subversion sshd[10632]: pam_winbind(sshd:account): user 'itadmin' granted access
The next two lines are for the failed account.
Apr 26 13:31:06 subversion sshd[10632]: pam_winbind(sshd:setcred): user 'itadmin' OK
Apr 26 13:32:05 subversion sshd[10732]: Failed password for <user> from <ip> port 54842 ssh2
It seems like sshd is using the 'itadmin' account as part of its setcred function. As long as the account logging on matches the setcred account, everything is good. If the two don't match, it fails.
I haven't used pam_winbind, but I am presuming you have explicitly configured it and are intentionally using it..?
I'm not sure yet if the "AllowUsers" message is a red herring or is related to the problem cause. (Check not only AllowUsers in sshd_config, but also DenyUsers, AllowGroups, and DenyGroups, just for grins. Also make sure that if you're using the form USER@HOST, that HOST is correct.)
So, it seems like the answer is to grant the new user access to whatever facility pam_winbind is checking. Just like itadmin...
I did set up winbind intentionally. The box in question is part of an Active Directory domain and is hosting a Subversion repository. I had to set up winbind and Samba so that the backup software could access the repository.
The new user is set up in Active Directory and winbind should recognize it as a valid account. I think it really has something to do with that setcred function. I have posted a question to the SecureShell mailing list. I'm hoping that one of the developers has some clue.
One more obvious thing then while you're waiting for a reply on the mailing list. Make sure you've reloaded or restarted the sshd daemon after adding the new user to AllowUsers.
I could see a situation where you added it and forgot to bounce the daemon, which would cause the sshd "AllowUsers" chatter you described.
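Each syslog line quoted in this thread carries the logging sshd process ID in brackets, so grouping by that PID shows which messages came from the same sshd process when several logins interleave. The following is an added example, not code from any poster in the thread; the function names are hypothetical, and the sample input is the four log lines quoted above, with `<user>` and `<ip>` left as the poster redacted them.

```python
import re
from collections import defaultdict

# The four syslog lines quoted in the thread, copied verbatim
# (<user> and <ip> are the poster's own redactions).
SAMPLE = """\
Apr 26 13:24:50 subversion sshd[10513]: pam_winbind(sshd:setcred): user 'itadmin' OK
Apr 26 13:25:25 subversion sshd[10632]: pam_winbind(sshd:account): user 'itadmin' granted access
Apr 26 13:31:06 subversion sshd[10632]: pam_winbind(sshd:setcred): user 'itadmin' OK
Apr 26 13:32:05 subversion sshd[10732]: Failed password for <user> from <ip> port 54842 ssh2
"""

# timestamp, host, sshd PID, message
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd\[(\d+)\]: (.*)$")

# Message shapes seen in the thread, plus sshd's "Accepted ..." success line.
USER_PATTERNS = [
    re.compile(r"user '([^']+)'"),                                # pam_winbind
    re.compile(r"^Failed \S+ for (?:invalid user )?(\S+) from"),  # failed auth
    re.compile(r"^Accepted \S+ for (\S+) from"),                  # successful auth
    re.compile(r"^User (\S+) from \S+ not allowed"),              # AllowUsers etc.
]

def extract_user(msg):
    """Return the account name a message refers to, or None."""
    for pattern in USER_PATTERNS:
        m = pattern.search(msg)
        if m:
            return m.group(1)
    return None

def group_by_pid(text):
    """Return {pid: [(timestamp, user, message), ...]} for sshd lines."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, _host, pid, msg = m.groups()
            sessions[int(pid)].append((ts, extract_user(msg), msg))
    return dict(sessions)

def users_by_pid(text):
    """Return {pid: sorted list of account names mentioned by that process}."""
    return {pid: sorted({u for _, u, _ in events if u})
            for pid, events in group_by_pid(text).items()}

if __name__ == "__main__":
    for pid, events in sorted(group_by_pid(SAMPLE).items()):
        print(f"sshd[{pid}]")
        for ts, user, msg in events:
            print(f"  {ts}  user={user}  {msg}")
```

On the sample, the 13:31:06 `setcred` line groups with the 13:25:25 `itadmin` line under PID 10632, while the failed password attempt is the only line logged by PID 10732.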