SSH problem

Linux Kernel, Network, and Services configuration.
koko13
Posts: 5
Joined: 2005-03-30 07:50

SSH problem

#1 Post by koko13 »

Hello Everybody!

I have a little problem with debian ssh.
It allows only the root login. If I try to log in as a user it says: Permission denied. (Before the bash prompt appears)
I checked the rights on the user's home directory and it is OK. The passwd file is OK. (The shell is defined /bin/bash).
I've tried PAM and RSA authentication, but it didn't work.
I've debugged on another port, but it hasn't helped me.
Thanks in advance!

Koko13

sprucio
Posts: 143
Joined: 2005-03-29 03:30

#2 Post by sprucio »

Can you give us a detailed explanation on how you are trying to connect from the client side?

Also, if you can post your /etc/ssh/sshd_config file using the quote buttons on this forum, that might be helpful.

koko13
Posts: 5
Joined: 2005-03-30 07:50

ssh problem

#3 Post by koko13 »

sprucio wrote: Can you give us a detailed explanation on how you are trying to connect from the client side?

Also, if you can post your /etc/ssh/sshd_config file using the quote buttons on this forum, that might be helpful.
Hello,
This is my sshd_config file:


# Package generated configuration file
# See the sshd(8) manpage for defails

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
PAMAuthenticationViaKbdInt no
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
# StrictModes yes

AllowGroups root efebbt
AllowUsers root efebbt efebkft

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes


# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/lib/sftp-server



I've tried putty and winscp from windows, and ssh -l username -vvv ipaddress, but the debug mode didn't help me.
Thanks in advance,

Koko13

sprucio
Posts: 143
Joined: 2005-03-29 03:30

#4 Post by sprucio »

OK. First things first, if you post an output of a file, please use the code tags so that it's easier to read.

I just read the man pages:

Code:

$ man 5 sshd_config

and it looks like your entries regarding:

Code:

AllowGroups root efebbt
AllowUsers root efebbt efebkft

are probably the problem.

I certainly don't have them in my config file and you can probably comment them out using '#' and restarting SSH.

koko13
Posts: 5
Joined: 2005-03-30 07:50

#5 Post by koko13 »

Hello!

I've tried to delete these rows, but it hasn't helped.
I need these rows for the RSA authentication. (Without these lines I cannot log in even as root.)
Anyway, everything looks good until the bash prompt. (Everything works fine /watching the ssh debug on another port/, but the prompt doesn't appear.)
Any other idea?
Thanks in advance,

Koko

sprucio
Posts: 143
Joined: 2005-03-29 03:30

#6 Post by sprucio »

Why do you need those two rows? Have you tried commenting them out and restarting SSH?

koko13
Posts: 5
Joined: 2005-03-30 07:50

#7 Post by koko13 »

sprucio wrote: Why do you need those two rows? Have you tried commenting them out and restarting SSH?
Yes I've tried, but it hasn't helped.


Koko

sprucio
Posts: 143
Joined: 2005-03-29 03:30

#8 Post by sprucio »

The only advice I can give you is to read the man page for this file and try to see if that helps.

Do you have TCP wrappers for SSH set (/etc/hosts.allow, /etc/hosts.deny)? SSH usually doesn't use this (and I'm not even 100% sure if it does) but I would check that out.

It also doesn't look like you are using PAM for SSH authentication as well so I'm not sure what the problem here is.

lacek
Posts: 764
Joined: 2004-03-11 18:49
Location: Budapest, Hungary

#9 Post by lacek »

Also, check if the file /etc/nologin is present. It theoretically disallows any but root login, but is removed during startup (or it should be).
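
The checks raised in this thread (AllowUsers and AllowGroups in post #4, /etc/nologin in post #9), as an added example that is not part of any post: per sshd_config(5), when both AllowUsers and AllowGroups are set a login has to satisfy both, so a name listed in AllowUsers is still refused if none of its groups is listed in AllowGroups. The function names, the group memberships and the nologin path are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): AllowUsers / AllowGroups / nologin checks.

# Print the arguments of every uncommented line for one keyword (case-insensitive).
directive_values() {  # $1 = config file, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Succeed if name $1 matches a pattern in list $2. Handles plain names, * and ?
# only; user@host forms and !negation are left out. Subshell keeps set -f local.
matches_any() (
    set -f
    for pat in $2; do
        case "$1" in $pat) exit 0 ;; esac
    done
    exit 1
)

# $1 = config, $2 = user, $3 = the user's groups, $4 = nologin path to test
ssh_access_verdict() {
    users=$(directive_values "$1" AllowUsers)
    groups=$(directive_values "$1" AllowGroups)
    if [ -n "$users" ] && ! matches_any "$2" "$users"; then
        echo "denied: $2 not in AllowUsers"; return 0
    fi
    if [ -n "$groups" ]; then
        ok=no
        for g in $3; do
            if matches_any "$g" "$groups"; then ok=yes; fi
        done
        if [ "$ok" = no ]; then
            echo "denied: no group of $2 in AllowGroups"; return 0
        fi
    fi
    # Simplification: the name root stands in for uid 0, which is exempt.
    if [ "$2" != root ] && [ -e "${4:-/etc/nologin}" ]; then
        echo "denied: nologin file present"; return 0
    fi
    echo allowed
}

# Constructed sample: only the two access-control lines come from the posted file.
sample_cfg=$(mktemp)
printf '%s\n' '# StrictModes yes' 'AllowGroups root efebbt' \
    'AllowUsers root efebbt efebkft' > "$sample_cfg"
# Group memberships and the nologin path below are assumed, not from the thread.
ssh_access_verdict "$sample_cfg" efebkft "efebkft users" /nonexistent/nologin
```

On a live system, pass the real /etc/ssh/sshd_config and the output of `id -Gn username` as the group list.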
