I am having an odd problem with OpenSSH sshd on FC3. I am asking about the problem here because I think the problem may be outside of sshd itself. In the end, I am sure I have caused the problem myself, but am hoping someone else has seen it.
Symptoms: sshd rejects all users but one (my account) with "*user* rejected because not in AllowUsers". This message appears in /var/log/secure. When logging in with ssh, it asks for and appears to reject the password (even though a public key is configured). The funny thing is that AllowUsers is *empty*.
Background: When I installed the server, I immediately created a new user account, added it to AllowUsers, and turned off root login. I reloaded the server (service reload sshd) and began connecting as this user. It worked. Root was, correctly, denied. Now I have added more accounts and wish to allow login for some of them. In fact, I want to allow all users and let the shell setting disallow the users it should (shell=/dev/null). Most of the users have been created by Webmin/Virtualmin. Two were created with useradd at the prompt (including the one that *is* allowed to ssh).
At first, I went into Webmin and added another user to the AllowUsers list and saved it. No effect. I verified that I have set the user's shell (/bin/zsh, which is in /etc/shells). I forced a reload of sshd. I verified that the AllowUsers field had been updated in /etc/ssh/sshd_config.
Next, I went back to Webmin/SSH module and set it to allow all logins (the ones I do not want have shells set to /dev/null). I looked at sshd_config and verified that AllowUsers had been removed from the file (the man page says that it defaults to allow all). No good. I reloaded sshd and still no good.
The original user account is still let in. No new account, whether created in Webmin or by useradd, can log in. The original account has its personal group and wheel. Of the other accounts being rejected, at least one is also in wheel. I do not see any other related messages in the logs.
I have also tried setting AllowUsers to "*" and I have tried replacing the *original config file* from the RPM with *no change*.
Questions:
1) Why is sshd not allowing all users with an empty AllowUsers?
2) If it is not defaulting to allow all, why let the original account in?
3) Why did the original config file not reset the behavior (!)?
I am forced to conclude that sshd is simply not reading /etc/ssh/sshd_config, though it is reloading (I get disconnected each time) and I can find no other file on the system which it might be reading instead. In particular, I have gone through every file on the system in which the original account name appears looking for a ghost allow list somewhere with no result. Now I am getting very confused.
-- 
Eric Vought
Technical Director, Diversity Ink
Morgan Family Enterprises
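Added example, not from the original post or from OpenSSH: a shell script that lists every AllowUsers pattern in an sshd_config (including patterns spread over several lines, which are easy to miss when eyeballing the file) and checks whether a given user would pass them, plus a helper that reports which config path the daemon was started with. The sample config, the user names and the deploy/backup patterns are constructed; user@host patterns are matched on the user part only, a simplification.

```bash
#!/bin/bash
# Added example, not from the original post. Given an sshd_config, list the
# AllowUsers patterns sshd would apply and decide whether a user passes them:
# no AllowUsers directive at all means everyone is allowed, otherwise the
# user must match one pattern (wildcards * and ?; user@host patterns are
# matched on the user part only here, a simplification).

# Collect every AllowUsers token. The keyword is case-insensitive, lines
# starting with '#' are comments, and several AllowUsers lines accumulate.
allow_users_list() {
    awk '/^[[:space:]]*#/ { next }
         tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# Return 0 if USER is accepted by the AllowUsers rules in CONFIG, 1 if sshd
# would reject it as "not in AllowUsers".
allow_users_permits() {
    config=$1; user=$2
    list=$(allow_users_list "$config")
    [ -z "$list" ] && return 0          # no directive: default allows all
    while read -r pat; do
        pat=${pat%%@*}                  # drop the host part of user@host
        case $user in $pat) return 0 ;; esac
    done <<EOF
$list
EOF
    return 1
}

# Which file the daemon actually reads: /etc/ssh/sshd_config unless it was
# started with -f. Pass the daemon's arguments, e.g. from `ps -C sshd -o args=`.
sshd_config_path() {
    prev=""
    for arg in "$@"; do
        [ "$prev" = "-f" ] && { printf '%s\n' "$arg"; return 0; }
        prev=$arg
    done
    printf '%s\n' /etc/ssh/sshd_config
}

# Constructed sample config (not the poster's file): AllowUsers is split over
# two lines, so the second line silently extends the first.
sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
PermitRootLogin no
# first AllowUsers line added when the server was set up
allowusers evought
AllowUsers deploy@10.0.0.* backup?
EOF
    printf '%s\n' "$f"
}
```

Run `allow_users_permits "$(sshd_config_path $(ps -C sshd -o args=))" someuser` on the server to test the file the running daemon was actually given rather than the one you edited.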