Re: ssh password problem

Todd Zullinger wrote:
> Frode Petersen wrote:
> > I had ssh set up and working. Then I got passwordless ssh working
> > using rsa public keys.
> >
> > Now, some days later, I can't get ssh to authenticate either way and
> > in either direction. (Same user on both machines.)
> >
> > I'm asked for the password (3 times in sequence), but it is rejected
> > every time. I do enter the password correctly. I log in locally
> > using the same passwords without a problem.
> >
> > Since the password request appears, I'd think that the connection
> > can be established, and that the problem lies within the domain of
> > authentication, but am a bit perplexed as to how to proceed. How can
> > I figure out what the problem is?
>
> Run ssh on the client with -v (add more -v's as needed).  That is
> often quite helpful.  Also, take a look at /var/log/secure on the
> server side.
>
> Are you using ssh-agent?  Is your key added to the agent still?
> (ssh-add -l will list the keys ssh-agent is holding for you)



Thank you! A 'tail -f /var/log/secure' showed the reason.
User <user> from <host> not allowed because listed in DenyUsers

In /etc/ssh/sshd.config I have these two lines:
DenyUsers *
AllowGroups <groupname>

(<user>, <host> and <groupname> are not used; real names are)

From the openssh manual: <quote>
DenyUsers
     This keyword can be followed by a list of user name patterns,
     separated by spaces.  Login is disallowed for user names that
     match one of the patterns.  Only user names are valid; a numerical
     user ID is not recognized.  By default, login is allowed for
     all users.  If the pattern takes the form USER@HOST then USER and
     HOST are separately checked, restricting logins to particular
     users from particular hosts.  The allow/deny directives are
     processed in the following order: DenyUsers, AllowUsers, DenyGroups,
     and finally AllowGroups.

AllowGroups
     This keyword can be followed by a list of group name patterns,
     separated by spaces.  If specified, login is allowed only for
     users whose primary group or supplementary group list matches one
     of the patterns.  Only group names are valid; a numerical group
     ID is not recognized.  By default, login is allowed for all
     groups.  The allow/deny directives are processed in the following
     order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

<end quote>

I understood the above text, specifically about the order, to mean that if I added the two lines in the config file, I would
1. Close for all connections from users.
2. Reopen for connections from users in that group.

Obviously, I was mistaken about the logic here.

As to why it worked the first time? Maybe I forgot to restart sshd, I don't know.

If I try to achieve what I intended, how should I use the Deny* and Allow* entries in sshd.config? Would using only the AllowGroups line automatically disable connections from users not belonging to that group?

Again, thanks!

Frode
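A small model of the documented evaluation order (DenyUsers, AllowUsers, DenyGroups, AllowGroups), added here as an example; it is not code from the thread or from OpenSSH itself. It reproduces the "listed in DenyUsers" rejection for the two-line config and shows that AllowGroups on its own already denies users outside the group. The user names, group names and hosts are constructed, and the USER@HOST handling follows the manual text quoted above.

```python
from fnmatch import fnmatchcase

def _match_user(user, host, patterns):
    """True if any space-separated pattern matches. A pattern of the form
    USER@HOST checks the user and the client host separately (per the manual);
    sshd patterns are shell-style globs, so fnmatch is used here."""
    for pat in patterns.split():
        if "@" in pat:
            upat, hpat = pat.split("@", 1)
            if fnmatchcase(user, upat) and fnmatchcase(host, hpat):
                return True
        elif fnmatchcase(user, pat):
            return True
    return False

def _match_group(groups, patterns):
    """True if any of the user's primary/supplementary groups matches a pattern."""
    return any(fnmatchcase(g, p) for g in groups for p in patterns.split())

def login_permitted(user, groups, host, cfg):
    """Walk the directives in the documented order. Every stage can only deny;
    nothing later in the chain re-enables a login that was already refused,
    which is why 'DenyUsers *' cannot be undone by AllowGroups."""
    if "DenyUsers" in cfg and _match_user(user, host, cfg["DenyUsers"]):
        return False, "listed in DenyUsers"
    if "AllowUsers" in cfg and not _match_user(user, host, cfg["AllowUsers"]):
        return False, "not listed in AllowUsers"
    if "DenyGroups" in cfg and _match_group(groups, cfg["DenyGroups"]):
        return False, "group listed in DenyGroups"
    if "AllowGroups" in cfg and not _match_group(groups, cfg["AllowGroups"]):
        return False, "no group listed in AllowGroups"
    return True, "allowed"

# Constructed accounts: name -> (groups, client host); purely illustrative.
USERS = {
    "frode": (["frode", "sshusers"], "laptop.example"),
    "guest": (["guest"], "laptop.example"),
}

# The two lines from the thread: DenyUsers * refuses everyone first.
BROKEN = {"DenyUsers": "*", "AllowGroups": "sshusers"}
# The intended effect: AllowGroups alone acts as the whitelist.
FIXED = {"AllowGroups": "sshusers"}

def evaluate(cfg):
    """Return {user: (permitted, reason)} for every constructed account."""
    return {u: login_permitted(u, g, h, cfg) for u, (g, h) in USERS.items()}
```

Running `evaluate(BROKEN)` denies every account with the reason seen in /var/log/secure, while `evaluate(FIXED)` admits only the member of the allowed group.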

