Todd Zullinger wrote:
> Frode Petersen wrote:
>> I had ssh set up and working. Then I got passwordless ssh working
>> using rsa public keys.
>> Now, some days later, I can't get ssh to authenticate either way and
>> in either direction. (Same user on both machines.)
>> I'm asked for the password (3 times in sequence), but it is rejected
>> every time. I do enter the password correctly. I log in locally
>> using the same passwords without a problem.
>> Since the password request appears, I'd think that the connection
>> can be established, and that the problem lies within the domain of
>> authentication, but am a bit perplexed as to how to proceed. How can
>> I figure out what the problem is?
> Run ssh on the client with -v (add more -v's as needed). That is
> often quite helpful. Also, take a look at /var/log/secure on the
> server side.
> Are you using ssh-agent? Is your key added to the agent still?
> (ssh-add -l will list the keys ssh-agent is holding for you)
Thank you! A 'tail -f /var/log/secure' showed the reason.
User <user> from <host> not allowed because listed in DenyUsers
In /etc/ssh/sshd.config I have these two lines:
DenyUsers *
AllowGroups <groupname>
(<user> <host> and <groupname> are not used; real names are)
From the openssh manual: <quote>
DenyUsers
This keyword can be followed by a list of user name patterns,
separated by spaces. Login is disallowed for user names that
match one of the patterns. Only user names are valid; a numerical
user ID is not recognized. By default, login is allowed for
all users. If the pattern takes the form USER@HOST then USER and
HOST are separately checked, restricting logins to particular
users from particular hosts. The allow/deny directives are
processed in the following order: DenyUsers, AllowUsers, DenyGroups,
and finally AllowGroups.

AllowGroups
This keyword can be followed by a list of group name patterns,
separated by spaces. If specified, login is allowed only for
users whose primary group or supplementary group list matches one
of the patterns. Only group names are valid; a numerical group
ID is not recognized. By default, login is allowed for all
groups. The allow/deny directives are processed in the following
order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
<end quote>
I understood the above text, specifically about the order, to mean that
if I added the two lines in the config file, I would
1. Close for all connections from users.
2. Reopen for connections from users in that group.
Obviously, I was mistaken about the logic here.
As to why it worked the first time? Maybe I forgot to restart sshd, I
don't know.
If I try to achieve what I intended, how should I use the Deny* and
Allow* entries in sshd.config? Would using only the AllowGroups line
automatically disable connections from users not belonging to that group?
Again, thanks!
Frode