Access denied - SSH login
-
@fuznutz04 said in Access denied - SSH login:
I have a new FreePBX box that I set up SSH access for, and I cannot log in. I'm attempting to log in with a password, on another port, and I keep receiving access denied messages. I went through the same process as I always do for enabling SSH connectivity. Either something is wrong that I've never run into before, or I'm just having a brain fail this morning.
Added a user
useradd user1
passwd user1
Added user to wheel group
gpasswd -a user1 wheel
Edited the /etc/ssh/sshd_config file and:
Changed the port number
Added AllowGroups wheel
Changed PermitRootLogin to no.
Restarted the SSH service
Tail of secure says:
Failed password for user1 from xxx.xxx.xxx.xxx port 52293 ssh
What am I missing?
Reset the password for the user account again?
-
@JaredBusch Yep, and I also created another user just to be sure. No dice. Also restarted the entire server for good measure.
-
@fuznutz04 said in Access denied - SSH login:
@JaredBusch Yep, and I also created another user just to be sure. No dice. Also restarted the entire server for good measure.
Reenable root login via SSH and see if that works on the new port setup.
-
Nope, Permission denied after allowing root, changing root's password, and restarting ssh
-
Up the verbosity when you connect and see if it provides any additional clues.
ssh -vvv user@host
-
After entering password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
-
Have you tried stopping Fail2Ban? Anything strange showing up in your Fail2Ban logs?
-
This will show your Fail2Ban jails and display whether your IP is blacklisted.
sudo iptables -L -n
-
Nothing is blacklisted. In fact, in both Fail2Ban as well as the Responsive firewall in firewall, the IP I'm trying to connect from is whitelisted/in the trusted zone.
For good measure, I stopped Fail2Ban, and still receive the same messages.
-
<sarcasm>
Are you certain CAPS-LOCK isn't on?
</sarcasm>
-
Are you monitoring the /var/log/secure file as you are trying to connect? Have you tried connecting to the freepbx IP instead of hostname?
-
Just tried, and it says Failed password for invalid user root from IP port xxxxx ssh2
-
"invalid user root"
What does your sshd_config file look like? Is root allowed? Have you restarted the ssh server since you made the last changes to the config file?
-
@RamblingBiped said in Access denied - SSH login:
"invalid user root"
What does your sshd_config file look like? Is root allowed? Have you restarted the ssh server since you made the last changes to the config file?
Yes, service is restarted. The only changes to the stock sshd_config file are:
PermitRootLogin yes
AllowGroups wheel
Port xxxx
AddressFamily inet
-
Firewall?
-
Test the login from the box itself using the loopback 127.0.0.1
-
@scottalanmiller said in Access denied - SSH login:
Test the login from the box itself using the loopback 127.0.0.1
No go. Permission denied, using the same password that I just logged in with.
-
@fuznutz04 said in Access denied - SSH login:
@scottalanmiller said in Access denied - SSH login:
Test the login from the box itself using the loopback 127.0.0.1
No go. Permission denied, using the same password that I just logged in with.
Okay, so you can rule out networking, both firewalls, etc. It's all down to SSH configuration at this point.
-
@scottalanmiller said in Access denied - SSH login:
@fuznutz04 said in Access denied - SSH login:
@scottalanmiller said in Access denied - SSH login:
Test the login from the box itself using the loopback 127.0.0.1
No go. Permission denied, using the same password that I just logged in with.
Okay, so you can rule out networking, both firewalls, etc. It's all down to SSH configuration at this point.
Thanks for the tip. That definitely narrowed it down. So after playing with the config file for a while, I concluded that the problem is the line:
AllowGroups wheel
If I comment that out, it works perfectly. If it's uncommented, it doesn't allow access, even to root.
(looks up and to the right while squinting eyes, confused...)
-
Yeah, that is a bit odd.
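-
One way to test the AllowGroups finding above, as an added example that is not part of the original thread: compare the AllowGroups value sshd actually loaded with the groups the account really has, since AllowGroups applies to every user, root included. The function names are made up for this example, and negated (`!`) patterns and Match blocks are not handled.

```bash
#!/bin/sh
# Added example (not from the thread): does a user pass sshd's AllowGroups check?

# group_allowed "<AllowGroups patterns>" "<user's group names>"
# Returns 0 if any group matches any pattern ('*' and '?' wildcards allowed),
# or if no AllowGroups is configured at all. Returns 1 otherwise.
group_allowed() {
    local patterns="$1" ugroups="$2" p g
    [ -z "$patterns" ] && return 0   # no AllowGroups: no group restriction
    set -f                           # keep '*' from expanding to filenames
    for p in $patterns; do
        for g in $ugroups; do
            case $g in
                $p) set +f; return 0 ;;
            esac
        done
    done
    set +f
    return 1
}

# effective_allowgroups [config_file]
# Prints the AllowGroups entries from sshd's parsed configuration.
# 'sshd -T' dumps the effective config with lowercase keywords; run as root.
effective_allowgroups() {
    sshd -T ${1:+-f "$1"} 2>/dev/null |
        awk '$1 == "allowgroups" { for (i = 2; i <= NF; i++) printf "%s ", $i }'
}

# check_user <name>: report what sshd will compare for this account.
check_user() {
    local user="$1" allowed ugroups
    allowed=$(effective_allowgroups)
    ugroups=$(id -Gn "$user") || return 2   # unknown user
    echo "AllowGroups: ${allowed:-<not set>}"
    echo "$user is in: $ugroups"
    if group_allowed "$allowed" "$ugroups"; then
        echo "OK: group check passes for $user"
    else
        echo "DENIED: none of $user's groups are listed in AllowGroups"
        return 1
    fi
}

# Run only when a user name is given, e.g.: sudo sh check_allowgroups.sh user1
if [ "$#" -gt 0 ]; then check_user "$1"; fi
```

Running it for both `root` and `user1` shows whether the `gpasswd -a` change is visible to `id` and whether the `AllowGroups` line sshd parsed is the one that was edited.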