Gentoo Forums
ssh connection denied
Gentoo Forums Forum Index :: Networking & Security
_SkeLeToN_
Guru
Joined: 12 Sep 2002
Posts: 506
Location: Montreal, Canada

Posted: Tue Dec 17, 2002 1:03 am    Post subject: ssh connection denied

Hi, I installed the latest version of openssh and I followed the security guide for the ssh part.

This is my /etc/ssh/sshd_config
Code:

Port 22
Protocol 2
ListenAddress 192.168.123.124
#ListenAddress 127.0.0.1

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
#LoginGraceTime 120
PermitRootLogin no
#StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# No one other than members of wheel or admin should have access
AllowGroups wheel admin

# And 2 users
AllowUsers skeleton cecil


# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /usr/lib/misc/sftp-server


As my user skeleton, I created my RSA key with ssh-keygen -t rsa and typed my passphrase.

Now I added another user on the same computer where sshd is running (users skeleton and cecil are on the sshd computer). I copied the id_rsa.pub from my user skeleton to the user cecil under /home/cecil/.ssh/authorized_keys/

Under the user cecil I type this and get:
Code:

cecil@Atlas:~$ ssh -l skeleton 192.168.123.124
Permission denied (publickey,keyboard-interactive).
cecil@Atlas:~$ ssh -l skeleton 127.0.0.1     
ssh: connect to host 127.0.0.1 port 22: Connection refused
cecil@Atlas:~$


I'm doing something wrong or I didn't understand something ... please help.

PS: I am doing that locally before I try from the outside ... that should not be a problem, right?
nihilo
Apprentice
Joined: 05 Nov 2002
Posts: 168
Location: Berkeley, CA, USA

Posted: Tue Dec 17, 2002 4:26 am

Try commenting out the following line:
Code:
ListenAddress 192.168.123.124


I had trouble getting ssh to work after following the security guide, and this was one of the problems that I had. Without that line, it defaults to listening on any address.

See the following thread for some of the suggestions that were offered when I had the same problem: https://forums.gentoo.org/viewtopic.php?t=22553. I changed so many things over the course of a couple of weeks that I can't remember what finally got it working. I do remember that the ListenAddress line was one of the problems though. You might also want to get it working using password authentication first. Better to slowly tighten it down than do it all at once.

Here is my working sshd_config file, in case it helps:
Code:

nihilo@localhost ssh $ cat sshd_config
#Only enable version 2
Protocol 2

#No direct root access
PermitRootLogin no

#Turn on RSA key authentication
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

#Disable .rhost files and normal password auth.
RhostsAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no

# No one other than members of wheel or admin should have access
AllowGroups wheel admin

#And 1 user (member of wheel)
AllowUsers nihilo

#add logging level
SyslogFacility AUTH
LogLevel INFO

#bind
Port 9999
nihilo@localhost ssh $


One last thing: the "Permission denied (publickey,keyboard-interactive)" message means that the rsa authentication is failing and it can't try anything else (because you have it set to only use rsa), probably because of key issues. The other error message you're getting means that the connection is refused immediately because you're using an ip address other than the one that you bound it to. Commenting out that ListenAddress line should get rid of the 'connection refused' issue, then you just have to figure out which key is not correct.
doug-x07
Tux's lil' helper
Joined: 16 Nov 2002
Posts: 122
Location: Paris, France

Posted: Tue Dec 17, 2002 9:43 am

Take a look in your logs; normally they should give you a bit more information about why the connection was refused. I've had a few similar issues setting up sshd in the past. Normally there are two potential problems. Listen address: I saw a post on the OpenSSH mailing list suggesting to set it to:

Code:
ListenAddress 0.0.0.0
I have had no problems since doing that.

The other problem you can encounter is with write permissions on the user's directory containing the authorized_keys file. If that or the user's home directory is world-writable, sshd will refuse to accept connections from that user. To be sure what the problem is, set
Code:
LogLevel Debug3
and check the output in authentication.log (sorry, I'm not connected to Gentoo here so that might not be the exact name). Hope that gives you a few leads, skeleton.
_________________
#! /usr/bin/perl
if( @first != $succeed ) {
post { $question->forum && eval '$answers' };
try { $again } catch { $problem && $resolve };
bless $posters; }
doug-x07
Tux's lil' helper
Joined: 16 Nov 2002
Posts: 122
Location: Paris, France

Posted: Tue Dec 17, 2002 9:45 am

Sorry, typo in the above:

Code:
LogLevel DEBUG3

rtn
Guru
Joined: 15 Nov 2002
Posts: 427

Posted: Tue Dec 17, 2002 4:16 pm    Post subject: Re: ssh connection denied

_SkeLeToN_ wrote:
Now I added another user on the same computer where sshd is running (users skeleton and cecil are on the sshd computer). I copied the id_rsa.pub from my user skeleton to the user cecil under /home/cecil/.ssh/authorized_keys/


What you probably want is to copy id_rsa.pub to the flat file called
/home/cecil/.ssh/authorized_keys, not put it into a directory.

Also, if you connect with ssh -v, it will give you more output as to why
your connection might have failed.

Lastly, don't forget that unless you've specifically set USE="-tcpd" that
sshd will be built with tcp wrapper support - so you may need to edit
your /etc/hosts.allow if you have ALL:ALL in your /etc/hosts.deny.
It would look like this:

Code:
$ ssh -v localhost
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/rtn/.ssh/identity type -1
debug1: identity file /home/rtn/.ssh/id_rsa type -1
debug1: identity file /home/rtn/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
debug1: Calling cleanup 0x8062c74(0x0)



--rtn
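The two conditions rtn and doug-x07 describe (authorized_keys must be a flat file, not a directory, and neither the home directory, ~/.ssh nor the key file may be group- or world-writable, which is what sshd's StrictModes enforces) can be checked before retrying the login. The following shell script is an added example, not code from the thread or from OpenSSH; the function names and the constructed sample key line are assumptions.

```shell
#!/bin/sh
# Added example: reproduces the checks sshd applies (StrictModes) before it
# reads ~/.ssh/authorized_keys, plus the thread's mistake of creating
# authorized_keys as a directory.
#   check_ssh_home /home/cecil [owner]   (owner defaults to the calling user)
# Prints one line per problem found; returns 0 if clean, 1 otherwise.

# Print "mode owner" for a path (e.g. "drwxr-xr-x cecil") using ls -ld,
# so it works without GNU stat.
mode_and_owner() {
    ls -ld "$1" | awk '{ print substr($1, 1, 10), $3 }'
}

# Report a path that is not owned by OWNER or is group/world writable.
# (sshd also accepts root ownership; this check is stricter for clarity.)
perm_problems() {
    path="$1"; owner="$2"
    set -- $(mode_and_owner "$path")          # $1=mode $2=owner
    [ "$2" = "$owner" ] || echo "$path: owned by $2, expected $owner"
    case "$1" in                               # char 6 = group w, char 9 = other w
        ?????w????|????????w?) echo "$path: group- or world-writable ($1)" ;;
    esac
}

# List every problem with HOME's .ssh setup; nothing printed means clean.
report_ssh_home() {
    home="$1"; owner="$2"; keys="$home/.ssh/authorized_keys"
    for p in "$home" "$home/.ssh"; do
        if [ -d "$p" ]; then perm_problems "$p" "$owner"
        else echo "$p: missing directory"; fi
    done
    if [ -d "$keys" ]; then
        echo "$keys: is a directory; sshd expects a flat file of public keys"
    elif [ ! -f "$keys" ]; then
        echo "$keys: missing"
    else
        perm_problems "$keys" "$owner"
        grep -Eq '^(ssh-|ecdsa-|sk-)' "$keys" || echo "$keys: no public key line"
    fi
}

check_ssh_home() {
    out=$(report_ssh_home "$1" "${2:-$(id -un)}")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"; return 1
}
```

Run it as the user whose home is being checked (here cecil), then log in with ssh -v as the thread suggests to confirm which key is now accepted.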
_SkeLeToN_
Guru
Joined: 12 Sep 2002
Posts: 506
Location: Montreal, Canada

Posted: Wed Dec 18, 2002 12:46 am

OK, I made some changes ... First I recompiled ssh with -tcpd in the USE flag. Then I tried ListenAddress 0.0.0.0 and still no luck. I commented out the line and tried again, and no luck either. (I stop and start the service each time I change something in the sshd_config.)

As for cecil, I copied the id_rsa.pub to the /home/cecil/.ssh/authorized_keys file.

My user has the rights on it and still no luck; I can't seem to find a solution for it.


Code:

cecil@Atlas:~/.ssh$ ssh -v -l skeleton 192.168.123.124
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to 192.168.123.124 [192.168.123.124] port 22.
debug1: Connection established.
debug1: identity file /home/cecil/.ssh/identity type -1
debug1: identity file /home/cecil/.ssh/id_rsa type 1
debug1: identity file /home/cecil/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 117/256
debug1: bits set: 1557/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.123.124' is known and matches the RSA host key.
debug1: Found key in /home/cecil/.ssh/known_hosts:1
debug1: bits set: 1617/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/cecil/.ssh/identity
debug1: try pubkey: /home/cecil/.ssh/id_rsa
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: try privkey: /home/cecil/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: no more auth methods to try
Permission denied (publickey,keyboard-interactive).
debug1: Calling cleanup 0x806c4a0(0x0)


Any idea?
rtn
Guru
Joined: 15 Nov 2002
Posts: 427

Posted: Wed Dec 18, 2002 2:45 am

If you're trying to log into skeleton@192.168.123.124, you need to have
your authorized_keys file in that user's directory, not in /home/cecil.

--rtn
_SkeLeToN_
Guru
Joined: 12 Sep 2002
Posts: 506
Location: Montreal, Canada

Posted: Wed Dec 18, 2002 2:55 pm

Oh! My bad, that should be my error... I can't try right now but I will look at it tonight.

Thanks