Create a new SSH user but can't login ("Permission denied")

I created a new SSH user (useradd mynewuser); however, when I try to connect remotely, I receive a permission denied error.

I searched EE and found this article, which looks like a similar problem... but I don't understand the solution:

http://www.experts-exchange.com/OS/Linux/Administration/Q_21613008.html?sfQueryTermInfo=1+creat+ssh+user

This is from my SSH configuration file (/etc/ssh/sshd_config):

   # Authentication:
   PermitRootLogin yes
   #StrictModes yes
   MaxAuthTries 3

Here is my user ID info:

   uid=514(mynewuser) gid=515(mynewuser) groups=515(mynewuser)

Any ideas?
Asked by: bearclaws75

ry_berk Commented:
I think the article is saying to change it to: PermitRootLogin no
Then change the uid and gid from 514 and 515 to something else. (I believe they are root IDs.)

Give it a shot.

Also check to make sure you are entering the information in correctly every time.
0
medvedd Commented:
What about PasswordAuthentication in sshd_config? If it's set to No, change it to Yes and restart sshd.
0
bearclaws75 (Author) Commented:

ry_berk --> Isn't "0" the root UID/GID?

medvedd --> PasswordAuthentication is set to "yes". Here are some additional settings from the file.

   # To disable tunneled clear text passwords, change to no here!
   #PermitEmptyPasswords no
   PasswordAuthentication yes

   # Change to no to disable s/key passwords
   #ChallengeResponseAuthentication yes
   ChallengeResponseAuthentication no

   # Kerberos options
   #KerberosAuthentication no
   #KerberosOrLocalPasswd yes
   #KerberosTicketCleanup yes
   #KerberosGetAFSToken no

   # GSSAPI options
   #GSSAPIAuthentication no
   GSSAPIAuthentication yes
   #GSSAPICleanupCredentials yes
   GSSAPICleanupCredentials yes
   
0
Jan Springer Commented:
If you have console access and will not hinder other remote port 22 connections, stop sshd and:

    sshd -D

If you have to maintain the existing port 22 in daemon mode, copy the sshd_config to sshd_24_config, change the port to 24 in the alternate config and:

    sshd -p 24 -D -f /path/to/alternate/sshd_24_config

Have the client connect using port 24.

Things to check:

1) are you requiring forward and inverse DNS and the client does not have matching data
2) do you have an 'AllowUsers' in sshd_config that restricts by username
3) do you have 'PasswordAuthentication yes' in your sshd_config
0
tty2 Commented:
Can the user log in locally? Check the user's shell and homedir in /etc/passwd.
Set

   UsePAM yes

in /etc/ssh/sshd_config.
0
bearclaws75 (Author) Commented:
jesper --> I did NOT have the new user in the AllowUsers list.

I added the new user and am now able to connect (i.e. no more permission denied message)...but the connection immediately closes. Here is the message I get:

   Last login: Fri Apr 16 11:08:42 2010 from c-98-214-241-123.hsd1.il.comcast.net
   usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
              [-D [bind_address:]port] [-e escape_char] [-F configfile]
              [-i identity_file] [-L [bind_address:]port:host:hostport]
              [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
              [-R [bind_address:]port:host:hostport] [-S ctl_path]
              [-w local_tun[:remote_tun]] [user@]hostname [command]
   Connection to 12.345.678.172 closed.
   #

I tested my login as "root" and have no problems.

I've added my sshd_config file here (as .txt) for reference.

sshd-config.txt
0
medvedd Commented:
Can you show the content of your /etc/pam.d/sshd file?
0
Jan Springer Commented:
In sshd_config, uncomment:

   SyslogFacility AUTH

And what is the shell for this account?  It sounds like a valid auth but no valid shell.

If your PAM sshd isn't configured correctly, you can immediately find out by changing 'UsePAM' to 'no' in your sshd_config.
0
bearclaws75 (Author) Commented:
This is the content of /etc/pam.d/sshd...

   #%PAM-1.0
   auth       include      system-auth
   account    required     pam_nologin.so
   account    include      system-auth
   password   include      system-auth
   session    optional     pam_keyinit.so force revoke
   session    include      system-auth
   session    required     pam_loginuid.so
0
bearclaws75 (Author) Commented:
jesper --> good point RE: shell access. I think the user configuration got messed up during my testing.

I deleted and re-added the user and can now access SSH successfully :)

It looks like this was the primary problem: I simply needed to add the user to the AllowUsers list.

Thanks!
0
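
Added example, not part of the original thread: a small Python check for the causes discussed above (a user missing from AllowUsers, PasswordAuthentication turned off, an account without a usable login shell). The sample config and passwd lines are constructed, the `deploy` user is hypothetical, and the parser is a simplification: it reads only the global section (before any Match block), ignores the host part of `user@host` patterns, and does not handle negated patterns.

```python
import fnmatch

# Constructed sample input (not the poster's real files).
SAMPLE_CONFIG = """\
# Authentication:
PermitRootLogin yes
MaxAuthTries 3
AllowUsers root deploy
PasswordAuthentication yes
"""
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "mynewuser:x:514:515::/home/mynewuser:/sbin/nologin\n")

def parse_global(config_text):
    """Return {keyword: [args]} for the global section (before any Match)."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        key = key.lower()                          # keywords are case-insensitive
        if key == "match":
            break
        if key == "allowusers":
            opts.setdefault(key, []).extend(args)  # repeated lines accumulate
        else:
            opts.setdefault(key, args)             # first occurrence wins
    return opts

def diagnose(config_text, passwd_text, user):
    """List reasons this user's password login over SSH would fail or drop."""
    findings = []
    opts = parse_global(config_text)
    allow = opts.get("allowusers")
    # Only the user part of user@host patterns is compared here.
    if allow is not None and not any(
            fnmatch.fnmatchcase(user, p.split("@", 1)[0]) for p in allow):
        findings.append("not in AllowUsers")
    if (opts.get("passwordauthentication") or ["yes"])[0].lower() != "yes":
        findings.append("PasswordAuthentication disabled")
    fields = next((l.split(":") for l in passwd_text.splitlines()
                   if l.split(":")[0] == user), None)
    if fields is None or len(fields) < 7:
        findings.append("no valid passwd entry")
    elif fields[6].rsplit("/", 1)[-1] in ("nologin", "false"):
        findings.append("no usable login shell")
    return findings
```

On a live host, feed it the contents of /etc/ssh/sshd_config and /etc/passwd; an empty list means none of these three checks explains the failure.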