ssh is not allowing individual user to login through passwd authentication

rammaghenthar
Hi

I have this version of ssh available on our server:
ssh: F-Secure SSH 5.0.3 on powerpc-ibm-aix5.3.0.0
I have created user testttu in a local LPAR. I am unable to log in to this LPAR with this user.

/var/log/messages shows the error message below. Could anybody help please?

sshd2[716844]: password authentication failed. Connection from <hostname>denied. Authentication as user testttu was attempted.

lsuser testttu
testttu id=206 pgrp=staff groups=staff home=/home/testttu shell=/usr/bin/ksh auditclasses=barclays_audit1 login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=7 account_locked=false minage=0 maxage=4 maxexpired=-1 minalpha=2 minother=2 mindiff=2 maxrepeats=4 minlen=8 histexpire=52 histsize=12 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=-1 stack=-1 core=-1 rss=-1 nofiles=-1 fsize_hard=-1 cpu_hard=-1 data_hard=-1 stack_hard=-1 core_hard=-1 rss_hard=-1 nofiles_hard=-1 time_last_unsuccessful_login=1272466585 tty_last_unsuccessful_login=ssh host_last_unsuccessful_login=tide2001u unsuccessful_login_count=0 roles=


Below is the ssh_config entry I have on the server:

# $Header: /repos/consol/mandatory/aix/SSHLR2/RCS/node_sshd2_config_template,v 2.4 2005/10/18 13:09:20 root Exp $
#
# sshd default node configuration template for Landscape Release 2
#
AllowAgentForwarding    yes
#Specifies whether agent forwarding is permitted

AllowedAuthentications  password, publickey
#This keyword specifies the authentication methods that are allowed. If RequiredAuthentications is specified, AllowedAuthentications is simply ignored.

AllowedPasswordAuthentications  kerberos,local
#This keyword specifies the different password authentication schemes that are allowed.

#AllowGroups    su_root
#This keyword can be followed by any number of group name patterns, separated by commas.

AllowHosts      NOT SPECIFIED
#This keyword can be followed by any number of host name patterns, separated by commas.

#AllowSHosts    NOT SPECIFIED
#This keyword can be followed by any number of host name patterns, separated by commas.

AllowTcpForwarding      yes
#Specifies whether TCP forwarding is permitted.

AllowTcpForwardingForGroups     NOT SPECIFIED
#The syntax is the same as in AllowGroups, but instead of login, this controls the ability to forward ports, in remote or local forwarding.

AllowTcpForwardingForUsers      NOT SPECIFIED
#Syntax is the same as in AllowUsers, but instead of login, this controls the ability to forward ports, in remote or local forwarding.

#AllowUsers     NOT SPECIFIED
AllowUsers      testttu*
#This keyword can be followed by any number of user name patterns or user@host patterns, separated by commas.

AllowX11Forwarding              yes
#Specifies whether X11 forwarding is permitted.

AuthorizationFile       authorization
#Specifies the name of the user's authorization file.

BannerMessageFile       /etc/ssh2/ssh_banner_message
#Specifies the path to the message that is sent to the client before authentication.

CheckMail       no
#Specifies if sshd should print information whether there is new mail or not when a user logs in interactively.

#ChRootGroups   NOT SPECIFIED
#Specifies whether sshd should give the user who belongs to the defined group a chrooted environment.

#ChRootUsers    NOT SPECIFIED
#Specifies whether sshd should give the user a chrooted environment.

Ciphers aes, 3des
#Specifies the ciphers to use for encrypting the session.

#DenyGroups     NOT SPECIFIED
#This keyword can be followed by any number of group name patterns, separated by commas.

#DenyHosts      NOT SPECIFIED
#This keyword can be followed by any number of host name patterns, separated by commas

#DenySHosts     NOT SPECIFIED
#This keyword can be followed by any number of host name patterns, separated by commas

#DenyTcpForwardingForGroups     NOT SPECIFIED
#The syntax is the same as in DenyGroups, but instead of login, this controls the ability to forward ports, in remote or local forwarding.

#DenyTcpForwardingForUsers      NOT SPECIFIED
#The syntax is the same as in DenyUsers, but instead of login, this controls the ability to forward ports, in remote or local forwarding.

#DenyUsers      NOT SPECIFIED
#This keyword can be followed by any number of user name patterns or user@host patterns, separated by commas.

#DontFork       yes
#VERSION 3.3 ONLY - Controls whether or not the server should fork after starting.

#ForcePTTYAllocation    NOT SPECIFIED
#Force tty allocation, i.e., allocate a tty even if a command is given.

HostbasedAuthForceClientHostnameDNSMatch        no
#If the host name given by the client does not match the one found in DNS, fail host-based authentication.

HostKeyFile     /etc/ssh2/hostkey
#Specifies the file containing the private host key (default /etc/ssh2/hostkey).

#HostSpecificConfig     NOT SPECIFIED
# Specifies a subconfiguration file to be used for listed hosts.

IdleTimeOut     0
#Sets the idle timeout limit to time in seconds (s or nothing after number), in minutes (m), in hours (h), in days (d), or in weeks (w )

IgnoreRhosts    no
#Specifies that the rhosts and shosts files will not be used in "hostbased" authentication (see AllowedAuthentications )

IgnoreRlogin    no
#VERSION 3.3 ONLY - The SSH server's handling of the AIX rlogin flag can now be specified in the server config file by changing the value of the IgnoreRlogin configuration option.

IgnoreRootRhosts        yes
#Specifies that the rhosts and shosts files will not be used in authentication for root.

KeepAlive       yes
#Specifies whether the system should send keepalive messages to the other side.

ListenAddress   xx.xx.xx.xxx
#Specifies the IP address of the interface where the sshd2 server socket is bound.

LoginGraceTime  1200
#The server disconnects after this time if the user has not successfully logged in

MACs    hmac-sha1
#Specifies the MAC (Message Authentication Code) algorithm to use for data integrity verification.

MaxBroadcastsPerSecond  0
#Specifies how many UDP broadcasts server handles per second.

MaxConnections  0
#Specifies the maximum number of connections sshd2 will handle simultaneously.

NoDelay no
#If "yes", enable socket option TCP_NODELAY.

PasswordGuesses 3
#Specifies the number of tries that the user has when using password authentication

PermitEmptyPasswords    no
#When password authentication is allowed, it specifies whether the server allows login to accounts with empty password strings.

PermitRootLogin nopwd
#Specifies whether the root can log in using ssh2.

Port    22
#Specifies the port number that sshd2 listens on.

PrintMotd       yes
#Specifies whether sshd2 should print /etc/motd when a user logs in interactively.

PublicHostKeyFile       /etc/ssh2/hostkey.pub
#Specifies the file containing the public host key (default /etc/ssh2/hostkey.pub).

QuietMode       no
#Specifies whether the system runs in quiet mode. In quiet mode, nothing is logged in the system log, except fatal errors.

#RadiusKey      NOT SPECIFIED
#Specifies the shared secret used between ssh and RADIUS servers.

#RadiusServer   NOT SPECIFIED
#Specifies the RADIUS server address.

#RandomSeedFile NOT SPECIFIED
#Specifies the name of the random seed file.

#RekeyIntervalSeconds   NOT SPECIFIED
#Specifies the interval in seconds at which the key exchange will be done again.

RequiredAuthentications password
#Related to AllowedAuthentications, this is used to specify what authentication methods the users must complete before continuing

RequireReverseMapping   no
#This is used to check whether hostname DNS lookup must succeed when checking whether connections from host are allowed using AllowHosts and DenyHosts.

#SettableEnvironmentVars        NOT SPECIFIED
#This keyword can be followed by any number of patterns, separated by commas.

Ssh1Compatibility       no
#Specifies whether to use SSH1 compatibility code.

#Sshd1ConfigFile        NOT SPECIFIED
#Specifies alternate config file to specify for sshd1, when it is executed by sshd2 in compatibility mode.

#Sshd1Path      NOT SPECIFIED
#Specifies the path to sshd1 daemon which will be executed if the client supports only SSH 1.x protocols.

#SshPAMClientPath       NOT SPECIFIED
#Specifies the path to ssh-pam-client, which is used as a helper application to converse with the PAM modules by sshd2.

StrictModes     no
#Specifies whether sshd2 should check file modes and ownership of the user's home directory and rhosts files before accepting login.

subsystem-sftp  /usr/bin/sftp-server2
#subsystem-sftp  internal://sftp-server
#Sftp uses a subsystem of sshd2 to transfer files securely. In order to use the sftp server, you must have the following subsystem definition:

SyslogFacility  AUTH
#Gives the facility code that is used when logging messages from sshd2.

UserConfigDirectory     %D/.ssh2
#Specifies where user-specific configuration data should be fetched from.

UserKnownHosts  yes
#Specifies whether the user's $HOME/.ssh2/knownhosts/ directory can be used to fetch host public keys when using "hostbased" authentication.

UserSpecificConfig      root /etc/ssh2/root_subconfig
# Specifies a subconfiguration file to be used for listed users.

#VerboseMode    NOT SPECIFIED
#Verbose mode. Causes sshd2 to print debugging messages about its progress.
Commented:
1) AllowHosts      NOT SPECIFIED
needs to be commented out, else only hosts "NOT" and "SPECIFIED" are allowed.

2) Do you use TCP wrappers? If yes, what's in /etc/host.allow resp. /etc/host.deny?

wmp
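As an added example (not from the thread or from F-Secure), a small POSIX sh/awk lint for the problem wmp raises in item 1: it reports every uncommented keyword still carrying the template's "NOT SPECIFIED" placeholder, and a second function comments those lines out so sshd2 treats them as unset. It assumes only the keyword/value layout of the posted sshd2 config; the sample config and the /tmp paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: lint an sshd2 configuration for
# template placeholders left active. An uncommented line such as
# "AllowHosts  NOT SPECIFIED" is read by sshd2 as the two host patterns
# "NOT" and "SPECIFIED", so no real client host is allowed to log in.

# Print every active (uncommented) placeholder line as "keyword NOT SPECIFIED";
# exit status 1 if any were found, else 0.
check_placeholders() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blanks
        {
            kw = $1; $1 = ""; val = $0
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (val == "NOT SPECIFIED") { print kw " " val; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Write the config to stdout with each offending line commented out, which is
# how the template itself marks unset keywords (compare "#AllowSHosts NOT SPECIFIED"
# in the posted file). Comments, blanks and all other lines pass through unchanged.
comment_out_placeholders() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            line = $0; $1 = ""; val = $0
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (val == "NOT SPECIFIED") print "#" line; else print line
        }
    ' "$1"
}

# Constructed sample: a cut-down version of the posted config, written to $1.
write_sample_config() {
    cat > "$1" <<'EOF'
AllowHosts      NOT SPECIFIED
#AllowSHosts    NOT SPECIFIED
AllowUsers      testttu*
AllowTcpForwardingForGroups     NOT SPECIFIED
Port    22
EOF
}

# Dry run on the constructed sample: sh lint.sh --demo
if [ "${1:-}" = "--demo" ]; then
    write_sample_config "/tmp/sshd2_lint_sample.$$"
    check_placeholders "/tmp/sshd2_lint_sample.$$" || echo "placeholders found; review: comment_out_placeholders FILE > FILE.new"
    rm -f "/tmp/sshd2_lint_sample.$$"
fi
```

Run check_placeholders against the real file before restarting sshd2, and diff the output of comment_out_placeholders against the original so nothing beyond the placeholder lines changes.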
We have reconfigured ssh, then it went fine.
