Solved

cannot login via SSH after allowing the user

Posted on 2010-11-09
Last Modified: 2012-05-10
I have created a new user in Ubuntu server. I have added it to the same groups as the root login user. I have also edited the sshd config file to AllowUsers newuser. I have restarted ssh but I still cannot login via this particular user.

What am I doing wrong?

Many Thanks in advance
Question by:bilbazafa
31 Comments
 
LVL 4

Expert Comment

by:Antyrael
Comment Utility
Does this user have the group ID 0 (root)?
Then you probably disallowed ssh root logon in your sshd_config file (which is actually a good thing).
0
 

Author Comment

by:bilbazafa
Comment Utility
I'm new to Linux so you'll have to bear with me...

I'm not quite sure about the group ID you're asking me about, but it does say in the sshd file PermitRootLogin yes

Thanks
0
 
LVL 4

Expert Comment

by:Antyrael
Comment Utility
Did you set a password for this new user? Can he/she log in locally?
PermitRootLogin is yes so that's not holding it back.
0
 

Author Comment

by:bilbazafa
Comment Utility
Yes Antyrael I have set the password for the user and no they cannot login locally either.

Thanks
0
 
LVL 4

Accepted Solution

by:Antyrael
Antyrael earned 250 total points
Comment Utility
It looks like the user doesn't have a shell assigned, try this command:
usermod -s /bin/bash accountname
Replace accountname with the actual account name.
0
 

Author Comment

by:bilbazafa
Comment Utility
What I did is created a new user with a password. I then had a look at the groups the root user was in, then just added the newuser to those groups also.

Have I missed something?
0
 
LVL 4

Expert Comment

by:Antyrael
Comment Utility
I'm not very familiar with any graphical interfaces on Ubuntu (or any other Linux for that matter).
The earlier usermod command I mentioned needs to be run as root by the way.

You could also check the /var/log/messages log for errors with that account.
0
 

Author Comment

by:bilbazafa
Comment Utility
I have done the 'sudo usermod -s /bin/bash accountname' command and it says 'usermod: no change'

I did all of the changes via ssh locally, as there is no gui in Ubuntu server from what I know of.

How would I check the log file?

Thanks
0
 

Author Comment

by:bilbazafa
Comment Utility
I've just gone into the messages via nano and there are only 4 lines of text; each has nothing to do with what we are talking about.
0
 
LVL 4

Expert Comment

by:Antyrael
Comment Utility
It returned "no change" because the account already had /bin/bash set as command environment.
You can check the logfile with a few commands:
1) less /var/log/messages
2) tail /var/log/messages
3) grep username /var/log/messages

1: this way you can use the arrow keys, Page Down and Page Up to scroll through the entire log file.
2: this command will output the last 10 lines of the log file; use tail -n20 to show 20 lines, etc.
3: grep will search the file /var/log/messages for the string "username" and output the lines containing it.

You can also use tail -f /var/log/messages to follow the log file as it receives additional info (hit CTRL-C to exit).
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
grep accountname /etc/passwd
grep accountname /etc/shadow

Check to make sure that the entry in /etc/shadow has a password
accountname:$1$dsfdsfsdfdsfdssf:
versus
accountname:!!:

0
 

Author Comment

by:bilbazafa
Comment Utility
After you have done the grep command, what do I then do? As it does not open anything?
0
 

Author Comment

by:bilbazafa
Comment Utility
Answer to Arnold: the shadow accountname does have a password against it as far as I can see
0
 
LVL 4

Expert Comment

by:Antyrael
Comment Utility
It should show you at least 1 line per command, like this:
~@host# grep accountname /etc/passwd
accountname:x:501:501:accountname,,,:/home/accountname:/bin/bash

~@host# grep accountname /etc/shadow
accountname:randomcharacters:number:0:0::::

Values are fictional in above examples.

If you get no output from these commands (the 2nd will automatically show nothing if the 1st shows nothing), then the account with accountname does not exist.
0
 

Author Comment

by:bilbazafa
Comment Utility
Arnold they do look like you have in your examples, so all looks right there
0

 

Author Comment

by:bilbazafa
Comment Utility
If I do this command Antyrael 'grep username /var/log/messages' It appears to do nothing. Do I need to do something else to see the results?
0
 
LVL 4

Expert Comment

by:Antyrael
Comment Utility
No, if you get no output with that command, it simply means the string "username" is not found in the file.

Can you show us the output of the command "grep username /etc/passwd" (without the quotes, replace username with the actual account)?
Please feel free to mask the actual username and description.
0
 

Author Comment

by:bilbazafa
Comment Utility
It says:-

user:x:1001:33::/home/user:/bin/bash
0
 

Author Comment

by:bilbazafa
Comment Utility
Would it be worth deleting the user then you telling me how you would create a new admin user that has all the privileges of the root user and is able to login locally via ssh?
0
 
LVL 4

Expert Comment

by:Antyrael
Comment Utility
Well, I don't make a habit of creating a user account that has root privileges, because that would imply the user having ID 0 and GID 0, just like the root account and that is a huge security risk.
If you want to delegate administrative tasks to someone else, I would advise adding the user to the sudoers file.
You do this with the following command: sudoedit /etc/sudoers
Simply add a line similar to this:
username ALL=(ALL) ALL

If you look at the file and see a line "%admin ALL=(ALL) ALL", you can also add the user account to the admin group.
sudo usermod -a -G admin username
0
 

Author Comment

by:bilbazafa
Comment Utility
OK thanks I'll give it a go. So should I delete this user and then start again from scratch?
0
 
LVL 4

Expert Comment

by:Antyrael
Comment Utility
Maybe that would be a good idea, since you've already been changing group memberships.
A fresh start might just be what this needs.
0
 

Author Comment

by:bilbazafa
Comment Utility
If I run the delete user command will it delete the home folder and all permissions I assigned to it, groups etc?
0
 

Author Comment

by:bilbazafa
Comment Utility
As in remove all trace of the user?
0
 

Author Comment

by:bilbazafa
Comment Utility
Just deleted the user and his home directory. Created the user again, granted him access to admin as I did before. But he still cannot log in via ssh locally????
0
 
LVL 4

Expert Comment

by:Antyrael
Comment Utility
No, you have to manually delete the /home/username folder.
For the rest, it's all gone.
0
 

Author Comment

by:bilbazafa
Comment Utility
There has to be something missing, as in I need to add the user to something specific to allow him to login to ssh!!
0
 
LVL 4

Assisted Solution

by:Antyrael
Antyrael earned 250 total points
Comment Utility
I think your first priority would be to make sure the user can actually login on the console locally, not through ssh.
If the user can't even login locally, on the console, ssh will never work.

This is how I would add a user:
sudo useradd tester
sudo usermod -a -G admin tester
sudo passwd tester

This way, a new user is able to login through ssh.
0
 
LVL 76

Expert Comment

by:arnold
Comment Utility
You do not need to add to a specific group to have the user have ssh rights.
The only thing that controls whether the user can login on ssh or locally is the shell.
If the shell you set is valid, i.e. not /bin/false etc., then provided the user provides the correct username/password combination, the session will be allowed.
Check /var/log/secure to see whether ssh logged anything there.
There is no need to add the rule to sshd_config as you have.

If you while logged in in a terminal window run
exec login and then try to login with the username/password, what happens?

if this fails, can you double check that you have/use the correct password?
sudo bash
passwd accountname
newpassword
newpassword

and now try again.
0
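The checks raised in this thread (the login shell in /etc/passwd, the password field in /etc/shadow, and the AllowUsers line the asker added to sshd_config), combined into one script as an added example that is not any poster's own code. The function name check_login and all file contents are constructed for illustration; AllowUsers handling is simplified to plain names and wildcards.

```shell
# Added example. Every file below is a constructed sample, not data from the thread.
dir=$(mktemp -d)
cat > "$dir/passwd" <<'EOF'
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
svc:x:1003:1003::/home/svc:/bin/false
EOF
cat > "$dir/shadow" <<'EOF'
alice:$6$constructedsalt$constructedhash:14922:0:99999:7:::
bob:!!:14922:0:99999:7:::
svc:$6$constructedsalt$constructedhash:14922:0:99999:7:::
EOF
cat > "$dir/sshd_config" <<'EOF'
PermitRootLogin yes
AllowUsers alice svc
EOF
# check_login USER PASSWD SHADOW SSHD_CONFIG
# Prints one finding per line, or "ok"; the subshell body keeps variables local.
check_login() (
    user=$1; found=
    entry=$(awk -F: -v u="$user" '$1 == u' "$2")
    [ -n "$entry" ] || { echo "no-account"; exit 0; }
    # Field 7 of the passwd entry is the login shell.
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    case $shell in
        */false|*/nologin) echo "bad-shell:$shell"; found=1 ;;
    esac
    # Field 2 of the shadow entry: a leading "!" or "*" matches no password.
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$3")
    case $hash in
        '!'*|'*'*) echo "password-locked"; found=1 ;;
        '')        echo "no-password-set"; found=1 ;;
    esac
    # With AllowUsers present, sshd admits only users matching a listed pattern.
    # Simplification: any @host part is ignored and "!" negation is not handled.
    set -f
    allowed=$(awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }' "$4")
    if [ -n "$allowed" ]; then
        ok=no
        for pat in $allowed; do
            case $user in ${pat%%@*}) ok=yes ;; esac
        done
        [ "$ok" = yes ] || { echo "not-in-AllowUsers"; found=1; }
    fi
    [ -n "$found" ] || echo "ok"
)
for u in alice bob svc carol; do
    echo "== $u"; check_login "$u" "$dir/passwd" "$dir/shadow" "$dir/sshd_config"
done
```

On a real host the same function can be pointed at /etc/passwd, /etc/shadow and /etc/ssh/sshd_config when run as root.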
 
LVL 16

Expert Comment

by:gelonida
Comment Utility
I would suggest the following steps:

1.) check, that your new user can login on the console
if it can't you know where your problem is.

2.) try to ssh from localhost
ssh mynewuser@localhost

if this doesn't succeed, try to run the ssh command with the -v option.
ssh -v mynewuser@localhost
and send us the output.


If it works try to ssh from another host (with option -v) and send us the output
0
 

Author Closing Comment

by:bilbazafa
Comment Utility
Thanks for your help, it was down to a few things I'd done incorrectly but the above answers you gave Antyrael were 2 of them. Many Thanks to you and everybody that helped. I'm jotting all of the above down as I am new to Linux and it's for future reference.
0
