OmniUnlimited asked:
Unable to Log In Via SSH

Hello Experts!

I am having a problem being able to log in via SSH with a user I created using the article found at http://derek.rule88.com/2011/05/17/simple-jailed-sftp-users-with-centos/.  When I set up the user with its password on the server and try to log in via SSH through PuTTY, I get an "Access denied" error.  It does not matter how many times or in what shape or form I make the password, I get the same error every time.

Here is a copy of my sshd_config file:
#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
#Subsystem      sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
UseDNS  no

Subsystem       sftp    internal-sftp
AllowGroups root sftponly
Match Group sftponly
        ChrootDirectory /home/newuser
        ForceCommand    internal-sftp
        AllowTcpForwarding      no


Any help or ideas you can give me would be greatly appreciated.

Thanks.
Tintin:

What user are you trying to connect as?

Do you really want a chrooted sftp environment?
OmniUnlimited (asker):

The user is newuser.  What I am trying to do is to limit SSH access of this user to just his directory under the /home directory, which in this case is /home/newuser.  The article I posted the link to seems to set this up; however, I am not an expert in this, so if you have a better solution, I am all ears.
So you want the user to be able to login to the command line or do they just require the ability to transfer files?

There's quite a difference to setting up a chrooted ssh environment compared to a chrooted sftp environment.
They need to be able to login to the command line but only have access to their directory.
SOLUTION
Tintin:

That does look interesting, but since I've never done that before, I think I should ask you first:

Can the chroot directory be the /home/newuser directory?

Also, in the middle of the tutorial is this:

At this point all is ready and we can chroot

# chroot /vat/chroot
bash-4.2# ls /  
bash: ls: command not found



Is

# chroot /vat/chroot



supposed to be

# chroot /var/chroot


?
The catch here is that if you restrict some users' access to their home directories, then they won't be able to access other stuff like /bin, which probably includes their login shell binary, or /usr/lib, which is used by pretty much all binary executables.

What is it exactly that makes you think that it's a (security?) risk for a user to leave the home directory?

Why not use good old file permissions or not-so-old-but-still-old ACLs to prevent them doing something nasty?
@Tintin:  You never answered my questions, but I went ahead and tried the instructions from your link and I ended up with the same problem.  I continue getting an "access denied" error.

@Surrano:  I would prefer that people not see what programs and platforms I am using on my machine, and what directory structures exist on my sites.
Is newuser in the group sftponly? Have you tried commenting out the following section, restarting ssh and seeing if it even works without the Match Group option?

AllowGroups root sftponly
Match Group sftponly
        ChrootDirectory /home/newuser
        ForceCommand    internal-sftp
        AllowTcpForwarding      no


Hello Mazdajai!

I appreciate your assistance with this issue.  To answer your questions:

1. Newuser is in sftponly group
2. Per your suggestion, I tried commenting out everything you listed and restarted sshd.  I still get an Access denied error when attempting to log in with Newuser.
Do you have an original copy of the sshd_config? Has ssh ever worked with newuser on this box? Have you tried recreating the user with userdel/useradd? It might be quicker to reinstall ssh and start from scratch, one step at a time.

If not, can you provide the output of the following? (Case sensitive)

ssh -vvv -l newuser <servername>


The original copy of sshd_config is identical to what is there now with the exception of the commented out Subsystem and the last six lines of the file. SSH has never allowed Newuser to log in.  I tried recreating the user, I get a "Creating mailbox file: File exists" notice.  You would need to walk me through reinstallation of SSH if you feel that is absolutely necessary.

Here is the output you requested (the IP address has been blocked out for security purposes.)
# ssh -vvv -l Newuser xxx.xxx.xxx.xxx
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/identity-cert type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug3: Wrote 960 bytes for a total of 981
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug3: Wrote 24 bytes for a total of 1005
debug2: dh_gen_key: priv key bits set: 133/256
debug2: bits set: 491/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: Wrote 144 bytes for a total of 1149
debug3: check_host_in_hostfile: host xxx.xxx.xxx.xxx filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: host xxx.xxx.xxx.xxx filename /root/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'xxx.xxx.xxx.xxx' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug2: bits set: 500/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: Wrote 16 bytes for a total of 1165
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug3: Wrote 48 bytes for a total of 1213
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug3: Wrote 64 bytes for a total of 1277
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug3: Trying to reverse map address xxx.xxx.xxx.xxx.
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_0' not found

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
Newuser@xxx.xxx.xxx.xxx's password:
debug3: packet_send2: adding 64 (len 58 padlen 6 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug3: Wrote 144 bytes for a total of 1421
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
Newuser@xxx.xxx.xxx.xxx's password:


Is the username newuser or Newuser? Not sure if reinstall is necessary yet, your output looks fine.
It is Newuser.  What about the Permission denied error at the end?  I have tried resetting the password many times.
Not sure if it is a typo, but your home directory has a different username - /home/newuser. Try recreating the user.

userdel -r Newuser
useradd Newuser
echo 'Newuser123'|passwd --stdin Newuser
ssh -vvv -l Newuser <server>


Yay, that did it!  I was able to log in successfully under SSH with the user Newuser.  But now I have the problem that the user has full access to the server (that is, he can see all the files.)  How do I create a jailed environment for this user?  When I try and uncomment the lines in sshd_config, PuTTY gets a network error and aborts.
What distro are you using? Are you able to login with either AllowGroup or MatchGroup?
Ok, I think I am understanding a little as to what is going on here.  I am able to log in after having modified sshd_config with both AllowGroup and MatchGroup.  The problems arise when I try and set up the ChrootDirectory to something other than /home/<username>.  Is there a way to change this, or must ChrootDirectory be in the format "/home/<username>"?  (I am using a Centos 6.5 distro.)
You are looking at an article to chroot sftp via centos 5.

Are you looking to chroot sftp or ssh?
SSH.
You were looking at sftp. Take a look at the following for chroot ssh -

http://how-to.linuxcareer.com/how-to-automatically-chroot-jail-selected-ssh-user-logins
This is the same link shared by Tintin earlier.  The problem is that I need to chroot a directory that is accessible via web (ex. /home/sitename/public_html/Newuser), not the /var/chroot directory as described in the article.  Is this possible?
Try this on the sshd_config -

ChrootDirectory /home/sitename/public_html/%u


That goes back to what I said above:

The problems arise when I try and set up the ChrootDirectory to something other than /home/<username>.  Is there a way to change this, or must ChrootDirectory be in the format "/home/<username>"?
It should be set to %u if you want to jail the users in their respective home directories. I can take a look at the lab machine tomorrow.

Exactly what problem are you referring to?
The problem where PuTTY blows up with a "Network error: Software caused connection abort" error.
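A check that is worth running before touching sshd_config again, added here as an example and not taken from any post in this thread: sshd_config(5) requires that the ChrootDirectory path and every one of its parent directories be owned by root and not writable by group or others. When any component breaks that rule, sshd refuses the session (it logs "bad ownership or modes for chroot directory component" on the server side) and the client only sees the connection drop, which is exactly how PuTTY reports it. The script below walks a candidate chroot path from "/" down and lists every component that violates the rule; the sample metadata used in the comments is constructed, and the path /home/newuser is taken from the question.

```python
#!/usr/bin/env python3
"""Check a directory against sshd's ChrootDirectory ownership rules.

sshd_config(5): all components of the ChrootDirectory pathname must be
root-owned directories that are not writable by any other user or group.
check_components() holds the pure rule so it can be exercised on constructed
metadata; check_chroot_path() feeds it real os.stat() results.
"""
import os
import stat
import sys
from pathlib import PurePosixPath

# Permission bits sshd will not tolerate on any component.
GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def chroot_components(path):
    """Return every directory sshd inspects: "/" first, the target last.

    chroot_components("/home/newuser") -> ["/", "/home", "/home/newuser"]
    """
    p = PurePosixPath(path)
    if not p.is_absolute():
        raise ValueError("ChrootDirectory must be an absolute path")
    parts = [p] + list(p.parents)          # target, then each parent up to "/"
    return [str(x) for x in reversed(parts)]


def check_components(meta):
    """Apply the rule to (path, uid, mode, is_dir) tuples.

    Returns a list of human-readable problems; an empty list means the path
    is acceptable to sshd.  'mode' is the full st_mode value.
    """
    problems = []
    for path, uid, mode, is_dir in meta:
        if not is_dir:
            problems.append(f"{path}: not a directory")
        if uid != 0:
            problems.append(f"{path}: owned by uid {uid}, must be root (uid 0)")
        if mode & GROUP_OR_OTHER_WRITE:
            problems.append(
                f"{path}: mode {oct(mode & 0o7777)} is group- or world-writable"
            )
    return problems


def check_chroot_path(path):
    """stat() each component of a real path and report violations."""
    meta = []
    for comp in chroot_components(path):
        st = os.stat(comp)
        meta.append((comp, st.st_uid, st.st_mode, stat.S_ISDIR(st.st_mode)))
    return check_components(meta)


if __name__ == "__main__":
    # Usage: check_chroot.py /home/newuser
    target = sys.argv[1] if len(sys.argv) > 1 else "/home/newuser"
    found = check_chroot_path(target)
    if found:
        print(f"{target} is NOT usable as ChrootDirectory:")
        for line in found:
            print("  " + line)
        sys.exit(1)
    print(f"{target} satisfies sshd's ChrootDirectory ownership rules")
```

Because the chroot root itself cannot be writable by the jailed user, the usual layout is a root-owned chroot directory containing a subdirectory (for example an "upload" or "files" folder) that the user owns and writes into. A web directory such as /home/account/public_html/sitename will only pass this check if the whole chain from /home downward is root-owned and not group- or world-writable. ChrootDirectory also accepts the %u (username) and %h (home directory) tokens, which is what the %u suggestion above relies on.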
SOLUTION
@Surrano:  Sorry for the delay in responding.  I've been playing around with the system trying to overcome the issue you described and have had no luck.  Do you have any ideas as to what I can do to achieve my goal?
ASKER CERTIFIED SOLUTION
Hi Mazdajai!

Thanks for coming back to my assistance.  I was getting worried there.

Listen, this is the problem I am facing:

I have a website directory, let's call it /home/account/public_html/sitename.  I want to make this folder the jailed directory.  Is this possible?  (Note there is no mention of the username)
It is possible, all you need to do is change the user home directory in /etc/passwd to what you desire.

If you are trying to do something else than below then I would suggest you to open a new thread instead.

What I am trying to do is to limit SSH access of this user to just his directory under the /home directory, which in this case is /home/newuser.
Circumstances changed.  What you proposed is the solution to the current question.

Please see new question at https://www.experts-exchange.com/questions/28364681/Unable-to-Log-In-Via-SSH.html
Hey Mazdajai, aren't you going to help me anymore?  You have yet to post on the new question (the one you suggested I open.)
You have not forgotten. :)

I see other experts have already responded, but I have added a few lines as well.
Hey Mazdajai, got another question if you are interested:

https://www.experts-exchange.com/questions/28371494/How-Do-You-Set-Up-FTP.html