Jason Yu asked:

cannot ssh to a centOS 4.9 server

I have an old CentOS 4.9 server. I cannot ssh to it.

It's a VMware server; I can use the console to log into the server as root. I checked the sshd service, it's on. I checked the iptables service, it's off.

I checked the .ssh folder under root and can only find one file called known_hosts. No other files were found under the same folder, not even a config file.

Can anyone help me with this? Thanks.
Tags: Windows Server 2008, SSH / Telnet Software, Linux, Linux Distributions

Last comment: Jason Yu, 8/22/2022 - Mon
Jason Yu

ASKER
When I ssh to it from another Linux server, it says "Access denied".
Shiju Jacob

Try to stop SELinux and log in.

Check whether any PAM-related files have been updated.

Can you paste the logs from when you are trying to ssh from remote?

Try this on the VMware console:
tail -f /var/log/messages
Sudeep Sharma

Also check which port SSH is running on.

Check the file /etc/ssh/sshd_config and look for Port.

As suggested by Shiju above, also check SELinux.

Verify that the port set in sshd_config is configured on the firewall as well.

Sudeep
Steven Vona

Are you trying to log in as root or a user??

Check service is running:

service sshd status

Check iptables allows connections:

iptables -L -vn | grep "dpt:22"

Check if root is allowed to log in per config:

grep -i permitrootlogin /etc/ssh/sshd_config

Check if config allows password authentication:

grep PasswordAuthentication /etc/ssh/sshd_config
Jason Yu

ASKER
The result of tail -f /var/log/messages:

pam_parse: unknown option; reject_username
Jason Yu

ASKER
This is the content of the ssh_config file:

#      $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
   PasswordAuthentication yes
#   HostbasedAuthentication no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
   Port 22
   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
Host *
      GSSAPIAuthentication yes
# If this option is set to yes then the remote X11 clients will have full access
# to the local X11 display. As virtually no X11 client supports the untrusted
# mode correctly we set this to yes.
       ForwardX11Trusted yes
Jason Yu

ASKER
The iptables service is stopped, not running at all.
Julian Parker

Check /etc/hosts.allow and /etc/hosts.deny, and the log files /var/log/secure and /var/log/messages.
Jason Yu

ASKER
I checked both files; there is nothing in there.

Do I need to add my IP in? If so, what is the format?

Thanks.
Julian Parker

Nope, if they are blank that's cool. They can also be used to restrict access to services; most people forget about them.

Looking at your posts above, it might be that you have a bad entry in PAM. Check out the log files again:

/var/log/secure
/var/log/messages
/var/log/audit/audit.log
Julian Parker

BTW, when you said it's a VMware server, did you mean it's a guest OS on a VMware server?
Jason Yu

ASKER
It's a guest OS.
Jason Yu

ASKER
In /var/log/secure:

Did not receive identification string from ::ffff:172.16.139.250
Jason Yu

ASKER
In this file: /var/log/messages

There are many lines like the one below:

PAM-Cracklib[9775]: pam_parse: unknown option; reject_username.

Is there something wrong with my pam_parse module?

Please advise.
Jason Yu

ASKER
I think maybe the PAM modules under /etc/pam.d need to be modified.

Please see the screen copy of the file /etc/pam.d/sshd.
pam-picture2.png
Julian Parker

I don't think it's that file; it might be in login or system-auth.

Unfortunately I don't have a CentOS 4.9 box I can use to check PAM.

Can you verify the pam package?

rpm -V pam
ls -altr /etc/pam.d

Julian Parker

I'm assuming it does local auth as well and you don't have some strange network auth setup. Try running

authconfig --test


It should tell you what it's expecting; check the man page for details.
Jason Yu

ASKER
Here are the results. Unfortunately, I couldn't copy and paste the result here, so I had to use the screen copy from the VMware console.
ssh3.JPG
pam-picture4.png
pam-picture3.png
Jason Yu

ASKER
Here is the detail of /etc/pam.d/system-auth file:
system-auth.png
Julian Parker

system-auth was modified, which is fine if that's what you needed for your setup, but it's worth having a look.
Julian Parker

There it is: edit the system-auth file and hash out the line with the reject_username.
Jason Yu

ASKER
How do I test bypassing the system-auth file?

I want to first identify the problem, then consider how to resolve it.

Here I am attaching the detail of this system-auth file for your scrutiny.
system--001.png
system-002.png
Julian Parker

Line 14: put a # at the start and save it, then try and ssh in.
Open another console window and try and log in locally too, or use ssh localhost in the console.
Julian Parker

I found this if you need cracklib enabled:
http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html
Jason Yu

ASKER
After I modified this system-auth file and ran ssh localhost as root, it shows "Permission denied, please try again."

please see the copy screen.
new.png
Julian Parker

OK, put the cracklib line back but just remove the reject_username so it reads:

password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 minclass=3

Jason Yu

ASKER
The result is the same:

Please see the copy screen.
ssh-error.png
Jason Yu

ASKER
Here are the two configuration files.
ssh_config
Jason Yu

ASKER
I tried to catch the log from /var/log/secure and found the following lines when I tried to log in:

Failed password for jasony from ::ffff:172.16.49.115 port 53389 ssh2
login-error.png
Jason Yu

ASKER
I checked the secure file; it keeps saying "Failed password for myusername from ::ffff:XXX.XXX.XXX.XXX (my desktop IP) port 54043 ssh2".

Please see the copy screen.
logon-error-2.png
Julian Parker

can you reset the password??
Jason Yu

ASKER
I just reset the password for my username, but when I ssh to the server it still says "access denied".

The /var/log/secure file shows:

Failed password for jasony from ::ffff:my ip port 60157 ssh2.

The port number is different every time I try to log in.

Thanks.
Julian Parker

Is it doing local auth? Can you post the output of authconfig --test as mentioned above.

The port number mentioned in the log is the source port, which varies, so that's OK.
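Grouping the /var/log/secure and /var/log/messages lines quoted in this thread by user and source host (ignoring the per-connection source port Julian mentions) and separating the PAM-Cracklib parse error from genuine password failures. This is an added Python example, not anything a poster ran; the log lines are constructed in the shape shown above, and the ::ffff: prefix is how a dual-stack sshd logs IPv4 peers.

```python
import re
from collections import Counter

# Constructed log lines in the shape quoted in this thread (not a real capture).
SAMPLE_LOG = """\
Aug 22 10:01:12 centos4 sshd[2310]: Did not receive identification string from ::ffff:172.16.139.250
Aug 22 10:02:03 centos4 sshd[2315]: Failed password for jasony from ::ffff:172.16.49.115 port 53389 ssh2
Aug 22 10:02:09 centos4 sshd[2315]: Failed password for jasony from ::ffff:172.16.49.115 port 54043 ssh2
Aug 22 10:02:15 centos4 sshd[2317]: Failed password for jasony from ::ffff:172.16.49.115 port 60157 ssh2
Aug 22 10:02:15 centos4 PAM-Cracklib[9775]: pam_parse: unknown option; reject_username.
Aug 22 10:03:40 centos4 sshd[2320]: Accepted password for jasony from ::ffff:172.16.49.115 port 60201 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")
NOIDENT_RE = re.compile(r"Did not receive identification string from (\S+)")
PAM_RE = re.compile(r"(\S+)\[\d+\]: pam_parse: unknown option; (\S+)")

def strip_mapped_prefix(addr):
    """sshd on a dual-stack socket logs IPv4 peers as ::ffff:a.b.c.d."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr

def summarize_sshd_log(text):
    """Group events by what matters (user, source host), never by the
    ephemeral source port, which differs on every connection."""
    failures, no_ident, pam_errors = Counter(), Counter(), set()
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            failures[(m.group(1), strip_mapped_prefix(m.group(2)))] += 1
        elif m := NOIDENT_RE.search(line):
            no_ident[strip_mapped_prefix(m.group(1))] += 1
        elif m := PAM_RE.search(line):
            pam_errors.add((m.group(1), m.group(2).rstrip(".")))
    return {"failures": dict(failures), "no_ident": dict(no_ident),
            "pam_errors": sorted(pam_errors)}

def diagnose(summary):
    """Order the findings the way a troubleshooter should work through them."""
    hints = []
    if summary["pam_errors"]:
        mods = ", ".join(f"{m} ({o})" for m, o in summary["pam_errors"])
        hints.append(f"PAM stack misconfigured, fix /etc/pam.d first: {mods}")
    for (user, ip), n in summary["failures"].items():
        hints.append(f"{n} failed password(s) for {user} from {ip}")
    for ip, n in summary["no_ident"].items():
        hints.append(f"{n} connection(s) from {ip} sent no SSH banner (probe or scanner, not a login)")
    return hints
```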
Jason Yu

ASKER
What do you mean by using authconfig --test?

How do I use it for a test?

I tried to run "ssh -vvv localhost" and got the following error, as shown in the attachment.
error-003.png
error-004.png
Jason Yu

ASKER
I got it running, please see picture.
008.png
Jason Yu

ASKER
This is the second page of the result of authconfig --test command.
009.png
Julian Parker

It uses Kerberos....

Do you need that?

I'm not suggesting you change it, as it might affect your security policy.

Running authconfig --test should have displayed printed output.
Julian Parker

If you want to test it without, then save a copy of the auth files in pam and make notes of the settings, then (only if you are allowed) change the setting to disable Kerberos and try that. If you can then log in, you now know where to look, and you should involve your security team if you have one.

Alas, I don't know much about Kerberos.. :-D
Jason Yu

ASKER
What is this Kerberos authentication? Are the settings for Kerberos crashed?

How can I use SSH with Kerberos? Or do I need to disable Kerberos to use SSH? Please advise.

Thanks in advance.
Jason Yu

ASKER
After I disabled Kerberos, it's still not working.

The error message is the same in /var/log/secure file.

thanks.
Julian Parker

Kerberos needs an external server for auth as far as I know. Can you post your authconfig again please?

We need to be sure it's disabled.

Is there any possibility of showing more of the secure file, and is there anything in messages?
Julian Parker

I just built a 4.8 VM and the system-auth file on a base install looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so


Not sure if it helps?!
Jason Yu

ASKER
KerberosAuthentication is enabled.

Please see the attached screen copy of the file /etc/ssh/sshd_config.

I will copy the secure file and messages file later.
kerberos-enabled.png
Jason Yu

ASKER
Here are the screen copies of the command "authconfig --test". I talked to my coworkers; they said this server is integrated with Active Directory for authentication. From the second screen copy, you can see a domain controller's name.
authconfig-001.png
authconfig--002.png
ASKER CERTIFIED SOLUTION
Julian Parker

Jason Yu

ASKER
I've got a new problem right now: I cannot use the root user to log in from the console; it says the root user is locked. I have to use my own account to log in from the console and su to root.
Jason Yu

ASKER
I found a line

UsePam yes

Do I need to disable it for testing?
Jason Yu

ASKER
This time it works. After I set KerberosAuthentication to no, it works.

# Kerberos options
KerberosAuthentication no
KerberosOrLocalPasswd no
#KerberosTicketCleanup yes


But my root account is still locked. How can I unlock it?

thanks.
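The checks in this thread grep sshd_config for keywords, which also prints commented-out lines. As an added Python example (not from any poster), here is a reader that applies sshd's first-obtained-value rule, treats comment lines as not set, and reports which password checks the keywords that mattered here (PasswordAuthentication, UsePAM, KerberosAuthentication, KerberosOrLocalPasswd) enable. The defaults table and the sample config are assumptions modelled on the lines quoted above, not the asker's file, and Match blocks (absent from this OpenSSH generation) are not handled.

```python
import re

# Upstream sshd defaults for the OpenSSH generation CentOS 4 shipped
# (assumption; the distro's packaged file may set some of them explicitly).
DEFAULTS = {"port": "22", "permitrootlogin": "yes", "passwordauthentication": "yes",
            "usepam": "no", "kerberosauthentication": "no", "kerberosorlocalpasswd": "yes"}

# Constructed excerpt modelled on the Kerberos lines quoted above, not the
# asker's file; the lowercase duplicate at the end only shows first-wins.
SAMPLE_SSHD_CONFIG = """\
#Port 22
PasswordAuthentication yes
#PasswordAuthentication no
# Kerberos options
KerberosAuthentication no
KerberosOrLocalPasswd no
UsePAM yes
kerberosauthentication yes
"""

def parse_sshd_config(text):
    """Lowercase keyword -> FIRST value obtained, as sshd does; comment lines
    (which the thread's grep checks also print) are not settings."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key val" / "Key=val"
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    return seen

def effective(text, keyword):
    """Value sshd will use: the first explicit setting, else the default."""
    key = keyword.lower()
    return parse_sshd_config(text).get(key, DEFAULTS.get(key))

def password_mechanisms(text):
    """Password checks these settings enable (internal precedence not modelled)."""
    if effective(text, "PasswordAuthentication") != "yes":
        return []
    enabled = []
    if effective(text, "KerberosAuthentication") == "yes":
        enabled.append("kerberos")            # password is checked against the KDC
        if effective(text, "KerberosOrLocalPasswd") == "yes":
            enabled.append("local-fallback")
    enabled.append("pam" if effective(text, "UsePAM") == "yes" else "local")
    return enabled
```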
Julian Parker

Did you modify the auth-config file??
Jason Yu

ASKER
Thanks experts for all of your help.