SSH - Access Denied via Putty

When I attempt to log in to my iSeries server via Putty (Port 22) - I am connected to the server, but when I attempt to log in, I get "Access Denied"

I compared my SSHD_CONFIG to other systems and everything appears to be the same.

I verified that other users get the same thing - so this is not related to any specific user...

Any assistance would be much appreciated.
Matthew Roessner, Senior Systems Programmer, Asked:

Gary Patterson, VP Technology / Senior Consultant, Commented:
If you haven't configured syslog logging for sshd (you should), then error messages will be in individual job logs that get created for every ssh connection.  This article explains how to configure syslog and how to find sshd job logs.

https://www-01.ibm.com/support/docview.wss?uid=nas8N1014301

Post the log messages for a failed connection.  You may want to temporarily increase the logging level configured in sshd config to produce a more detailed log.
Matthew Roessner, Senior Systems Programmer (Author), Commented:
I set up logging as you indicated - but even after restarting SSH - the logs are clear.  I set the logging level as DEBUG in the /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config file
Gary Patterson, VP Technology / Senior Consultant, Commented:
Please post your sshd_config file - after masking anything confidential..
Matthew Roessner, Senior Systems Programmer (Author), Commented:
Uploaded SSHD_CONFIG.txt
sshd_config.txt
serialband Commented:
You should configure Putty to log.  That would get better info about the reason.
       From the PuTTY Configuration, in the left pane, click on  Logging under Session.
       On the right, ensure Log all session output or Log SSH packet data is selected.
       Note the path to the log file which needs to be sent along with sshd logs.

If you used ssh from linux or Mac just add -vvv (3 v) and you'll see verbose output.
Matthew Roessner, Senior Systems Programmer (Author), Commented:
I attached the putty.log output but there isn't much in it...

Still don't see anything in my log file...
putty.log
serialband Commented:
Did you ensure that you are logging all session output?
Gary Patterson, VP Technology / Senior Consultant, Commented:
Enable syslog logging in your sshd_conf.  Uncomment this:

#SyslogFacility AUTH

Then restart sshd.
David Favor, Linux/LXD/WordPress/Hosting Savant, Commented:
Tip: Debugging ssh tends to be tough, as simple things cause problems.

Ensure your key file permission is set to user access only, so all other access off. Linux equivalent is...

chmod 600 .../your-key-directory/your-key.rsa



If you still have problems here's a quick way to find the root cause quickly.

1) In one window connected to your server...

/usr/sbin/sshd -p 55555 -D -ddd -e



2) In another window connect to your new sshd instance...

ssh -vvv -2 -4 -p 55555 -i .../your-key-directory/your-key.rsa $user@host



3) Compare the output of both windows + likely you'll immediately see the problem.
Matthew Roessner, Senior Systems Programmer (Author), Commented:
I removed the comment from the SyslogFacility AUTH and then restarted SSHD

After attempting to connect in Putty again, I still do not see anything in my sshlog.ext file that I set up in the logging config.  And I ensured that my Putty logging was set to log all session activity and it shows just what I see on screen (which is basically just an Access Denied message)
David Favor, Linux/LXD/WordPress/Hosting Savant, Commented:
Might be a good test to attempt connecting to your server using an actual ssh client (Linux or OSX machine).

This will tell you if you have a server side or client side problem.

You can always cut + paste output from both windows (per above) + post the output as attachments. Be sure to do this as text, not an image file.
Matthew Roessner, Senior Systems Programmer (Author), Commented:
Unfortunately, I don't have access to either a Linux or OSX machine to test with
David Favor, Linux/LXD/WordPress/Hosting Savant, Commented:
Then back to the 2x window test I described above, which will likely provide sufficient enough detail to debug the problem.

Hum... Also post the actual host or IP where you're trying to login. No way to test a full login + at least a port scan can be run to ensure sshd is listening correctly.

The window test above is best.
Matthew Roessner, Senior Systems Programmer (Author), Commented:
I found the issue.  I ended the SSHD server and then started it in verbose mode and finally found out what was going on.

ENDTCPSVR *SSHD

NETSTAT option 3 and f14, verify port 22 is not on listen status

QSH CMD('/QOpenSys/usr/sbin/sshd -d -d -d')

Recreated issue on Putty side

Pressed f6 to generate a spool file

Found that the new version of Power Ruby we are using (ruby 2.4.4p296 (2018-03-28 revision 63013) [powerpc-aix7.1]) does not have its bash shell in the same location as it previously did (/PowerRuby/oss/bin/bash)

I was setting the ibmpaseforishell=/PowerRuby/oss/bin/bash option in my SSHD_CONFIG file.

I changed the location to /QOpenSys/pkgs/bin/bash and then things started working as expected.
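
The root cause found in this thread was an ibmpaseforishell entry in sshd_config pointing at a bash binary that no longer existed. The check below is an added example, not part of the original thread or of IBM's tooling; the function names are hypothetical, and it assumes the keyword is parsed like other sshd_config keywords (case-insensitive, first occurrence wins).

```shell
#!/bin/sh
# Added example: verify that the login shell named by ibmpaseforishell
# in an sshd_config actually exists and is executable.

# Print the configured shell path from the sshd_config given as $1
# (prints nothing if the keyword is absent). Accepts "key=value" and
# "key value", skips commented-out lines, and stops at the first match.
configured_shell() {
    awk '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (tolower(substr(line, 1, 16)) != "ibmpaseforishell") next
            rest = substr(line, 17)
            if (rest !~ /^[ \t=]/) next          # longer keyword or no value
            sub(/^[ \t]*=?[ \t]*/, "", rest)     # drop the separator
            sub(/[ \t\r]+$/, "", rest)           # drop trailing blanks / CR
            print rest
            exit
        }
    ' "$1"
}

# Return 0 if the configured shell is usable, 1 if it is missing or not
# executable, 2 if ibmpaseforishell is not set in the file at all.
check_login_shell() {
    shell_path=$(configured_shell "$1")
    if [ -z "$shell_path" ]; then
        echo "ibmpaseforishell not set in $1"
        return 2
    fi
    if [ -f "$shell_path" ] && [ -x "$shell_path" ]; then
        echo "OK: $shell_path"
        return 0
    fi
    echo "BROKEN: $shell_path is missing or not executable"
    return 1
}

# Run against a file named on the command line, e.g. the sshd_config
# path mentioned earlier in the thread.
if [ $# -gt 0 ]; then check_login_shell "$1"; fi
```

Running this after any upgrade that relocates packaged shells catches the stale path before users see "Access Denied".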
