SSH - Access Denied via Putty

Matthew Roessner
When I attempt to log in to my iSeries server via Putty (Port 22) - I am connected to the server, but when I attempt to log in, I get "Access Denied"

I compared my SSHD_CONFIG to other systems and everything appears to be the same.

I verified that other users get the same thing - so this is not related to any specific user...

Any assistance would be much appreciated.
Gary Patterson, VP Technology / Senior Consultant

Commented:
If you haven't configured syslog logging for sshd (you should), then error messages will be in individual job logs that get created for every ssh connection.  This article explains how to configure syslog and how to find sshd job logs.

https://www-01.ibm.com/support/docview.wss?uid=nas8N1014301

Post the log messages for a failed connection.  You may want to temporarily increase the logging level configured in sshd config to produce a more detailed log.
Matthew Roessner, Senior Systems Programmer

Author

Commented:
I set up logging as you indicated - but even after restarting SSH - the logs are clear. I set the logging level as DEBUG in the /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config file
Gary Patterson, VP Technology / Senior Consultant

Commented:
Please post your sshd_config file - after masking anything confidential..
Matthew Roessner, Senior Systems Programmer

Author

Commented:
Uploaded SSHD_CONFIG.txt
sshd_config.txt
You should configure Putty to log.  That would get better info about the reason.
       From the PuTTY Configuration, in the left pane, click on  Logging under Session.
       On the right, ensure Log all session output or Log SSH packet data is selected.
       Note the path to the log file which needs to be sent along with sshd logs.

If you used ssh from Linux or Mac, just add -vvv (3 v) and you'll see verbose output.
Matthew Roessner, Senior Systems Programmer

Author

Commented:
I attached the putty.log output but there isn't much in it...

Still don't see anything in my log file...
putty.log
Did you ensure that you are logging all session output?
Gary Patterson, VP Technology / Senior Consultant

Commented:
Enable syslog logging in your sshd_conf.  Uncomment this:

#SyslogFacility AUTH

Then restart sshd.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Tip: Debugging ssh tends to be tough, as simple things cause problems.

Ensure your key file permission is set to user access only, so all other access off. Linux equivalent is...

chmod 600 .../your-key-directory/your-key.rsa

If you still have problems here's a quick way to find the root cause quickly.

1) In one window connected to your server...

/usr/sbin/sshd -p 55555 -D -ddd -e

2) In another window connect to your new sshd instance...

ssh -vvv -2 -4 -p 55555 -i .../your-key-directory/your-key.rsa $user@host

3) Compare the output of both windows + likely you'll immediately see the problem.
Matthew Roessner, Senior Systems Programmer

Author

Commented:
I removed the comment from the SyslogFacility AUTH and then restarted SSHD

After attempting to connect in Putty again, I still do not see anything in my sshlog.ext file that I set up in the logging config.  And I ensured that my Putty logging was set to log all session activity and it shows just what I see on screen (which is basically just an Access Denied message)
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Might be a good test to attempt connecting to your server using an actual ssh client (Linux or OSX machine).

This will tell you if you have a server side or client side problem.

You can always cut + paste output from both windows (per above) + post the output as attachments. Be sure to do this as text, not an image file.
Matthew Roessner, Senior Systems Programmer

Author

Commented:
Unfortunately, I don't have access to either a Linux or OSX machine to test with
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Then back to the 2x window test I described above, which will likely provide sufficient enough detail to debug the problem.

Hum... Also post the actual host or IP where you're trying to login. No way to test a full login + at least a port scan can be run to ensure sshd is listening correctly.

The window test above is best.
Senior Systems Programmer
Commented:
I found the issue.  I ended the SSHD server and then started it in verbose mode and finally found out what was going on.

ENDTCPSVR *SSHD

NETSTAT option 3 and f14, verify port 22 is not on listen status

QSH CMD('/QOpenSys/usr/sbin/sshd -d -d -d')

Recreated issue on Putty side

Pressed f6 to generate a spool file

Found that the new version of Power Ruby we are using (ruby 2.4.4p296 (2018-03-28 revision 63013) [powerpc-aix7.1]) does not have its bash shell in the same location as it previously did (/PowerRuby/oss/bin/bash)

I was setting the ibmpaseforishell=/PowerRuby/oss/bin/bash option in my SSHD_CONFIG file.

I changed the location to /QOpenSys/pkgs/bin/bash and then things started working as expected.
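
A pre-restart check for the root cause found above, as an added example that is not part of the original thread: it reads the ibmpaseforishell value from an sshd_config and confirms that the shell it names exists and is executable. The function names are hypothetical, and using the first uncommented occurrence of the keyword is an assumption carried over from stock OpenSSH parsing.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the value of the first uncommented ibmpaseforishell line in config $1.
# The keyword is matched case-insensitively; the separator may be blanks or '='.
# Using the first occurrence is an assumption taken from stock OpenSSH parsing.
pase_shell_from_config() {
    awk '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            key = line
            sub(/[ \t=].*$/, "", key)
            if (tolower(key) == "ibmpaseforishell") {
                val = line
                sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
                sub(/[ \t\r]+$/, "", val)
                print val
                exit
            }
        }
    ' "$1"
}

# Exit status: 0 = directive absent or shell usable, 1 = shell path missing or
# not executable (the failure in this thread), 2 = config file unreadable.
check_pase_shell() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    shell=$(pase_shell_from_config "$cfg")
    if [ -z "$shell" ]; then
        echo "ibmpaseforishell not set in $cfg"
        return 0
    fi
    if [ -f "$shell" ] && [ -x "$shell" ]; then
        echo "OK: ibmpaseforishell=$shell"
        return 0
    fi
    echo "BROKEN: ibmpaseforishell=$shell is missing or not executable"
    return 1
}

# Run against a config file when one is given on the command line.
if [ $# -gt 0 ]; then
    check_pase_shell "$1"
fi
```

Pass it the config path used in this thread, /QOpenSys/QIBM/UserData/SC1/OpenSSH/etc/sshd_config, after any change to installed shell packages and before restarting sshd.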
