ESX server SSH login only works from local lan

Asked by Alexandre Takacs (Switzerland)
Tags: SSH / Telnet Software, VMware, Linux Networking
For some reason I can't seem to SSH into a recently deployed ESX server 7.0u2 when I am not "sitting" on the LAN. Despite having correct user / pass I get "permission denied".

This is my sshd config - anything obvious?

# Version

# running from inetd
# Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

# Fips mode restricts ciphers to only FIPS-permitted ciphers
# FipsMode yes

# vPP FCS_SSH_EXT.1.7: rekey after 1GB, 1H (instead of default 4GB for AES)
RekeyLimit 1G, 1H

SyslogFacility auth
LogLevel info

PermitRootLogin yes

PrintMotd yes

TCPKeepAlive yes

# Key algorithms used in SSHv2 handshake
# (ed25519 not allowed by current FIPS module)
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
MACs hmac-sha2-256,hmac-sha2-512

UsePAM yes
# only use PAM challenge-response (keyboard-interactive)
PasswordAuthentication yes

Banner /etc/issue

Subsystem sftp /usr/lib/vmware/openssh/bin/sftp-server -f LOCAL5 -l INFO

AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys

# Timeout value of 10 mins. The default value of ClientAliveCountMax is 3.
# Hence, we get a 3 * 200 = 600 seconds timeout if the client has been
# unresponsive.
ClientAliveCountMax 3
ClientAliveInterval 200

# sshd(8) will refuse connection attempts with a probability of "rate/100"
# (30%) if there are currently "start" (10) unauthenticated connections.  The
# probability increases linearly and all connection attempts are refused if the
# number of unauthenticated connections reaches "full" (100)
MaxStartups 10:30:100

# ESXi is not a proxy server
AllowTcpForwarding no
AllowStreamLocalForwarding no

# The following settings are all default values. They are repeated
# here to simplify auditing settings (for example, DoD STIG).
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
StrictModes no
Compression no
GatewayPorts no
X11Forwarding no
PermitTunnel no

# The following settings are disabled during the OpenSSH build.
# They are commented out to avoid spurious warnings in log files.
#GSSAPIAuthentication no
#KerberosAuthentication no

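When auditing a file like the one above, the things that decide whether a login is accepted are easy to misread by eye: sshd_config keywords are case-insensitive, the first occurrence of a keyword wins, the idle timeout is the product of two directives, and MaxStartups is a three-field throttle whose refusal probability rises linearly between "start" and "full" exactly as the comments in the posted file describe. The following script is an added example, not code from the question or from VMware: it parses a constructed subset of the posted directives (with one deliberately duplicated PermitRootLogin line to show first-wins), reports the login-relevant settings with upstream OpenSSH defaults filled in where the file is silent (ESXi ships its own values, as the posted file shows), and computes the idle timeout and the MaxStartups refusal probability. The defaults table and the helper names are the example's own assumptions.

```python
"""Inspect an OpenSSH sshd_config for login troubleshooting and auditing.

Added example (not from the question or from VMware). It shows:
  * sshd_config parsing semantics: keywords are case-insensitive and, outside
    Match blocks, the FIRST occurrence of a keyword wins (sshd_config(5));
  * the idle timeout implied by ClientAliveInterval * ClientAliveCountMax;
  * the MaxStartups "start:rate:full" throttle: refuse with probability rate%
    once "start" unauthenticated connections exist, rising linearly to 100%
    at "full".
"""
import re

# Constructed sample: a subset of the directives posted in the question, plus a
# duplicated PermitRootLogin line (added here to demonstrate first-wins).
SAMPLE_CONFIG = """\
# running from inetd
# Port 22
PermitRootLogin yes
UsePAM yes
PasswordAuthentication yes
PermitRootLogin no
ClientAliveCountMax 3
ClientAliveInterval 200
MaxStartups 10:30:100
AllowTcpForwarding no
StrictModes no
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    Blank lines and '#' comment lines are skipped. Keyword and value may be
    separated by whitespace or by '='. Parsing stops at the first Match block,
    because settings inside it are conditional and out of scope here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def idle_timeout_seconds(settings):
    """Seconds of client unresponsiveness before sshd disconnects, or None when
    ClientAliveInterval is 0 (the OpenSSH default, which disables the check)."""
    interval = int(settings.get("clientaliveinterval", "0"))
    count = int(settings.get("clientalivecountmax", "3"))
    return interval * count if interval > 0 else None


def parse_maxstartups(spec):
    """'start:rate:full' -> (start, rate, full). A bare number N is treated as
    N:100:N, i.e. refuse everything once N unauthenticated connections exist."""
    fields = [int(f) for f in spec.split(":")]
    if len(fields) == 1:
        return fields[0], 100, fields[0]
    if len(fields) != 3:
        raise ValueError("MaxStartups must be 'start:rate:full' or a single number")
    start, rate, full = fields
    if not (0 < start <= full and 0 <= rate <= 100):
        raise ValueError(f"invalid MaxStartups: {spec}")
    return start, rate, full


def refusal_probability(spec, unauthenticated):
    """Probability (0.0 .. 1.0) that a new connection is refused when
    `unauthenticated` connections are already waiting to authenticate."""
    start, rate, full = parse_maxstartups(spec)
    if unauthenticated < start:
        return 0.0
    if unauthenticated >= full:
        return 1.0
    # Linear ramp from rate% at "start" to 100% at "full".
    pct = rate + (100 - rate) * (unauthenticated - start) / (full - start)
    return pct / 100


def login_relevant(settings):
    """Directives a 'permission denied' investigation usually starts with.
    Defaults are upstream OpenSSH defaults (assumed; vendor builds differ)."""
    defaults = {
        "permitrootlogin": "prohibit-password",
        "passwordauthentication": "yes",
        "pubkeyauthentication": "yes",
        "usepam": "no",
        "allowusers": "(not set: all users allowed)",
        "denyusers": "(not set)",
        "allowgroups": "(not set: all groups allowed)",
        "denygroups": "(not set)",
        "authorizedkeysfile": ".ssh/authorized_keys .ssh/authorized_keys2",
    }
    return {key: settings.get(key, default) for key, default in defaults.items()}


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_CONFIG)
    for key, value in login_relevant(cfg).items():
        print(f"{key:24} {value}")
    print("idle timeout (s):", idle_timeout_seconds(cfg))
    for n in (5, 10, 55, 100):
        p = refusal_probability(cfg["maxstartups"], n)
        print(f"unauthenticated={n:3}: refuse with p={p:.2f}")
```

Run it as-is to see the first-wins effect (PermitRootLogin stays "yes" despite the later "no"), the 600-second idle timeout from the posted ClientAlive values, and the 30% to 100% refusal ramp of "10:30:100". Because the parser stops at a Match block and the posted file has none, every directive it reports applies to all clients regardless of their source address.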
Scott Silva
Network Administrator