troubleshooting Question

ESX server SSH login only works from local lan

Avatar of Alexandre Takacs
Alexandre TakacsFlag for Switzerland asked on
SSH / Telnet SoftwareVMwareLinux Networking
6 Comments2 Solutions19 ViewsLast Modified:
Hello
For some reason I can't seem to SSH into a recently deployed ESX server 7.0u2 when I am not "sitting" on the LAN. Despite having correct user / pass I get "permission denied".

This is my sshd config  - anything obvious ?

# Version 7.0.2.1


# running from inetd
# Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key


# Fips mode restricts ciphers to only FIPS-permitted ciphers
# FipsMode yes


# vPP FCS_SSH_EXT.1.7: rekey after 1GB, 1H (instead of default 4GB for AES)
RekeyLimit 1G, 1H


SyslogFacility auth
LogLevel info


PermitRootLogin yes


PrintMotd yes


TCPKeepAlive yes


# Key algorithms used in SSHv2 handshake
# (ed25519 not allowed by current FIPS module)
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,rsa-sha2-512
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-256,hmac-sha2-512


UsePAM yes
# only use PAM challenge-response (keyboard-interactive)
PasswordAuthentication yes


Banner /etc/issue


Subsystem sftp /usr/lib/vmware/openssh/bin/sftp-server -f LOCAL5 -l INFO


AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys


# Timeout value of 10 mins. The default value of ClientAliveCountMax is 3.
# Hence, we get a  3 * 200 = 600 seconds timeout if the client has been
# unresponsive.
ClientAliveCountMax 3
ClientAliveInterval 200


# sshd(8) will refuse connection attempts with a probability of "rate/100"
# (30%) if there are currently "start" (10) unauthenticated connections.  The
# probability increases linearly and all connection attempts are refused if the
# number of unauthenticated connections reaches "full" (100)
MaxStartups 10:30:100


# ESXi is not a proxy server
AllowTcpForwarding no
AllowStreamLocalForwarding no


# The following settings are all default values. They are repeated
# here to simplify auditing settings (for example, DoD STIG).
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitUserEnvironment no
StrictModes no
Compression no
GatewayPorts no
X11Forwarding no
AcceptEnv
PermitTunnel no


# The following settings are disabled during the OpenSSH build.
# They are commented out to avoid spurious warnings in log files.
#GSSAPIAuthentication no
#KerberosAuthentication no




ASKER CERTIFIED SOLUTION
Scott Silva
Network Administrator

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 2 Answers and 6 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 2 Answers and 6 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros