I'm trying, without success, to get this new server I am building to accept root access through ssh and it just won't open.
[www3 ~]# grep -v "#" /etc/ssh/sshd_config
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
UsePAM yes
X11Forwarding yes
Subsystem sftp /usr/lib/ssh/sftp-server
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
[ruben@flatbush ~]$ ssh -v -l root www3
OpenSSH_7.5p1, OpenSSL 1.1.0f 25 May 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Connecting to www3 [10.0.0.37] port 22.
debug1: Connection established.
debug1: identity file /home/ruben/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ruben/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ruben/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ruben/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ruben/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ruben/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ruben/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ruben/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.5
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.5
debug1: match: OpenSSH_7.5 pat OpenSSH* compat 0x04000000
debug1: Authenticating to www3:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:RGmLAlUbSktwwZ838wOGKz6r+3s/lS9/sAzH7TzbAsg
debug1: Host 'www3' is known and matches the ECDSA host key.
debug1: Found key in /home/ruben/.ssh/known_hosts:16
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/ruben/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/ruben/.ssh/id_dsa
debug1: Trying private key: /home/ruben/.ssh/id_ecdsa
debug1: Trying private key: /home/ruben/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:
Authentication failed.
[ruben@flatbush ~]$
log from the server
==> /var/log/auth.log <==
Oct 5 16:57:05 www3 sshd[26592]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.62 user=root
Oct 5 16:57:05 www3 sshd[26592]: pam_access(sshd:account): login_access: user=root, from=10.0.0.62, file=/etc/security/access.conf
Oct 5 16:57:05 www3 sshd[26592]: pam_access(sshd:account): line 86: + : root : ALL
Oct 5 16:57:05 www3 sshd[26592]: pam_access(sshd:account): list_match: list= root , item=root
Oct 5 16:57:05 www3 sshd[26592]: pam_access(sshd:account): user_match: tok=root, item=root
Oct 5 16:57:05 www3 sshd[26592]: pam_access(sshd:account): string_match: tok=root, item=root
Oct 5 16:57:05 www3 sshd[26592]: pam_access(sshd:account): user_match=1, "root"
Oct 5 16:57:05 www3 sshd[26592]: pam_access(sshd:account): list_match: list= ALL, item=root
Oct 5 16:57:05 www3 sshd[26592]: pam_access(sshd:account): from_match: tok=ALL, item=10.0.0.62
Oct 5 16:57:05 www3 sshd[26592]: pam_access(sshd:account): string_match: tok=ALL, item=10.0.0.62
Oct 5 16:57:05 www3 sshd[26592]: pam_access(sshd:account): from_match=2, "10.0.0.62"
Oct 5 16:57:05 www3 sshd[26590]: fatal: Internal error: PAM auth succeeded when it should have failed
PAM has a cascade of config files which I am trying to debug:
[ruben@www3 pam.d]$ sudo cat sshd
#%PAM-1.0
#auth required pam_securetty.so #disable remote root
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
[ruben@www3 pam.d]$ sudo cat system-remote-login
#%PAM-1.0
auth include system-login
account include system-login
password include system-login
session include system-login
[ruben@www3 pam.d]$ sudo cat system-login
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_tally.so onerr=succeed file=/var/log/faillog
auth required pam_shells.so
auth include system-auth
auth [success=2 default=ok] pam_debug.so auth=perm_denied cred=success
auth [default=reset] pam_debug.so auth=success cred=perm_denied
auth [success=done default=die] pam_debug.so
account required pam_access.so debug
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_loginuid.so
session include system-auth
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so dir=/var/spool/mail standard quiet
-session optional pam_elogind.so
session required pam_env.so
[ruben@www3 pam.d]$ sudo cat system-auth
#%PAM-1.0
auth required pam_unix.so debug try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
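
To debug a cascade like the one posted above, it helps to see the stack sshd ends up with once every include is expanded. The following is an added example, not code from the thread: it flattens the four posted files (embedded as constructed input) and picks out the modules that return a fixed result (pam_debug.so, pam_permit.so); `PAM_D`, `flatten` and `fixed_result_modules` are names made up for this example.

```python
import re

# Constructed input: auth/account lines of the four /etc/pam.d files posted above.
PAM_D = {
    "sshd": "auth include system-remote-login\naccount include system-remote-login",
    "system-remote-login": "auth include system-login\naccount include system-login",
    "system-login": """
auth requisite pam_nologin.so
auth required pam_tally.so onerr=succeed file=/var/log/faillog
auth required pam_shells.so
auth include system-auth
auth [success=2 default=ok] pam_debug.so auth=perm_denied cred=success
auth [default=reset] pam_debug.so auth=success cred=perm_denied
auth [success=done default=die] pam_debug.so
account required pam_access.so debug
account required pam_nologin.so
account include system-auth""",
    "system-auth": """
auth required pam_unix.so debug try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so""",
}
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# Modules whose return code is constant or set by arguments, not by a credential check.
FIXED_RESULT = {"pam_debug.so", "pam_permit.so"}

def flatten(service, group, files=PAM_D, chain=()):
    """Expand include/substack lines; return [(file, control, module, args)]."""
    if service in chain:
        raise ValueError("include loop: " + " -> ".join(chain + (service,)))
    stack = []
    for raw in files[service].splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())  # drop comments
        if not m or m.group(1) != group:
            continue
        control, module, args = m.group(2, 3, 4)
        if control in ("include", "substack"):
            stack += flatten(module, group, files, chain + (service,))
        else:
            stack.append((service, control, module, args))
    return stack

def fixed_result_modules(stack):
    return [entry for entry in stack if entry[2] in FIXED_RESULT]

if __name__ == "__main__":
    print(*fixed_result_modules(flatten("sshd", "auth")), sep="\n")
```

On a live host the same functions can be fed a dict built by reading each file under /etc/pam.d; the listing shows order and origin only and does not evaluate the bracketed jump controls.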
debug1: Offering RSA public key: /home/ruben/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /home/ruben/.ssh/id_dsa
debug1: Trying private key: /home/ruben/.ssh/id_ecdsa
debug1: Trying private key: /home/ruben/.ssh/id_ed25519
debug1: Next authentication method: keyboard-interactive
Password:
Authentication failed.
[ruben@flatbush ~]$
debug1: Sending env LANG = en_GB.UTF-8
Your server does not accept the contents of /home/ruben/.ssh/id_rsa.
If I try and log in as root, which is disallowed, I get the same problem.