Re: Can't log in as anything but root via SSH

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On or about Sun, 2010-01-17 at 16:43, give or take -0600, Yarin wrote:
> Hello all,

> Here I try to log into user "fmain": (with debugging view enabled)
> 
> 
> # ssh 109.107.120.17 -l fmain -v
> OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to 109.107.120.17 [109.107.120.17] port 22.
> debug1: Connection established.
> debug1: identity file /home/yarin/.ssh/identity type -1
> debug1: identity file /home/yarin/.ssh/id_rsa type -1
> debug1: identity file /home/yarin/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
> debug1: match: OpenSSH_4.3 pat OpenSSH_4*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.2
snipped..
> I even tried adding "AllowUsers root fmain" to it, and restarting the SSH Daemon, but was no help.
> 
> From my googling, there are plenty of people with the opposite problem (can log in, just not through root). And I tried everything that the few who seemed to have this same problem had done.
> I've exhausted my searching options and don't know where to go from here. Anyone have any ideas?
> 
> Thanks for any help that you may be able to provide,
> Yarin
> 


Are you sure you're connecting to the correct machine? To prove it,
sudo/su/login-as-root locally (if you can) confirm the hostname, then
touch a file in the /root directory called "this_is_the_CentOS_VPS.0"

Next, when you login "as root over SSH", run ls -ltr and look for that
file - if you don't see it, then maybe you are into the wrong machine :)

eg: 
$ssh root@xxxxxxxxxxxxxx
password:
[login banner and motd stuff here]
#hostname
centos-VPS     <---presumably, if not, read on below*****
# touch this_is_the_CentOS_VPS.0
this produces the foillowing file
#ls -ltr

-rw-r--r--   1 root root    0 2010-01-18 20:04 this_is_the_centos-vps.0

this file proves what machine you are actually SSH-ed into.


If not, read on: 

***** A common SSH gotcha occurs when the machine you are trying to
login to (the CentOS VPS one) is actually behind a firewall (or host
NAT, maybe for virtualization) that serves (and answers instead) SSH on
port 22 ( it answers instead, not knowing who root is - root login
disallowed usually - or who user1@, user2@ is )

What happens is, you attempt to ssh in  with

$ssh user@xxxxxxx

but the machine that replies is the firewall protecting that IP, usually
the perimiter firewall. 
It may, or may not, have a user called "root", and may, or may not,
allow the user root to login via SSH.

With the firewall scenario , the easiest way around this is to do PAT,
portforward TCP port 44422 on the firewall to port 22 at the destination
(internal) IP.
then the ssh client line you require is:

$ ssh user@xxxxxxx -p44422

the f/w NATP translates 44422 to 22 and NATting it to the VPS on it's
internal IP target.

In YOUR case, maybe the virtual host machine is running
linux/BSD/OpenSolaris also? and has SSHd listening on port 22? 
$ ssh root@xxxxxxxxxxxxxxx     = rootlogin disallowed and authentication
bombs out

One way to quickly check this, is to first check the debug output:-

{debugsnip}  debug1: Remote protocol version 2.0, remote software
version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
{/debugsnip}

This tells you that the SSH server (that's actually responding to your
connect request; not necessarily the one you want to connect to)
is running _OpenSSH4.3_. To me, this smells a little old? OpenSSH 4.3
smells very old, in fact, even my old IPCOP boxes in remote locations
are up to v4.7. everything else here is 5.1
Check the VPS machine's SSHd version, if it's not 4.3, then you're
actually connecting to something else accidentally at that IP, usually
the virtualisation host (on it's port 22) or the perimiter firewall at
that site (on port 22)

While SSH does a very, very good job at handling multiple concurrent
connections tunneled to disparate ports and onwards to many consecutive
machines, you have to ensure that your are connecting to the correct
machine to let it do that in the first place.

You see, if the virtualisation host is running SSHd on port 22, it sees
the virtualised guest as a seperate machine, usually behind NAT, not
"behind" the.ho.st.ip:22. The virtual networking (+headache) of the
virtualisation host is what determines what conects to what, maybe
NATed or bridged.

Within one machine, sure,  SSH will sort out many connections and
tunnels to many places (confounding CCNAs/MCSAs that are usually taught
one service=one port. The key word here is "within" It's a "unix-y
thing" you see. sockets/pipes and stuff haha) but that assumes your
connection to the SSH server is on the correct __machine__ in the first
place.
  
So, things to check: is there a firewall or unix/linux/IOS router
answering instead of your intended destination? No? Well, how about the
virtual host machine's SSHd, is that it? I've been there a thousand
times, nested several times deep in it :)

I hope that's all clear :)

The main problem is, after about 20 failed attepts and frustrated edits
of sshd.conf s you get in such a mess with your known_hosts being
populated with inaccurate entries that you mistakenly, said "yes" to.
(You really need to keep careful control of fingerprints or the pretty
pictures they use nowadays).
 The debugging then tends to tell you all is OK, when in fact your
known_hosts are full of certs from perimiter firewalls and in-between
routers. You could compare the fingerprints, but in fact, I find it
easier to touch a file in my home and root's home on each destination
machine, AFTER having confirmed the hostname is correct. Touching a file
also helps subsequent SSHFS/SFTP sessions too, it's easy to get lost
with 20 or 30 open across 10+ virtual desktops.  

### granny-sux-eggs-mode-is-ON. I have replied in full and at length to
#help other people browsing the archives in the future. Future traffic
#offlist unless relevant to all.
###



{caution: my home ISP mail queues (F2S/UK are in total disarray, may be
a day or two before they get straightened out, if ever}

de Gord

--
$whoami;pwd
gord
/home/gord
$./morecoffee.sh


[Index of Archives]     [Open SSH Unix Development]     [Fedora Users]     [Fedora Desktop]     [Yosemite Backpacking]     [KDE Users]     [Gnome Users]

  Powered by Linux