> From: "Yarin" <yarin@xxxxxxxxxxxx>
> To: "ssh securityfocus" <secureshell@xxxxxxxxxxxxxxxxx>
> Date: 01/18/2010 01:53 PM
> Subject: Can't log in as anything but root via SSH
> Sent by: listbounce@xxxxxxxxxxxxxxxxx
>
> Hello all,
>
> I'm trying to get SSH to work with a non-root user in a VPS
> Container running CentOS 5.3. But with no luck.
> I can log in to root with no problem, but no matter which way I try,
> I can't log in to any normal users that I make. When I try to log in
> via SSH, it always fails, and behaves exactly as though I was
> entering the wrong password. (I am entering the right one, though,
> I've made sure of that)
>
> Here I try to log into user "fmain": (with debugging view enabled)
>
>
> # ssh 109.107.120.17 -l fmain -v
> OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to 109.107.120.17 [109.107.120.17] port 22.
> debug1: Connection established.
> debug1: identity file /home/yarin/.ssh/identity type -1
> debug1: identity file /home/yarin/.ssh/id_rsa type -1
> debug1: identity file /home/yarin/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
> debug1: match: OpenSSH_4.3 pat OpenSSH_4*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.2
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host '109.107.120.17' is known and matches the RSA host key.
> debug1: Found key in /home/yarin/.ssh/known_hosts:1
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: Next authentication method: gssapi-with-mic
> debug1: Unspecified GSS failure. Minor code may provide more information
> No credentials cache found
> debug1: Unspecified GSS failure. Minor code may provide more information
> No credentials cache found
> debug1: Unspecified GSS failure. Minor code may provide more information
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/yarin/.ssh/identity
> debug1: Trying private key: /home/yarin/.ssh/id_rsa
> debug1: Trying private key: /home/yarin/.ssh/id_dsa
> debug1: Next authentication method: password
> fmain@xxxxxxxxxxxxxx's password:
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> Permission denied, please try again.
> fmain@xxxxxxxxxxxxxx's password:
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> Permission denied, please try again.
> fmain@xxxxxxxxxxxxxx's password:
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug1: No more authentication methods to try.
> Permission denied (publickey,gssapi-with-mic,password).
>
>
> The debugging comments are all the same when I successfully log in
> to root, except for everything beyond "root@xxxxxxxxxxxxxx's
> password:" of course.
>
> I checked, and all relevant /devs (on the remote machine) have
> 666 privs minimum, so that's not the problem.
>
> The remote machine's /etc/ssh/sshd_config file looks like this:
> (with comment lines stripped)
>
>
> Protocol 2
> SyslogFacility AUTHPRIV
> PasswordAuthentication yes
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM yes
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> X11Forwarding no
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
>
> I even tried adding "AllowUsers root fmain" to it, and restarting
> the SSH Daemon, but it was no help.
>
> From my googling, there are plenty of people with the opposite
> problem (can log in, just not through root). And I tried everything
> that the few who seemed to have this same problem had done.
> I've exhausted my searching options and don't know where to go from
> here. Anyone have any ideas?
>
> Thanks for any help that you may be able to provide,
> Yarin

Yarin,

Did you check the permissions on the users' .ssh directory? The directory should be owned by the user and have permissions 700. The private keys and known_hosts files should be permission 600, while the public keys and authorized_keys should be 644.

Chris
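
The check described in the reply above, as an added example that is not part of the original thread: a small audit of a `.ssh` directory against the owner and modes listed there. The function names are hypothetical, GNU `stat` is assumed (as on CentOS), and the listed modes are treated as upper bounds, so a stricter mode is not reported.

```sh
#!/bin/sh
# Added example (not from the thread): audit a user's .ssh directory against
# the owner and modes given in the reply. Assumes GNU stat (stat -c).
# Usage after sourcing this file: check_ssh_perms /home/fmain/.ssh fmain

# Mode the reply gives for each kind of entry.
expected_mode() {
    if [ -d "$1" ]; then echo 700; return; fi
    case "$(basename "$1")" in
        *.pub|authorized_keys) echo 644 ;;   # public keys, authorized_keys
        *)                     echo 600 ;;   # private keys, known_hosts
    esac
}

# Prints one line per finding; returns 0 when clean, 1 otherwise.
# The body is a subshell, so its variables do not leak into the caller.
check_ssh_perms() (
    dir=$1 owner=$2 problems=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        exit 1
    fi
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        own=$(stat -c '%U' "$f")
        want=$(expected_mode "$f")
        if [ "$own" != "$owner" ]; then
            echo "OWNER $f is owned by $own, expected $owner"
            problems=$((problems + 1))
        fi
        # Assumption: report only permission bits beyond the listed mode.
        if [ $(( 0$mode & ~0$want )) -ne 0 ]; then
            echo "MODE $f is $mode, expected at most $want"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
)
```

Run it as root on the server so that files unreadable to other users can still be inspected.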