ssh password problem

Frode Petersen fropeter at online.no
Tue Aug 21 20:51:18 UTC 2007


Todd Zullinger wrote:
> Frode Petersen wrote:
>> I had ssh set up and working. Then I got passwordless ssh working
>> using rsa public keys.
>>
>> Now, some days later, I can't get ssh to authenticate either way and
>> in either direction. (Same user on both machines.)
>>
>> I'm asked for the password (3 times in sequence), but it is rejected
>> every time. I do enter the password correctly. I log in locally
>> using the same passwords without a problem.
>>
>> Since the password request appears, I'd think that the connection
>> can be established, and that the problem lies within the domain of
>> authentication, but am a bit perplexed as to how to proceed. How can
>> I figure out what the problem is?
> 
> Run ssh on the client with -v (add more -v's as needed).  That is
> often quite helpful.  Also, take a look at /var/log/secure on the
> server side.
> 
> Are you using ssh-agent?  Is your key added to the agent still?
> (ssh-add -l will list the keys ssh-agent is holding for you)

Thank you! A 'tail -f /var/log/secure' showed the reason.
User <user> from <host> not allowed because listed in DenyUsers

In /etc/ssh/sshd.config I have these two lines:
DenyUsers *
AllowGroups <groupname>

(<user> <host> and <groupname> are not used; real names are)

From the openssh manual: <quote>
DenyUsers
      This keyword can be followed by a list of user name patterns,
      separated by spaces.  Login is disallowed for user names that
      match one of the patterns.  Only user names are valid; a numerical
      user ID is not recognized.  By default, login is allowed for
      all users.  If the pattern takes the form USER@HOST then USER and
      HOST are separately checked, restricting logins to particular
      users from particular hosts.  The allow/deny directives are
      processed in the following order: DenyUsers, AllowUsers, DenyGroups,
      and finally AllowGroups.

AllowGroups
      This keyword can be followed by a list of group name patterns,
      separated by spaces.  If specified, login is allowed only for
      users whose primary group or supplementary group list matches one
      of the patterns.  Only group names are valid; a numerical group
      ID is not recognized.  By default, login is allowed for all
      groups.  The allow/deny directives are processed in the following
      order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.

<end quote>

I understood the above text, specifically about the order, to mean that 
if I added the two lines in the config file, I would
1. Close for all connections from users.
2. Reopen for connections from users in that group.

Obviously, I was mistaken about the logic here.

As to why it worked the first time? Maybe I forgot to restart sshd, I 
don't know.

If I try to achieve what I intended, how should I use the Deny* and 
Allow* entries in sshd.config? Would using only the AllowGroups line 
automatically disable connections from users not belonging to that group?

Again, thanks!

Frode
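The evaluation order quoted from the manual above, modelled as an added example (my own Python, not OpenSSH's code): every stage can only reject, so `DenyUsers *` refuses the login before `AllowGroups` is ever consulted, whereas `AllowGroups` on its own already excludes users outside the listed group. The user, group and host names are constructed.

```python
import re


def _glob_match(name, pattern):
    """sshd-style pattern: '*' matches any run of characters, '?' exactly one.
    Re-implemented from the documented behaviour, not taken from OpenSSH."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name) is not None


def _user_match(user, host, pattern):
    """A USER@HOST pattern checks user and host separately; a bare pattern
    checks only the user name, from any host."""
    if "@" in pattern:
        upat, hpat = pattern.split("@", 1)
        return _glob_match(user, upat) and _glob_match(host, hpat)
    return _glob_match(user, pattern)


def sshd_allows(user, groups, host="", deny_users=(), allow_users=(),
                deny_groups=(), allow_groups=()):
    """Model of the documented order: DenyUsers, AllowUsers, DenyGroups,
    AllowGroups.  Returns (allowed, stage) so the rejecting stage is visible,
    which is what the 'not allowed because listed in DenyUsers' log line shows."""
    if any(_user_match(user, host, p) for p in deny_users):
        return False, "DenyUsers"
    if allow_users and not any(_user_match(user, host, p) for p in allow_users):
        return False, "AllowUsers"
    if any(_glob_match(g, p) for g in groups for p in deny_groups):
        return False, "DenyGroups"
    if allow_groups and not any(_glob_match(g, p) for g in groups for p in allow_groups):
        return False, "AllowGroups"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample: 'frode' is in the ssh group, 'guest' is not.
    broken = dict(deny_users=["*"], allow_groups=["sshusers"])  # the posted config
    fixed = dict(allow_groups=["sshusers"])                     # AllowGroups alone
    print(sshd_allows("frode", ["frode", "sshusers"], **broken))  # (False, 'DenyUsers')
    print(sshd_allows("frode", ["frode", "sshusers"], **fixed))   # (True, 'allowed')
    print(sshd_allows("guest", ["guest"], **fixed))               # (False, 'AllowGroups')
```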
