Two parts: first, turn up debugging on your ssh server. Edit /etc/ssh/sshd_config and increase LogLevel to DEBUG. Then force your ssh server to reload its config with kill -HUP <sshd pid>.
That will cause the server to add much more detail to your /var/log/secure and/or /var/log/auth logfiles.
Secondly (actually you can try this first), increase the debug level on the client side. ssh in to the box with
$ ssh -vvv hostname
and that will print out lots more info about where the process is failing.
If you do turn up the debug level on your ssh server, don't forget to turn it back down when you are finished.
Don't use a password. Generate a passphrase-less SSH key and push it to your VM.
If you already have an SSH key, you can skip this step…
Just hit Enter for the key and both passphrases:
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
Copy your keys to the target server:
$ ssh-copy-id id@server
id@server's password:
Now try logging into the machine, with ssh 'id@server', and check in:
.ssh/authorized_keys
to make sure we haven’t added extra keys that you weren’t expecting.
Note: If you don't have .ssh dir and authorized_keys file, you need to create it first.
Finally, check to log in…
$ ssh id@server
id@server:~$
You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.
Best Answer
From what I gather you want to permit passwords from some users, but not others?
You could set up a Match block. So your config might look something like below. Since you mentioned these password-based transactions are happening from drupal, perhaps you could whitelist based on the host address?
Match address 127.0.0.1/32
You should even be able to combine the criteria, and say only a specific account from a specific address can do password authentication.
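A configuration along the lines this answer describes, as an added example that is not part of the original answer: password authentication is off globally and re-enabled only for one account connecting from one address. The account name drupalsvc is hypothetical; 127.0.0.1/32 is the address used in the answer.

```conf
# /etc/ssh/sshd_config (added example; the account name "drupalsvc" is hypothetical)

# Global section: key-based logins only, for every account and every source.
PubkeyAuthentication yes
PasswordAuthentication no
# With PAM enabled, keyboard-interactive can still present a password prompt,
# so turn it off as well (older releases name this ChallengeResponseAuthentication).
KbdInteractiveAuthentication no

# Broad form, address only: ANY account connecting from loopback
# may authenticate with a password. Left commented out for comparison.
#Match Address 127.0.0.1/32
#    PasswordAuthentication yes

# Narrow form, criteria combined: every criterion on the Match line must be
# satisfied, so only this one account, and only from loopback, gets passwords.
Match User drupalsvc Address 127.0.0.1/32
    PasswordAuthentication yes

# A Match block runs until the next Match line or the end of the file, so keep
# Match blocks last: a "global" keyword placed below this point would silently
# become part of the block above.

# Check the syntax, then ask sshd what it would apply to a given connection:
#   sshd -t
#   sshd -T -C user=drupalsvc,host=localhost,addr=127.0.0.1 | grep -i passwordauthentication
#   sshd -T -C user=root,host=localhost,addr=127.0.0.1 | grep -i passwordauthentication
# The first query should report "passwordauthentication yes", the second "no".
```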