Having problems getting a simple SSH connection to even localhost on my Ubuntu 15.10. Server was set up many months ago and was able to create access for SSH with keys, but cannot duplicate that remote access for a new user. I can access with PuTTY from my original user, but even that user can't access via localhost.
For toubleshooting, I tried to simply access via localhost and bare password, hopefully minimizing the variables that can be wrong – if there is a better test, let me know.
I have fail2ban and firewall, but since I can access the server remotely with the original account, I wouldn't immediately suspect these are the problem. Still, firewall rules are output below.
Here are the steps I followed and some more data:
create new user & set password
sudo useradd teachers -m -s /bin/bash;
sudo passwd teachers;
config SSH (/etc/ssh/sshd_config) for basic access for testing
AllowUsers teachers
PasswordAuthentication yes
LogLevel VERBOSE
There are no SSH keys yet at this point, since I'm just trying to get password access.
Here is the output from my attempt at the command line:
~$ ssh -v localhost
OpenSSH_6.9p1 Ubuntu-2ubuntu0.1, OpenSSL 1.0.2d 9 Jul 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: SELinux support disabled
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/teachers/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.9p1 Ubuntu-2ubuntu0.1
debug1: match: OpenSSH_6.9p1 Ubuntu-2ubuntu0.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'teachers'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client chacha20-poly1305@openssh.com <implicit> none
debug1: kex: client->server chacha20-poly1305@openssh.com <implicit> none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:AS0MYlPqe9JOcx5ygQN9jIN2jdDV850oCSCmtp+cy2w
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:AS0MYlPqe9JOcx5ygQN9jIN2jdDV850oCSCmtp+cy2w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
################################################################################
# This is a restricted system.... #
################################################################################
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/teachers/.ssh/id_rsa
debug1: Trying private key: /home/teachers/.ssh/id_dsa
debug1: Trying private key: /home/teachers/.ssh/id_ecdsa
debug1: Trying private key: /home/teachers/.ssh/id_ed25519
debug1: Next authentication method: password
teachers@localhost's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
teachers@localhost's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
teachers@localhost's password:
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).
Here is the auth.log from my attempted access:
Apr 19 05:41:52 lists sshd[27165]: Set /proc/self/oom_score_adj to 0
Apr 19 05:41:52 lists sshd[27165]: Connection from 127.0.0.1 port 45192 on 127.0.0.1 port 22
Apr 19 05:42:03 lists sshd[27165]: PAM (sshd) illegal module type: umask
Apr 19 05:42:03 lists sshd[27165]: PAM pam_parse: expecting return value; [...002]
Apr 19 05:42:03 lists sshd[27165]: PAM (sshd) no module name supplied
Apr 19 05:42:13 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
Apr 19 05:42:20 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
Apr 19 05:42:27 lists sshd[27165]: Failed password for teachers from 127.0.0.1 port 45192 ssh2
Apr 19 05:42:27 lists sshd[27165]: Connection closed by 127.0.0.1 [preauth]
Here is the output of my iptables:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 222.0.0.0/8 anywhere tcp dpt:ssh
fail2ban-dovecot tcp -- anywhere anywhere multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix tcp -- anywhere anywhere multiport dports smtp,urd,submission
fail2ban-sasl tcp -- anywhere anywhere multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
DROP tcp -- 222.186.34.202 anywhere tcp dpt:ssh
fail2ban-dovecot tcp -- anywhere anywhere multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-postfix tcp -- anywhere anywhere multiport dports smtp,urd,submission
fail2ban-sasl tcp -- anywhere anywhere multiport dports smtp,urd,submission,imap2,imap3,imaps,pop3,pop3s
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:2812
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-dovecot (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain fail2ban-postfix (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain fail2ban-sasl (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain fail2ban-ssh (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
And I believe this demonstrates port 22 should be available:
$ nc -z -v -w 5 localhost 22
Connection to localhost 22 port [tcp/ssh] succeeded!
EDIT: including sshd config:
$ cat /etc/ssh/sshd_config
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel VERBOSE
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin yes
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
AllowUsers listman teachers
Only file in /etc/pam.d/ is/etc/pam.d/sshd:
$ cat /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
umask 002
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
What am I missing here?
Best Answer
The line
is not a valid PAM configuration on it's own. Remove it.
To set the umask for ssh sessions see this Serverfault thread:
How to setup ssh's umask for all type of connections