Unable to ssh OL 7.8 login

ndchung

Hi all people

I'm having a problem: I can't ssh login to the server, it fails with the "Permission denied" error, and I also can't log in to the web interface even though the user/pass is correct. Below are the steps I took to investigate, but I could not fix it:
- Access server rescue mode with user/password root ok.

- add in /etc/sshd_config : PermitRootLogin yes

- Successfully created user test but cannot log in with the test user's password, same error as on root, non-root user

- check pam_tally2 no ssh login failed warning

Because reinstalling the server will be very complicated, if anyone has a plan to check or handle this error, please let me know, thank you very much.
 


any service files when edited require service restart to take effect, did you do this?


Indicates connection error probably caused by firewall.
in rescue mode firewall might be off and that's why it works.

Which firewall do you use?
any service files when edited require service restart to take effect, did you do this? --> yes, I restarted the server but nothing changed
I understand what you mean, we have also checked this for other servers in the same locality and it's okay. Connections are made in a local network, connecting directly from the switch to the server
 
can you ping the server IP and does it respond?

If not, can you ping the switch IP and does it respond?

otherwise if server responds with ICMP, please install hping3 to test TCP syn test as follows (I assume your host is debian based)

Bash:
# install the tool
sudo apt install hping3


# perform test against the server SSH port (replace IP with your server IP below)
sudo hping3 -p 22 -S 172.34.55.1

Does the hping3 command get a response?
 
Yes, I can, everything is normal. My server runs Oracle Linux 7.8.
 
Then we can conclude firewall is not interfering with connection and connectivity works, so the error must be somewhere either in your /etc/sshd_config on the server or in ssh_config on your local host.

It would be useful if you can post contents of that file from the server if possible?
And also if there is ssh_config file on local host post its contents too.
 
This is the sshd_config configuration. Since I couldn't access via ssh, I had to use iLO and take a screenshot
1.PNG
2.PNG
3.PNG
4.PNG
 
OK, there are several things you need to check on your server.

AuthorizedKeysFile which is .ssh/authorized_keys file should contain public key of your local host from which you connect to server, if the file is empty or if it contains public key not from the host from which you connect to server it will not work.

Password authentication should be turned off:
PasswordAuthentication no

You have UsePAM enabled therefore ChallengeResponseAuthentication should be set to yes

~/.ssh/authorized_keys on the server should be chmoded to 600, to ensure that run:
sudo chmod 600 ~/.ssh/authorized_keys
And ~/.ssh set to 700 so run sudo chmod 700 ~/.ssh

After these steps are done on the server next step is to make sure your localhost from which you connect is using proper public key to connect, the one which is set in .ssh/authorized_keys on the server!

To verify this on local host run:

List added keys to ssh-agent

Bash:
# Lists fingerprints of all identities
ssh-add -l

# Lists public key parameters of all identities
ssh-add -L

The above is for informational purposes to verify correct key is set, once you verify the correct one is there copy it to clipboard depending on graphical sessions you use:

Copy public SSH key to clipboard

NOTE:
replace public_key.pub with actual file name (public key)
Bash:
# X11
xclip -selection clipboard < ~/.ssh/public_key.pub

# Wayland
wl-copy < ~/.ssh/public_key.pub

If you don't have these tools installed, install them with sudo apt install wl-clipboard xclip

Once the key is copied to clipboard with which you wish to connect to server, that clipboard contents (public key) needs to be pasted into .ssh/authorized_keys file on the server if it's not already there.

Then restart ssh server service on the server and try to ssh into it from host machine (replace IP with server IP):
ssh [email protected]
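
The server-side checks listed in the post above (700 on ~/.ssh, 600 on authorized_keys, and the connecting host's public key present in that file), written as a script. This is an added example and not part of the original post; the function names check_ssh_dir and key_is_authorized are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: audits the checks from the post above. Function names are hypothetical.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_ssh_dir HOME_DIR
# Returns 0 only if HOME_DIR/.ssh is 700 and authorized_keys is 600.
check_ssh_dir() {
    ssh_dir="$1/.ssh"
    ak_file="$ssh_dir/authorized_keys"
    rc=0
    [ -d "$ssh_dir" ] || { echo "missing directory: $ssh_dir"; return 2; }
    [ -f "$ak_file" ] || { echo "missing file: $ak_file"; return 2; }
    [ "$(mode_of "$ssh_dir")" = 700 ] ||
        { echo "$ssh_dir is $(mode_of "$ssh_dir"), want 700"; rc=1; }
    [ "$(mode_of "$ak_file")" = 600 ] ||
        { echo "$ak_file is $(mode_of "$ak_file"), want 600"; rc=1; }
    return "$rc"
}

# key_is_authorized PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Returns 0 if the key type and base64 blob from PUBKEY_FILE appear as two
# consecutive fields on a non-comment line. Comparing whole fields ignores the
# trailing comment, tolerates leading options (from=..., command=...), and
# avoids the false match a substring grep gives on a truncated blob.
key_is_authorized() {
    key_type="" key_blob=""
    read -r key_type key_blob _rest < "$1" || true
    [ -n "$key_type" ] && [ -n "$key_blob" ] || return 2
    awk -v t="$key_type" -v b="$key_blob" '
        /^[ \t]*#/ { next }
        { for (i = 1; i < NF; i++)
              if ($i == t && $(i + 1) == b) { found = 1; exit } }
        END { exit (found ? 0 : 1) }' "$2"
}

# Usage: script.sh ~/.ssh/id_ed25519.pub   (run as the login user on the server)
if [ "$#" -ge 1 ]; then
    if check_ssh_dir "$HOME" && key_is_authorized "$1" "$HOME/.ssh/authorized_keys"; then
        echo "OK: modes are correct and the key is listed"
    else
        echo "FAIL: fix the findings above or add the key to authorized_keys"
    fi
fi
```

Run it on the server as the account you log in with, passing a copy of the public key file from the connecting host.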
 
I understand your idea is to use a key for SSH authentication, right?
 
Btw

Yes, you need an SSH key set up on your local system from which you wish to connect to server, do you have one set up?
If not I'll give you procedure to make one.
I haven't tried that yet, but I would like to know the cause of the current error and how to troubleshoot it. I noticed that all configurations appear to be normal.
 
Sorry I can't help with password authentication, I always do it with SSH keys for security reasons and the procedure is already known to me unlike other methods.
 
