Home » 2010 » January » 29 » Can't log in as anything but root via SSH
5:21 AM
Can't log in as anything but root via SSH
Are you sure you're connecting to the correct machine? To prove it,
sudo/su/login-as-root locally (if you can) confirm the hostname, then
touch a file in the /root directory called "this_is_the_CentOS_VPS.0"

Next, when you login "as root over SSH", run ls -ltr and look for that
file - if you don't see it, then maybe you are into the wrong machine :)

$ssh root@
[login banner and motd stuff here]
centos-VPS     <---presumably, if not, read on below*****
# touch this_is_the_CentOS_VPS.0
this produces the foillowing file
#ls -ltr

-rw-r--r--   1 root root    0 2010-01-18 20:04 this_is_the_centos-vps.0

this file proves what machine you are actually SSH-ed into.

If not, read on:

***** A common SSH gotcha occurs when the machine you are trying to
login to (the CentOS VPS one) is actually behind a firewall (or host
NAT, maybe for virtualization) that serves (and answers instead) SSH on
port 22 ( it answers instead, not knowing who root is - root login
disallowed usually - or who user1@, user2@ is )

What happens is, you attempt to ssh in  with

$ssh user@y.y.y.y

but the machine that replies is the firewall protecting that IP, usually
the perimiter firewall.
It may, or may not, have a user called "root", and may, or may not,
allow the user root to login via SSH.

With the firewall scenario , the easiest way around this is to do PAT,
portforward TCP port 44422 on the firewall to port 22 at the destination
(internal) IP.
then the ssh client line you require is:

$ ssh user@y.y.y.y -p44422

the f/w NATP translates 44422 to 22 and NATting it to the VPS on it's
internal IP target.

In YOUR case, maybe the virtual host machine is running
linux/BSD/OpenSolaris also? and has SSHd listening on port 22?
$ ssh root@wro.ng.mac.hine     = rootlogin disallowed and authentication
bombs out

One way to quickly check this, is to first check the debug output:-

{debugsnip}  debug1: Remote protocol version 2.0, remote software
version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*

This tells you that the SSH server (that's actually responding to your
connect request; not necessarily the one you want to connect to)
is running _OpenSSH4.3_. To me, this smells a little old? OpenSSH 4.3
smells very old, in fact, even my old IPCOP boxes in remote locations
are up to v4.7. everything else here is 5.1
Check the VPS machine's SSHd version, if it's not 4.3, then you're
actually connecting to something else accidentally at that IP, usually
the virtualisation host (on it's port 22) or the perimiter firewall at
that site (on port 22)

While SSH does a very, very good job at handling multiple concurrent
connections tunneled to disparate ports and onwards to many consecutive
machines, you have to ensure that your are connecting to the correct
machine to let it do that in the first place.

You see, if the virtualisation host is running SSHd on port 22, it sees
the virtualised guest as a seperate machine, usually behind NAT, not
"behind" the.ho.st.ip:22. The virtual networking (+headache) of the
virtualisation host is what determines what conects to what, maybe
NATed or bridged.

Within one machine, sure,  SSH will sort out many connections and
tunnels to many places (confounding CCNAs/MCSAs that are usually taught
one service=one port. The key word here is "within" It's a "unix-y
thing" you see. sockets/pipes and stuff haha) but that assumes your
connection to the SSH server is on the correct __machine__ in the first

So, things to check: is there a firewall or unix/linux/IOS router
answering instead of your intended destination? No? Well, how about the
virtual host machine's SSHd, is that it? I've been there a thousand
times, nested several times deep in it :)

I hope that's all clear :)

The main problem is, after about 20 failed attepts and frustrated edits
of sshd.conf s you get in such a mess with your known_hosts being
populated with inaccurate entries that you mistakenly, said "yes" to.
(You really need to keep careful control of fingerprints or the pretty
pictures they use nowadays).
 The debugging then tends to tell you all is OK, when in fact your
known_hosts are full of certs from perimiter firewalls and in-between
routers. You could compare the fingerprints, but in fact, I find it
easier to touch a file in my home and root's home on each destination
machine, AFTER having confirmed the hostname is correct. Touching a file
also helps subsequent SSHFS/SFTP sessions too, it's easy to get lost
with 20 or 30 open across 10+ virtual desktops.

### granny-sux-eggs-mode-is-ON. I have replied in full and at length to
#help other people browsing the archives in the future. Future traffic
#offlist unless relevant to all.

{caution: my home ISP mail queues (F2S/UK are in total disarray, may be
a day or two before they get straightened out, if ever}

de Gord

Views: 469 | Added by: b1zz4rd | Rating: 0.0/0
Total comments: 0
Name *:
Email *:
Code *: