ssh: can't log in

C1ivey · #1 23rd April 2007, 08:48 PM

I am not able to log in to my computer with ssh, either from a different computer or from the same one. When I try to login locally I am asked for my password but when I enter the same password I always use I get:

Permission denied, please try again.

If I try to login from a remote computer I do not even get asked for my password and I just get:

ssh: connect to host 81.158.159.199 port 22: Connection refused

I have forwarded port 22 to my machine, and I have

ALL : 192.168 LOCAL : ALLOW

in my /etc/hosts.allow file. Can anyone tell me what else I need to do?

paul matthijsse · #2 23rd April 2007, 09:33 PM

Hi, I've got some problems with ssh like you described as well. Here it"s most of the time solved by logging in a couple of times (2 or 3 times; that's why it says "try again"!). Still have to find out why this happens, but I am afraid I prefer the lazy route... :-)

Cheers, Paul.

opasveer · #3 24th April 2007, 07:48 AM

Have you tried adding the following line to your /etc/ssh/sshd_config:
AllowUsers <username>

Other than that, your IP is 81.158.159.199 and you allow 192.168
The 192.168 is a local range and connecting from a remote system your IP adress will be other than 192.168

Do you mean conecting from a 2nd local machine? In that case try connecting to the local address rather than the public 81.158.159.199 address.

C1ivey · #4 24th April 2007, 11:18 AM

Thx for the replies.

I see that I must have to allow more than 192.168 if I want to connect remotely, but I am still confused as to why my password gets refused when I try to login locally.
Will see if editing /etc/ssh/sshd_config works when I get home.

C1ivey · #5 25th April 2007, 11:34 AM

Tried adding AllowUsers followed by my username to /etc/ssh/sshd_config but I'm still having problems.
Now I always get

ssh: connect to host 81.158.159.199 port 22: Connection refused

whether I try to connect remotely using my external IP or locally using the local IP. Is it possible that this is a problem with my ISP?

opasveer · #6 25th April 2007, 11:45 AM

Do you try to connect from your local IP to your external IP?
If so, this is not possible for most of the ISP's.

Connecting from 192.168.x.x to 192.168.x.x should be possible.

Just a thought, is port 22 open in your iptables configuration? (as root start system-config-securitylevel)
This could be the reason that remote access is not permited.

For the local part, check your sshd_config and see if you accept password login
# Authentication:
PasswordAuthentication no -> in your case this should be 'yes'

C1ivey · #7 26th April 2007, 08:56 AM

PasswordAuthentication is set to yes in sshd_config.
I have port 22 open also. I have port 22 forwarded from my router to this terminal.
I should be able to cnonect locally even if my ISP blocks this port shouldn't I?

opasveer · #8 26th April 2007, 03:05 PM

please post the output of
ssh -v -v -v <hostname> (yes, three times -v i.e. debug level3)

This shows a lot of status messages during the connection and authentication.

C1ivey · #9 26th April 2007, 05:33 PM

cb@0[~]$ ssh -v -v -v 192.168.1.137
OpenSSH_4.2p1 Debian-7ubuntu3.1, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.137 [192.168.1.137] port 22.
debug1: connect to address 192.168.1.137 port 22: Connection refused
ssh: connect to host 192.168.1.137 port 22: Connection refused

opasveer · #10 26th April 2007, 06:50 PM

Defenitly looks like a firewall issue.

Other than that, when connecting to a remote server, be sure to add the username (in your statement above, you try to connect as 'cb'

What happens if you connect from your server to your server using the -v -v -v option?

C1ivey · #11 27th April 2007, 12:47 AM

I think I was trying to connect from server to my server. The local IP of my Desktop at home is 192.168.1.137. The firewall I am using is firestarter and I get the same message if I turn the firewall off.

stanjam · #12 27th April 2007, 02:49 AM

I would need to see your configuration file to debug more (sshd_config). Can you post it? Also are you running denyhost (you should if you don't).

C1ivey · #13 27th April 2007, 08:44 AM

# $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $

# This sshd was compiled with PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog no
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

#RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

# To change Kerberos options
# NB: Debian's ssh ships without Kerberos Support
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

#CheckMail yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes

AllowUsers cb

C1ivey · #14 27th April 2007, 08:45 AM

I'm not sure if I am running denyhost. How would I find out?

opasveer · #15 27th April 2007, 11:48 AM

ps -ef | grep denyhosts

If you do, this should be the result:
root 25016 1 0 11:48 ? 00:00:00 python /usr/bin/denyhosts.py --daemon --config=/etc/denyhosts.conf
root 25041 16399 0 12:46 pts/1 00:00:00 grep deny

denyhosts checks your log files for failed login attempts. After 3 attempts the ip is banned from your system by entering in in the /etc/hosts.deny file.
Check your /etc/hosts.deny file to see if your ip (192.168.1.137) is listed.
If so, remove it, save the file and try to connect again.