Access denied - SSH login

AdamF

I have a new FreePBX box that I setup SSH access for, and I cannot login. I'm attempting to login with a password, on another port, and I keep receiving access denied messages. I went through the same process as I always do for enabling SSH connectivity. Either something is wrong that I've never run into before, or I'm just having a brain fail this morning.

Added a user

useradd user1
passwd user1

Added user to wheel group

gpasswd -a user1 wheel

Edited the /etc/ssh/sshd_config file and:
Changed the port number
Added AllowGroups wheel
Changed PermitRootLogin to no.

Restarted the SSH service

Tail of secure says:

Failed password for user1 from xxx.xxx.xxx.xxx port 52293 ssh

What am I missing?

JaredBusch

@fuznutz04 said in Access denied - SSH login:

I have a new FreePBX box that I setup SSH access for, and I cannot login. I'm attempting to login with a password, on another port, and I keep receiving access denied messages. I went through the same process as I always do for enabling SSH connectivity. Either something is wrong that I've never run into before, or I'm just having a brain fail this morning.

Added a user

useradd user1
passwd user1

Added user to wheel group

gpasswd -a user1 wheel

Edited the /etc/ssh/sshd_config file and:
Changed the port number
Added AllowGroups wheel
Changed PermitRootLogin to no.

Restarted the SSH service

Tail of secure says:

Failed password for user1 from xxx.xxx.xxx.xxx port 52293 ssh

What am I missing?

Reset the password for the user account again?

AdamF

@JaredBusch Yep, and I also created another user just to be sure. No dice. Also restarted the entire server for good measure.

JaredBusch

@fuznutz04 said in Access denied - SSH login:

@JaredBusch Yep, and I also created another user just to be sure. No dice. Also restarted the entire server for good measure.

Reenable root login via SSH and see if that works on the new port setup.

AdamF

Nope, Permission denied after allowing root, changing root's password, and restarting ssh

RamblingBiped

Up the verbosity when you connect and see if it provides any additional clues.

ssh -vvv user@host

AdamF

After entering password:

debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.

RamblingBiped

Have you tried stopping Fail2Ban? Anything strange showing up in your Fail2Ban logs?

RamblingBiped

This will show your Fail2Ban jails and display whether your IP blacklisted.

sudo iptables -L -n

AdamF

Nothing is blacklisted. In fact, in both Fail2Ban as well as the Responsive firewall in firewall, the IP I'm trying to connect from is whitelisted/in the trusted zone.

For good measure, I stopped Fail2Ban, and still receive the same messages.

RamblingBiped

<sarcasm>
Are you certain CAPS-LOCK isn't on?
</sarcasm>

RamblingBiped

Are you monitoring the /var/log/secure file as you are trying to connect? Have you tried connecting to the freepbx IP instead of hostname?

AdamF

Just tried, and it says Failed password for invalid user root from IP port xxxxx ssh2

RamblingBiped

"invalid user root"

What does your sshd_config file look like? Is root allowed? Have you restarted the ssh server since you made the last changes to the config file?

AdamF

@RamblingBiped said in Access denied - SSH login:

"invalid user root"

What does your sshd_config file look like? Is root allowed? Have you restarted the ssh server since you made the last changes to the config file?

Yes, service is restarted. The only changes to the stock sshd_config flle is:

PermitRootLogin yes
AllowGroups wheel
Port xxxx
AddressFamily inet

Alex Sage

Firewall?

scottalanmiller

Test the login from the box itself using the loopback 127.0.0.1

AdamF

@scottalanmiller said in Access denied - SSH login:

Test the login from the box itself using the loopback 127.0.0.1

No go. Permission denied, using the same password that I just logged in with.

scottalanmiller

@fuznutz04 said in Access denied - SSH login:

@scottalanmiller said in Access denied - SSH login:

Test the login from the box itself using the loopback 127.0.0.1

No go. Permission denied, using the same password that I just logged in with.

Okay, so you can rule out networking, both firewalls, etc. It's all down to SSH configuration at this point.

AdamF

@scottalanmiller said in Access denied - SSH login:

@fuznutz04 said in Access denied - SSH login:

@scottalanmiller said in Access denied - SSH login:

Test the login from the box itself using the loopback 127.0.0.1

No go. Permission denied, using the same password that I just logged in with.

Okay, so you can rule out networking, both firewalls, etc. It's all down to SSH configuration at this point.

Thanks for the tip. That definitely narrowed it down. So after playing with the config file for a while, I concluded that the problem is the line:

AllowGroups wheel

If I comment that out, it works perfect. if it's uncommented, it doesn't allow access, even to root.

(looks up and to the right while squinting eyes, confused...)