From: Philipp Reichmuth
Date: Fri, 22 Feb 2002 18:36:15 +0100
To: questions@freebsd.org
Subject: sshd: not allowed to connect
Message-ID: <5910885041.20020222183615@web.de>

Hello questions-folks,

I've got a problem getting users to connect to sshd on my gateway
(running 4.5-stable,
"FreeBSD moria.wg 4.5-STABLE FreeBSD 4.5-STABLE #0: Thu Feb 14 09:16:22 CET 2002 admin@moria.wg:/usr/obj/usr/src/sys/MORIA.586 i386"
to be precise).

For example, I've got the user "drow" with the following data:

-------------- passwd entry ---------------
tibi:*:1000:1000:Name:/home/tibi:/usr/local/bin/bash
drow:*:1001:1000:Name:/home/drow:/usr/local/bin/bash
-------------- group entries --------------
network:*:69:root,drow,tibi,...
staff:*:1000:root
netstuff:*:1001:drow
-------------------------------------------

I remember having some trouble back when upgrading from 4.2 to
4.4-STABLE, at first due to PAM, then due to drow being in the wheel
group, which apparently constituted enough of a danger for sshd to lock
drow out. After removing drow from wheel, administering the system got
a bit more tedious of course because drow could su no more, but it
worked.

Now all of a sudden drow's connections get refused for no apparent
reason. Yesterday, for example, things worked like this:

--------------- sshd log -----------------
Feb 21 15:39:32 moria sshd[249]: Accepted password for drow from 192.168.0.23 port 1112 ssh2
Feb 21 15:47:12 moria sshd[249]: Received disconnect from 192.168.0.23: 11: Disconnect requested by Windows SSH Client.
------------------------------------------

Today, however, after no changes to the system configuration, I get:

--------------- sshd log -----------------
Feb 22 17:43:24 moria sshd[13077]: Denied connection for drow from dojo.wg [192.168.0.23].
Feb 22 17:43:24 moria sshd[13077]: Disconnecting: Sorry, you are not allowed to connect.
------------------------------------------

The interesting thing is that drow's connections get refused, while
tibi's don't. The only difference between the two accounts is that drow
is in an extra group for historic reasons. He has been there for quite
some time, however.

This is my sshd config file, for the sake of completeness:

--------------- sshd config --------------
Port 22
Protocol 2,1
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 120
KeyRegenerationInterval 3600
PermitRootLogin no
MaxStartups 10:30:60
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
Subsystem sftp /usr/libexec/sftp-server
------------------------------------------

Sorry for the gargantuan mail, but I've got no clue what's going on
here.

Philipp
___________________
Having been erased, / The document you're seeking / Must now be retyped