<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">I didn't check the old passwd file
closely enough: that "extra" line was in the old passwd file from
a time when ssh was working, but was much higher up in the file
and I missed it on my previous brief look. So it obviously is not
(part of) the problem.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Cheers.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Joe Aquilina</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 18/12/19 12:04 pm, Joe Aquilina
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:a21710df-727c-83d1-4c50-f784487c4410@chem.com.au">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div class="moz-cite-prefix">Chris</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Here is the sshd_config file on the
server:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">$ cat /etc/ssh/sshd_config <br>
<tt># $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj
Exp $</tt><tt><br>
</tt><tt><br>
</tt><tt># This is the sshd server system-wide configuration
file. See</tt><tt><br>
</tt><tt># sshd_config(5) for more information.</tt><tt><br>
</tt><tt><br>
</tt><tt># This sshd was compiled with
PATH=/usr/bin:/bin:/usr/sbin:/sbin</tt><tt><br>
</tt><tt><br>
</tt><tt># The strategy used for options in the default
sshd_config shipped with</tt><tt><br>
</tt><tt># OpenSSH is to specify options with their default
value where</tt><tt><br>
</tt><tt># possible, but leave them commented. Uncommented
options override the</tt><tt><br>
</tt><tt># default value.</tt><tt><br>
</tt><tt><br>
</tt><tt>Port 22</tt><tt><br>
</tt><tt>#AddressFamily any</tt><tt><br>
</tt><tt>#ListenAddress 0.0.0.0</tt><tt><br>
</tt><tt>#ListenAddress ::</tt><tt><br>
</tt><tt><br>
</tt><tt>#HostKey /etc/ssh/ssh_host_rsa_key</tt><tt><br>
</tt><tt>#HostKey /etc/ssh/ssh_host_ecdsa_key</tt><tt><br>
</tt><tt>#HostKey /etc/ssh/ssh_host_ed25519_key</tt><tt><br>
</tt><tt><br>
</tt><tt># Ciphers and keying</tt><tt><br>
</tt><tt>#RekeyLimit default none</tt><tt><br>
</tt><tt><br>
</tt><tt># Logging</tt><tt><br>
</tt><tt>#SyslogFacility AUTH</tt><tt><br>
</tt><tt>#LogLevel INFO</tt><tt><br>
</tt><tt><br>
</tt><tt># Authentication:</tt><tt><br>
</tt><tt><br>
</tt><tt>#LoginGraceTime 2m</tt><tt><br>
</tt><tt>#PermitRootLogin prohibit-password</tt><tt><br>
</tt><tt>AllowUsers joe</tt><tt><br>
</tt><tt>#StrictModes yes</tt><tt><br>
</tt><tt>#MaxAuthTries 6</tt><tt><br>
</tt><tt>#MaxSessions 10</tt><tt><br>
</tt><tt><br>
</tt><tt>#PubkeyAuthentication yes</tt><tt><br>
</tt><tt><br>
</tt><tt># Expect .ssh/authorized_keys2 to be disregarded by
default in future.</tt><tt><br>
</tt><tt>#AuthorizedKeysFile .ssh/authorized_keys
.ssh/authorized_keys2</tt><tt><br>
</tt><tt><br>
</tt><tt>#AuthorizedPrincipalsFile none</tt><tt><br>
</tt><tt><br>
</tt><tt>#AuthorizedKeysCommand none</tt><tt><br>
</tt><tt>#AuthorizedKeysCommandUser nobody</tt><tt><br>
</tt><tt><br>
</tt><tt># For this to work you will also need host keys in
/etc/ssh/ssh_known_hosts</tt><tt><br>
</tt><tt>#HostbasedAuthentication no</tt><tt><br>
</tt><tt># Change to yes if you don't trust ~/.ssh/known_hosts
for</tt><tt><br>
</tt><tt># HostbasedAuthentication</tt><tt><br>
</tt><tt>#IgnoreUserKnownHosts no</tt><tt><br>
</tt><tt># Don't read the user's ~/.rhosts and ~/.shosts files</tt><tt><br>
</tt><tt>#IgnoreRhosts yes</tt><tt><br>
</tt><tt><br>
</tt><tt># To disable tunneled clear text passwords, change to
no here!</tt><tt><br>
</tt><tt>#PasswordAuthentication yes</tt><tt><br>
</tt><tt>#PermitEmptyPasswords no</tt><tt><br>
</tt><tt><br>
</tt><tt># Change to yes to enable challenge-response passwords
(beware issues with</tt><tt><br>
</tt><tt># some PAM modules and threads)</tt><tt><br>
</tt><tt>ChallengeResponseAuthentication no</tt><tt><br>
</tt><tt><br>
</tt><tt># Kerberos options</tt><tt><br>
</tt><tt>#KerberosAuthentication no</tt><tt><br>
</tt><tt>#KerberosOrLocalPasswd yes</tt><tt><br>
</tt><tt>#KerberosTicketCleanup yes</tt><tt><br>
</tt><tt>#KerberosGetAFSToken no</tt><tt><br>
</tt><tt><br>
</tt><tt># GSSAPI options</tt><tt><br>
</tt><tt>#GSSAPIAuthentication no</tt><tt><br>
</tt><tt>#GSSAPICleanupCredentials yes</tt><tt><br>
</tt><tt>#GSSAPIStrictAcceptorCheck yes</tt><tt><br>
</tt><tt>#GSSAPIKeyExchange no</tt><tt><br>
</tt><tt><br>
</tt><tt># Set this to 'yes' to enable PAM authentication,
account processing,</tt><tt><br>
</tt><tt># and session processing. If this is enabled, PAM
authentication will</tt><tt><br>
</tt><tt># be allowed through the
ChallengeResponseAuthentication and</tt><tt><br>
</tt><tt># PasswordAuthentication. Depending on your PAM
configuration,</tt><tt><br>
</tt><tt># PAM authentication via
ChallengeResponseAuthentication may bypass</tt><tt><br>
</tt><tt># the setting of "PermitRootLogin without-password".</tt><tt><br>
</tt><tt># If you just want the PAM account and session checks
to run without</tt><tt><br>
</tt><tt># PAM authentication, then enable this but set
PasswordAuthentication</tt><tt><br>
</tt><tt># and ChallengeResponseAuthentication to 'no'.</tt><tt><br>
</tt><tt>UsePAM yes</tt><tt><br>
</tt><tt>UseLogin no</tt><tt><br>
</tt><tt><br>
</tt><tt>#AllowAgentForwarding yes</tt><tt><br>
</tt><tt>#AllowTcpForwarding yes</tt><tt><br>
</tt><tt>#GatewayPorts no</tt><tt><br>
</tt><tt>X11Forwarding yes</tt><tt><br>
</tt><tt>#X11DisplayOffset 10</tt><tt><br>
</tt><tt>#X11UseLocalhost yes</tt><tt><br>
</tt><tt>#PermitTTY yes</tt><tt><br>
</tt><tt>PrintMotd no</tt><tt><br>
</tt><tt>#PrintLastLog yes</tt><tt><br>
</tt><tt>#TCPKeepAlive yes</tt><tt><br>
</tt><tt>#PermitUserEnvironment no</tt><tt><br>
</tt><tt>#Compression delayed</tt><tt><br>
</tt><tt>#ClientAliveInterval 0</tt><tt><br>
</tt><tt>#ClientAliveCountMax 3</tt><tt><br>
</tt><tt>#UseDNS no</tt><tt><br>
</tt><tt>#PidFile /var/run/sshd.pid</tt><tt><br>
</tt><tt>#MaxStartups 10:30:100</tt><tt><br>
</tt><tt>#PermitTunnel no</tt><tt><br>
</tt><tt>#ChrootDirectory none</tt><tt><br>
</tt><tt>#VersionAddendum none</tt><tt><br>
</tt><tt><br>
</tt><tt># no default banner path</tt><tt><br>
</tt><tt>#Banner none</tt><tt><br>
</tt><tt><br>
</tt><tt># Allow client to pass locale environment variables</tt><tt><br>
</tt><tt>AcceptEnv LANG LC_*</tt><tt><br>
</tt><tt><br>
</tt><tt># override default of no subsystems</tt><tt><br>
</tt><tt>Subsystem sftp /usr/lib/openssh/sftp-server</tt><tt><br>
</tt><tt><br>
</tt><tt># Example of overriding settings on a per-user basis</tt><tt><br>
</tt><tt>#Match User anoncvs</tt><tt><br>
</tt><tt># X11Forwarding no</tt><tt><br>
</tt><tt># AllowTcpForwarding no</tt><tt><br>
</tt><tt># PermitTTY no</tt><tt><br>
</tt><tt># ForceCommand cvs server</tt><tt><br>
</tt></div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I just checked the passwd file on the
server and both accounts I use to login finish with /bin/bash.
However, I also noticed that the last line of the passwd file
looks like this:</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><tt>sshd:x:100:65534::/run/sshd:/usr/sbin/nologin</tt></div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Looking at the passwd file from a
backup done before the upgrade, and when ssh logins were
working, this line is a recent addition - it does not appear in
past instances of the passwd file. Is this the cause of my
problems? Can I simply delete this line and try again?</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Cheers.</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Joe Aquilina</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 18/12/19 11:49 am, Chris Hoy Poy
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAGNDYR+DceSHz5WCkDem1aWv0WWZKh24qeQ=aOiAMtJ_wPLTHw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
<div dir="auto">Hey Joe,
<div dir="auto"><br>
</div>
<div dir="auto">Can you check what "usePrivilegeSeparation" is
defined as in the server sshd_config?</div>
<div dir="auto"><br>
</div>
<div dir="auto">Cheers</div>
<div dir="auto">/Chris</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, 18 Dec 2019, 11:42
am Joe Aquilina, &lt;<a href="mailto:joe@chem.com.au"
moz-do-not-send="true">joe@chem.com.au</a>&gt; wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div>sestatus and getenforce both show selinux as
disabled.</div>
<div><br>
</div>
<div>There is already another account that is occasionally
used to login to the server - it fails exactly the same
as my (joe) account. I don't believe that any scripts run at
login.<br>
</div>
<div><br>
</div>
<div>And yes I did edit the output to protect the "guilty"
... replaced the real server name with &lt;server&gt;
and the server's IP address. I presumed that is what was
requested when it was suggested that I post a sanitised
copy of the login attempt output.</div>
<div><br>
</div>
<div>Cheers.</div>
<div><br>
</div>
<div>Joe Aquilina<br>
</div>
<div><br>
</div>
<div>On 18/12/19 11:08 am, mike wrote:<br>
</div>
<blockquote type="cite">
<div>On 18/12/2019 10:43, Joe Aquilina wrote:<br>
</div>
<blockquote type="cite">I have no idea about selinux,
whether it is installed/enabled. How do I check that
and disable it if necessary, and then re-enable?</blockquote>
<br>
<pre>sestatus or getenforce
If file not found then not in use.
Are you removing details from the output? i.e.:
Authenticated to &lt;server&gt; ([ip.address of server]:22).
Mine says
debug1: Authentication succeeded (publickey).
Authenticated to nos ([10.222.0.4]:22).
Another thought is what does the passwd file say for your login? I have /bin/bash on the end
What user are you trying to login as?
Are you running any scripts at login that may be failing?
Have you tried another user?
Maybe create a new user and try logging in with that just to remove the user as being an issue.
</pre>
<pre cols="72">--
'ooroo
Mike...(:)-)
---------------------------------------------------
Email: <a href="mailto:mike@wolf-rock.com" target="_blank" rel="noreferrer" moz-do-not-send="true">mike@wolf-rock.com</a> o
You need only two tools. o /////
A hammer and duct tape. If it /@ `\ /) ~
doesn't move and it should use > (O) X< ~ Fish!!
the hammer. If it moves and `\___/' \) ~
shouldn't, use the tape. \\\
---------------------------------------------------</pre>
</blockquote>
_______________________________________________<br>
</div>
PLUG discussion list: <a href="mailto:plug@plug.org.au"
target="_blank" rel="noreferrer" moz-do-not-send="true">plug@plug.org.au</a><br>
<a href="http://lists.plug.org.au/mailman/listinfo/plug"
rel="noreferrer noreferrer" target="_blank"
moz-do-not-send="true">http://lists.plug.org.au/mailman/listinfo/plug</a><br>
Committee e-mail: <a href="mailto:committee@plug.org.au"
target="_blank" rel="noreferrer" moz-do-not-send="true">committee@plug.org.au</a><br>
PLUG Membership: <a
href="http://www.plug.org.au/membership" rel="noreferrer
noreferrer" target="_blank" moz-do-not-send="true">http://www.plug.org.au/membership</a></blockquote>
</div>
</blockquote>
</blockquote>
--
<pre class="moz-signature" cols="72">Joe Aquilina
Central Chemical Consulting Pty Ltd
PO Box 2546 Malaga WA 6944 Australia
1/11 Narloo St Malaga 6090 Australia
Tel: +61 8 9248 2739 Fax: +61 8 9248 2749
<a class="moz-txt-link-abbreviated" href="mailto:joe@chem.com.au">joe@chem.com.au</a> <a class="moz-txt-link-abbreviated" href="http://www.chem.com.au">www.chem.com.au</a></pre>
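<div class="moz-cite-prefix">The two passwd checks the thread walks through (the login shell Mike asks about, and the sshd entry Joe wondered about), as an added shell example that is not from any of the posters: the passwd excerpt and the list of interactive shells are constructed sample data, and the login_shell/check_user/check_privsep helpers are this example's own, not anything sshd ships.</div>

```shell
#!/bin/sh
# Added example, not from any post in the thread: the passwd checks the thread
# walks through, run against constructed sample data rather than /etc/passwd.

# Constructed passwd excerpt, modelled on the lines quoted in the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
joe:x:1000:1000:Joe:/home/joe:/bin/bash
backup:x:1001:1001:Backup:/home/backup:/bin/false
sshd:x:100:65534::/run/sshd:/usr/sbin/nologin'

# Assumed list of shells that give an interactive session (a site choice;
# sshd itself does not read such a list).
SAMPLE_SHELLS='/bin/sh
/bin/bash'

# login_shell PASSWD USER: print USER's login shell (7th field), status 1 if
# USER is absent.
login_shell() {
    printf '%s\n' "$1" |
        awk -F: -v u="$2" '$1 == u { print $7; found = 1 } END { exit !found }'
}

# check_user PASSWD SHELLS USER: "ok", "no-such-user" or "bad-shell:<path>".
# sshd execs this shell after authentication, so /bin/false or nologin ends
# the session right after "Authentication succeeded", the symptom Mike's
# /bin/bash question is probing.
check_user() {
    shell=$(login_shell "$1" "$3") || { echo "no-such-user"; return 1; }
    if printf '%s\n' "$2" | grep -Fxq -- "$shell"; then echo "ok"; return 0; fi
    echo "bad-shell:$shell"; return 1
}

# check_privsep PASSWD: "ok", "missing" or "interactive-shell:<path>".
# The sshd:x:100:65534::/run/sshd:/usr/sbin/nologin entry is the unprivileged
# account sshd's privilege separation runs as: it must exist and must not
# have a usable shell. Deleting it stops sshd starting; it does not fix logins.
check_privsep() {
    shell=$(login_shell "$1" sshd) || { echo "missing"; return 1; }
    case $shell in
        */nologin|*/false) echo "ok" ;;
        *) echo "interactive-shell:$shell"; return 1 ;;
    esac
}

# Report on the constructed data (use "$(cat /etc/passwd)" on a real server).
for u in joe backup sshd; do
    printf '%-7s %s\n' "$u" "$(check_user "$SAMPLE_PASSWD" "$SAMPLE_SHELLS" "$u")"
done
printf 'privsep %s\n' "$(check_privsep "$SAMPLE_PASSWD")"
```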
</body>
</html>