RE: SSH madness

Kevin,

We had same issue two weeks ago.
A server was rebuilt, SSH wasn't working.

The directory, as recreated, was group writable. SSH/SFTP wasn't having it. Once we removed the permission to write, the logins worked.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Matt Lavinder
Sent: Thursday, August 17, 2017 10:06 AM
To: Midrange Systems Technical Discussion
Subject: Re: SSH madness

Kevin -

Thank you very much! Figured it out. I have no idea how I overlooked it but it there was a write permission on his home directory for groups.
Removed that and it worked immediately. Very helpful when you have something that tells you EXACTLY what the issue is.

Of course, now I feel like a moron for stressing how I “checked and double checked”. 😲 I guess I was so focused on the keys and the .ssh folder I managed to overlook the home directory itself. (SSH) Tunnel vision. <--see what I did there

Thanks for all the suggestions and tips!


On Thu, Aug 17, 2017 at 8:01 AM, Kevin Bucknum <Kevin@xxxxxxxxxxxxxxxxxxx>
wrote:

Shut down the sshd daemon and then run it manually with the -d flag.
Then post the output here. NOTE: only one client will be able to
attempt to connect. So make sure no one else is trying at the time.
Some general instructions can be found here:
https://wiki.midrange.com/ index.php/SSH#Diagnosing_Problems

Kevin Bucknum
Senior Programmer Analyst
MEDDATA/MEDTRON
Tel: 985-893-2550

-----Original Message-----

From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf
Of Matt Lavinder
Sent: Thursday, August 17, 2017 6:17 AM
To: Midrange Systems Technical Discussion
Subject: Re: SSH madness

I have disabled password authentication. I was just trying to narrow
it

down

to public key authentication only. It works with the password but
does

not

work with public key

On Thu, Aug 17, 2017 at 6:57 AM Tim Bronski <tim.bronski@xxxxxxxxx>
wrote:

Since you haven't restricted your SSH server to public-key-only
then any client can choose to offer a password if they have one.
Most clients choose to try key before password if they have one
but that can be changed on the client. Perhaps the mac client has
set password to be their preferred option. I'm not a mac person
but for an openssh client you can check out their config file and
verify what they have for the PreferredAuthentications setting. The order matters.

--
Need sFTP or PGP? Download your native sFTP or OpenPGP solutions here:
www.arpeggiosoftware.com

On 8/16/2017 11:59 PM, Matt Lavinder wrote:

We are trying to give a new employee access to the PASE/Bash
command

shell

via Terminal. I have added his Mac’s RSA key to the
authorized_keys file, but it still will not let them connect.
It will let them connect with a password, but that is not what we want.

For the life of me, I cannot figure out what is different
between the way they are configured and I am. This all works
for me when using my key

and

my profile. If I add my Mac's key to their authorized_keys
file, it will not let me connect either (yes, I used their user name).

I have a lot more system authorities than the new employee does,
but I can’t imagine why that would be the issue.

Is there a specific authority a user needs to be able to
communicate with the SSHD?

Does anyone have any other ideas?

--
Need sFTP or PGP? Download your native sFTP or OpenPGP solutions here:
www.arpeggiosoftware.com

---
This email has been checked for viruses by AVG.
http://www.avg.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please

take

a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD

--
Sent from mobile device. Please excuse typos and brevity.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing

list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please
take a moment to review the archives at
http://archive.midrange.com/midrange-
l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD