# User can't login via SSH

## EtienneRutten

Hello, 

Here is a newbie question ... 

I have Gentoo 2004.3 installed with Postfix. All seems to be all right. Here is my problem: I can't connect via PuTTY to the Gentoo machine as a user, but as root all is good and I can connect.

Here is my /etc/ssh/sshd_config file

**** CUT HERE

```
# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server
```

Who can help me?

----------

## adaptr

What do the sshd logs say?

If your log server does not produce a separate sshd log file then this will be interspersed through /var/log/messages, prefixed with sshd:.

----------

## EtienneRutten

Here is a part of my log :

*** Start SSH

```
sshd[10859]: Server listening on 0.0.0.0 port 22.
Feb 28 10:40:42 linux PAM-env[10781]: Unknown PAM_ITEM: <DISPLAY>
Feb 28 10:40:42 linux sshd[10781]: PAM pam_putenv: delete non-existent entry; DISPLAY
Feb 28 10:40:42 linux PAM-env[10781]: Unknown PAM_ITEM: <XAUTHORITY>
Feb 28 10:40:42 linux sshd[10781]: PAM pam_putenv: delete non-existent entry; XAUTHORITY
```

*** Trying to connect with user etienne

```
Feb 28 10:40:53 linux sshd[10868]: error: PAM: Authentication failure for etienne from 192.168.5.35
Feb 28 10:40:59 linux sshd[10868]: Failed password for etienne from 192.168.5.35 port 3256 ssh2
Feb 28 10:40:59 linux sshd(pam_unix)[10874]: auth could not identify password for [etienne]
Feb 28 10:41:01 linux sshd[10868]: error: PAM: Authentication failure for etienne from 192.168.5.35
Feb 28 10:41:01 linux sshd[10868]: Failed password for etienne from 192.168.5.35 port 3256 ssh2
Feb 28 10:41:11 linux sshd(pam_unix)[10880]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.35 $
```

*** Trying to connect with user chloe

```
Feb 28 10:41:14 linux sshd[10875]: error: PAM: Authentication failure for chloe from 192.168.5.35
Feb 28 10:41:15 linux sshd(pam_unix)[10875]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.35 $
Feb 28 10:41:18 linux sshd[10875]: Failed password for chloe from 192.168.5.35 port 3257 ssh2
Feb 28 10:41:18 linux sshd(pam_unix)[10881]: auth could not identify password for [chloe]
Feb 28 10:41:20 linux sshd[10875]: error: PAM: Authentication failure for chloe from 192.168.5.35
Feb 28 10:41:20 linux sshd[10875]: Failed password for chloe from 192.168.5.35 port 3257 ssh2
```

*** Trying to connect with root

```
Feb 28 10:41:28 linux sshd[10882]: Accepted keyboard-interactive/pam for root from 192.168.5.35 port 3258 ssh2
```

----------

## adaptr

What happens when you reset the passwords for those users to something else?

Do these users have valid shells (i.e. shells listed in /etc/shells)?

Could you post the contents of /etc/pam.d/login and /etc/pam.d/sshd?

----------

## EtienneRutten

When I change the passwords for the users, it's the same problem.

Here are the files you asked me for:

*** /etc/pam.d/login

```
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
```

*** /etc/pam.d/sshd

```
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
```

*** /etc/shells

```
# /etc/shells: valid login shells
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/shells,v 1.5 2003/07/15 20:3$
/bin/sh
/bin/bash
/bin/tcsh
/bin/csh
/bin/esh
/bin/ksh
/bin/zsh
/bin/sash
```

----------

## adaptr

I don't need to see what is in /etc/shells; you need to verify that those users have a valid shell ;)

```
grep "bash" /etc/passwd
```

Apart from that (I don't think it's very likely), the auth line is still the best lead we have:

```
Feb 28 10:40:59 linux sshd(pam_unix)[10874]: auth could not identify password for [etienne]
```

This suggests there may be something wrong with your shadow password file.

Or not ;)

----------

## EtienneRutten

OK, I succeeded!

I found a solution by editing the /etc/shadow file, removing the password, and then reinitializing the passwords for the users.

Thank you for your help!

----------
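The two checks suggested in this thread, combined into one script as an added example that is not part of any post: each account's login shell must be listed in /etc/shells (the posted /etc/pam.d/sshd requires `pam_shells.so`), and each account with `x` in its passwd password field needs a well-formed /etc/shadow entry. The function name, users, and placeholder hashes are constructed for illustration and do not reproduce the poster's actual files.

```shell
#!/bin/sh
# Added example (not from the thread): report accounts that cannot log in
# because of their shell or their shadow entry.
# usage: audit_login_accounts PASSWD_FILE SHADOW_FILE SHELLS_FILE
audit_login_accounts() {
    awk -F: -v shadow="$2" -v shells="$3" '
    BEGIN {
        # Shells accepted by pam_shells: non-comment lines of the shells file
        while ((getline line < shells) > 0)
            if (line != "" && line !~ /^#/) valid[line] = 1
        # Index shadow entries by user name
        while ((getline line < shadow) > 0) {
            n = split(line, f, ":")
            nf[f[1]] = n; pw[f[1]] = f[2]
        }
    }
    $0 == "" || /^#/ { next }
    {
        if (!($7 in valid)) print $1 ": shell " $7 " not listed in shells file"
        if ($2 != "x") next                 # password is not kept in shadow
        if (!($1 in nf))           print $1 ": no shadow entry"
        else if (nf[$1] != 9)      print $1 ": shadow entry has " nf[$1] " fields, expected 9"
        else if (pw[$1] == "")     print $1 ": empty password field"
        else if (pw[$1] ~ /^[!*]/) print $1 ": password locked"
    }' "$1"
}

# Constructed sample files (hypothetical users and placeholder hashes)
demo_audit() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100::/home/alice:/bin/bash
bob:x:1001:100::/home/bob:/bin/bash
carol:x:1002:100::/home/carol:/bin/fish
dave:x:1003:100::/home/dave:/bin/zsh
EOF
    cat > "$d/shadow" <<'EOF'
root:$1$placeholder$hash:12800:0:::::
alice:$1$placeholder$hash:12800:0:::::
bob:$1$placeholder$hash:12800
dave:!:12800:0:::::
EOF
    printf '%s\n' '# valid login shells' /bin/sh /bin/bash /bin/zsh > "$d/shells"
    audit_login_accounts "$d/passwd" "$d/shadow" "$d/shells"
    rm -rf "$d"
}
demo_audit
```

On a live system, run `audit_login_accounts /etc/passwd /etc/shadow /etc/shells` as root, since /etc/shadow is not readable by ordinary users; system accounts with a non-login shell will be listed by design.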

