# [SOLVED] password login no longer works through "ssh"

## marcelser

Hi,

I have a very strange problem: it seems that "ssh" no longer allows me to log in with my password. This was working perfectly for years and suddenly it stopped. What is still working is logging in with a private key file. I don't know what caused this functionality to stop, or if it has to do with something which changed in pam or something, but I'm completely out of ideas. Here's my /etc/ssh/sshd_config:

```
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile   .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem   sftp   /usr/lib/misc/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server
```

Does anyone have an idea what's wrong? Another strange thing is that I don't see any errors in any logfile when I do a "tail -f /var/log/*"; although I have set the loglevel in the sshd config to DEBUG, no log entries appear when I try to log in with a password. I'm totally out of ideas as I can't see what's going wrong. Any ideas on how to get more output? I already tried re-emerging "pam" and "ssh" but with no luck. I also tried setting a new password as root and as user; both times passwd reports that the password was changed successfully, but when I try to log in through ssh I still only get the message "Access denied". It doesn't matter if I try it from inside the network using the machine name or from the internet with port forwarding. It also doesn't matter if I try putty or another linux machine to log on; I always get "access denied".

Please any help would be great I'm totally out-of-ideas as there are no entries in the /var/log/* files.

Thanks in advance.

Last edited by marcelser on Tue Aug 03, 2010 6:10 pm; edited 1 time in total

----------

## sysnom

Have you checked that you're actually logging in with 'username@address' instead of just 'address'? It's a common mistake if you're moving to a terminal with a different username. Also try 'sshd -dd' and see what it spits out and it might be worth taking a look in /etc/pam.d/sshd.

----------

## xibo

you mean `ssh -vv username@hostname`, -dd isn't an option. at least not one listed by the man page.

does the username you want to use work locally and is its terminal and home directory getting set correctly?

you can't login as root via slogin due to `PermitRootLogin no` in your config file.

also, /etc/pam.d might contain the problem. I'm not sure if it's concerning kerberos logins only, but i had etc-update making multiples of my systems unloginable by modifying those files two weeks ago.

----------

## timeBandit

*marcelser wrote:*

> ```
> ChallengeResponseAuthentication no
> ```
> ...

Change that to yes.

----------

## marcelser

Thanks for all your help.

I tried all the suggestions and still got no output in the logfiles using "sshd -dd" or "ssh -vv" which solved the problem. After some hours of trial & error I stopped sshd and forgot to start it, but the ssh client still got a connection, which told me that something very weird was going on: how can I connect to an ssh server if there's no ssh server running?

So I began to search and after quite some time we found it: the router has an ssh management console, which someone had activated on port 22. This eliminated the routing of port 22 to the ssh server for this domain name. I just disabled the management console on the router to re-establish the port forwarding to the machine and everything went back to normal. Now it's clear to me why all the logs and the DEBUG setting for the ssh client stayed silent.

Thanks for any help on this subject and sorry for the trouble.

----------
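The resolution above was a router answering on port 22 in place of the server. As an added example (not part of the original thread), this script compares the host key offered by whatever answers on host:port with the server's own public host key. The function names, the constructed sample lines and the default path /etc/ssh/ssh_host_rsa_key.pub (the public half of the rsa host key named in the posted config) are assumptions.

```shell
#!/bin/sh
# Added example: is the thing answering on the SSH port really my sshd?
# Compare the host key it presents with the server's own public host key.

# Constructed sample lines (key blobs are placeholders, not real keys).
SERVER_PUB='ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-SERVER root@server'
SCAN_SERVER='server.example ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-SERVER'
SCAN_ROUTER='server.example ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-ROUTER'

# key_of LINE: print "type blob" from a .pub line ("type blob comment")
# or from an ssh-keyscan line ("host type blob").
key_of() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-.*)$/ { print $1, $2; exit }
        $2 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-.*)$/ { print $2, $3; exit }'
}

# same_host_key SCANNED EXPECTED: succeed only if both carry the same key.
same_host_key() {
    a=$(key_of "$1"); b=$(key_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_endpoint HOST [PORT] [PUBFILE]: scan HOST:PORT and compare every key
# it offers against PUBFILE (copied from the server over a trusted path).
check_endpoint() {
    host=$1; port=${2:-22}; pub=${3:-/etc/ssh/ssh_host_rsa_key.pub}
    expected=$(cat "$pub") || return 2
    scanned=$(ssh-keyscan -T 5 -p "$port" "$host" 2>/dev/null | grep -v '^#')
    while IFS= read -r line; do
        if same_host_key "$line" "$expected"; then
            echo "MATCH: $host:$port presents the key in $pub"; return 0
        fi
    done <<EOF
$scanned
EOF
    echo "MISMATCH: $host:$port is answered by some other SSH endpoint"
    return 1
}

# With arguments, probe a real endpoint; without, only define the functions.
if [ "$#" -ge 1 ]; then check_endpoint "$@"; fi
```

Run it from the client side against the public name and against the server's internal address; a MATCH on one and a MISMATCH on the other means something in between is terminating SSH itself.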

## sysnom

 *xibo wrote:*   

> you mean `ssh -vv username@hostname`, -dd isn't an option. at least not one listed by the man page.

 

http://www.openbsd.org/cgi-bin/man.cgi?query=sshd

----------

## marcelser

*sysnom wrote:*

> *xibo wrote:*
>
> > you mean `ssh -vv username@hostname`, -dd isn't an option. at least not one listed by the man page.
>
> http://www.openbsd.org/cgi-bin/man.cgi?query=sshd


well sysnom you have to look carefully, if you click on the link you posted it shows this text in the man page:

```
     -d      Debug mode.  The server sends verbose debug output to standard
             error, and does not put itself in the background.  The server
             also will not fork and will only process one connection.  This
             option is only intended for debugging for the server.  Multiple
             -d options increase the debugging level.  Maximum is 3.
```

It's also listed in the synopsis in the first few characters "[-46DdeiqTt]". So "-dd" is an option to "sshd", and "-vv" is an option to "ssh"; don't mix them up. One is the daemon and the other is the client, and you can start the daemon in debug mode; even -ddd would be possible, to increase the debugging level to 3.

Best regards,

Marc

----------

