# ssh connection denied

## _SkeLeToN_

Hi, I installed the latest version of OpenSSH and I followed the security guide for the ssh part.

This is my /etc/ssh/sshd_config

```
Port 22
Protocol 2
ListenAddress 192.168.123.124
#ListenAddress 127.0.0.1

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
#LoginGraceTime 120
PermitRootLogin no
#StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

#Noone else than members of wheel or admin should have access
AllowGroups wheel admin
#And 1 users
AllowUsers skeleton cecil

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /usr/lib/misc/sftp-server
```

As my user skeleton I created my RSA key with `ssh-keygen -t rsa` and typed my passphrase.

Now I added another user on the same computer where sshd is running (users skeleton and cecil are on the sshd computer). I copied the id_rsa.pub from my user skeleton to the user cecil under /home/cecil/.ssh/authorized_keys/

Under the user cecil I type this and get:

```
cecil@Atlas:~$ ssh -l skeleton 192.168.123.124
Permission denied (publickey,keyboard-interactive).
cecil@Atlas:~$ ssh -l skeleton 127.0.0.1
ssh: connect to host 127.0.0.1 port 22: Connection refused
cecil@Atlas:~$
```

I'm doing something wrong or I didn't understand something... please help.

PS: I am doing that locally before I try from the outside... should not be a problem, right?

----------

## nihilo

Try commenting out the following line:

```
ListenAddress 192.168.123.124 
```

I had trouble getting ssh to work, after following the security guide, and this was one of the problems that I had.  Without that line, it defaults to listening on any address.

See the following thread for some of the suggestions that were offered when I had the same problem: https://forums.gentoo.org/viewtopic.php?t=22553.  I changed so many things over the course of a couple of weeks, that I can't remember what finally got it working.  I do remember that the ListenAddress line was one of the problems though. You might also want to get it working using password authentication first.  Better to slowly tighten it down than do it all at once.

Here is my working sshd_config file, in case it helps:

```
nihilo@localhost ssh $ cat sshd_config
#Only enable version 2
Protocol 2

#No direct root access
PermitRootLogin no

#Turn on RSA key authentication
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

#Disable .rhost files and normal password auth.
RhostsAuthentication no
PasswordAuthentication no
PermitEmptyPasswords no

#Noone else than members of wheel or admin should have access
AllowGroups wheel admin
#And 1 user (member of wheel)
AllowUsers nihilo

#add logging level
SyslogFacility AUTH
LogLevel INFO

#bind
Port 9999
nihilo@localhost ssh $
```

One last thing: the "Permission denied (publickey,keyboard-interactive)" message means that the rsa authentication is failing and it can't try anything else (because you have it set to only use rsa), probably because of key issues.  The other error message you're getting means that the connection is refused immediately because you're using an ip address other than the one that you bound it to.  Commenting out that ListenAddress line should get rid of the 'connection refused' issue, then you just have to figure out which key is not correct.

----------

## doug-x07

Take a look in your logs; normally they should give you a bit more information about why the connection was refused. I've had a few similar issues setting up sshd in the past. Normally there are two potential problems. Listen address: I saw a post on the OpenSSH mailing list that suggests setting it to:

```
ListenAddress 0.0.0.0
```

I have had no problems since doing that.

The other problem you can encounter is with write permissions on the user's directory containing the authorized_keys file. If that or the user's home directory are world-writable, sshd will refuse to accept connections from that user. To be sure what the problem is, set

```
LogLevel Debug3
```

and check the output in authentication.log (sorry, not connected to Gentoo here so that might not be the exact name). Hope that gives you a few tracks, skeleton.

----------

## doug-x07

Sorry, typo in the above:

```
LogLevel DEBUG3 
```

----------

## rtn

*_SkeLeToN_ wrote:*

> Now I added another user on the same computer where sshd is running (users skeleton and cecil are on the sshd computer). I copied the id_rsa.pub from my user skeleton to the user cecil under /home/cecil/.ssh/authorized_keys/

What you probably want is to copy id_rsa.pub to the flat file called /home/cecil/.ssh/authorized_keys, not put it into a directory.

Also, if you connect with ssh -v, it will give you more output as to why your connection might have failed.

Lastly, don't forget that unless you've specifically set USE="-tcpd" that sshd will be built with tcp wrapper support - so you may need to edit your /etc/hosts.allow if you have ALL:ALL in your /etc/hosts.deny.

It would look like this:

```
$ ssh -v localhost
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/rtn/.ssh/identity type -1
debug1: identity file /home/rtn/.ssh/id_rsa type -1
debug1: identity file /home/rtn/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
debug1: Calling cleanup 0x8062c74(0x0)
```

--rtn
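The two file-system causes raised in this thread (doug-x07's group/world-writable home or ~/.ssh, and rtn's authorized_keys being a directory instead of a flat file) are exactly what sshd's StrictModes check rejects. The following diagnostic is an added example, not code from the thread or from OpenSSH; it takes the home directory of the account you are logging in *as* (here /home/skeleton, not /home/cecil) and reports each condition sshd would refuse.

```shell
# Added diagnostic (not from the thread): report the conditions under which
# sshd with StrictModes ignores a user's authorized_keys. Argument: the home
# directory of the login target, e.g. check_authorized_keys /home/skeleton
# Returns 0 when the layout and permissions are acceptable, 1 otherwise.
check_authorized_keys() {
    home=$1
    keyfile=$home/.ssh/authorized_keys
    rc=0
    if [ -d "$keyfile" ]; then
        echo "FAIL: $keyfile is a directory; sshd expects a flat file of public keys"
        rc=1
    elif [ ! -f "$keyfile" ]; then
        echo "FAIL: $keyfile does not exist (the key must live in the target user's home)"
        rc=1
    fi
    # ls -ld prints e.g. drwxrwxr-x: column 6 is the group write bit and
    # column 9 the world write bit; StrictModes refuses either on the home
    # directory, on ~/.ssh and on authorized_keys itself.
    for p in "$home" "$home/.ssh" "$keyfile"; do
        [ -e "$p" ] || continue
        perm=$(ls -ld "$p" | cut -c1-10)
        case $perm in
            ?????w????|????????w?)
                echo "FAIL: $p is group- or world-writable ($perm)"
                rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $keyfile is a flat file with safe permissions"
    return "$rc"
}
```

Run it against the server-side home of the user named in `ssh -l`; a clean result there, combined with `ssh -v` on the client, narrows the remaining failure to the key itself.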

----------

## _SkeLeToN_

OK, I made some changes... First I recompiled ssh with -tcpd in the USE flag. Then I tried ListenAddress 0.0.0.0 and still no luck. I commented out the line and tried again, and no luck either. (I start and stop the service each time I change something in sshd_config.)

As for cecil, I copied id_rsa.pub to the /home/cecil/.ssh/authorized_keys file.

My user has the rights on it and still no luck; I can't seem to find a solution for it.

```
cecil@Atlas:~/.ssh$ ssh -v -l skeleton 192.168.123.124
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to 192.168.123.124 [192.168.123.124] port 22.
debug1: Connection established.
debug1: identity file /home/cecil/.ssh/identity type -1
debug1: identity file /home/cecil/.ssh/id_rsa type 1
debug1: identity file /home/cecil/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 117/256
debug1: bits set: 1557/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.123.124' is known and matches the RSA host key.
debug1: Found key in /home/cecil/.ssh/known_hosts:1
debug1: bits set: 1617/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/cecil/.ssh/identity
debug1: try pubkey: /home/cecil/.ssh/id_rsa
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: try privkey: /home/cecil/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: no more auth methods to try
Permission denied (publickey,keyboard-interactive).
debug1: Calling cleanup 0x806c4a0(0x0)
```

Any idea?

----------

## rtn

If you're trying to log into skeleton@192.68.123.124, you need to have your authorized_keys file in that directory, not in /home/cecil.

--rtn

----------

## _SkeLeToN_

Oh! My bad, that should be my error... I can't try right now but I will look at it tonight.

Thanks

----------

