# SSH - permission denied with correct password

## 0x001A4

I've been trying to get SSH going on my computer again so I can connect to it from work. When I try

```
$ ssh localhost
```

Then it prompts me for the password. Once I enter it, it tells me

```
permission denied, please try again.
```

Now, I know I'm entering the correct password, so what could be the problem?

----------

## r.stiltskin

Could it be that you are doing this as root, and you have set

PermitRootLogin No

in sshd_config?

----------

## converter

Check your logs. You'll probably find something in /var/log/auth.log or /var/log/syslog.

If you don't find any useful information in the logs, run a stand-alone instance of sshd using the -D and -p switches:

```
# sshd -D -p <port number>
```

where <port number> is some unused port that you want sshd to listen on. The -D switch will cause sshd not to become a daemon. Information that sshd usually transmits to the system logger will be dumped to the console/xterm it's running in so that you can see what it's doing when you try to log in.

Run your ssh session with:

```
$ ssh -p <port number> localhost
```

and watch the console or xterm where sshd is running. If this doesn't produce any helpful information, add the -v switch to the ssh client command line to get debugging output from the client.

Let us know how it goes.

----------

## 0x001A4

Well after doing what you suggested I got some interesting results. It says it failed to bind to port 54987 on 0.0.0.0 because the address is already in use? Here is what I got as debug output:

```
# /usr/sbin/sshd -Dd -p 54987
debug1: sshd version OpenSSH_4.5p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-Dd'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='54987'
debug1: Bind to port 54987 on ::.
Server listening on :: port 54987.
debug1: Bind to port 54987 on 0.0.0.0.
Bind to port 54987 on 0.0.0.0 failed: Address already in use.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 127.0.0.1 port 47018
debug1: Client protocol version 2.0; client software version OpenSSH_4.5
debug1: match: OpenSSH_4.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.5
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user mat service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "mat"
debug1: PAM: setting PAM_RHOST to "localhost"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for mat from 127.0.0.1 port 47018 ssh2
debug1: userauth-request for user mat service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=mat devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
PAM: Module is unknown for mat from localhost
Failed keyboard-interactive/pam for mat from 127.0.0.1 port 47018 ssh2
debug1: Unable to open the btmp file /var/log/btmp: No such file or directory
debug1: userauth-request for user mat service ssh-connection method password
debug1: attempt 2 failures 2
debug1: PAM: password authentication failed for mat: Module is unknown
Failed password for mat from 127.0.0.1 port 47018 ssh2
debug1: Unable to open the btmp file /var/log/btmp: No such file or directory
Connection closed by 127.0.0.1
debug1: do_cleanup
debug1: do_cleanup
```

----------
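
Added example, not part of any post in this thread: a small triage script for `sshd -d` output like the paste above, separating the bind warning from the PAM error that accompanies each rejected attempt. The function names and the embedded sample lines (constructed in the paste's format) are assumptions of this example, as is reading "Module is unknown" as PAM failing to load a module configured for the sshd service.

```shell
#!/bin/sh
# Added example (not from the thread). Sample below is constructed, in the
# format of the debug paste above.
sample_log() {
cat <<'EOF'
Server listening on :: port 54987.
Bind to port 54987 on 0.0.0.0 failed: Address already in use.
Failed none for mat from 127.0.0.1 port 47018 ssh2
PAM: Module is unknown for mat from localhost
Failed keyboard-interactive/pam for mat from 127.0.0.1 port 47018 ssh2
debug1: PAM: password authentication failed for mat: Module is unknown
Failed password for mat from 127.0.0.1 port 47018 ssh2
EOF
}

# Reads sshd debug output on stdin, prints one finding per line.
classify_sshd_debug() {
    awk '
    /^Server listening on .* port [0-9]+/ {
        p = $NF; sub(/\.$/, "", p); up[p] = 1; next
    }
    # A failed IPv4 bind is harmless when another listener (here the
    # dual-stack :: socket) already holds the same port.
    /^Bind to port [0-9]+ on .* failed: Address already in use/ {
        note = ($4 in up) ? "listener-already-up" : "no-listener"
        print "bind-in-use port=" $4 " addr=" $6 " " note
        next
    }
    # Assumed meaning: PAM could not load a module in the sshd stack, so
    # authentication fails whatever password is typed. Reported once per user.
    /PAM: .*Module is unknown/ {
        u = ($1 == "PAM:") ? $6 : $7; sub(/:$/, "", u)
        if (!(u in pam)) { pam[u] = 1; print "pam-module-unknown user=" u }
        next
    }
    # "none" is the client probing for allowed methods, not a real failure.
    /^Failed [^ ]+ for / && $2 != "none" {
        u = ($4 == "invalid") ? $6 : $4
        print "auth-failed method=" $2 " user=" u
    }'
}

# Reduce the findings to the most likely cause of the rejected login.
root_cause() {
    awk '/^pam-module-unknown/ { pam = 1 }
         /^auth-failed/ { auth = 1 }
         END { print pam ? "pam-stack" : (auth ? "credentials" : "none") }'
}

sample_log | classify_sshd_debug | root_cause
```


----------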

## converter

Would you paste the uncommented lines from your /etc/ssh/sshd_config file?

If you run this as root, it should print only the lines we're interested in:

```
sed '/[^ \t]/!d;/^[ \t]*#/d' /etc/ssh/sshd_config
```

----------

## 0x001A4

Here we go:

```
Port 54978
Protocol 2
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes
AllowUsers mat
Subsystem       sftp    /usr/lib64/misc/sftp-server
```

----------

## JoeUser

Try:

```
ssh -p 54978 -l mat localhost
```

Your sshd_config shows it using port 54978 rather than the default 22, and AllowUsers only allows the one user "mat". If I remember correctly, if you don't specify the user name on the command line, it assumes the user you're currently logged in as for the ssh login name.

----------

## 0x001A4

Yeah, I've used port 54978 before with no problems, and I have also tried `$ ssh mat@localhost -p 54978` and it still gives me the error that I'm entering the wrong password. And also, mat is the only user on this computer besides root :s

----------

