# ssh only allowing root to login

## puggy

When I log in remotely it refuses all connections except those from root. The log shows this is happening:

```
Mar 25 23:42:28 [sshd] Server listening on 0.0.0.0 port 22.
Mar 25 23:57:12 [sshd] Accepted password for root from 192.168.0.3 port 1932
Mar 25 23:59:34 [sshd] Accepted password for puggy from 192.168.0.3 port 1936
Mar 25 23:59:34 [sshd] fatal: login_get_lastlog: Cannot find account for uid 1001
Mar 26 00:02:50 [sshd] Accepted password for puggy from 192.168.0.3 port 1937
Mar 26 00:02:50 [sshd] fatal: login_get_lastlog: Cannot find account for uid 1001
Mar 26 00:07:56 [sshd] Accepted password for puggy from 192.168.0.3 port 1940
Mar 26 00:07:56 [sshd] fatal: login_get_lastlog: Cannot find account for uid 1001
Mar 26 00:11:18 [sshd] Accepted password for puggy from 127.0.0.1 port 32768 ssh2
Mar 26 00:11:18 [sshd] fatal: login_get_lastlog: Cannot find account for uid 1001
```

I've done a bit of searching and the problem isn't that I haven't got a shell on the user account I'm trying to log in as...

```
puggy:x:1001:100:Douglas Russell,,,:/home/puggy:/bin/bash
```

My /etc/sshd_config is as follows (pretty much default except for X11 forwarding):

```
#       $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no

X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /usr/lib/misc/sftp-server
```

I can log in locally on the machine (well... I can su puggy, and it works), as far as I can tell, because the box is not hooked up to a monitor or keyboard or anything. In addition I can log in to this machine using the puggy account using Samba, and Samba is using passwords which it gets from the standard logins.

I'm sure this used to work; I don't know what could have happened.

Cheers for any help.

Puggy

----------

## deribin

I solved this problem by recompiling openssh manually, without using the emerge tools.

I don't know where the problem is exactly, but now it's working.

----------

## puggy

Note: Skip to end...

Hmm. I've been able to log in now by setting

```
UsePrivilegeSeparation no
```

however...

The machine does not know who I am.

i.e.

```
I have no name!@legolas puggy $ whoami
whoami: cannot find username for UID 1001
```

However, it did manage to put me in my home directory so it must be able to read /etc/passwd, surely?

If I do id as root I get:

```
legolas root # id puggy
uid=1001(puggy) gid=100(users) groups=100(users),0(root),10(wheel)
```

but doing it as my user I get:

```
I have no name!@legolas puggy $ id puggy
id: puggy: No such user
```

even...

```
I have no name!@legolas puggy $ id root
id: root: No such user
```

Hmm, and I just solved the problem...

Somehow the permissions on passwd changed to:

```
-rw-------    1 root     root         1881 Mar 27 20:01 /etc/passwd
```

D'Oh!

Well, solved now. Got rid of the privilege separation line from sshd_config as well.

Puggy

----------

## Chris W

You probably don't want this default either:

```
#PermitRootLogin yes
```

----------

## magnet

You should turn privilege separation on; it's really better for security.

----------

## puggy

How does privilege separation help security?

Cheers

Puggy

----------

## magnet

Taken from http://lwn.net/Vulnerabilities/3290/:

> Previously any corruption in the sshd could lead to an immediate remote root compromise if it happened before authentication, and to local root compromise if it happened after authentication. Privilege Separation will make such compromise very difficult if not impossible.

----------

## puggy

Ah. Point taken. I haven't run over the securing down of my system yet, so will add that to my list of things to do.

Cheers.

Puggy

----------

## credmp

Hi,

Don't you also have to be part of the *wheel* group in order to use ssh? I believe this is gentoo's default configuration.

```
usermod -G wheel user
```

Regards

----------

## magnet

I don't think so.

----------

## rtn

*credmp wrote:*

> Don't you also have to be part of the *wheel* group in order to use ssh? I believe this is gentoo's default configuration.

No, you don't.

--rtn

----------

## grnfvr

I'm having the same problem with my new gentoo installation. The permissions on /etc/passwd are as follows:

```
-rw-r--r--    1 root      root            1756 Jun 12 13:36 /etc/passwd
```

What could the prob be?

----------

## magnet

Your rights on this file are ok. Does your user have a shell that is listed in /etc/shells?

----------

## grnfvr

No, the user does not have a shell. I don't understand then how the user can log onto the console. Also, I was able to get ssh to work for this user using rsa keys instead of a password. If a shell is not specified, how can the user do those two things?

----------

## magnet

If I remember right, you don't need your shell listed in /etc/shells to log in.

If yours doesn't have a shell set at all (like /bin/false or /bin/nologin), then you MUST set one using the chsh command. Note that without a working shell, the users won't be able to log in at all. :Cool:

----------

## daboe_

Yesterday I upgraded sshd and experienced the same problem... But looking at https://forums.gentoo.org/viewtopic.php?t=34024&highlight=sshd+root+login taught me to set a valid shell for each user in /etc/passwd, or to use chsh -s /bin/bash <user> for each user...

----------

## magnet

heh  :Smile: 

----------

## sick@maya

tell me...... 

when you go to your /home/ dir.

is there a home folder for the user you are trying to log in under?

If there is not.... make one..... and check the permissions.

This solved my problem in the past
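The thread ends up with four distinct causes of the same symptom: puggy's /etc/passwd ending up mode 0600 (which is why the unprivileged sshd child under privilege separation, and later the user's own shell, could not map uid 1001 to a name), a missing or unlisted login shell (magnet, daboe_), a missing home directory (sick@maya), and sshd_config options whose commented lines still carry the compiled-in default (Chris W's PermitRootLogin point). The script below is an added example, not code from any post, that checks each of these against constructed copies of the files; it assumes a POSIX sh with ls, cut, awk, grep and mktemp, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Constructed diagnostic for the failure modes raised in this thread (not from any post):
#  - /etc/passwd not world-readable (puggy's fix): with UsePrivilegeSeparation the
#    unprivileged sshd child, and later the user's own shell, cannot map uid -> name.
#  - login shell missing from /etc/passwd or from /etc/shells (magnet, daboe_).
#  - home directory missing (sick@maya).
#  - sshd_config lines that are commented out still carry the compiled-in default.
# Assumes POSIX sh plus ls, cut, awk, grep and mktemp.

# 0 if file $1 is world-readable: column 8 of `ls -l` is the "other" read bit.
passwd_world_readable() {
    [ "$(ls -l "$1" | cut -c8)" = "r" ]
}

# 0 if user $1 in passwd file $2 has a shell listed in shells file $3.
user_shell_valid() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")
    [ -n "$shell" ] && grep -qx "$shell" "$3"
}

# 0 if the home directory recorded for user $1 in passwd file $2 exists under
# prefix $3 (the prefix lets this run against constructed files; use "" on a host).
user_home_exists() {
    home=$(awk -F: -v u="$1" '$1 == u { print $6 }' "$2")
    [ -n "$home" ] && [ -d "$3$home" ]
}

# Print the effective value of sshd_config option $1 in file $2: an uncommented
# line wins, otherwise the compiled-in default $3 (as the config's own comments explain).
sshd_effective() {
    val=$(awk -v k="$1" '$1 == k { print $2; exit }' "$2")
    printf '%s\n' "${val:-$3}"
}

# Demo on constructed files mirroring the thread: puggy has /bin/bash and a home
# directory, but passwd has ended up mode 0600 as in the original post.
d=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\npuggy:x:1001:100:Douglas Russell,,,:/home/puggy:/bin/bash\n' > "$d/passwd"
printf '/bin/sh\n/bin/bash\n' > "$d/shells"
printf '#PermitRootLogin yes\nX11Forwarding yes\n' > "$d/sshd_config"
mkdir -p "$d/home/puggy"
chmod 600 "$d/passwd"
passwd_world_readable "$d/passwd" || echo "passwd is not world-readable: chmod 644 /etc/passwd"
user_shell_valid puggy "$d/passwd" "$d/shells" || echo "puggy: no valid login shell (chsh -s /bin/bash)"
user_home_exists puggy "$d/passwd" "$d" || echo "puggy: home directory missing"
echo "PermitRootLogin effective: $(sshd_effective PermitRootLogin "$d/sshd_config" yes)"
rm -rf "$d"
```

On a real host, point the functions at /etc/passwd, /etc/shells and /etc/ssh/sshd_config with an empty prefix; the demo reports only the passwd permission problem, which is exactly what puggy found.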

----------

