2

I've created a local port forwarding and I was trying to ssh into my own port. During the process, I found that my own Linux won't recognize me even when I have the right password.

chulhyun@chulhyun-Inspiron-3420:~$ su
password: 
root@chulhyun-Inspiron-3420:/home/chulhyun# ssh root@localhost -p 2200
root@localhost's password: 
Permission denied, please try again.
root@localhost's password: 

root@chulhyun-Inspiron-3420:/home/chulhyun# exit
exit
chulhyun@chulhyun-Inspiron-3420:~$ ssh chulhyun@localhost -p 2200
chulhyun@localhost's password: 
Permission denied, please try again.

I've tried it both as root@localhost and chulhyun@localhost (chulhyun is my user name). In both cases I have no problem logging into the account, but when I enter that password when they ask for my password during ssh'ing, they say it's wrong...

What am I missing here? Is there supposed to be a separate kind of password for network login?


Update

Here's my sshd_config:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Update

Here's the result of ssh -vvv chulhyun@localhost -p 2200:

chulhyun@chulhyun-Inspiron-3420:~$ ssh -vvv chulhyun@localhost -p 2200
OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 2200.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/chulhyun/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/chulhyun/.ssh/id_rsa type -1
debug1: identity file /home/chulhyun/.ssh/id_rsa-cert type -1
debug1: identity file /home/chulhyun/.ssh/id_dsa type -1
debug1: identity file /home/chulhyun/.ssh/id_dsa-cert type -1
debug1: identity file /home/chulhyun/.ssh/id_ecdsa type -1
debug1: identity file /home/chulhyun/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: [localhost]:2200
debug3: load_hostkeys: loading entries for host "[localhost]:2200" from file "/home/chulhyun/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/chulhyun/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 501/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 0a:2c:c5:31:6e:46:76:f6:e2:fb:3e:ac:77:96:36:2a
debug3: put_host_port: [127.0.0.1]:2200
debug3: put_host_port: [localhost]:2200
debug3: load_hostkeys: loading entries for host "[localhost]:2200" from file "/home/chulhyun/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/chulhyun/.ssh/known_hosts:2
debug3: load_hostkeys: loaded 1 keys
debug1: Host '[localhost]:2200' is known and matches the RSA host key.
debug1: Found key in /home/chulhyun/.ssh/known_hosts:2
debug2: bits set: 518/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/chulhyun/.ssh/id_rsa ((nil))
debug2: key: /home/chulhyun/.ssh/id_dsa ((nil))
debug2: key: /home/chulhyun/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found

debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found

debug1: Unspecified GSS failure.  Minor code may provide more information


debug1: Unspecified GSS failure.  Minor code may provide more information
Credentials cache file '/tmp/krb5cc_1000' not found

debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/chulhyun/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug3: sign_and_send_pubkey: RSA 69:f0:21:fa:39:b5:5e:79:48:25:4d:b2:dc:59:86:23
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/chulhyun/.ssh/id_dsa
debug3: no such identity: /home/chulhyun/.ssh/id_dsa
debug1: Trying private key: /home/chulhyun/.ssh/id_ecdsa
debug3: no such identity: /home/chulhyun/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
chulhyun@localhost's password: 
debug3: packet_send2: adding 64 (len 59 padlen 5 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
Michael Mrozek
kwagjj
  • I guess you are looking for this. It might be helpful. http://unix.stackexchange.com/a/138864/70728 http://unix.stackexchange.com/a/138859/70728 – Thushi Jun 24 '14 at 07:21
  • @Thushi I don't think that's related to this. That question is about trying to fix the source port.. this question is related to connecting myself to a port and during the process, the password problem just pops out.. – kwagjj Jun 24 '14 at 07:39
  • Usually by default, you will not be able to ssh to a Linux server as root. It's a security issue. If you really want to, you can edit `/etc/ssh/sshd_config` and change the line: `PermitRootLogin no` to `PermitRootLogin yes` and restart ssh, but I don't recommend it. – Warwick Jun 24 '14 at 07:56
  • @Warwick hmm.. I did as you told and the `PermitRootLogin` is set to 'yes' already. Here's the part of my `sshd_config`: `# Authentication: \n LoginGraceTime 120 \n PermitRootLogin yes \n StrictModes yes` could the 'StrictModes' be a problem? – kwagjj Jun 24 '14 at 07:59
  • What about `PasswordAuthentication yes`? Make sure it isn't commented out. – Warwick Jun 24 '14 at 08:09
  • What does your SSH log say? – Jenny D Jun 24 '14 at 08:10
  • @Warwick I've added `PasswordAuthentication yes` at the end of my `sshd_config` file and tried again... Still it won't let me in :( – kwagjj Jun 24 '14 at 08:21
  • Try to connect with `ssh -vvv chulhyun@localhost -p 2200` and see what `ssh` tells you. Alternatively, post the results here (you may have to sanitise it as it will contain lots of information). – garethTheRed Jun 24 '14 at 08:22
  • You say that you have set up port forwarding, but did not show how. Are you perhaps trying to connect to another machine? Besides, take a look at the logs (depending on your distribution, it might be /var/log/secure). Finally, note that changes to sshd_config do not take effect unless sshd is restarted (or instructed to reload the config). – Ansgar Esztermann Jun 24 '14 at 08:23
  • Check the **logs**. ssh -vvv doesn't tell you **why** the server rejects the password; the ssh logs will. – Jenny D Jun 24 '14 at 08:23
  • @AnsgarEsztermann I've used ssh local port forwarding in order to access a remote server through another ssh server. my setup with this is in: http://unix.stackexchange.com/questions/138856/what-does-this-ssh-command-mean – kwagjj Jun 24 '14 at 08:27
  • In that case, are you sure you are entering the correct password for the *remote server*? – Ansgar Esztermann Jun 24 '14 at 08:30
  • @garethTheRed updated my question with the -vvv log.. I don't understand all of it but I guess it does work properly.. I mean, since there's no rsa authentication or anything like that when I'm logging into myself it's natural to just ask the password of the account. But again, when I enter my password of `chulhyun` account, it rejects it... – kwagjj Jun 24 '14 at 08:31
  • @AnsgarEsztermann yep I suppose so. I mean instead of typing the passwords for both _ssh server_ and _destination server_, I just configured an rsa authentication for both of them so I won't need to type in the passwords. But anyhow, my question was about logging into myself to port 2200.. could a password to a remote server be relevant?? – kwagjj Jun 24 '14 at 08:33
  • @JennyD I'm trying to find how to check my ssh log... If you're there could you just comment the command for me to save my time? :) – kwagjj Jun 24 '14 at 08:34
  • In your sshd_config the port is set to 22. You connect to port 2200. Is this right? Maybe there is a port forwarding active? – Tobias Jun 24 '14 at 08:36
  • The precise location of your logs depends on your distro (which I don't believe you've mentioned). Try `sudo tail /var/log/secure`. – garethTheRed Jun 24 '14 at 08:38
  • *could a password to a remote server be relevant?* Yes, that is what port forwarding means: everything you do to port 2200 is forwarded to the (remote) port 22, so that is where you connect, and that is also where your password is checked. – Ansgar Esztermann Jun 24 '14 at 08:41
  • Maybe you can show us how you made the port forwarding? – Tobias Jun 24 '14 at 08:44
  • @garethTheRed Sorry, I'm a newbie at this place.. my distro is Ubuntu 12.04 LTS, Precise Pangolin – kwagjj Jun 24 '14 at 08:58
  • Got it!!!!!!!!!!!!!!!!!!!!! Thanks @AnsgarEsztermann and all of you. With @AnsgarEsztermann's latest comment I realized that trying to ssh to my own port 2200 is in fact an attempt to log in to the remote destination server. Based on this discovery, not only was I typing in the wrong password, but also, I was trying to log in with the wrong username. The username that I have in the destination server is 'kwagjj' so obviously, trying `chulhyun@localhost` was totally wrong. – kwagjj Jun 24 '14 at 09:04
  • So I tried `ssh kwagjj@localhost -p 2200` and with the password to the kwagjj account that I have at the destination server, I succeeded to get in. I guess in the end, it's really the small things that people miss out.... Anyway, Thanks everyone! – kwagjj Jun 24 '14 at 09:05

2 Answers

3

This is an answer that I finally reached after the discussion made in the comments.

From the comments, I realized that connecting to port 2200 is in fact an attempt to log in to the remote destination server. Based on this discovery, not only was I typing in the wrong password, but also, I was trying to log in with the wrong username. The username that I have in the destination server is 'kwagjj' so obviously, trying chulhyun@localhost was totally wrong.

So I tried `ssh kwagjj@localhost -p 2200` with the password to the kwagjj account that I have at the destination server, and I succeeded in getting in.

The point is, when utilizing the local port that you have forwarded, treat it as if you're facing the remote server at the very end of that local port.

kwagjj
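The `-vvv` output in the question already shows that port 2200 is answered by a different sshd: the client is OpenSSH_5.9p1 while the server announces OpenSSH_5.3. The script below is an added example, not part of the original post, that extracts those fields and compares the presented host key with the local one; the function names and the three-way verdict are choices made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): tell from `ssh -v` output whether
# a port on localhost is answered by the local sshd or by a forwarded one.

# Constructed sample: five lines copied from the -vvv output in the question.
SAMPLE_LOG='debug1: Connecting to localhost [127.0.0.1] port 2200.
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: Server host key: RSA 0a:2c:c5:31:6e:46:76:f6:e2:fb:3e:ac:77:96:36:2a
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password'

# Each helper reads the log on stdin and prints one field (empty if absent).
remote_version() {    # software version announced by the answering server
    sed -n 's/^debug1: Remote protocol version [^,]*, remote software version \([^ ]*\).*$/\1/p' | head -n 1
}
local_version() {     # software version of the ssh client itself
    sed -n 's/^debug1: Local version string SSH-[0-9.]*-\([^ ]*\).*$/\1/p' | head -n 1
}
presented_hostkey() { # fingerprint of the host key the server presented
    sed -n 's/^debug1: Server host key: [^ ]* \(.*\)$/\1/p' | head -n 1
}

# classify_endpoint LOG [LOCAL_FINGERPRINT]  ->  local | forwarded | unknown
# LOCAL_FINGERPRINT is this machine's own host key fingerprint, e.g. from
#   ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub | awk '{print $2}'
# (assumed path; it must be in the same hash format the client log uses).
classify_endpoint() {
    log=$1
    local_fp=$2
    fp=$(printf '%s\n' "$log" | presented_hostkey)
    if [ -n "$local_fp" ]; then
        # Strong signal: a different host key means a different sshd.
        if [ "$fp" = "$local_fp" ]; then echo local; else echo forwarded; fi
        return 0
    fi
    # Weak signal: differing versions point to a different server, but equal
    # versions say nothing, so that case stays "unknown".
    rv=$(printf '%s\n' "$log" | remote_version)
    lv=$(printf '%s\n' "$log" | local_version)
    if [ -n "$rv" ] && [ "$rv" != "$lv" ]; then echo forwarded; else echo unknown; fi
}

classify_endpoint "$SAMPLE_LOG"   # no local fingerprint supplied
```

On a live system, `ss -ltnp` shows which process owns the listening port: for a forwarded port it is the `ssh` client, not `sshd`.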
0

Checking this link would be helpful:

http://tweaktheserver.com/ssh-cant-connect-authentications-that-can-continue-publickeygssapi-keyexgssapi-with-micpassword/

hildred
Gopu
  • It would be better to include the relevant details here and provide the link for backup information and as your source – Anthon Apr 20 '15 at 06:46