
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
1 answers
40 views
Reasons for reverse SSH tunnel failure
I have a NAS in my living room with a bunch of services like GitLab, NextCloud, my personal Website etc. running on it. All these services are reachable via a reverse SSH tunnel between my Ionos VPS with a public IP address running the reverse proxy for my domain and my NAS. This works fine. However, I cannot for the life of me get a regular remote SSH connection from my terminal to the NAS to be established which means I have to SSH into the VPS first and then SSH into the NAS from there and can only use GitLab via HTTPS not SSH. Maybe someone here has an idea. Here's my setup:
NAS (main user malik):
autossh unit:
```
[Unit]
Description=Reverse SSH Tunnel to VPS
After=network-online.target
Wants=network-online.target

[Service]
User=malik
Environment=HOME=/home/malik
ExecStart=/usr/bin/autossh -M 0 -N \
  -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" \
  -i /home/malik/.ssh/vps_autossh \
  -R 8080:localhost:80 \
  -R 8443:localhost:443 \
  -R 3001:localhost:3001 \
  -R 8001:localhost:8000 \
  -R 8099:localhost:8099 \
  -R 8022:localhost:8022 \
  -R 2222:localhost:2222\
  tunneluser@212.227.63.142
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
```
SSHD config:
```
Include /etc/ssh/sshd_config.d/*.conf

AuthorizedKeysFile      .ssh/authorized_keys

Subsystem       sftp    /usr/lib/ssh/sftp-server
```
VPS: Main user root for admin and restricted user tunneluser for reverse tunnels
SSHD config:
```
Include /etc/ssh/sshd_config.d/*.conf

KbdInteractiveAuthentication no

UsePAM yes

AcceptEnv LANG LC_*

Subsystem       sftp    /usr/lib/openssh/sftp-server

ClientAliveInterval 120
PermitRootLogin yes

Match User tunneluser
    PasswordAuthentication no
    AllowTcpForwarding yes
    GatewayPorts yes
```
I use 8022 for GitLab SSH and 2222 for my main NAS user. It looks like everything is working:
```
root@my-vps:~# sudo netstat -tulnp | grep 8022
tcp        0      0 0.0.0.0:8022            0.0.0.0:*               LISTEN      3546/sshd: tunnelus
tcp6       0      0 :::8022                 :::*                    LISTEN      3546/sshd: tunnelus
root@my-vps:~# sudo netstat -tulnp | grep 2222
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      3627/sshd: tunnelus
tcp6       0      0 :::2222                 :::*                    LISTEN      3627/sshd: tunnelus
```
When I try to connect from my laptop I get a network unreachable error:
```
ssh -p 2222 malik@212.227.63.142
ssh -p 8022 git@212.227.63.142
telnet 212.227.63.142 2222
telnet 212.227.63.142 8022
```
What am I doing wrong?
KilakOriginal (21 rep)
Jul 30, 2025, 03:21 PM • Last activity: Jul 31, 2025, 01:49 PM
2 votes
1 answers
45 views
Restrict ssh access to single host per user
I am trying to restrict SSH for a user to a specific host: I would like `userA` to be able to SSH to any host, allowing only pubkey authentication, and only if the connection comes from 192.168.1.17. I've tried the following configs in `/etc/ssh/sshd_config.d/sshd_config.conf`:
```
Match Group ansible Address !192.168.10.17
    DenyUsers                       ansible
    PubkeyAuthentication            no
    KbdInteractiveAuthentication    no
    PasswordAuthentication          no
    KerberosAuthentication          no
    GSSAPIAuthentication            no
    AllowAgentForwarding            no
    AllowTcpForwarding              no
    X11Forwarding                   no

Match User ansible Address 192.168.10.17
    AuthorizedKeysFile              ~/.ssh/authorized_keys
    PubkeyAuthentication            yes
    KbdInteractiveAuthentication    no
    PasswordAuthentication          no
    KerberosAuthentication          no
    GSSAPIAuthentication            no
    AllowAgentForwarding            no
    AllowTcpForwarding              no
    X11Forwarding                   no
```
This doesn't work and I'm out of ideas. I did see question "Restrict users to specific ssh" but that didn't really help much. Any ideas are appreciated, thanks!
Kevin Huntly (74 rep)
Jul 19, 2025, 02:52 PM • Last activity: Jul 19, 2025, 04:04 PM
0 votes
1 answers
2320 views
ssh jump fail about banner invalid characters
Updated `sshd` journal on both `jumphost` and `jumptarget`

----------

Full logs are too long to be pasted, so they are uploaded to gist. Three files are logs of:

- Local -> Jumpper -> Debian by `ssh -j`
- Local -> Jumpper -> Debian by `ssh Debian`
- Local -> Jumpper by `ssh jumpper`
- Jumper -> Debian by `ssh 10.10.10.3`

FYI: During this time, the IP address was re-planned 10.10.1.3 -> 10.10.10.3, and a domain was added in the hosts. These shouldn't have any effect on the problem.

----------

A similar problem is [SSH ProxyJump on macOS Catalina is not working](https://superuser.com/q/1510997), but the answer doesn't solve my case.

I'm configuring ssh jump with the following configuration:
```
Host Jumper
	HostName domainName
	User username
	Port 1234

Host Debian
	HostName 10.10.1.3
	User username
	Port 22
	ProxyJump Jumper
```
The result of `ssh Debian -vvv` is:
```
...
debug1: kex_exchange_identification: banner line 0: \033(B\033[mSSH-2.0-OpenSSH_9.2p1 Debian-2
kex_exchange_identification: banner line contains invalid characters
...
```
It shows OpenSSH, so I think the port should be correct. `ssh Jumper` is fine, and manually running `ssh 10.10.1.3` on jumper is also fine. The local host is macOS with OpenSSH_9.0p1 and the others are OpenSSH_9.2p2.
Leo (1 rep)
Sep 18, 2023, 02:41 AM • Last activity: Jul 17, 2025, 09:28 AM
0 votes
0 answers
40 views
RHEL9 + CIS system will not accept pasted ssh password *ONLY ON FIRST SSH*
I have a RHEL9 server where I ran the RHEL9 CIS ansible-lockdown role and configured it so that root can ssh in (yes I know, will be remedied in the future). The system is doing something very strange. After reboot, I can not paste the ssh password into the terminal, it only lets me in if I type it out. As soon as any ssh session has been created, I CAN paste the password into the ssh prompt and it lets me in just fine. Here are logs showing the attempts. Note that the same password was in the clipboard the whole time, so I absolutely did not fat-finger the root password.
```
Jul 15 15:55:13 myhost sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.8  user=root
# ^password pasted
Jul 15 15:55:20 myhost sshd: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
# ^password typed
Jul 15 15:55:21 myhost sshd: pam_unix(sshd:session): session closed for user root
Jul 15 15:55:24 myhost sshd: pam_unix(sshd:session): session opened for user root(uid=0) by root(uid=0)
# ^password pasted
```
I found someone posted something similar here: https://forums.rockylinux.org/t/weird-ssh-issue-on-9-3-ssh-login-fails-until-another-user-logs-in/13489/2 but there was no explanation and no fix. This isn't really a good setup for me since the generated passwords are very long and complex. One thing I notice is that the PID of sshd changed, but that hasn't helped me diagnose the issue. In the other forum there's no mention of CIS hardening, and I don't have another test system where I want to try a fresh install, so I'm not sure if it's due to the lockdown. Any ideas?

Edit 1: Once ANY user has logged in, in any way (like with ssh key), then pasting the password also works. So it does not have to be entered manually once; the requirement is that someone (anyone) has to log in once, then pasted passwords work.

Edit 2: Like the person in the link, it is related to the terminal; I was using SecureCRT. When I ssh using regular command prompt, the pasted password works immediately after reboot. I would prefer to find a real reason for this, because this seems to be specific to RHEL9, and in this environment SecureCRT is the app that users are provided.

Edit 3: Successfully sshing from a different terminal does NOT fix the password paste issue in SecureCRT. You still have to connect *once* from SecureCRT and after that you can reconnect by pasting a password (and I mean really reconnect, no ControlMaster).
Martin Ananda Boeker (1 rep)
Jul 15, 2025, 03:18 PM • Last activity: Jul 16, 2025, 09:53 AM
0 votes
1 answers
2995 views
How to fix fatal: Access denied for user A by PAM account configuration [preauth]?
Updated openssh to sshd 8.1. Error connecting to server: `sshd fatal: Access denied for user A by PAM account configuration [preauth]`. Configured ldap, authorization by key. I don't understand what's wrong; I can't connect to the server, neither by key nor by password. I work through a long-open connection in the terminal. Distro: Oracle Linux Server, VERSION="8.7"
alex_cd (1 rep)
May 17, 2023, 01:28 PM • Last activity: Jul 15, 2025, 06:08 PM
102 votes
5 answers
275822 views
Where are my sshd logs?
I can't find my sshd logs in the standard places. What I've tried:

- Not in `/var/log/auth.log`
- Not in `/var/log/secure`
- Did a system search for `'auth.log'` and found nothing
- I've set `/etc/ssh/sshd_config` to explicitly use `SyslogFacility AUTH` and `LogLevel INFO` and restarted sshd and still can't find them.

I'm using OpenSSH 6.5p1-2 on Arch Linux.
HXCaine (1247 rep)
Feb 8, 2014, 01:06 PM • Last activity: Jun 26, 2025, 11:59 AM
0 votes
1 answers
1933 views
ssh localhost: Permission denied (publickey) Ubuntu on WSL2
Previously asked this question on askubuntu.com but I thought this is rather a general linux question so I'm asking here again: I'm having trouble "sshing" to localhost and getting a permission denied. I have tried everything from root or using sudo as well. Ran the following:
```
ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
cat /root/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/authorized_keys
ssh localhost
```
As the root user I have also done the following in case I use either user and the directories get mixed up:
```
cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
cat /home/shervleradvm/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
```
First time was because the service was not running. So I did
```
sudo service ssh start
```
I have also disabled the ufw for the test.
```
sudo ufw disable
```
Read/write permissions on the key files are:
```
drwx------ 2 shervleradvm shervleradvm 4096 Nov 21 23:15 .
drwxr-xr-x 6 shervleradvm shervleradvm 4096 Nov 21 23:25 ..
-rw-r----- 1 shervleradvm shervleradvm 1146 Nov 21 23:23 authorized_keys
-r-------- 1 root shervleradvm 2610 Nov 18 13:17 id_rsa
-r-------- 1 shervleradvm shervleradvm 577 Nov 18 13:17 id_rsa.pub
-rw-r--r-- 1 shervleradvm shervleradvm 444 Nov 18 15:05 known_hosts
```
sshd_config file was missing the following so I added and tested each and combinations of:

- AllowUsers: added shervleradvm
- AuthorizedKeysFile: added ~/.ssh/authorized_keys /root/.ssh/authorized_keys

I then changed my config file a little after reading https://askubuntu.com/questions/783843/please-explain-the-complete-steps-involved-in-the-installation-of-openssh-server/783844#783844 so now it looks like:
```
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
########################################## EDITED
LogLevel VERBOSE
##################################################

# Authentication:
############################################################## NEW STUFF ############
AllowUsers shervleradvm root
#####################################################################################


#LoginGraceTime 2m
########################################### EDITED
PermitRootLogin yes
##################################################
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
########################################################################### EDITED
AuthorizedKeysFile ~/.ssh/authorized_keys /root/.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
############################################ EDITED
AllowTcpForwarding no
####################################################
#GatewayPorts no
############################################ EDITED
X11Forwarding no
####################################################
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
########################################## EDITED
Banner /etc/issue.net
#####################################################

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
```
I'm not sure what else I can try. I've been stuck on this for days and I have read all the other questions regarding ssh. The verbose output is:
```
OpenSSH_8.2p1 Ubuntu-4ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/shervleradvm/.ssh/id_rsa type 0
debug1: identity file /home/shervleradvm/.ssh/id_rsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_dsa type -1
debug1: identity file /home/shervleradvm/.ssh/id_dsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/shervleradvm/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519 type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519_sk type -1
debug1: identity file /home/shervleradvm/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/shervleradvm/.ssh/id_xmss type -1
debug1: identity file /home/shervleradvm/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.1
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'shervleradvm'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:RhXPmgq8gMMrSRv7+VlpLb84pRnXi2vDiqdg0EfocK0
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/shervleradvm/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/shervleradvm/.ssh/id_rsa RSA SHA256:WfkneDotRaioAvWLHi+4L0CpHg+EZ8cWMPPGbx/jUXQ
debug1: Will attempt key: /home/shervleradvm/.ssh/id_dsa
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ecdsa
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ed25519
debug1: Will attempt key: /home/shervleradvm/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/shervleradvm/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=
debug1: SSH2_MSG_SERVICE_ACCEPT received
***************************************************************************
SOME BANNER I HAVE PUT
This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials.
Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
****************************************************************************
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/shervleradvm/.ssh/id_rsa RSA SHA256:WfkneDotRaioAvWLHi+4L0CpHg+EZ8cWMPPGbx/jUXQ
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/shervleradvm/.ssh/id_dsa
debug1: Trying private key: /home/shervleradvm/.ssh/id_ecdsa
debug1: Trying private key: /home/shervleradvm/.ssh/id_ecdsa_sk
debug1: Trying private key: /home/shervleradvm/.ssh/id_ed25519
debug1: Trying private key: /home/shervleradvm/.ssh/id_ed25519_sk
debug1: Trying private key: /home/shervleradvm/.ssh/id_xmss
debug1: No more authentication methods to try.
shervleradvm@localhost: Permission denied (publickey).
```
**UPDATE 1**: the syslog in /var/log/syslog only says:
```
Nov 20 01:05:54 ShervLeRad kernel: [35460.503034] WSL2: Performing memory compaction.
Nov 20 01:06:55 ShervLeRad kernel: [35521.519400] WSL2: Performing memory compaction.
Nov 20 01:07:56 ShervLeRad kernel: [35582.535366] WSL2: Performing memory compaction.
Nov 20 01:08:57 ShervLeRad kernel: [35643.552061] WSL2: Performing memory compaction.
Nov 20 01:09:58 ShervLeRad kernel: [35704.567029] WSL2: Performing memory compaction.
Nov 20 01:10:59 ShervLeRad kernel: [35765.582427] WSL2: Performing memory compaction.
Nov 20 01:12:00 ShervLeRad kernel: [35826.597374] WSL2: Performing memory compaction.
```
The auth.log in /var/log/auth.log says:
```
Nov 19 18:48:34 ShervLeRad sudo: shervleradvm : TTY=pts/0 ; PWD=/etc/ssh ; USER=root ; COMMAND=/usr/bin/ssh localhost
Nov 19 18:48:34 ShervLeRad sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 19 18:48:34 ShervLeRad sshd: Connection closed by authenticating user root 127.0.0.1 port 39490 [preauth]
Nov 19 18:48:34 ShervLeRad sudo: pam_unix(sudo:session): session closed for user root
Nov 19 18:48:37 ShervLeRad sudo: shervleradvm : TTY=pts/0 ; PWD=/etc/ssh ; USER=root ; COMMAND=/usr/bin/vim sshd_config
Nov 19 18:48:37 ShervLeRad sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 19 18:48:51 ShervLeRad sudo: pam_unix(sudo:session): session closed for user root
```
**UPDATE 2**: I ran ssh with -vvv and the output is:
did not send a packet, disable method debug1: No more authentication methods to try. shervleradvm@localhost: Permission denied (publickey). **UPDATE 3**: I just tried ssh -i id_rsa localhost from ~/.ssh dir of shervleradvm user to try defining private_key to use. That didn't work. So I did touch config && vim config then I defined the private key for the localhost: Host localhost HostName localhost User shervleradvm IdentityFile ~/.ssh/id_rsa and then ran ssh localhost. The error presists. **UPDATE 4**: I changed the owner of the private key to shervleradvm and gave the following permissions: -rw------- 1 shervleradvm shervleradvm 2610 Nov 18 13:17 id_rsa -r-------- 1 shervleradvm shervleradvm 577 Nov 18 13:17 id_rsa.pub didn't help.
Shervin Rad (101 rep)
Nov 22, 2020, 02:15 PM • Last activity: Jun 19, 2025, 12:08 PM
741 votes
32 answers
1402188 views
Why am I still getting a password prompt with ssh with public key authentication?
I'm working from the URL I found here: http://web.archive.org/web/20160404025901/http://jaybyjayfresh.com/2009/02/04/logging-in-without-a-password-certificates-ssh/ My ssh client is Ubuntu 64 bit 11.10 desktop and my server is Centos 6.2 64 bit. I have followed the directions. I still get a password prompt on ssh and I'm not sure what to do next.
Thom (7975 rep)
Apr 16, 2012, 02:38 PM • Last activity: Jun 10, 2025, 05:51 PM
0 votes
1 answers
242 views
Rhel 9 SSH giving ssh_dispatch-run-fatal error
I'm trying to connect to a RHEL9 VM using ssh. When attempting, it gives the error:
Connection closed by xxx.xxx.xxx.xxx port 22
I checked the /var/logs/secure log and found the following error
Connection from xxx.xxx.xxx.xxx port 65527 on xxx.xxx.xxx.xxx port 22 rdomain
input_kex_gen_init: key exchange type c25519 is not allowed in FIPS mode [preauth]
ssh_dispatch_run_fatal: Connection from xxx.xxx.xxx.xxx port 65527: invalid argument [preauth]
I've checked the firewall to allow port 22, I've checked the sshd_config and it matched a known good. I have no idea what could be blocking me. Any help would be greatly appreciated.
Will Burnside (9 rep)
Jun 5, 2025, 06:36 PM • Last activity: Jun 6, 2025, 10:08 AM
6 votes
1 answers
4576 views
Running sshd in cygwin: "/var/empty must be owned by root..."
I installed OpenSSH on my Windows 7 system so I could tunnel my VNC into it from my Arch machine. However, when I run `/usr/sbin/sshd -D` on the W7 machine, I get the error: `/var/empty must be owned by root and not group or world-writable.` This is the output of the `ls -All /var`:
$ ls -All /var
total 0
drwxr-xr-x+ 1 {my_usrnm} None 0 Jul 15 21:39 cache
drw-------+ 1 cyg_server Administrators 0 Jul 15 21:43 empty
drwxr-xr-x+ 1 {my_usrnm} None 0 Jul 15 21:39 lib
drwxrwxrwt+ 1 {my_usrnm} None 0 Jul 15 21:45 log
drwxrwxrwt+ 1 {my_usrnm} None 0 Jul 15 23:36 run
drwxrwxrwt+ 1 {my_usrnm} None 0 Jul 15 21:39 tmp
I've tried a few of the permissions fixes and rebooted and reinstalled OpenSSH (by running ssh-host-config) at least 10 times, but nothing had fixed it. How do I fix this error? Thanks!
ZuluDeltaNiner (361 rep)
Jul 16, 2016, 06:43 AM • Last activity: Jun 1, 2025, 07:05 AM
1 votes
1 answers
2515 views
SSH Unable to negotiate: no matching host key type found
I have an issue where older clients aren't able to connect to current (v8.x) versions of openssh server. I'm familiar with adding ssh-rsa,ssh-dss to the list of available key types but that doesn't seem to work for this issue. One of our vendors is the client and there's no option of passing flags. When they try and connect, I get the following:
Apr 16 20:57:13 server sshd: Unable to negotiate with 10.0.3.39 port 49100: no matching host key type found. Their offer: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss [preauth]
I've added the following to /etc/ssh/sshd_config.d/10-test.conf
KexAlgorithms=+diffie-hellman-group1-sha1
HostKeyAlgorithms=+ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa,ssh-dss
PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss
As well as having no '=' but it has no effect. Here's the debug output:
[centos@ip-10-0-3-39 ~]$ ssh -vv -i test test@10.0.3.225
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.0.3.225 [10.0.3.225] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file test type -1
debug1: identity file test-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.7
debug1: match: OpenSSH_8.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,kex-strict-s-v00@openssh.com
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256,ssh-ed25519
debug2: kex_parse_kexinit: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: kex_parse_kexinit: aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes128-gcm@openssh.com,aes128-ctr
debug2: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: kex_parse_kexinit: hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes128-ctr hmac-sha1 none
no hostkey alg
Does anyone have any ideas here as I'm at a loss. Thanks!
Honkypants (11 rep)
Apr 16, 2024, 10:32 PM • Last activity: May 28, 2025, 01:10 PM
3 votes
2 answers
28248 views
set a limit on concurrent SSH/SFTP connections to 2 per user
I made the changes in /etc/security/limits.conf
test hard maxlogins 2
sftptest hard maxlogins 2
After the above entries I have tested the scenarios below:
1. Open 2 putty sessions; when I tried to open a 3rd session it disconnected automatically (working fine with ssh user, not for sftp user)
2. Open 2 putty sessions; when I am trying to open a 3rd session from filezilla / winscp the connection disconnected automatically (working fine with ssh user)
3. When I am trying to open 3 sessions in filezilla/winscp I am able to open 3 sessions (not working)
4. When I am trying to open 3 sessions in filezilla/winscp with sftp users I am able to open all three sessions
- Is there any difference in putty client and winscp/filezilla?
- SSH users have shell login but sftp users don't have shell login
- Is there any chance to limit the connections to 2 for sftp users?
I am pretty new to Linux.
Trivedh (31 rep)
Jan 12, 2018, 03:53 AM • Last activity: May 21, 2025, 08:04 AM
7 votes
1 answers
24117 views
Xauthority problem xdpyinfo: unable to open display "".
I am trying to run a program after enabling X windows port forwarding. My sshd_config file in /etc/ssh/sshd_config is configured such that:
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
and my ssh_config file in /etc/ssh/ssh_config has:
Host *
ForwardAgent yes
ForwardX11 yes
I try to enable X Windows port forwarding with
lemon:~ # ssh -X localhost
lemon:~ # echo $DISPLAY

lemon:~ # /usr/bin/SMclient
xdpyinfo: unable to open display "".
Unable to launch GUI due to X server display setting problem, Exiting .
So $DISPLAY is set to nothing. I have tried everything I've seen online. Originally there was no .Xauthority file so I copied from /var/run/gdm/auth-for--/database and renamed the file .Xauthority. I then tried
lemon:~ # xauth generate :0 . trusted
Invalid MIT-MAGIC-COOKIE-1 key
xauth: (argv):1: unable to open display ":0".
When this didn't work, I deleted the old .Xauthority file and then:
lemon:~ # touch ~/.Xauthority
lemon:~ # xauth generate :0 . trusted
No protocol specified
xauth: (argv):1: unable to open display ":0".
And many others suggested to run host + which just leads to
lemon:~ # xhost +
xhost: unable to open display ""
CrazyCray (71 rep)
Aug 8, 2017, 07:31 PM • Last activity: May 15, 2025, 09:06 AM
0 votes
2 answers
2525 views
How can I deny all IPv6 ssh connection
I want to disable all ssh connection from both IPv4 and IPv6 except certain IPs. I can set /etc/hosts.deny to deny all IPv4 ssh connection:
sshd: ALL
How to apply to IPv6? I tried below, and fail:
sshd: [*]
and
sshd: [ALL]
My sshd server version: PKIX-SSH 12.1, OpenSSH_8.0p1, OpenSSL 1.0.2g-fips 1 Mar 2016 And PKIX is configured with --with-tcp-wrappers
Yu-Ting Chen (51 rep)
Jul 29, 2019, 06:36 AM • Last activity: May 14, 2025, 05:07 PM
9 votes
2 answers
61479 views
sshd: "no hostkey alg" fixed but still confused
Apparently Fedora 35 does not list ssh-rsa in HostKeyAlgorithms or PubkeyAcceptedKeyTypes so trying to ssh from an old CentOS 6 machine yielded an error:
$ ssh as1s16.intra.corp.us
no hostkey alg
So I added options after the Include in /etc/ssh/sshd_config:
Include /etc/ssh/sshd_config.d/*.conf
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
but same error. Then I ran sshd like this:
# /usr/sbin/sshd -ddd
...
debug3: /etc/ssh/sshd_config:20 setting HostKeyAlgorithms +ssh-rsa
debug3: /etc/ssh/sshd_config:21 setting PubkeyAcceptedKeyTypes +ssh-rsa
...
debug1: SELinux support disabled [preauth]
...
debug3: append_hostkey_type: ssh-rsa key not permitted by HostkeyAlgorithms [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
but same error. Then I removed the options and ran sshd like this:
# /usr/sbin/sshd -ddd -oHostKeyAlgorithms=ssh-rsa
and it worked. I was able to successfully ssh in from the CentOS 6 client. So then I put the options BEFORE the Include:
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
# To modify the system-wide sshd configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf
and it worked. Why would I need to put these directives BEFORE the Include? Shouldn't they go after to override the defaults?
squarewav (209 rep)
Nov 28, 2021, 10:42 PM • Last activity: May 8, 2025, 04:02 PM
-1 votes
1 answers
39 views
publickey authentication getting failed in rhel
I have 2 RHEL machines. I am attempting to login via ssh with publickeyauthentication from 1 machine (say Machine A) to the other (say machine B), both of which are in the same network. For that, first I created a .ssh folder in the home directory of an account which happens to be a domain account. Then I created a file "authorized_keys" where I added the public key generated in the machine B. I gave appropriate permissions to the ".ssh" folder (700) and the "authorized_keys" file (600). I also made necessary changes in the /etc/ssh/sshd_config file and restarted sshd service. When I tried to login from machine B via ssh it is still prompting for password. My /etc/pam.d/sshd file looks like below
#### Google OS Login control. Do not edit this section. ####
auth       [default=ignore] pam_group.so
#### End Google OS Login control section. ####
#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin
and the password-auth file in /etc/pam.d/ looks like below
# This file is used for both password-auth and system-auth and is statically managed by Salt

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     [success=2 default=ignore]                   pam_succeed_if.so service in su:su-l:sudo:sudo-i:login:systemd-user:crond quiet
account     [success=1 default=ignore]                   pam_oslogin_login.so
account     substack                                     gmi-policy
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so quiet
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     optional                                     pam_oddjob_mkhomedir.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
Can someone plz tell me where in the configuration do I have to make changes for successful ssh publickeyauthentication?
Biswa (99 rep)
May 7, 2025, 07:02 PM • Last activity: May 7, 2025, 11:08 PM
1 votes
2 answers
2812 views
How to set SSH daemon to listen on IPv4 only?
Current config (reboot was also done):
root@ubi:~# grep Port /etc/ssh/sshd_config
Port 30000
root@ubi:~#
root@ubi:~# grep ListenAddress /etc/ssh/sshd_config
ListenAddress 0.0.0.0
root@ubi:~#
root@ubi:~# netstat -tulpn|grep 30000
tcp6 0 0 :::30000 :::* LISTEN 1/init
root@ubi:~#
root@ubi:~# ss -tulpn|grep 30000
tcp LISTEN 0 4096 *:30000 *:* users:(("sshd",pid=38048,fd=3),("systemd",pid=1,fd=251))
root@ubi:~#
root@ubi:~# grep PRETTY_NAME= /etc/os-release
PRETTY_NAME="Ubuntu 24.04.1 LTS"
root@ubi:~#
Question: Is this a bug? I set sshd to listen on only IPv4, why is it listening on IPv6?
peterK88 (117 rep)
Oct 16, 2024, 10:34 AM • Last activity: May 2, 2025, 09:27 PM
1 votes
1 answers
2437 views
ssh PrintLastLog prints actual login
I connect with my server via ssh and always it shows the last log: `Last login: Sat Mar 19 14:05:17 2016 from...` but that login is my actual login. What's the utility of this info? It should print the previous connection.
Gentoo 64 bits
Openssh v7.2
Juan Simón (170 rep)
Mar 19, 2016, 01:28 PM • Last activity: Apr 22, 2025, 09:06 PM
4 votes
1 answers
4376 views
Freeradius PAM create user and home on login
At this moment I have installed freeradius and PAM radius properly. When I create an account on the system and set a password in /etc/raddb/users.conf the user can login. Sudo also works great with PAM radius. What I want to achieve is that when I create a user in /etc/raddb/users.conf and reload the config, the account and home dir will be created if the authentication for Radius succeeds. I tried many things including
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
The last log lines from the login without a system user account.
Feb 23 18:59:17 localhost sshd: pam_unix(sshd:auth): check pass; user unknown
Feb 23 18:59:18 localhost sshd: Failed password for invalid user pop from 192.168.0.115 port 53608 ssh2
Feb 23 18:59:18 localhost sshd: Connection closed by 192.168.0.115 [preauth]
Feb 23 18:59:18 localhost sshd: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=danys-mbp.fritz.box
Feb 23 18:59:18 localhost sshd: PAM service(sshd) ignoring max retries; 4 > 3
Feb 23 18:59:18 localhost sshd: Invalid user pop from 192.168.0.115
Feb 23 18:59:18 localhost sshd: input_userauth_request: invalid user pop [preauth]
Feb 23 18:59:21 localhost sshd: pam_unix(sshd:auth): check pass; user unknown
Feb 23 18:59:21 localhost sshd: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=danys-mbp.fritz.box
Feb 23 18:59:22 localhost sshd: Failed password for invalid user pop from 192.168.0.115 port 53609 ssh2
My config for PAM sshd
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
#account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
Is it possible to create the system account and home directory on login when using freeradius and PAM radius? If so, how does this work? PS: I am using CentOS 7.
Edit: I have tried with a bash script to check if the user exists, then to create it if it does not exist, but this will not work and I do not see any log output for pam_exec.so failing.
Edit: radtest tells me the username and password are correct
Dany (231 rep)
Feb 25, 2016, 10:04 AM • Last activity: Apr 22, 2025, 03:08 PM
1 votes
1 answers
2043 views
Separate SSHD Authpriv logs into /var/log/sshd, all other authpriv logging goes to messages
Right now, sshd is using the authpriv facility. The level of logging is fine, but I don't want it in the syslog, I want it to go to /var/log/sshd (which doesn't yet exist) on Red Hat Linux/Enterprise Linux. authpriv is configured to go to syslog by syslogd.conf. Do I need to change the facility on sshd to local2 (or any other unused local) for instance, and then direct local2 to /var/log/sshd or is there a better way?
Gregg Leventhal (7786 rep)
Mar 7, 2014, 04:42 PM • Last activity: Apr 13, 2025, 01:05 PM