Strange problems with sshd under fc3 - Rejecting all users but one

Eric Vought, Technical Director evought at diversityink.com
Wed Feb 2 23:24:19 UTC 2005



I am having an odd problem with OpenSSH sshd on FC3. I am asking about
the problem here because I think the problem may be outside of sshd
itself. In the end, I am sure I have caused the problem myself, but am
hoping someone else has seen it.

Symptoms:
sshd rejects all users but one (my account) with "*user* rejected
because not in AllowUsers". This message appears in /var/log/secure.
When logging in with ssh, it asks for and appears to reject the
password (even though a public key is configured). The funny thing is
that AllowUsers is *empty*.

Background:
When I installed the server, I immediately created a new user account,
added it to AllowUsers, and turned off root login. I reloaded the
server (service reload sshd) and began connecting as this user. It
worked. Root was, correctly, denied. Now I have added more accounts
and wish to allow login for some of them. In fact, I want to allow
all users and let the shell setting disallow the users it should
(shell=/dev/null). Most of the users have been created by
Webmin/Virtualmin. Two were created with useradd at the prompt
(including the one that *is* allowed to ssh).

At first, I went into Webmin and added another user to the AllowUsers
list and saved it. No effect. I verified that I have set the user's
shell (/bin/zsh, which is in /etc/shells). I forced a reload of sshd. I
verified that the AllowUsers field had been updated in
/etc/ssh/sshd_config.

Next, I went back to Webmin/SSH module and set it to allow all logins
(the ones I do not want have shells set to /dev/null). I looked at
sshd_config and verified that AllowUsers had been removed from the
file (the man page says that it defaults to allow all). No good. I
reloaded sshd and still no good.

The original user account is still let in. No new account, whether
created in Webmin or by useradd, can log in. The original account has
its personal group and wheel. Of the other accounts being rejected, at
least one is also in wheel. I do not see any other related messages in
the logs.

I have also tried setting AllowUsers to "*" and I have tried replacing
the *original config file* from the RPM with *no change*.

Questions:
1) Why is sshd not allowing all users with an empty AllowUsers?
2) If it is not defaulting to allow all, why let the original account in?
3) Why did the original config file not reset the behavior (!)?

I am forced to conclude that sshd is simply not reading
/etc/ssh/sshd_config, though it is reloading (I get disconnected each
time) and I can find no other file on the system which it might be
reading instead. In particular, I have gone through every file on the
system in which the original account name appears looking for a ghost
allow list somewhere with no result. Now I am getting very confused.

--
--------------
Eric Vought

Technical Director,
Diversity Ink
Morgan Family Enterprises
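The post leans on the sshd_config(5) rule that an absent AllowUsers admits everyone, and on the order in which sshd evaluates its four allow/deny directives (DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups). The following added example, not code from the poster or from OpenSSH, implements that documented decision for a username and its group list so a config can be checked offline; the sample config text, the user names and the group memberships are constructed, and host parts of `user@host` entries are ignored.

```python
import re

# Constructed sample sshd_config (not the poster's file): one AllowUsers entry.
SAMPLE_CONFIG = """\
PermitRootLogin no
AllowUsers alice
"""

ACCESS_KEYS = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")


def parse_access_directives(config_text):
    """Collect the four allow/deny directives. Keywords are case-insensitive,
    written 'Key value' or 'Key=value'; repeated directives accumulate."""
    rules = {key: [] for key in ACCESS_KEYS}
    canonical = {key.lower(): key for key in ACCESS_KEYS}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)
        if m and m.group(1).lower() in canonical:
            rules[canonical[m.group(1).lower()]].extend(m.group(2).split())
    return rules


def _matches(patterns, name):
    """sshd patterns support only '*' and '?'; a 'user@host' entry is
    reduced to its user part here (host matching is not modelled)."""
    for pattern in patterns:
        regex = re.escape(pattern.split("@", 1)[0])
        regex = regex.replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, name):
            return True
    return False


def access_decision(rules, user, groups):
    """Apply the sshd_config(5) order DenyUsers, AllowUsers, DenyGroups,
    AllowGroups; an absent Allow* directive admits everyone not denied."""
    if _matches(rules["DenyUsers"], user):
        return False, "listed in DenyUsers"
    if rules["AllowUsers"] and not _matches(rules["AllowUsers"], user):
        return False, "not listed in AllowUsers"
    if any(_matches(rules["DenyGroups"], g) for g in groups):
        return False, "group listed in DenyGroups"
    if rules["AllowGroups"] and not any(_matches(rules["AllowGroups"], g) for g in groups):
        return False, "no group listed in AllowGroups"
    return True, "allowed"
```

Running `access_decision(parse_access_directives(open("/etc/ssh/sshd_config").read()), user, groups)` against the file sshd is believed to be reading shows whether the directives in that file alone would reject the user, which separates a config-content problem from a config-not-loaded problem.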


