SSH access is not enabled for users even though MAIL FTP & SSH is selected

When creating a new virtual domain the administration user is created with SSH MAIL & FTP access. This is fine although this user cannot log in via SSH as the username is not added to the allowed users list in the SSH server access control. Manually entering it there allows the user to log in.

However when I create another user and set the other permissions to EMAIL FTP & SSH I cannot log in via SSH even if the user details are manually entered into the allowed users Access Control section of the SSH server.

This is very frustrating. How can I enable SSH login for a user? The only user that works for SSH is the administration user that is created when the domain is created! I have edited the custom shell in the system customisation so that the option for MAIL FTP & SSH is available when creating the user to no avail it seems.

I have checked all the config files I can think of and everything looks correct. The only thing I can think of is that the username, which in my domain's case is user.name@domain.co.uk, is somehow not ok somewhere.

Status: 
Active

Comments

Howdy -- what error do you receive in your logs when trying to log in as "user.name@domain.co.uk"? Take a peek in both /var/log/auth.log and /var/log/syslog, and see if it shows any relevant information.

Auth.log:

Dec 10 17:43:04 vps1 sshd[25933]: Invalid user my.user from 192.168.0.254
Dec 10 17:43:04 vps1 sshd[25933]: input_userauth_request: invalid user my.user [preauth]
Dec 10 17:43:11 vps1 sshd[25933]: pam_unix(sshd:auth): check pass; user unknown
Dec 10 17:43:11 vps1 sshd[25933]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.254
Dec 10 17:43:13 vps1 sshd[25933]: Failed password for invalid user my.user from 192.168.0.254 port 58440 ssh2

Nothing in syslog.

The username is in the form my.username@my.domain however in the logs it seems to have stripped off the @my.domain part. In the user and groups list I have 2 entries created by Virtualmin one is my.user@my.domain and the other is my.user-my.domain

I can login to mail using the correct long form of my.user@my.domain and also webdav. FTP logs in but fails to display directory contents. And SSH simply fails with:

Permission denied, please try again.

I am baffled by this behaviour as the admin user is created perfectly and works fine. Any other user created with supposedly the same permission and capabilities does not work.

Really stuck now!
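Added example, not part of the original thread or of Virtualmin: a small parser that pulls out of auth.log the exact name sshd received on each rejected login and lists the local accounts that extend that name with `@` or `-`, which is the mismatch described above. The `ACCOUNTS` list, the function names and the final "Accepted" log line are assumptions constructed for the example.

```python
import re

# First four lines: the auth.log excerpt quoted in the thread.
# Last line: constructed for this example.
SAMPLE_AUTH_LOG = """\
Dec 10 17:43:04 vps1 sshd[25933]: Invalid user my.user from 192.168.0.254
Dec 10 17:43:04 vps1 sshd[25933]: input_userauth_request: invalid user my.user [preauth]
Dec 10 17:43:11 vps1 sshd[25933]: pam_unix(sshd:auth): check pass; user unknown
Dec 10 17:43:13 vps1 sshd[25933]: Failed password for invalid user my.user from 192.168.0.254 port 58440 ssh2
Dec 10 17:52:40 vps1 sshd[26040]: Accepted password for my.user-my.domain from 192.168.0.254 port 58502 ssh2
"""
# Hypothetical account list, using the two name forms mentioned in the thread.
ACCOUNTS = ["admin", "my.user@my.domain", "my.user-my.domain"]

SSHD_LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REJECTED = [
    re.compile(r"^Invalid user (?P<user>\S+) from (?P<rhost>\S+)"),
    re.compile(r"^Failed password for invalid user (?P<user>\S+) from (?P<rhost>\S+)"),
]
ACCEPTED = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<rhost>\S+)")

def rejected_names(log_text, accounts):
    """Group 'invalid user' events by the name sshd logged, with the sshd
    PIDs (one per connection), source hosts and similar local accounts."""
    report = {}
    for line in log_text.splitlines():
        m = SSHD_LINE.search(line)
        if not m:
            continue
        for pat in REJECTED:
            hit = pat.match(m.group("msg"))
            if hit:
                entry = report.setdefault(hit.group("user"),
                                          {"pids": set(), "sources": set()})
                entry["pids"].add(int(m.group("pid")))
                entry["sources"].add(hit.group("rhost"))
                break
    for name, entry in report.items():
        # Accounts that are the logged name plus an '@...' or '-...' suffix.
        entry["similar"] = sorted(
            a for a in accounts if a.startswith((name + "@", name + "-")))
    return report

def accepted_names(log_text):
    """Names sshd logged as successfully authenticated, in log order."""
    hits = (ACCEPTED.match(m.group("msg"))
            for m in map(SSHD_LINE.search, log_text.splitlines()) if m)
    return [h.group("user") for h in hits if h]

if __name__ == "__main__":
    for name, info in rejected_names(SAMPLE_AUTH_LOG, ACCOUNTS).items():
        print(name, "rejected; similar accounts:", info["similar"])
    print("accepted:", accepted_names(SAMPLE_AUTH_LOG))
```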

I'm curious if it works when being accessed from your own server.

That is, now that you got SSH working for the Virtual Server owner, log in as that Virtual Server owner, and then run this command:

ssh localhost

And when you do that, try logging in as the my.user@my.domain account that you were having a problem with. When doing that, does it work properly?

I can login as localhost using the virtual server owners password. But I cannot log in as the user.

I am still getting invalid user messages in the auth log.

Cannot understand this issue. Any help appreciated.

System has been running for over a year without this type of issue.

Ubuntu 12.04 fully up to date.

Cheers Spart

Update.

OK any user that I have in the my.user@my.domain format does not work with ssh. I edited the domain template to not add the domain name to the username. I had to add it manually to the allowed users list in the SSH server access control list and restart the SSH server. The new user in the format my.user worked fine and SSH login worked normally.

Obviously this is not ideal as I want various users to have the same name across multiple domains with the full my.user@my.domain format making them unique per server.

I have no idea why it is not working but any user created with the full format will not work with SSH.

Please advise a workaround or fix, maybe it is a config setting somewhere. I also do not know why the allowed users is not being updated when a new SSH enabled user is created. I have to add them manually and restart the SSH server to allow access.

Cheers Spart

It looks like it can be problematic to have an "@" symbol in an SSH username, as when using SSH the @ means something special (it's a way of specifying the hostname).

It does seem to work when I use this syntax:

ssh user.name\@domain.tld hostname

It also works when using a -, rather than an @, in the username:

ssh user.name-domain.tld hostname

I don't know that there will be a better way than those two options though.

As far as SSH user access goes -- you may want to try going into System Settings -> Virtualmin Config -> Actions upon user and server creation, and there, set "Add users with no SSH access to deniedssh group?" to "No". After doing that, are users able to log in without having to change the config?

The second format seems to be automatically created by virtualmin/webmin i.e. my.user-my.domain for all of the users accounts that were created in the my.user@my.domain format. So each user seems to have 2 account names!

I cannot get any of these approaches to work. I have tried the following:

ssh my.user@my.domain@my.domain
ssh 'my.user@my.domain'@my.domain
ssh my.user\@my.domain@my.domain
ssh my.user-my.domain@my.domain
ssh -l my.user@my.domain my.domain

None work. I can confirm that my.user@my.domain is added to the allowed users access control list in the SSH server.

This answer on the ubuntu forums seems to suggest that this approach should work but it does not work with virtualmin/webmin.

Re: SSH - logging in with "username@domain.tld" format username

Problem solved!

ssh -l daz@mydomain.com someserver.com

The SSH server responds so it can obviously work out the domain/hostname we are interested in but then it asks for the password for my.user@my.domain@my.domain and of course that user does not exist.

The implications for this are far reaching as it would effectively mean that I could only have one john.smith@first.domain in virtualmin because the next john.smith@second.domain would conflict as the usernames would be identical without the @my.domain part. This all works fine for email and ftp but not for SSH.

Obviously telling my user he cannot have his username because someone else on another domain has it is a non starter.

There must be an issue somewhere in the configs because google is full of people saying that ssh -l my.user@my.domain my.domain is working for them.

Please help!

Cheers Spart

Eureka!

I finally got this solved maybe :)

I had to enter the my.user-my.domain@my.domain into the allowed users list in the SSH server client access settings.

Then I used:

ssh my.user-my.domain@my.domain

and finally got a login. I have no idea what the implications are of using my.user-my.domain instead of my.user@my.domain; they both seem to point to the same userID, home etc. Essentially an alias I think.

A workable workaround.

It would be great for virtualmin to automatically populate the allowed users in the SSH server client access settings with the my.user-my.domain@my.domain username. It is exactly the opposite of the option to add users without SSH access to the denied list.

Is there a way to do this from Virtualmin on creation of a new user? Can you advise please?

Cheers Spart