I'm having a very strange issue with the system. I want to give another user SFTP access and I can't. I enabled bash or sh and it still does not work. I can log in as root just fine via SSH console or SFTP, but not with the user I enable SFTP for. In Virtualmin it shows email, FTP, and SSH; in Webmin it's also shell access enabled.
I even changed the password twice and I always get authentication failed. If I try to log in via SFTP it rejects my logins; if I try the same user via SSH in PuTTY it also rejects it.
What can possibly be wrong? I know that the SSH service is working fine, as I use it every day, but I cannot use it as another user that is not root.
The user was migrated from cPanel; that is the only thing I can think of. I want to use SFTP instead of FTP because even after I configure FTP with SSL and it works, it's a mess: it constantly dies and gives port problems, so I decided to completely drop FTP for my own use. Except that I can't. And uploading files as root is not an option, as the files would have the wrong permissions and groups when I upload them to an account.
And yes, I can even log in with that user to email, Virtualmin and every other service, just not SSH or SFTP; it rejects the authentication for exactly the same password and username.
Howdy,
What output does this command give:
grep USERNAME /etc/passwd
Substituting the user's actual "username" above.
That will show what shell that user currently has set. If for some reason it's not a valid shell, that could cause the problem you're seeing.
-Eric
It currently outputs
/bin/bash
But I also tried to set it to: /bin/sh
And same issue. Very strange, it's like the user does work, and so does its password, because when I changed it, you need to input the old one first.
But it cannot access SSH, neither for file transfer in SFTP nor on a console. I also tried to restart the sshd service several times.
This is strange, as usually sometimes root direct login is restricted and you need to sudo to root but this is exactly the other way around. Only root seems to be able to log in and not less privileged users.
I think the problem is probably related to the domain itself, for example in Virtualmin if I go to the add users, it only has the option of Email and Email and FTP, no SSH there.
I cannot find any setting on the domain where it's supposed to grant this. Can it be that the user actually does have SSH access, but the domain is not allowed to use SSH, and so since the user belongs to that account it makes sense that it's denied from using SSH? But if this is the case, where am I supposed to check this?
Anyone? Is there some other way I can grant shell access to the account? Where does Virtualmin check for PAM access? Something must be wrong for it to deny me the login, as it says username or password is wrong while they are fine.
Well, if you have a shell of /bin/bash or /bin/sh, Virtualmin isn't the issue... Virtualmin isn't consulted during the login process. Having a shell like what you described is usually all you need.
What you may want to do is check your log files to see what sorts of errors show up when you try to login.
If you aren't sure where to look, let us know which distro you're using and we can offer some advice as to where to look.
-Eric
Well, it's CentOS 6. What you are saying is that the layer of the problem is in the OS, outside Webmin/Virtualmin?
I rather think it's something in Virtualmin blocking it; this is why I posted here.
You are right that if I create the user directly in my shell, and then try to log in, I get the same error. So creating a user directly in the OS does not work either.
You would assume, OK, then it's not a Virtualmin issue, but how can I explain to myself that the same procedure on another CentOS 6 machine works, and the only difference with this server is that it has Virtualmin installed? Virtualmin must have changed something or is somehow blocking something which I cannot figure out.
Now I do have IP control activated for Webmin and I also have IP control in the TCP wrappers for SSHD, but I don't see anywhere there that it says only for root, so SSHD means the whole service. So I cannot make sense of why it's blocking any user I created from accessing via SSH but not root.
If I check var/log/audit
All I can find of the user is that it fails with the message: terminal=ssh res=failed
As with root its: terminal=? res=success'
I also noticed that the lines with root start with: type=CRYPTO_KEY_USER
And with the user it starts with: type=USER_ERR
By the way, I can log in with the user just fine directly on the console, but not from the Internet via SSH. I'm starting to think that I'm correct here that Virtualmin or Webmin is somehow blocking port 22 only for root; is this even possible? It's restricted by IP, yes, but only for root as well? I never configured it that way, but could it be that some setting in the software is blocking this, or does the local console not use SSH at all? If so, then it seems SSHD is somehow broken, as if I use a local console I can get in without troubles.
SOLVED:
It seems that by default Webmin configured the SSH server only to allow "root" login. Just go to the SSH Server and check under "Access Control" which users are listed.
I did not configure this, so this was a default setting. Now I set it to all and it works. But I would suggest probably not leaving it like that, and listing just the users you need to log in.
Great! It's a security feature and it makes sense. We don't want to allow everyone to log in, in particular if you don't know which user accounts were migrated, so it makes sense to have tighter security by default. Otherwise, if it's set to ALL by default, it could lead to security troubles. Not sure if this is a default CentOS setting which Webmin just reads or if Webmin configured this.
But either way, for others reading just check that setting.
It seems that by default Webmin configured the SSH server only to allow "root" login. Just go to the SSH Server and check under "Access Control" which users are listed.
Webmin/Virtualmin does not configure that by default... otherwise the forums here would be flooded with people asking the same question you are :-)
It maintains the SSH settings provided by your distro.
Are you by chance using a VPS? If so, it's possible your VPS provider configured that setting by default.
-Eric
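For readers checking the same setting from a shell: Webmin's "Access Control" page edits the AllowUsers/DenyUsers (and group) directives in sshd_config, and the script below reproduces the "only root is listed" case. It is an added example, not part of any post in this thread; the function names, the sample file and the user `siteuser` are constructed.

```shell
#!/bin/sh
# Decide whether sshd's AllowUsers/DenyUsers lists admit a given user.
# Simplifications (assumptions): Match blocks, AllowGroups/DenyGroups and
# negated (!) patterns are not evaluated; a USER@HOST pattern is matched on
# its USER part only.

# list_patterns CONFIG KEYWORD -> prints every pattern given for KEYWORD
list_patterns() {
    awk -v kw="$2" '
        { sub(/#.*/, "") }                        # drop comments
        tolower($1) == tolower(kw) {              # keywords are case-insensitive
            for (i = 2; i <= NF; i++) { sub(/@.*/, "", $i); print $i }
        }' "$1"
}

# matches_any USER PATTERN... -> status 0 if USER matches one of the patterns
matches_any() {
    user=$1; shift
    for pat in "$@"; do
        case $user in $pat) return 0 ;; esac      # * and ? act as wildcards
    done
    return 1
}

# ssh_user_verdict CONFIG USER -> prints "allowed" or "denied: <reason>"
ssh_user_verdict() {
    set -f    # keep * and ? in patterns from expanding to file names
    deny=$(list_patterns "$1" DenyUsers)
    allow=$(list_patterns "$1" AllowUsers)
    if matches_any "$2" $deny; then
        verdict="denied: listed in DenyUsers"
    elif [ -n "$allow" ] && ! matches_any "$2" $allow; then
        verdict="denied: not listed in AllowUsers"
    else
        verdict="allowed"
    fi
    set +f
    echo "$verdict"
}

# Constructed sample reproducing the thread's situation: only root is listed.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' 'Port 22' '#AllowUsers everyone' 'AllowUsers root' > "$sample"
ssh_user_verdict "$sample" root
ssh_user_verdict "$sample" siteuser
```

On a live server, running `sshd -T` as root prints the effective configuration, including these directives when they are set.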