1

I'm running Fedora 36 Workstation with OpenSSH server 8.8p1. I want to log on a single remote user and authenticate with their password, but OpenSSH seems determined not to let me. I've tried every solution I can find online. Most of them seem to come down to "edit the password authentication line in /etc/ssh/sshd_config so that it reads as follows:

PasswordAuthentication yes

Done. I've also set the following:

PubkeyAuthentication no

KerberosAuthentication no

GSSAPIAuthentication no

I've tried connecting from Putty on Windows and through the terminal on another Fedora 36 Workstation. No luck. Same errors. I tried setting up keys, and I couldn't ssh-copy-id to the server because I haven't been able to authenticate a user yet.

At this point, my login attempt looks like this:

ssh -vv user@server.ip

and always spits back

user@server.ip: Permission denied (gssapi-keyex,gssapi-with-mic).

In the debug log, I also see

Authentications that can continue: gssapi-keyex,gssapi-with-mic

I'm sure I've restarted sshd. I'm sure that I'm editing the correct config file on the server. I've also tried to ssh with options set on the client side:

ssh -o [relevant options, etc.]

Why, if password authentication is set to yes, is it not showing up as an authentication method that can continue? Why, if GSSAPI is set to no, are those options showing as available? I've also tried removing openssh-server from the server and cleared out all ssh config files, then reinstalled and reset the options.

What else can I try?

I've seen references to UsePAM and ChallengeResponseAuthentication, but I've tried every combination of values for those, as well, and I keep ending up in the same place. The fact that I'm getting the same errors on both clients says that it's something on the server. Is there something that could be overriding my config file?

tmoore82
  • 111
  • 5
  • 1
    You say you tried setting up keys but couldn't, since you haven't been able to authenticate a user yet. How did you change the sshd config? – jabbson Nov 16 '22 at 03:41
  • 1
    are you doing changes in client side or server side? it seems you are doing client side only can you confirm? – asktyagi Nov 16 '22 at 04:13
  • 1
    If Fedora is like RHEL it may be setting options/features in the sshd start-up command line that override settings form /etc/ssh/sshd_config ; check those commandline arguments with for example `systemctl status sshd` and/or the contents `EnvironmentFile` referenced in the systemd sshd.service unit file – diya Nov 17 '22 at 13:09
  • @asktyagi I am making the changes on the server. – tmoore82 Nov 17 '22 at 15:35
  • @jabbson I edited /etc/ssh/sshd_config with `sudo vi /etc/ssh/sshd_config` – tmoore82 Nov 17 '22 at 15:36
  • @diya thank you! I found the problem. you pointed me in the right direction. – tmoore82 Nov 17 '22 at 15:51

1 Answers1

0

Turns out there was a local config file I had missed. Thanks to @diya's comment above, I went looking for another conf file.

/etc/ssh/sshd_config.d/01-local.conf

It contained one line

PasswordAuthentication no

Changed this to yes, restarted sshd, had immediate success logging in from the client.

I'm glad it's working, but I would still be interested to know if anyone has any insight into why this extra config file was tucked away, overriding my sshd_config. I didn't see any reference to this in any of the troubleshooting materials I found on ssh login issues.

tmoore82
  • 111
  • 5
  • 1
    It is probably included from `/etc/ssh/sshd_config` by `Include /etc/ssh/sshd_config.d/*.conf` (or something similar), likely close to the top of the file. – Tomek Nov 17 '22 at 19:35