SSH - Roaming not allowed/Permission denied

Support for security such as Firewalls and securing linux

SSH - Roaming not allowed/Permission denied

Postby tenfoot » 2011/04/04 21:00:59

This is a double post/new thread because an admin locked the other thread referencing a very similar issue.

I've tried various permutations of the configuration, regenerated keys, tried different clients....still nothing. Per reply on other thread, checked all permissions for .ssh and authorized keys...both owned by user and chmod 700.

Where to next?

eric@LABDSKTP:~$ ssh -p 443 -v
OpenSSH_5.5p1 Debian-4ubuntu5, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to [] port 443.
debug1: Connection established.
debug1: identity file /home/xxx/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/xxx/.ssh/id_rsa-cert type -1
debug1: identity file /home/xxx/.ssh/id_dsa type -1
debug1: identity file /home/xxx/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[]:443' is known and matches the RSA host key.
debug1: Found key in /home/xxx/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/xxx/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/xxx/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).

Here's the sshd_config:
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 443
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

LoginGraceTime 30s
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
#PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication no
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM no
#UsePAM yes

# Accept locale-related environment variables
#AllowTcpForwarding yes
GatewayPorts yes
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

Edit: from
Information for general problems.
Code: Select all
== BEGIN uname -rmi ==
2.6.18-194.32.1.el5 x86_64 x86_64
== END   uname -rmi ==

== BEGIN rpm -qa \*-release\* ==
== END   rpm -qa \*-release\* ==

== BEGIN cat /etc/redhat-release ==
CentOS release 5.5 (Final)
== END   cat /etc/redhat-release ==

== BEGIN getenforce ==
== END   getenforce ==

== BEGIN rpm -q yum rpm python ==
== END   rpm -q yum rpm python ==

== BEGIN ls /etc/yum.repos.d ==
== END   ls /etc/yum.repos.d ==

== BEGIN cat /etc/yum.conf ==

# Note: yum-RHN-plugin doesn't honor this.

# Default.
# installonly_limit = 3

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
== END   cat /etc/yum.conf ==

== BEGIN yum repolist all ==
Loaded plugins: fastestmirror
repo id                      repo name                            status
addons                       CentOS-5 - Addons                    enabled:     0
base                         CentOS-5 - Base                      enabled: 3,434
c5-media                     CentOS-5 - Media                     disabled
centosplus                   CentOS-5 - Plus                      disabled
contrib                      CentOS-5 - Contrib                   disabled
extras                       CentOS-5 - Extras                    enabled:   296
updates                      CentOS-5 - Updates                   enabled: 1,137
repolist: 4,867
== END   yum repolist all ==

== BEGIN egrep 'include|exclude' /etc/yum.repos.d/*.repo ==
== END   egrep 'include|exclude' /etc/yum.repos.d/*.repo ==

== BEGIN sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n ==
== END   sed -n -e "/^\[/h; /priority *=/{ G; s/\n/ /; s/ity=/ity = /; p }" /etc/yum.repos.d/*.repo | sort -k3n ==

== BEGIN cat /etc/fstab ==
/dev/VolGroup00/LogVol00 /                       ext3    defaults        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
tmpfs                   /dev/shm                tmpfs   defaults        0 0
devpts                  /dev/pts                devpts  gid=5,mode=620  0 0
sysfs                   /sys                    sysfs   defaults        0 0
proc                    /proc                   proc    defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0
== END   cat /etc/fstab ==

== BEGIN df -h ==
Filesystem            Size  Used Avail Use% Mounted on
                       11G  2.5G  7.6G  25% /
/dev/hda1              99M   19M   75M  21% /boot
tmpfs                 250M     0  250M   0% /dev/shm
== END   df -h ==

== BEGIN blkid ==
/dev/mapper/VolGroup00-LogVol01: TYPE="swap"
/dev/mapper/VolGroup00-LogVol00: UUID="5e7267d8-272c-4952-9b76-24a8b77af7ba" TYPE="ext3"
/dev/hdc: LABEL="CentOS_5.5_Final" TYPE="iso9660"
/dev/hda1: LABEL="/boot" UUID="57638b71-7d18-4893-b79c-465e28a05503" TYPE="ext3" SEC_TYPE="ext2"
/dev/VolGroup00/LogVol00: UUID="5e7267d8-272c-4952-9b76-24a8b77af7ba" TYPE="ext3"
/dev/VolGroup00/LogVol01: TYPE="swap"
== END   blkid ==

== BEGIN rpm -qa kernel\* | sort ==
== END   rpm -qa kernel\* | sort ==

== BEGIN lspci ==
00:00.0 Host bridge: Intel Corporation 440FX - 82441FX PMC [Natoma] (rev 02)
00:01.0 ISA bridge: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II]
00:01.1 IDE interface: Intel Corporation 82371SB PIIX3 IDE [Natoma/Triton II]
00:01.2 USB Controller: Intel Corporation 82371SB PIIX3 USB [Natoma/Triton II] (rev 01)
00:01.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 03)
00:02.0 VGA compatible controller: Technical Corp. Unknown device 1111
00:03.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 20)
00:04.0 Multimedia audio controller: Intel Corporation 82801AA AC'97 Audio Controller (rev 01)
00:05.0 RAM memory: Qumranet, Inc. Virtio memory balloon
== END   lspci ==

== BEGIN lspci -n ==
00:00.0 0600: 8086:1237 (rev 02)
00:01.0 0601: 8086:7000
00:01.1 0101: 8086:7010
00:01.2 0c03: 8086:7020 (rev 01)
00:01.3 0680: 8086:7113 (rev 03)
00:02.0 0300: 1234:1111
00:03.0 0200: 10ec:8139 (rev 20)
00:04.0 0401: 8086:2415 (rev 01)
00:05.0 0500: 1af4:1002
== END   lspci -n ==

== BEGIN ifconfig -a ==
eth0      Link encap:Ethernet  HWaddr 52:54:00:4F:7A:EE 
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::5054:ff:fe4f:7aee/64 Scope:Link
          RX packets:88450 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18192 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:15695285 (14.9 MiB)  TX bytes:1484999 (1.4 MiB)
          Interrupt:11 Base address:0x4000

lo        Link encap:Local Loopback 
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1529 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1529 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4740789 (4.5 MiB)  TX bytes:4740789 (4.5 MiB)

sit0      Link encap:IPv6-in-IPv4 
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

== END   ifconfig -a ==

== BEGIN route -n ==
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface   U     0      0        0 eth0     U     0      0        0 eth0         UG    0      0        0 eth0
== END   route -n ==

== BEGIN cat /etc/resolv.conf ==
; generated by /sbin/dhclient-script
== END   cat /etc/resolv.conf ==

== BEGIN grep net /etc/nsswitch.conf ==
#networks:   nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files     
netmasks:   files
networks:   files
netgroup:   nisplus
== END   grep net /etc/nsswitch.conf ==

== BEGIN chkconfig --list | grep -Ei 'network|wpa' ==
NetworkManager    0:off   1:off   2:off   3:off   4:off   5:off   6:off
network           0:off   1:off   2:on   3:on   4:on   5:on   6:off
wpa_supplicant    0:off   1:off   2:off   3:off   4:off   5:off   6:off
== END   chkconfig --list | grep -Ei 'network|wpa' ==

[Moderator edit: Add link to other thread.]
Posts: 3
Joined: 2011/04/01 15:08:42

Re: SSH - Roaming not allowed/Permission denied

Postby TrevorH » 2011/04/04 22:29:39

Do you have messages in /var/log/secure (assuming a centos machine is the server) on the ssh server machine?
User avatar
Forum Moderator
Posts: 9147
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SSH - Roaming not allowed/Permission denied

Postby tenfoot » 2011/04/05 17:26:21

Only a sshd[6838]: connection closed by 192.168.x.x in /var/log/secure
Posts: 3
Joined: 2011/04/01 15:08:42

Re: SSH - Roaming not allowed/Permission denied

Postby r_hartman » 2011/05/09 11:17:26

Wonder where the 'roaming' message comes from.
Does it work when you use the ssh port instead of the https port (i.e. port 22 i.o. port 443)?

I'd try to get it working with a standard setup first, then start changing ports etc.
Posts: 701
Joined: 2009/03/23 15:08:11
Location: Netherlands

SSH - Roaming not allowed/Permission denied

Postby pschaff » 2011/05/09 18:38:00

Using the https port 443 may not be the best choice for an alternate port. Is there a web server running on the same system?

There are quite a few other changes to /etc/ssh/sshd_conf as well. "<" are yours and ">" are defaults.
Code: Select all
# diff -bw T1 T2
< Port 443
< LoginGraceTime 30s
< PermitRootLogin no
< RSAAuthentication yes
< PasswordAuthentication no
> PasswordAuthentication yes
< GSSAPIAuthentication no
> GSSAPIAuthentication yes
< UsePAM no
> UsePAM yes
< GatewayPorts yes

If just changing the port back to 22 does not work, revert to the original configuration and make incremental changes, restarting sshd and testing after each.
Retired Moderator
Posts: 18277
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Return to CentOS 5 - Security Support

Who is online

Users browsing this forum: No registered users and 2 guests