ssh failing

Discussion in 'General Discussion' started by anand, May 5, 2004.

  1. anand

    I have this strange problem on a server today. This started when we had to reboot the server 2-3 times to gain control; some guy was hitting Apache 100+ per sec and the server load was skyrocketing. Anyway, it was resolved and then this problem appeared.

    Whenever we try to log in, the ssh session just closes. The temporary solution is to restart ssh from WHM, and then we can log in. But after some time we can't ssh and we need to restart ssh again. This is kind of odd, and I can't seem to figure out what caused this.
     
  2. chirpy

    Some ideas:

    1. Have you checked disk space, especially the partition that the root account is on, the /var partition and, if they have one, the /tmp partition?

    2. Have you run a security sweep on the server using chkrootkit and/or rootkit hunter?

    3. Have you tried compiling a new sshd daemon, not installing it into place, but running it up from the distribution directory?

    4. You could also try uploading a statically compiled sshd daemon to the server and running that.

    5. Have you done an ifconfig and looked for network/card errors?

    6. Did it boot into a different kernel?
     
  3. anand

    Everything is just fine. Nothing was wrong until suddenly this started up.

    All I can remember doing last was running chkrootkit and securing tmp. The box has been running without any problems and so are the others sitting next to it. Suddenly out of nowhere this just popped in, that's what I don't understand.
     
  4. unter

    It's quite possible that there were too many maxfiles open or maxfileperproc, which caused a local DoS and did not allow you to spawn your sh/bash shell after you logged in via ssh.
     
  5. anand

    ok thx to cyberspirit for this.

    I started ssh in debug mode and looked at /var/log/secure, and here is what I got:

    Code:
    May  6 08:58:02 servername sshd[20677]: debug1: Forked child 30594.
    May  6 08:58:02 servername sshd[30594]: Connection from x.x.x.x port 60954
    May  6 08:58:03 servername sshd[30594]: debug1: Client protocol version 1.5; client software version PuTTY-Release-0.53b
    May  6 08:58:03 servername sshd[30594]: debug1: no match: PuTTY-Release-0.53b
    May  6 08:58:03 servername sshd[30594]: debug1: Local version string SSH-1.99-OpenSSH_3.6.1p2
    May  6 08:58:07 servername xinetd[1350]: START: imap pid=32713 from=127.0.0.1
    May  6 08:58:09 servername sshd[30594]: debug1: Starting up PAM with username "user"
    May  6 08:58:09 servername sshd[30594]: debug1: PAM setting rhost to "x.x.x.x"
    May  6 08:58:11 servername sshd[30594]: debug1: PAM password authentication failed for user: Authentication failure
    May  6 08:58:11 servername sshd[30594]: Failed none for user from x.x.x.x port 60954
    May  6 08:58:22 servername sshd[30594]: debug1: PAM password authentication accepted for user
    May  6 08:58:22 servername sshd[30594]: Accepted password for user from x.x.x.x port 60954
    May  6 08:58:22 servername sshd[30594]: debug1: monitor_child_preauth: user has been authenticated by privileged process
    May  6 08:58:22 servername sshd[32733]: debug1: PAM establishing creds
    May  6 08:58:22 servername sshd[32733]: debug1: permanently_set_uid: 32704/32704
    May  6 08:58:22 servername sshd[32733]: debug1: session_new: init
    May  6 08:58:22 servername sshd[32733]: debug1: session_new: session 0
    May  6 08:58:22 servername sshd[32733]: debug1: Installing crc compensation attack detector.
    May  6 08:58:22 servername sshd[32733]: debug1: Allocating pty.
    May  6 08:58:22 servername sshd[30594]: debug1: session_new: init
    May  6 08:58:22 servername sshd[30594]: debug1: session_new: session 0
    May  6 08:58:22 servername sshd[32733]: debug1: session_pty_req: session 0 alloc /dev/pts/1
    May  6 08:58:23 servername sshd[32733]: debug1: PAM setting tty to "/dev/pts/1"
    May  6 08:58:23 servername sshd[32733]: fatal: PAM session setup failed[6]: Permission denied
    May  6 08:58:23 servername sshd[32733]: debug1: Calling cleanup 0x8059c20(0x8090c20)
    May  6 08:58:23 servername sshd[32733]: debug1: Calling cleanup 0x806f3a0(0x0)
    May  6 08:58:23 servername sshd[30594]: debug1: session_by_tty: session 0 tty /dev/pts/1
    May  6 08:58:23 servername sshd[30594]: debug1: session_pty_cleanup: session 0 release /dev/pts/1
    May  6 08:58:23 servername sshd[32733]: debug1: Calling cleanup 0x8063d50(0x0)
    May  6 08:58:23 servername sshd[30594]: debug1: Calling cleanup 0x8063d50(0x0)

    Take a look at this line here:

    fatal: PAM session setup failed[6]: Permission denied

    Now this is something very strange.
     
  6. anand

    Googling for the error, I find this in the vserver mailing list:

    http://list.linux-vserver.org/archive/vserver/msg06663.html

    I followed the same thing and the problem has disappeared.

    Now the irony is that the other boxes next to this one with the old config work perfectly. Why is this one giving problems then?

    Any input?
     
  7. parasane

    I hate to sound like a broken record, Anand, because I know it sounds like I say the same thing to you here in the forums and on AIM, but try checking the logs. See what happened just before, during, and even right after.

    Code:
    su
    cat /var/log/messages | grep -i sshd
    If it was a permissions problem, you should see something about access deniability. Then grep the logs for changes in ownership (chown), group (chgrp), or mode (chmod). Make sure that if multiple people have access to the SSH (which, on your machine, I know they do) that they didn't change anything.

    Finally, check over your Apache logs to make sure there was no arbitrary code execution. If you find anything that hints to the fact that there may have been, I suggest immediately checking your MySQL logs, as well, and closely monitoring the server for a while.

    Let me know if you want me to take a look at it. Just send me a message on AIM or call me.

    [Edited because I mistakenly put 'tail' in place of 'cat' above. Oops.]
     
    #7 parasane, May 6, 2004
    Last edited: May 6, 2004
  8. anand

    Did you read the log extract I posted from /var/log/secure?

    tail /var/log/messages | grep -i sshd

    results in nothing. All the ssh logging is at /var/log/secure (at least I think it is)
     
  9. anand

    Hmm, silly me, I pasted as you said.

    It should have been

    cat /var/log/messages | grep -i sshd
     
  10. Pollie

    Same glitch here

    Hello,

    I have the same glitch here, however terminal window slams after the wheel user's password is given. Restarting sshd from WHM will grant us a grace period of 10 to 20 minutes before it dies again, and again, and again and again.

    I tried the PAM config fix suggested above but some minutes after I still got the error

    sshd[18284]: fatal: PAM session setup failed[6]: Permission denied

    Interestingly enough, it is affecting only my Fedora servers.

    Did you guys happen to get to some fix?

    Thank you!

    Paula
     
  11. Pollie

    No need to reply. Actually I had edited the /etc/pam.d/sshd and system-auth files wrongly. If pam_limits is commented out in both files and sshd is restarted (from the terminal for safety, not from WHM, because WHM kills running sessions while /etc/rc.d/init.d/sshd restart keeps them), the glitch goes away.

    Thanks for all
     
  12. MatrixPark

    Same problem here. Here was the resolution.

    Problem:
    Root can always log in fine but if sshd has not been restarted recently, any non-root attempting to log in gets canned. The following error message is logged:

    /var/log/secure
    PAM session setup failed[6]: Permission denied

    Explanation (after much digging on my part):
    We have installed rfxnetworks.com's spri utility which adjusts NICE level on sshd among other things. NICEing sshd is incompatible with pam_limits.so.

    Solution:
    Either remove sshd from
    /usr/local/spri/*
    or remove pam_limits.so from
    /etc/pam.d/sshd and /etc/pam.d/system-auth

    More Info:
    http://list.linux-vserver.org/archive/vserver/msg06663.html
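
A triage script for the failure this thread converges on, as an added example that is not part of any post above: it lists active pam_limits.so lines in the PAM files named in the thread, counts the fatal session-setup errors in a log, and shows the nice value of running sshd processes. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for "PAM session setup failed[6]: Permission denied".

# Print active (uncommented) lines that load pam_limits.so in the given PAM files.
active_pam_limits() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk '!/^[ \t]*#/ && /pam_limits\.so/ { print FILENAME ":" FNR ": " $0 }' "$f"
    done
}

# Count sshd session-setup failures in a syslog-format file such as /var/log/secure.
count_session_failures() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'sshd\[[0-9]*\]: fatal: PAM session setup failed' "$1" || true
}

# Print "pid nice" for each running sshd; 0 is the usual default, so any
# other value means the daemon was re-niced.
sshd_nice_values() {
    ps -e -o pid= -o nice= -o comm= 2>/dev/null | awk '$3 == "sshd" { print $1, $2 }'
}

# --- Constructed sample input so the example runs offline ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/sshd" <<'EOF'
#%PAM-1.0
account    required     pam_nologin.so
session    required     pam_limits.so
EOF
cat > "$demo/system-auth" <<'EOF'
session    required     pam_unix.so
#session   required     pam_limits.so
EOF
cat > "$demo/secure" <<'EOF'
May  6 08:58:22 servername sshd[30594]: Accepted password for user from x.x.x.x port 60954
May  6 08:58:23 servername sshd[32733]: fatal: PAM session setup failed[6]: Permission denied
EOF

echo "Active pam_limits lines:"
active_pam_limits "$demo/sshd" "$demo/system-auth"
echo "Session setup failures: $(count_session_failures "$demo/secure")"
echo "sshd nice values (pid nice):"
sshd_nice_values
```

On a live server, point the functions at /etc/pam.d/sshd, /etc/pam.d/system-auth and /var/log/secure. Commenting out pam_limits.so means /etc/security/limits.conf is no longer applied to SSH sessions, so leaving sshd's nice level alone is the option that keeps per-user resource limits in force.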
     