VMware Cloud Community
DZ1
Hot Shot

Cannot ssh into ESXi 5 host

I had to do some security hardening on a host and now I cannot SSH into it. I can revert what I have done, but I want to pinpoint which line in the sshd_config file is causing this. I'll list out what I have:

The SSH Server is checked and running under Firewall, and SSH and the ESXi Shell are running on the host under Security Profile.

I can log in to the host via the HP Onboard Administrator, both to the DCUI and the shell.

I am using PuTTY; I set the encryption cipher selection policy to 3DES, and I tried setting the SSH protocol version to "2 only". I went back and forth between "2 only" and just selecting 2.

I can log in to the host directly with root and with an admin account I set up, both to the shell and the DCUI.

I know that root is not permitted to SSH into the host since PermitRootLogin is set to no, so I am trying my secondary account.

I immediately receive the error "Server unexpectedly closed the network connection", so it's stopping me before I can input anything.

Lastly, the ESXi shell timeout is at 900 seconds.

I'm sure it's the sshd_config file, since I edited it right before I had this issue.

Thanks for any input.

sshd_config file:

# running from inetd
# Port 2200
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
SyslogFacility auth
LogLevel info
PermitRootLogin no
PrintMotd yes
PrintLastLog no
TCPKeepAlive yes
X11Forwarding no
Ciphers 3des-ctr,aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1
AllowTCPForwarding no
GatewayPorts no
AllowGroups
GSSAPIAuthentication no
KerberosAuthentication no
AcceptEnv LOCALE
PermitUserEnvironment no
PermitTunnel no
MaxSessions 1
StrictModes yes
RhostsRSAAuthentication no
Compression no
UsePAM yes
# only use PAM challenge-response (keyboard-interactive)
PasswordAuthentication no
Banner /etc/issue
Subsystem sftp /usr/lib/vmware/openssh/bin/sftp-server
AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys
#ListenAddress
# Timeout value of 10 mins. The default value of ClientAliveCountMax is 3.
# Hence, we get a 3 * 200 = 600 seconds timeout if the client has been
# unresponsive.
ClientAliveInterval 200

7 Replies
DZ1
Hot Shot

I think I may have figured it out. I think the "UsePrivilegeSeparation yes" line is causing the issue; I tried it on another host, and that seems to be it. I will verify, just in case someone has the issue in the future.

lakey81
Enthusiast

I ran into this also and was trying to figure out why that setting was causing the problem. Did you ever find anything else out?

SatyS
Hot Shot

Hi,

The problem is caused by UsePrivilegeSeparation in the sshd_config.

By default this option is set to no.

If UsePrivilegeSeparation is specified, it will be disabled after authentication.

You can get more info about this option here.

I am sure setting this option to no will resolve your issue, unless the firewall is blocking the ssh service.

If you find this useful, please mark the answer as correct/helpful.

Regards,
SatyS
http://myvirtuallearning.wordpress.com/

OscarDavey
Hot Shot

Check whether lockdown mode is enabled or disabled on the host. You can check this in the host console and from vCenter as well.

Your Oscar

SatyS
Hot Shot

This issue is definitely not related to lockdown mode, as he is able to log in through the ESXi shell.

-SatyS

DZ1
Hot Shot

My issue was definitely related to "UsePrivilegeSeparation yes"; changing it to "no" allowed me in. I just updated the post to reflect that.
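As an added example (not code from the thread or from VMware), a small checker that parses an sshd_config the way sshd reads it (case-insensitive keywords, first occurrence wins, comments ignored) and reports the three points this thread turned on, plus the idle timeout the file's own comment works out. The sample text is a constructed excerpt of the poster's file; the "drops the session" finding is the thread's ESXi 5 result, not a general OpenSSH rule.

```python
import re

# Constructed excerpt of the poster's sshd_config: the directives this thread turns on.
SAMPLE_SSHD_CONFIG = """\
# running from inetd
Protocol 2
UsePrivilegeSeparation yes
PermitRootLogin no
Ciphers 3des-ctr,aes128-ctr,aes192-ctr,aes256-ctr
UsePAM yes
# only use PAM challenge-response (keyboard-interactive)
PasswordAuthentication no
# Timeout value of 10 mins. The default value of ClientAliveCountMax is 3.
ClientAliveInterval 200
"""

def parse_sshd_config(text):
    """Map lower-cased keyword -> value for each active line; keywords are
    case-insensitive and the first occurrence wins, as in sshd itself."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        cfg.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return cfg

def review_esxi_sshd(cfg):
    """Findings for an ESXi 5 sshd_config, based on what this thread established."""
    findings = []
    if cfg.get("useprivilegeseparation", "").lower() == "yes":
        findings.append("UsePrivilegeSeparation yes: ESXi 5 drops the session before login; set it to no")
    if cfg.get("permitrootlogin", "").lower() == "no":
        findings.append("PermitRootLogin no: root cannot SSH in; test with a non-root account")
    if cfg.get("passwordauthentication", "").lower() == "no" and cfg.get("usepam", "").lower() == "yes":
        findings.append("PasswordAuthentication no with UsePAM yes: only keyboard-interactive or key logins")
    return findings

def idle_timeout_seconds(cfg, default_count_max=3):
    """ClientAliveInterval * ClientAliveCountMax, the figure the file's own comment works out."""
    interval = int(cfg.get("clientaliveinterval", "0"))
    count_max = int(cfg.get("clientalivecountmax", default_count_max))
    return interval * count_max

if __name__ == "__main__":
    config = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("\n".join(review_esxi_sshd(config)))
    print("idle timeout:", idle_timeout_seconds(config), "seconds")
```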
SatyS
Hot Shot

If you find the answer useful, please mark it as helpful/correct.

-SatyS