I had to do some security hardening on a host and now I cannot ssh into it. I can revert what I have done, but I want to pinpoint what line in the sshd_config file is causing this. I'll list out what I have:
The SSH Server is checked and running under Firewall, and SSH and the ESXi shell are running on the host under Security Profile
I can login to the host via the HP Onboard Administrator, both to the DCUI and the shell
I am using PuTTY; I set the encryption cipher selection policy to 3DES and I tried setting the SSH protocol version to 2 only, going back and forth between "2 only" and just selecting 2
I can login to the host directly with root and with an admin account I setup, and to the shell and DCUI
I know that root is not permitted to ssh into the host since PermitRootLogin is set to no, so I am trying my secondary account
I immediately receive an error "Server unexpectedly closed the network connection", so it's stopping me before I can input anything.
Lastly, the ESXiShellTimeout is at 900 seconds
I'm sure it's the sshd_config file since I edited it right before I had this issue.
Thanks for any input.
sshd file:
# running from inetd
# Port 2200
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes
SyslogFacility auth
LogLevel info
PermitRootLogin no
PrintMotd yes
PrintLastLog no
TCPKeepAlive yes
X11Forwarding no
Ciphers 3des-ctr,aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1
AllowTCPForwarding no
GatewayPorts no
AllowGroups
GSSAPIAuthentication no
KerberosAuthentication no
AcceptEnv LOCALE
PermitUserEnvironment no
PermitTunnel no
MaxSessions 1
StrictModes yes
RhostsRSAAuthentication no
Compression no
UsePAM yes
# only use PAM challenge-response (keyboard-interactive)
PasswordAuthentication no
Banner /etc/issue
Subsystem sftp /usr/lib/vmware/openssh/bin/sftp-server
AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys
#ListenAddress
# Timeout value of 10 mins. The default value of ClientAliveCountMax is 3.
# Hence, we get a 3 * 200 = 600 seconds timeout if the client has been
# unresponsive.
ClientAliveInterval 200
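To narrow down which line of a config like the one above to test first, here is an added offline check (example code, not from the thread or from VMware): a small Python linter that parses an sshd_config and flags directives that make classic OpenSSH refuse the whole line or that do not do what a hardening guide usually intends. The tables of cipher and MAC names are an assumption limited to OpenSSH 5.x/6.x-era names; the embedded config is a constructed copy of the one posted above. On the host itself, `sshd -t -f /etc/ssh/sshd_config` (the ESXi binary is assumed to live in /usr/lib/vmware/openssh/bin/, next to the sftp-server path shown in the config) is the authoritative test, and the `comment_out` helper produces the one-directive-at-a-time variants you would test with it.

```python
"""Offline sanity check for an sshd_config after a hardening pass.

Added example, not code from the thread. When sshd is started from inetd (as
the "# running from inetd" comment indicates), a config that sshd refuses to
parse shows up client-side as the connection being closed immediately, with no
banner, so a parse-level mistake and a real policy decision look the same.
"""
import re

# Cipher and MAC names classic OpenSSH (5.x/6.x era) recognises.  Assumption:
# this list is what the sshd generation in question accepts.  Any other token
# makes sshd reject the entire Ciphers/MACs line ("Bad SSH2 cipher spec").
KNOWN_CIPHERS = {
    "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128",
    "arcfour256", "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "rijndael-cbc@lysator.liu.se", "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
    "chacha20-poly1305@openssh.com",
}
KNOWN_MACS = {
    "hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "hmac-ripemd160",
    "hmac-sha2-256", "hmac-sha2-512", "umac-64@openssh.com",
    "umac-128@openssh.com",
}
# Keywords that only take yes/no (others such as PermitRootLogin take more).
YES_NO_KEYWORDS = {
    "passwordauthentication", "usepam", "x11forwarding", "tcpkeepalive",
    "allowtcpforwarding", "gatewayports", "strictmodes", "printmotd",
    "printlastlog", "permituserenvironment", "gssapiauthentication",
    "kerberosauthentication", "rhostsrsaauthentication",
}


def parse_sshd_config(text):
    """Return (lineno, keyword, value) for every active directive.

    sshd keywords are case-insensitive and may be separated from their value
    by whitespace or '='; blank lines and '#' comments are skipped.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)$", line)
        if m is None:  # keyword with no value at all, e.g. a bare "AllowGroups"
            entries.append((lineno, line.lower(), ""))
        else:
            entries.append((lineno, m.group(1).lower(), m.group(2).strip()))
    return entries


def lint(text):
    """Return (lineno, message) pairs for directives worth testing first."""
    findings = []
    for lineno, kw, val in parse_sshd_config(text):
        if kw == "ciphers":
            unknown = [c for c in val.split(",") if c not in KNOWN_CIPHERS]
            if unknown:
                findings.append((lineno, f"ciphers: unknown name(s) {unknown}; "
                                 "sshd rejects the whole line"))
        elif kw == "macs":
            unknown = [m for m in val.split(",") if m not in KNOWN_MACS]
            if unknown:
                findings.append((lineno, f"macs: unknown name(s) {unknown}; "
                                 "sshd rejects the whole line"))
        elif kw in ("allowusers", "allowgroups", "denyusers", "denygroups") and not val:
            findings.append((lineno, f"{kw}: no argument, so it restricts nothing; "
                             "list names if a restriction was intended"))
        elif kw in YES_NO_KEYWORDS and val.lower() not in ("yes", "no"):
            findings.append((lineno, f"{kw}: expected yes or no, got {val!r}"))
        elif kw == "protocol" and val != "2":
            findings.append((lineno, "protocol: any value other than 2 allows legacy SSH-1"))
    return findings


def comment_out(text, lineno):
    """Return the config with one line disabled, for one-at-a-time bisection
    (apply, run `sshd -t -f <file>`, retest the login, restore)."""
    lines = text.splitlines()
    lines[lineno - 1] = "# disabled-for-test: " + lines[lineno - 1]
    return "\n".join(lines) + "\n"


# Constructed copy of the config posted in the thread (only the directives).
SAMPLE_CONFIG = """\
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
UsePrivilegeSeparation yes
PermitRootLogin no
Ciphers 3des-ctr,aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha1
AllowTCPForwarding no
AllowGroups
UsePAM yes
PasswordAuthentication no
AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys
ClientAliveInterval 200
"""

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```

Running it on the constructed copy reports two lines to try first: the Ciphers line, because `3des-ctr` is not a cipher name OpenSSH knows (the 3DES cipher is `3des-cbc`), and the bare `AllowGroups`, which as written restricts nothing. Whatever the linter says, the config the linter cannot reason about (host key files, PAM, the inetd wrapper) is why the on-host `sshd -t` run and the one-directive bisection remain the final check.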
I think I may have figured it out, I think the "UsePrivilegeSeparation yes" line is causing the issue, I tried it on another host, and that seems to be it. I will verify just in case someone has the issue in the future.
I ran into this also and was trying to figure out why that setting was causing the problem...did you ever find anything else out?
Hi
The problem is caused by UsePrivilegeSeparation in the sshd_config.
By default this option is set to no.
If UsePrivilegeSeparation is specified, it will be disabled after authentication.
You can get more info about this option here.
I am sure setting this option to no will resolve your issue, unless the firewall is blocking the ssh service.
Regards,
SatyS
If you find this useful, mark the answer as correct/helpful
Check whether lockdown mode is enabled or disabled on the host. You can check this in the host console and from vCenter as well.
Your Oscar
This issue is definitely not related to lockdown mode as he is able to login through esxi shell.
-SatyS
My issue was definitely related to "UsePrivilegeSeparation yes", changing it to "no" allowed me in. I just updated the post to reflect that.
If you find the answer useful, please mark it as helpful/correct.
-SatyS