Gui Shell tab denied

ieronymous

Well-Known Member
Apr 1, 2019
Hello

I have 2 nodes in a cluster (if for any reason this matters; not HA, except if HA auto-configures itself upon joining a node to the cluster). So
...in both nodes I have changed port 22 to a custom one (yes, I know the other ways: keep the same port but reduce attempts with fail2ban, have both 22 and a custom one and deny access to all except specific IPs, etc.), but I have set up a custom port on each node.
The weird thing is that on the second node I can auto-login to the shell page and do CLI stuff, but on the first one, with exactly the same options as the second, it doesn't let me, with the message "Permission denied". The user is root and the port has been changed in the following paths:
/etc/ssh/ssh_conf
/etc/ssh/sshd.conf
and PermitRootLogin has been set to yes (or probably was set up by itself).

Also getting this log error
Code:
failed reading ticket: connection closed before authentication
TASK ERROR: command '/usr/bin/termproxy 5900 --path /nodes/myservername1 --perm Sys.Console -- /bin/login -f root' failed: exit code 1

Any thoughts?
hi,

except if the HA auto configures itself upon joining a node to the cluster
it doesn't

The weird thing is that on the second node I can auto-login to the shell page and do CLI stuff, but on the first one, with exactly the same options as the second, it doesn't let me, with the message "Permission denied". The user is root and the port has been changed in the following paths
can you confirm that you made the port change in both machines and restarted sshd.service?
can you confirm that you made the port change in both machines and restarted sshd.service?
I have already restarted it more than 3 times since yesterday, so sshd.service won't do anything more at this point, and since I can't log in in SSH mode from the GUI any more, the only way to check whether the port has changed is to SSH into it remotely. With root@ip_address I get the message "connection refused", while with root@ip_address -p custom_port I get the password prompt, with the cursor waiting for me to fill it in, and then "connection denied".

PS: I remembered that I had set up another user (a sudoer) and tried connecting as him instead, with the same message.

New edit: Tried with PuTTY as well, and for both root and custom_user I got the message
<<<<no supported authentication methods available (server sent)>>>
from the machine that you can access, can you try ssh from there to the other node? it should work without any interaction, e.g. ssh root@your.other.ip.address should login immediately

if not, please send output of pvecm status
from the machine that you can access, can you try ssh from there to the other node? it should work without any interaction, e.g. ssh root@your.other.ip.address should login immediately

if not, please send output of pvecm status
Yes it did (probably because, upon joining the second node, I had to enter the root password as well, apart from the join-info hex code) after accepting the ECDSA key. Can I check anything for that "no available authentication method" now?

As for pvecm status
Code:
Cluster information
-------------------
Name:             PROXMOXNETWORK
Config Version:   2
Transport:        knet
Secure auth:      on

Quorum information
------------------
Date:             Thu Jan 21 15:28:59 2021
Quorum provider:  corosync_votequorum
Nodes:            2
Node ID:          0x00000002
Ring ID:          1.40
Quorate:          Yes

Votequorum information
----------------------
Expected votes:   2
Highest expected: 2
Total votes:      2
Quorum:           2
Flags:            Quorate

Membership information
----------------------
    Nodeid      Votes Name
0x00000001          1 192.168.15.79
0x00000002          1 192.168.15.80 (local)

Which brings me, of course, to another kind of error, which has now stopped and which I can't remember right now. It had to do with quorum flood messages because I had the second server online without the first one. I thought that it didn't matter which of the two I have online each time, but it seems that it does matter.... Do they act the same way as if I had set up HA, and the setup needs to have a master node in order to accomplish something?

Edit: Changed the cluster info name and IP addresses, but you get the point
I thought that it didn't matter which of the two I have online each time, but it seems that it does matter.... Do they act the same way as if I had set up HA, and the setup needs to have a master node in order to accomplish something?
there's no "master" node in a PVE cluster, all nodes are equal.

so when you have 2 nodes, having only one of them online will bring the cluster down -- since quorum will be lost (1/2 votes is not a majority!). this is why you should have 3 nodes, or you can try using a QDevice setup [0]

back to the original problem;
if the ssh connection between nodes is working then it might not be so bad.

can you please try the following from outside the cluster:
ssh root@ip.of.affected.node -p yourcustomport -vv and post the output here?



[0]: https://pve.proxmox.com/pve-docs/chapter-pvecm.html#_qdevice_technical_overview
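A small check of the majority rule described in the reply above, added here as an example (not Proxmox code): it parses the Votequorum block of the `pvecm status` output posted further down in the thread and asks whether quorum survives losing one node, with and without a QDevice vote. The QDevice is modelled only as one extra expected vote that stays reachable, which is the effect that matters for a two-node cluster, not as a model of corosync-qdevice itself.

```python
"""Majority rule behind `pvecm status`: parse the Votequorum block and test
what-if cases for node loss.

Added example for this thread, not Proxmox code.  PVECM_STATUS is the block
posted in the thread (names and addresses already masked by the poster).  A
QDevice is modelled as one extra expected vote that stays reachable.
"""
import re

PVECM_STATUS = """\
Votequorum information
----------------------
Expected votes:   2
Highest expected: 2
Total votes:      2
Quorum:           2
Flags:            Quorate
"""

# Only these four fields feed the rule; "Quorum provider:" and the "Quorum
# information" heading do not match because the colon must follow directly.
FIELD = re.compile(r"^\s*(Expected votes|Total votes|Quorum|Flags):\s*(\S+)", re.M)


def parse_votequorum(status_text):
    """Dict of the Votequorum fields; numeric fields become ints."""
    info = {}
    for key, value in FIELD.findall(status_text):
        info[key] = int(value) if value.isdigit() else value
    return info


def quorum_needed(expected_votes):
    """corosync votequorum: a partition is quorate with a strict majority."""
    return expected_votes // 2 + 1


def is_quorate(total_votes, expected_votes):
    return total_votes >= quorum_needed(expected_votes)


def survives_node_loss(expected_votes, nodes_lost, qdevice=False):
    """Does a cluster of `expected_votes` one-vote nodes stay quorate after
    `nodes_lost` of them go down?  With a QDevice, the device's vote stays."""
    expected = expected_votes + (1 if qdevice else 0)
    return is_quorate(expected - nodes_lost, expected)


def what_if(status_text):
    """Scenario table for the cluster described by `status_text`."""
    info = parse_votequorum(status_text)
    n = info["Expected votes"]
    return {
        "now": is_quorate(info["Total votes"], n),
        "one node down": survives_node_loss(n, 1),
        "one node down, with qdevice": survives_node_loss(n, 1, qdevice=True),
    }


if __name__ == "__main__":
    for scenario, ok in what_if(PVECM_STATUS).items():
        print(f"{scenario:30s} quorate={ok}")
```

For the posted two-node cluster the table comes out quorate now, not quorate with one node down, and quorate again with one node down once a QDevice vote is added, which is the reasoning behind the "3 nodes or a QDevice" advice.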
can you please try the following from outside the cluster:
ssh root@ip.of.affected.node -p yourcustomport -vv and post the output here?
Code:
 ssh root@192.168.15.79 -p  -vv
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug2: resolve_canonicalize: hostname 192.168.15.79 is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.15.79 [192.168.15.79] port 555.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\d_user/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\d_user/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\d_user/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\d_user/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\d_user/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\d_user/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\d_user/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\d_user/.ssh/id_ed25519-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\d_user/.ssh/id_xmss type -1
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\d_user/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.15.79:555 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:a/rVxWLdOaF4fITSOXYUHbvlF2QAkJeqLbDYakhIDDo
debug1: checking without port identifier
debug1: Host '192.168.2.29' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\d_user/.ssh/known_hosts:2
debug1: found matching key w/out port
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug2: key: C:\\Users\\d_user/.ssh/id_rsa (0000000000000000)
debug2: key: C:\\Users\\d_user/.ssh/id_dsa (0000000000000000)
debug2: key: C:\\Users\\d_user/.ssh/id_ecdsa (0000000000000000)
debug2: key: C:\\Users\\d_user/.ssh/id_ed25519 (0000000000000000)
debug2: key: C:\\Users\\d_user/.ssh/id_xmss (0000000000000000)
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\d_user/.ssh/id_rsa
debug1: Trying private key: C:\\Users\\d_user/.ssh/id_dsa
debug1: Trying private key: C:\\Users\\d_user/.ssh/id_ecdsa
debug1: Trying private key: C:\\Users\\d_user/.ssh/id_ed25519
debug1: Trying private key: C:\\Users\\d_user/.ssh/id_xmss
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue:
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
debug1: read_passphrase: can't open /dev/tty: No such file or directory
root@192.168.15.79's password:
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue:
Permission denied, please try again.
debug1: read_passphrase: can't open /dev/tty: No such file or directory
root@192.168.15.79's password:

Once again, it took me a while to masquerade some of the data.
here in your log i see this:
Code:
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
debug1: Next authentication method: publickey

but if i try here on my machine, i see this:
Code:
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password

so, are you sure the ssh config is correct?

can you try with -oPreferredAuthentications=password option in the ssh command? this should force password authentication
can you try with -oPreferredAuthentications=password option in the ssh command? this should force password authentication
Nope.... still getting the same message, Permission Denied

New edit: Changed the option PasswordAuthentication to yes and it entered. Path: /etc/sshd_config
Didn't find a relevant option in /etc/ssh/ssh_config

It also enters from one node to another, with one difference: from the first node's GUI I can
enter the Shell of node 2 without entering a password, just by clicking >_Shell. The other way around, it needs a
password for node1 if I am in the GUI of node2 (trying to SSH into node1).
Thank you @oguz for your info
The other way around, it needs a
password for node1 if I am in the GUI of node2 (trying to SSH into node1).
it should work both ways without needing to enter any password.

now i'm very confused about what you did.

could you show the /etc/ssh/sshd_config of both nodes?
could you show the /etc/ssh/sshd_config of both nodes?
Yes, here they are...

for node1 (main node)
Code:

#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 888888888 (example)
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication no

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
#PidFile /var/run/sshd.pid

...and for the second node
Code:
#       $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 88888 (example)
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile     .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
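The empty "Authentications that can continue:" line in the -vv output above is the whole diagnosis. sshd builds that list from whichever of PubkeyAuthentication, PasswordAuthentication and ChallengeResponseAuthentication are enabled; a commented-out line leaves the upstream default in force, only an uncommented keyword changes anything, and `sshd -T` prints the values actually in effect. An empty list is exactly what PuTTY reports as "no supported authentication methods available (server sent:)". Two more things a practitioner would check here: sshd keeps the first value it sees for a keyword, so a duplicate further down the file is silently ignored; and Proxmox's node-to-node root SSH (what the GUI Shell of another node and migrations run over) is key-based, so `PubkeyAuthentication no` on node1 is why node2's GUI now has to ask node1 for a password. Turning password login for root back on, even on a custom port, is the weaker fix compared with restoring PubkeyAuthentication. The script below is added here as an example and is not part of the thread, OpenSSH or Proxmox: it predicts the advertised list from an sshd_config and extracts the list from `ssh -vv` output. The config excerpts and log lines inside it are constructed from the posts above; the "all off" variant is constructed, not a config anyone posted.

```python
"""Predict which SSH authentication methods an sshd advertises from its
sshd_config, and pull the advertised lists out of `ssh -vv` client output.
Added example for this thread, not OpenSSH or Proxmox code.  Defaults follow
sshd_config(5) for OpenSSH 7.x; Match blocks and AuthenticationMethods are not
modelled, so compare with `sshd -T` on the host.  The config excerpts and log
lines at the bottom are constructed from the thread's posts."""
import re

# Upstream defaults for the keywords that decide the advertised method list.
# A commented line such as "#PasswordAuthentication yes" sets nothing: the
# default stays in force until an uncommented keyword overrides it.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",  # shown as keyboard-interactive
    "hostbasedauthentication": "no",
    "permitrootlogin": "prohibit-password",
}
# Newer OpenSSH spells the challenge-response knob KbdInteractiveAuthentication.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text):
    """Effective global settings.  sshd keeps the first value it sees for a
    keyword and ignores later duplicates; parsing stops at the first Match
    block because its settings are conditional."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            tokens = parts[1].split() if len(parts) > 1 else []
            settings[key] = tokens[0].lower() if tokens else ""
            seen.add(key)
    return settings


def advertised_methods(settings):
    """Methods sshd puts in 'Authentications that can continue', in sshd's
    order.  Advertised is not the same as accepted for a given user (that is
    PermitRootLogin, authorized_keys and PAM), but an empty list means the
    client has nothing to try and gives up at once."""
    methods = []
    if settings["pubkeyauthentication"] == "yes":
        methods.append("publickey")
    if settings["passwordauthentication"] == "yes":
        methods.append("password")
    if settings["challengeresponseauthentication"] == "yes":
        methods.append("keyboard-interactive")
    if settings["hostbasedauthentication"] == "yes":
        methods.append("hostbased")
    return methods


AUTH_CONTINUE = re.compile(r"Authentications that can continue:\s*(.*?)\s*$")


def methods_from_ssh_debug(log_text):
    """Every server-sent method list in `ssh -v`/`-vv` output, in order."""
    found = []
    for line in log_text.splitlines():
        m = AUTH_CONTINUE.search(line)
        if m:
            found.append([x for x in m.group(1).split(",") if x])
    return found


# Auth-related lines of the node1 sshd_config posted in the thread; node2 as
# posted differs only in leaving PubkeyAuthentication at its default.
NODE1_CONFIG = """\
Port 888888888 (example)
PermitRootLogin yes
PubkeyAuthentication no
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""
NODE2_CONFIG = NODE1_CONFIG.replace("PubkeyAuthentication no", "#PubkeyAuthentication yes")
# Constructed variant: node1 with password login also off, which is what it
# takes for these defaults to yield an empty list.
ALL_OFF_CONFIG = NODE1_CONFIG.replace("#PasswordAuthentication yes", "PasswordAuthentication no")
# Lines from the two -vv excerpts in the thread: the affected node sent an
# empty list twice, the working host sent publickey,password.
THREAD_CLIENT_LOG = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
debug1: Next authentication method: publickey
debug1: Authentications that can continue:
debug1: Authentications that can continue: publickey,password
"""

if __name__ == "__main__":
    for label, cfg in [("node1", NODE1_CONFIG), ("node2", NODE2_CONFIG), ("all off", ALL_OFF_CONFIG)]:
        print(label, ":", ",".join(advertised_methods(parse_sshd_config(cfg))) or "(none)")
    print("client saw:", methods_from_ssh_debug(THREAD_CLIENT_LOG))
```

Run against the two files as posted, the predictor gives "password" for node1 and "publickey,password" for node2, the latter matching the working output shown earlier; only the constructed variant with PasswordAuthentication also set to no yields the empty list the affected node actually sent. On the host itself, `sshd -T | grep -iE 'pubkey|password|challenge|permitroot'` is the authoritative version of the same check.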