Linux – RedHat Linux – ssh shows “connection refused” using one user and also root, but another user can connect

linuxnetworkingssh

From server Y, user A tries to ssh to server X and gets Connection Refused.
From server Y, user B tries to ssh to server X and is allowed through.
From server Y, root tries to ssh and gets Connection Refused.
The issue is 100% repeatable and 100% consistent.

The first two would suggest an issue with the ACL, but I'm told the settings are the same for both users although I don't have permission to view them. They have also been deleted and readded without success. However, root isn't affected by the ACL and also cannot connect.

There are two servers with this problem, and many other servers with identical settings in ifconfig (except IP addresses etc) and routing tables that do not suffer this issue.

A tcpdump on server X looking for connections from server Y shows nothing when user A tries to connect, but produces reams of information when user B tries to connect. This shows that server X is receiving nothing when user A is trying to ssh.

All servers are running RedHat

I'm assuming the problem is on server Y, but what should I look for?
Could a username based connectivity issue appear in firewalls in between the servers, or are such firewalls not based on username?

Edit –
Both users A and B can ssh from server Y to many other servers in the group. It is just server X that has the problem. Ssh-ing does not use RSA, although logging in to server Y in the first place does.

Best Answer

Check user A's .ssh/config file. He may have a Host entry in that file for the hostname at issue, which is causing ssh to try a different port or IP address for that hostname. For example, if .ssh/config had these lines:

Host a.example.com
    Hostname b.example.com
    Port 42

Then running "ssh a.example.com" would try try to connect to b.example.com port 42.

Another (unlikely) possibility is that user A is running a different "ssh" program for some reason, e.g. because his command path is different, and the alternate program is not behaving as expected.

Edit: Another unlikely possibility is that you have two hosts on the network answering to the same IP address. The failed connection requests are going to and being answered by the wrong server. This would cause connections to fail randomly, rather than consistently per user, so it doesn't really match the behavior that you describe.

Related Solutions

Linux – ssh private key works for root, but not for normal user

As per question ~/.ssh/authorized_keys not working properly, the .ssh directory needs to have 700 permissions.

The reason, it works for root even without the permissions set properly, is that root has implicit permissions for everything.

Linux – SSH :connect to host localhost port 22: Connection refused

Your netstat output shows that there's no process listening to port 22, and that would explain why you get a Connection refused when trying to SSH.

Your status info about the sshd daemon shows running, however no listening port is associated with it (or doesn't seem to).

Further, as you were told in the comments, your sshd_config file seem to be incorrect. You say you want to disable root login, so I'll propose a configuration for your SSH daemon.

Edit the /etc/ssh/sshd_config file and put the following content in it:

Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
ClientAliveInterval 30
ClientAliveCountMax 99999

If you're worried about security, you can restrict SSH only to the users you want. For example, if you want to restrict that only user vignesh can SSH, you can add another directive like this:

AllowUsers vignesh

After that, simply restart the sshd service. Once done, if you run netstat -atpn | grep 22 you should see the port 22 listening for everybody.

Best Answer

Related Solutions

Linux – ssh private key works for root, but not for normal user

Linux – SSH :connect to host localhost port 22: Connection refused

Related Question