password fails over ssh, works locally












4















This weekend I really dove into unix and got a Arch installed on an old computer and got it to serve my website.



Today I went to copy a database file from my Mac laptop to my newfangled server with scp and when I tried to log into the user that manages Nginx, I got a password failure. I'm sure I'm typing the password correctly, but just to be sure I opened up a separate terminal window, logged into my regular user, and changed the Nginx user's password from su. scp still rejected the simplified password.



I became more intrigued. I tried to ssh directly into my Nginx user with the simplified password, but it still rejected it. So I logged into my regular user again and then used su - to login to the other user. And that worked.



So why does the password work locally, when I'm logged in as another user, but not over ssh or scp?



NB: both of the users are enabled for ssh in the sshd_config file. But that's really all I know.



Here's a printout from ssh -vv, mildly edited for anonymity:



11:User-~$ ssh rserver@example.com -p 2602 -vv

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011

debug1: Reading configuration data /Users/User/.ssh/config

debug1: Reading configuration data /etc/ssh_config

debug1: /etc/ssh_config line 20: Applying options for *

debug2: ssh_connect: needpriv 0

debug1: Connecting to example.com [67.190.118.135] port 2602.

debug1: Connection established.

debug1: identity file /Users/User/.ssh/id_rsa type 1

debug1: identity file /Users/User/.ssh/id_rsa-cert type -1

debug1: identity file /Users/User/.ssh/id_dsa type -1

debug1: identity file /Users/User/.ssh/id_dsa-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.2

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2

debug1: match: OpenSSH_7.2 pat OpenSSH*

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: mac_setup: found hmac-sha1-etm@openssh.com

debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none

debug2: mac_setup: found hmac-sha1-etm@openssh.com

debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug2: dh_gen_key: priv key bits set: 158/320

debug2: bits set: 994/2048

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Server host key: RSA {KEY}

debug1: Host '[example.com]:2602' is known and matches the RSA host key.

debug1: Found key in /Users/User/.ssh/known_hosts:9

debug2: bits set: 999/2048

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /Users/User/.ssh/id_rsa (0x7fb818416130),

debug2: key: /Users/User/.ssh/id_dsa (0x0),

debug1: Authentications that can continue: publickey,password

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /Users/User/.ssh/id_rsa

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue: publickey,password

debug1: Trying private key: /Users/User/.ssh/id_dsa

debug2: we did not send a packet, disable method

debug1: Next authentication method: password

rserver@example.com's password: 

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password

Permission denied, please try again.

rserver@example.com's password: 

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password

Permission denied, please try again.

rserver@example.com's password: 

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey,password).





ssh arch-linux scp







share|improve this question

























  • Do you have password authentication enabled in sshd_config?

    – Satō Katsura
    Jun 27 '16 at 7:26











  • @SatoKatsura yes, my regular user has a password as well.

    – Polyov
    Jun 27 '16 at 7:37











  • Then perhaps your sshd uses some PAM modules that apply additional restrictions on who can log in and how. shrug

    – Satō Katsura
    Jun 27 '16 at 8:42











  • A simple ssh -v or ssh -vv will help us better.

    – anonimal
    Jul 1 '16 at 12:19











  • @anonimal I've added the log, although I don't know if it contains much relevant information.

    – Polyov
    Jul 4 '16 at 16:28
















4















This weekend I really dove into unix and got a Arch installed on an old computer and got it to serve my website.



Today I went to copy a database file from my Mac laptop to my newfangled server with scp and when I tried to log into the user that manages Nginx, I got a password failure. I'm sure I'm typing the password correctly, but just to be sure I opened up a separate terminal window, logged into my regular user, and changed the Nginx user's password from su. scp still rejected the simplified password.



I became more intrigued. I tried to ssh directly into my Nginx user with the simplified password, but it still rejected it. So I logged into my regular user again and then used su - to login to the other user. And that worked.



So why does the password work locally, when I'm logged in as another user, but not over ssh or scp?



NB: both of the users are enabled for ssh in the sshd_config file. But that's really all I know.



Here's a printout from ssh -vv, mildly edited for anonymity:



11:User-~$ ssh rserver@example.com -p 2602 -vv

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011

debug1: Reading configuration data /Users/User/.ssh/config

debug1: Reading configuration data /etc/ssh_config

debug1: /etc/ssh_config line 20: Applying options for *

debug2: ssh_connect: needpriv 0

debug1: Connecting to example.com [67.190.118.135] port 2602.

debug1: Connection established.

debug1: identity file /Users/User/.ssh/id_rsa type 1

debug1: identity file /Users/User/.ssh/id_rsa-cert type -1

debug1: identity file /Users/User/.ssh/id_dsa type -1

debug1: identity file /Users/User/.ssh/id_dsa-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.2

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2

debug1: match: OpenSSH_7.2 pat OpenSSH*

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: mac_setup: found hmac-sha1-etm@openssh.com

debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none

debug2: mac_setup: found hmac-sha1-etm@openssh.com

debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug2: dh_gen_key: priv key bits set: 158/320

debug2: bits set: 994/2048

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Server host key: RSA {KEY}

debug1: Host '[example.com]:2602' is known and matches the RSA host key.

debug1: Found key in /Users/User/.ssh/known_hosts:9

debug2: bits set: 999/2048

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /Users/User/.ssh/id_rsa (0x7fb818416130),

debug2: key: /Users/User/.ssh/id_dsa (0x0),

debug1: Authentications that can continue: publickey,password

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /Users/User/.ssh/id_rsa

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue: publickey,password

debug1: Trying private key: /Users/User/.ssh/id_dsa

debug2: we did not send a packet, disable method

debug1: Next authentication method: password

rserver@example.com's password: 

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password

Permission denied, please try again.

rserver@example.com's password: 

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password

Permission denied, please try again.

rserver@example.com's password: 

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey,password).





ssh arch-linux scp







share|improve this question

























  • Do you have password authentication enabled in sshd_config?

    – Satō Katsura
    Jun 27 '16 at 7:26











  • @SatoKatsura yes, my regular user has a password as well.

    – Polyov
    Jun 27 '16 at 7:37











  • Then perhaps your sshd uses some PAM modules that apply additional restrictions on who can log in and how. shrug

    – Satō Katsura
    Jun 27 '16 at 8:42











  • A simple ssh -v or ssh -vv will help us better.

    – anonimal
    Jul 1 '16 at 12:19











  • @anonimal I've added the log, although I don't know if it contains much relevant information.

    – Polyov
    Jul 4 '16 at 16:28














4












4








4








This weekend I really dove into unix and got a Arch installed on an old computer and got it to serve my website.



Today I went to copy a database file from my Mac laptop to my newfangled server with scp and when I tried to log into the user that manages Nginx, I got a password failure. I'm sure I'm typing the password correctly, but just to be sure I opened up a separate terminal window, logged into my regular user, and changed the Nginx user's password from su. scp still rejected the simplified password.



I became more intrigued. I tried to ssh directly into my Nginx user with the simplified password, but it still rejected it. So I logged into my regular user again and then used su - to login to the other user. And that worked.



So why does the password work locally, when I'm logged in as another user, but not over ssh or scp?



NB: both of the users are enabled for ssh in the sshd_config file. But that's really all I know.



Here's a printout from ssh -vv, mildly edited for anonymity:



11:User-~$ ssh rserver@example.com -p 2602 -vv

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011

debug1: Reading configuration data /Users/User/.ssh/config

debug1: Reading configuration data /etc/ssh_config

debug1: /etc/ssh_config line 20: Applying options for *

debug2: ssh_connect: needpriv 0

debug1: Connecting to example.com [67.190.118.135] port 2602.

debug1: Connection established.

debug1: identity file /Users/User/.ssh/id_rsa type 1

debug1: identity file /Users/User/.ssh/id_rsa-cert type -1

debug1: identity file /Users/User/.ssh/id_dsa type -1

debug1: identity file /Users/User/.ssh/id_dsa-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.2

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2

debug1: match: OpenSSH_7.2 pat OpenSSH*

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: mac_setup: found hmac-sha1-etm@openssh.com

debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none

debug2: mac_setup: found hmac-sha1-etm@openssh.com

debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug2: dh_gen_key: priv key bits set: 158/320

debug2: bits set: 994/2048

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Server host key: RSA {KEY}

debug1: Host '[example.com]:2602' is known and matches the RSA host key.

debug1: Found key in /Users/User/.ssh/known_hosts:9

debug2: bits set: 999/2048

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /Users/User/.ssh/id_rsa (0x7fb818416130),

debug2: key: /Users/User/.ssh/id_dsa (0x0),

debug1: Authentications that can continue: publickey,password

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /Users/User/.ssh/id_rsa

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue: publickey,password

debug1: Trying private key: /Users/User/.ssh/id_dsa

debug2: we did not send a packet, disable method

debug1: Next authentication method: password

rserver@example.com's password: 

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password

Permission denied, please try again.

rserver@example.com's password: 

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password

Permission denied, please try again.

rserver@example.com's password: 

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey,password).





ssh arch-linux scp







share|improve this question
















This weekend I really dove into unix and got a Arch installed on an old computer and got it to serve my website.



Today I went to copy a database file from my Mac laptop to my newfangled server with scp and when I tried to log into the user that manages Nginx, I got a password failure. I'm sure I'm typing the password correctly, but just to be sure I opened up a separate terminal window, logged into my regular user, and changed the Nginx user's password from su. scp still rejected the simplified password.



I became more intrigued. I tried to ssh directly into my Nginx user with the simplified password, but it still rejected it. So I logged into my regular user again and then used su - to login to the other user. And that worked.



So why does the password work locally, when I'm logged in as another user, but not over ssh or scp?



NB: both of the users are enabled for ssh in the sshd_config file. But that's really all I know.



Here's a printout from ssh -vv, mildly edited for anonymity:



11:User-~$ ssh rserver@example.com -p 2602 -vv

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011

debug1: Reading configuration data /Users/User/.ssh/config

debug1: Reading configuration data /etc/ssh_config

debug1: /etc/ssh_config line 20: Applying options for *

debug2: ssh_connect: needpriv 0

debug1: Connecting to example.com [67.190.118.135] port 2602.

debug1: Connection established.

debug1: identity file /Users/User/.ssh/id_rsa type 1

debug1: identity file /Users/User/.ssh/id_rsa-cert type -1

debug1: identity file /Users/User/.ssh/id_dsa type -1

debug1: identity file /Users/User/.ssh/id_dsa-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.2

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2

debug1: match: OpenSSH_7.2 pat OpenSSH*

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: 

debug2: kex_parse_kexinit: first_kex_follows 0 

debug2: kex_parse_kexinit: reserved 0 

debug2: mac_setup: found hmac-sha1-etm@openssh.com

debug1: kex: server->client aes128-ctr hmac-sha1-etm@openssh.com none

debug2: mac_setup: found hmac-sha1-etm@openssh.com

debug1: kex: client->server aes128-ctr hmac-sha1-etm@openssh.com none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug2: dh_gen_key: priv key bits set: 158/320

debug2: bits set: 994/2048

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Server host key: RSA {KEY}

debug1: Host '[example.com]:2602' is known and matches the RSA host key.

debug1: Found key in /Users/User/.ssh/known_hosts:9

debug2: bits set: 999/2048

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /Users/User/.ssh/id_rsa (0x7fb818416130),

debug2: key: /Users/User/.ssh/id_dsa (0x0),

debug1: Authentications that can continue: publickey,password

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /Users/User/.ssh/id_rsa

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue: publickey,password

debug1: Trying private key: /Users/User/.ssh/id_dsa

debug2: we did not send a packet, disable method

debug1: Next authentication method: password

rserver@example.com's password: 

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password

Permission denied, please try again.

rserver@example.com's password: 

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password

Permission denied, please try again.

rserver@example.com's password: 

debug2: we sent a password packet, wait for reply

debug1: Authentications that can continue: publickey,password

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey,password).





ssh arch-linux scp




ssh arch-linux scp






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Aug 25 '18 at 21:50









Rui F Ribeiro

40.4k1479137




40.4k1479137










asked Jun 27 '16 at 7:02









PolyovPolyov

1213




1213













  • Do you have password authentication enabled in sshd_config?

    – Satō Katsura
    Jun 27 '16 at 7:26











  • @SatoKatsura yes, my regular user has a password as well.

    – Polyov
    Jun 27 '16 at 7:37











  • Then perhaps your sshd uses some PAM modules that apply additional restrictions on who can log in and how. shrug

    – Satō Katsura
    Jun 27 '16 at 8:42











  • A simple ssh -v or ssh -vv will help us better.

    – anonimal
    Jul 1 '16 at 12:19











  • @anonimal I've added the log, although I don't know if it contains much relevant information.

    – Polyov
    Jul 4 '16 at 16:28



















  • Do you have password authentication enabled in sshd_config?

    – Satō Katsura
    Jun 27 '16 at 7:26











  • @SatoKatsura yes, my regular user has a password as well.

    – Polyov
    Jun 27 '16 at 7:37











  • Then perhaps your sshd uses some PAM modules that apply additional restrictions on who can log in and how. shrug

    – Satō Katsura
    Jun 27 '16 at 8:42











  • A simple ssh -v or ssh -vv will help us better.

    – anonimal
    Jul 1 '16 at 12:19











  • @anonimal I've added the log, although I don't know if it contains much relevant information.

    – Polyov
    Jul 4 '16 at 16:28

















Do you have password authentication enabled in sshd_config?

– Satō Katsura
Jun 27 '16 at 7:26





Do you have password authentication enabled in sshd_config?

– Satō Katsura
Jun 27 '16 at 7:26













@SatoKatsura yes, my regular user has a password as well.

– Polyov
Jun 27 '16 at 7:37





@SatoKatsura yes, my regular user has a password as well.

– Polyov
Jun 27 '16 at 7:37













Then perhaps your sshd uses some PAM modules that apply additional restrictions on who can log in and how. shrug

– Satō Katsura
Jun 27 '16 at 8:42





Then perhaps your sshd uses some PAM modules that apply additional restrictions on who can log in and how. shrug

– Satō Katsura
Jun 27 '16 at 8:42













A simple ssh -v or ssh -vv will help us better.

– anonimal
Jul 1 '16 at 12:19





A simple ssh -v or ssh -vv will help us better.

– anonimal
Jul 1 '16 at 12:19













@anonimal I've added the log, although I don't know if it contains much relevant information.

– Polyov
Jul 4 '16 at 16:28





@anonimal I've added the log, although I don't know if it contains much relevant information.

– Polyov
Jul 4 '16 at 16:28










1 Answer
1






active

oldest

votes


















0














I know this is an old post, but I had the same problem and foud the solution so I'll post in case someone has the same issue.



In my case the problem was that I didn't have PAM active on sshd_config file, so adding the next line solved my issue:



UsePAM yes



Remember to restart sshd:



service sshd restart






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "106"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f292316%2fpassword-fails-over-ssh-works-locally%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    I know this is an old post, but I had the same problem and foud the solution so I'll post in case someone has the same issue.



    In my case the problem was that I didn't have PAM active on sshd_config file, so adding the next line solved my issue:



    UsePAM yes



    Remember to restart sshd:



    service sshd restart






    share|improve this answer




























      0














      I know this is an old post, but I had the same problem and foud the solution so I'll post in case someone has the same issue.



      In my case the problem was that I didn't have PAM active on sshd_config file, so adding the next line solved my issue:



      UsePAM yes



      Remember to restart sshd:



      service sshd restart






      share|improve this answer


























        0












        0








        0







        I know this is an old post, but I had the same problem and foud the solution so I'll post in case someone has the same issue.



        In my case the problem was that I didn't have PAM active on sshd_config file, so adding the next line solved my issue:



        UsePAM yes



        Remember to restart sshd:



        service sshd restart






        share|improve this answer













        I know this is an old post, but I had the same problem and foud the solution so I'll post in case someone has the same issue.



        In my case the problem was that I didn't have PAM active on sshd_config file, so adding the next line solved my issue:



        UsePAM yes



        Remember to restart sshd:



        service sshd restart







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Feb 8 at 11:39









        YoMismoYoMismo

        3,0661925




        3,0661925






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f292316%2fpassword-fails-over-ssh-works-locally%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            How to reconfigure Docker Trusted Registry 2.x.x to use CEPH FS mount instead of NFS and other traditional...

            Image
            0 I am having trouble trying to reconfigure my DTR container to try and use a CEPH FS mount we created to act as a storage backend for our image repository. The Docs are very vague on this and nothing exactly explains on how to do it. Has anyone yet connected the dots? linux filesystems mount storage docker share | improve this question asked Feb 1 at 6:40 jRapp3r jRapp3r 1 1 add a comment  | 
            Read more

            is 'sed' thread safe

            Image
            2 If I have a shell/python script that uses sed to modify a file in place based on user inputs, and then two users run the same script at the same time or approx. same time, is 'sed' thread safe ? Or perhaps it is not an issue because the file_descripor that was opened by the first thread will be used to lock the file anyway ? thx linux sed python share | improve this question edited 7 hours ago Jeff Schaller 42.9k 11 59 137 asked 7 hours ago terreys terreys
            Read more

            How to make a Squid Proxy server?

            Image
            1 I want to set up squid proxy server for monitoring user activity in a network and Internet Web URL filtering for user. I also want to configure the user login, user log, user access group, and block unwanted web sites in my network. Please help me and guide me the full process to do this. server proxy squid share | improve this question edited Jul 31 '12 at 14:45 Jorge Castro 37.1k 107 422 617 asked Jul 31 '12 at 5:16 Goivind Tiwari Goivind Tiwari
            Read more