localhost attached to 55555, need to changed to regular port 22

General support questions
rahmanmi2
Posts: 7
Joined: 2023/09/27 18:32:18

localhost attached to 55555, need to changed to regular port 22

Post by rahmanmi2 » 2023/12/06 18:20:06

Hi,
We recently changed the ssh port from 55555 to 22. After that sshd was restarted,
and we can ssh to the server fine, no issue. But when we run 'ssh userid@localhost' it shows the error below.

# ssh -vvv user1-a@localhost
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "localhost" port 55555
debug2: ssh_connect_direct
debug1: Connecting to localhost [::1] port 55555.
debug2: fd 3 setting O_NONBLOCK
debug1: connect to address ::1 port 55555: Connection refused
debug1: Connecting to localhost [127.0.0.1] port 55555.
debug2: fd 3 setting O_NONBLOCK
debug1: connect to address 127.0.0.1 port 55555: Connection refused
ssh: connect to host localhost port 55555: Connection refused

# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ensxxx
sources:
services: dhcpv6-client ntp http https except_hik_opsmgr_agent hik_firewallconfig_service ssh
ports: 8011/tcp 8001/tcp 7003/tcp 7002/tcp 8356/tcp 22/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


# sestatus
SELinux status: disabled


# cat /etc/resolv.conf
search abc.com
nameserver xx.xx.xxx.xx
nameserver xx.xxx.x.xx
options attempts:1
options timeout:1
options rotate


From the /etc/ssh/sshd_config file:

# grep "^[^#;]" /etc/ssh/sshd_config
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
UseDNS no
Subsystem sftp /usr/libexec/openssh/sftp-server


# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomaini4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

xx.xx.xx.xxx centserver.abc.com centserver


# netstat -tulpena | grep LISTEN | grep ':22'
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 841475035 4401/sshd
tcp6 0 0 :::22 :::* LISTEN 0 841475037 4401/sshd


#grep -w '22/tcp' /etc/services
ssh 22/tcp # The Secure Shell (SSH) Protocol
#

# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"


Is there any file or place where we need to add/change the new ssh port 22? It is still showing port 55555 when we do ssh userid@localhost.
Please let me know how to fix this.

Thanks.
Miz

jlehtone
Posts: 4549
Joined: 2007/12/11 08:17:33
Location: Finland

Re: localhost attached to 55555, need to changed to regular port 22

Post by jlehtone » 2023/12/06 20:42:38

The debug output comes from ssh, the client, not from the sshd server.
The client says:
Reading configuration data /etc/ssh/ssh_config
What is in that config?

TrevorH
Site Admin
Posts: 33267
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: localhost attached to 55555, need to changed to regular port 22

Post by TrevorH » 2023/12/06 20:58:07

Check your user's /home/$user/.ssh/config file for directives like "Host localhost\nPort 55555". Also check /etc/ssh/ssh_config on the client side as jlehtone suggests. That is the system-wide version of .ssh/config.

Also, something does not add up. You show that /etc/redhat-release says CentOS 7, but CentOS 7 uses openssh 7.4p1, not 8.0p1. EL8 ships 8.0p1, not EL7.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
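Both replies above point at the ssh client's own config files. As an added example (not code from the thread), the Python below applies ssh's first-value-wins rule across ~/.ssh/config and /etc/ssh/ssh_config and reports which file's Host block is pinning the port; the two config texts are constructed to reproduce the leftover "Host localhost / Port 55555" case.

```python
import re
from fnmatch import fnmatchcase

def parse_ssh_config(text):
    """Return [(host_patterns, {option: first_value})] in file order.
    Options before the first Host line apply to every host."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key.lower(), value.strip())  # first wins
    return blocks

def host_matches(host, patterns):
    """ssh Host semantics: some pattern matches and no '!' pattern does."""
    if any(p.startswith("!") and fnmatchcase(host, p[1:]) for p in patterns):
        return False
    return any(not p.startswith("!") and fnmatchcase(host, p) for p in patterns)

def resolve_port(host, named_configs, default=22):
    """named_configs is [(label, text)] in the order ssh reads them:
    ~/.ssh/config first, then /etc/ssh/ssh_config. Returns (port, source),
    where source is the file whose block supplied the first Port value."""
    for label, text in named_configs:
        for patterns, options in parse_ssh_config(text):
            if host_matches(host, patterns) and "port" in options:
                return int(options["port"]), label
    return default, "built-in default"

# Constructed files: a stale per-host block from the 55555 days in the
# user's config, and a system-wide default that was already moved to 22.
USER_CONFIG = """# ~/.ssh/config (constructed)
Host localhost
    Port 55555
"""
SYSTEM_CONFIG = """# /etc/ssh/ssh_config (constructed)
Host *
    Port 22
"""

if __name__ == "__main__":
    configs = [("~/.ssh/config", USER_CONFIG), ("/etc/ssh/ssh_config", SYSTEM_CONFIG)]
    for h in ("localhost", "centserver"):
        print(h, resolve_port(h, configs))  # localhost -> (55555, '~/.ssh/config')
```

On a real client, `ssh -G localhost | grep -i '^port'` prints the same resolved value without connecting.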

rahmanmi2
Posts: 7
Joined: 2023/09/27 18:32:18

Re: localhost attached to 55555, need to changed to regular port 22

Post by rahmanmi2 » 2023/12/07 18:55:27

Thanks for your help with the port issue for localhost.
After I edited the /etc/ssh/ssh_config file with port 22, it fixed the 'connection refused' issue.

Now I am having another issue: when I try to ssh localhost as a local user of the server (local_user5), it works fine without any public key error.

# ssh local_user5@localhost
local_user5@localhost's password:
Last login: Thu Dec 7 22:06:31 2023 from 10.181.52.245
[local_user5@myserver8 ~]$

But if I try ssh localhost as an AD user, which is ad_user1@abc.com@localhost,
it gives a 'publickey,password' error.


# ssh -v ad_user1@abc.com@localhost
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to localhost [::1] port 22.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0
debug1: match: OpenSSH_8.0 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'ad_user1@abc.com'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:ggdfPSbTaf9fyPaZGG6OMDtFmbg/1jDxTCCkV/T/jVA
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /root/.ssh/id_rsa
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: Trying private key: /root/.ssh/id_xmss
debug1: Next authentication method: password
ad_user1@abc.com@localhost's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
ad_user1@abc.com@localhost's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
ad_user1@abc.com@localhost's password:
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
ad_user1@abc.com@localhost: Permission denied (publickey,password).
[root@myserver8 ~]#

So I am not sure why the AD user is not able to ssh localhost?
We are using realm, sssd, pam.

Thanks,
-Miz

jlehtone
Posts: 4549
Joined: 2007/12/11 08:17:33
Location: Finland

Re: localhost attached to 55555, need to changed to regular port 22

Post by jlehtone » 2023/12/08 07:36:47

On my CentOS 7:

$ ssh -v localhost
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4

On my AlmaLinux 8:

$ ssh -v localhost
OpenSSH_8.0p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.0

Your OpenSSH_8.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017 seems very suspicious.


That is not the issue though. Your new issue is about how the server does authentication.
The sshd should pass the password authentication to SSSD, which in turn looks at AD backend.

You could look at the files /var/log/messages and /var/log/secure, and the output of journalctl.


I have never used AD, but I have seen multiple threads about AD, so apparently SSSD-AD config is not trivial.
I have not seen the "user@domain@hostname" syntax either. Is that really what one should use with AD?
(Rhetorical question -- I don't really want to get any closer to AD than I am now.)

rahmanmi2
Posts: 7
Joined: 2023/09/27 18:32:18

Re: localhost attached to 55555, need to changed to regular port 22

Post by rahmanmi2 » 2023/12/08 13:52:14

Hi,
I only see the entries below related to 'ssh ad_user1@localhost'
in /var/log/messages. There are no entries in /var/log/secure related to this failure.

Dec 8 21:31:09 myserver8 systemd-logind: New session c159 of user root.
Dec 8 21:31:09 myserver8 su: (to root) root on pts/0
Dec 8 21:36:18 myserver8 sshd[468]: Connection from ::1 port 60838 on ::1 port 22
Dec 8 21:36:42 myserver8 sshd[468]: error: Could not get shadow information for ad_user1
Dec 8 21:36:42 myserver8 sshd[468]: Failed password for ad_user1 from ::1 port 60838 ssh2
Dec 8 21:36:45 myserver8 sshd[468]: Failed password for ad_user1 from ::1 port 60838 ssh2
Dec 8 21:36:49 myserver8 sshd[468]: Failed password for ad_user1 from ::1 port 60838 ssh2
Dec 8 21:36:49 myserver8 sshd[468]: Connection closed by authenticating user ad_user1 ::1 port 60838 [preauth]
Dec 8 21:37:09 myserver8 sshd[10901]: Connection from xx.xxx.xx.xxx port 50881 on xx.xx.xx.xxx port 22
[root@myserver8 ~]#

Not sure it sheds any light on troubleshooting this issue.

Thanks again.
-Miz

rahmanmi2
Posts: 7
Joined: 2023/09/27 18:32:18

Re: localhost attached to 55555, need to changed to regular port 22

Post by rahmanmi2 » 2023/12/08 15:42:40

Hi, after hashing out 'UsePAM yes' from /etc/ssh/sshd_config and restarting sshd, I am seeing the error below in /var/log/messages:

Dec 8 23:09:56 myserver08 sshd[25707]: Connection from ::1 port 62240 on ::1 port 22
Dec 8 23:10:10 myserver08 sshd[25707]: Failed password for ad_user1 from ::1 port 62240 ssh2
Dec 8 23:10:15 myserver08 sshd[25707]: Failed password for ad_user1 from ::1 port 62240 ssh2
Dec 8 23:10:17 myserver08 sshd[25707]: Failed password for ad_user1 from ::1 port 62240 ssh2
Dec 8 23:10:17 myserver08 sshd[25707]: Connection closed by authenticating user ad_user1 ::1 port 62240 [preauth]

But I am sure my password is not outdated or expired. I am able to log in with it to our other CentOS server fine.

Any help will be much appreciated.

Thanks,
-Miz

rahmanmi2
Posts: 7
Joined: 2023/09/27 18:32:18

Re: localhost attached to 55555, need to changed to regular port 22

Post by rahmanmi2 » 2023/12/11 14:58:18

Does anyone have any idea how to fix the issue?
I really need to fix it. As an AD user I am not able to log in to the server, even though the server has already joined the DOMAIN.
Non-AD users can log in fine without any issue.

When I tried, it showed the above errors in /var/log/messages.

]# ssh ad_user1@localhost
ad_user1@localhost's password:
Permission denied, please try again.
ad_user1@localhost's password:
Permission denied, please try again.
ad_user1@localhost's password:
ad_user1@localhost: Permission denied (publickey,gssapi-with-mic,password,keyboard-interactive).

Below are a few other outputs from the server, if it helps to figure out the solution.

# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"


# rpm -qa open*
openssh-clients-8.0p1-1.el7.centos.x86_64
openssh-8.0p1-1.el7.centos.x86_64
openssl-1.0.2k-16.el7.x86_64
open-vm-tools-10.2.5-3.el7.x86_64
openssh-server-8.0p1-1.el7.centos.x86_64
openssl-libs-1.0.2k-16.el7.x86_64
openldap-2.4.44-20.el7.x86_64

# cat /etc/sssd/sssd.conf

[sssd]
domains = abc.com
config_file_version = 2
services = nss, pam

[domain/abc.com]
debug_level = 7
ad_domain = abc.com
krb5_realm = abc.com
ad_enable_gc = false
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
ignore_group_members = True
access_provider = simple
simple_allow_groups = Unix_Admins



Thanks,
-Miz

rahmanmi2
Posts: 7
Joined: 2023/09/27 18:32:18

Re: localhost attached to 55555, need to changed to regular port 22

Post by rahmanmi2 » 2023/12/13 19:47:02

Hi all,
I resolved the issue.
After much trial and error, and also comparing multiple files with a working system, it started working when I added a few entries that help authenticate sss with ssh in /etc/pam.d/sshd, and then restarted sshd and sssd.

Now all AD users can log in with their AD id fine, with authentication happening in sssd in the background.

Thanks all for your co-operation.

-Miz
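The fix above is pam_sss entries in /etc/pam.d/sshd, which the post does not list. As an added example (not the poster's entries or the thread's code), the Python below checks the three things a password login through sshd needs before SSSD is consulted at all: UsePAM on, and pam_sss.so reachable in the auth and account stacks of the sshd service once include/substack lines are followed. The sshd_config and PAM files are constructed EL7-style text, and the pam_sss.so lines use the common authconfig form; treat both as assumptions, not the thread's real files.

```python
import re
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")  # type control module

def pam_modules(service, files, phase, seen=None):
    """Modules reached for one phase of a PAM service, following include/substack."""
    seen = seen if seen is not None else set()
    if service in seen or service not in files:
        return []
    seen.add(service)
    found = []
    for raw in files[service].splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != phase:
            continue
        if m.group(2) in ("include", "substack"):
            found += pam_modules(m.group(3), files, phase, seen)
        else:
            found.append(m.group(3))
    return found

def sshd_reaches_sssd(sshd_config, pam_files):
    """UsePAM on plus pam_sss.so in both the auth and account stacks of 'sshd'."""
    use_pam = "no"                                   # sshd's built-in default
    for raw in sshd_config.splitlines():
        m = re.match(r"(?i)usepam\s+(\S+)", raw.split("#", 1)[0].strip())
        if m:
            use_pam = m.group(1).lower()
            break                                    # sshd keeps the first value
    return {
        "UsePAM": use_pam == "yes",
        "auth_pam_sss": "pam_sss.so" in pam_modules("sshd", pam_files, "auth"),
        "account_pam_sss": "pam_sss.so" in pam_modules("sshd", pam_files, "account"),
    }

# Constructed EL7-style stacks. PAM_BEFORE never reaches pam_sss.so, so an AD
# user's password can only be checked against local accounts; PAM_AFTER adds it.
PAM_BEFORE = {
    "sshd": "auth required pam_sepermit.so\nauth substack password-auth\n"
            "account required pam_nologin.so\naccount include password-auth\n",
    "password-auth": "auth required pam_env.so\n"
                     "auth sufficient pam_unix.so nullok try_first_pass\n"
                     "auth required pam_deny.so\naccount required pam_unix.so\n",
}
PAM_AFTER = dict(PAM_BEFORE, sshd=(
    "auth required pam_sepermit.so\nauth sufficient pam_sss.so\n"
    "auth substack password-auth\naccount required pam_nologin.so\n"
    "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n"
    "account include password-auth\n"))
SSHD_CONFIG = "Port 22\nUsePAM yes\nPasswordAuthentication yes\n"
```

Any False in the returned dict is a place to look before blaming the AD password; commenting out UsePAM, as tried earlier in the thread, turns the first check False.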
