- mkpasswd does not generate correct group number for domain users
mkpasswd -d <domain-name> -p /home -u <username> >> /etc/passwd
This adds one line for the domain user to /etc/passwd. Be careful: the group number in that line may not correspond to /etc/group, in which case the following error will likely be seen when running ssh -v localhost:
sshd: PID 2584: fatal: initgroups: <username>
After manually correcting the group number in /etc/passwd, we should be able to use ssh locally.
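A way to find the mismatched group number before sshd trips over it, as an added example that is not part of the original post: the function lists every passwd entry whose primary GID (field 4) has no matching GID (field 3) in the group file. The names check_passwd_gids and demo are hypothetical, and the sample account and group lines in demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): report passwd entries whose
# primary GID (field 4) has no matching GID (field 3) in the group file.
# Usage: check_passwd_gids [passwd-file] [group-file]; exit status 1 on a finding.

check_passwd_gids() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    awk -F: '
        # The group file is read first: remember every GID it defines.
        FILENAME == ARGV[1] { if ($3 != "") known[$3] = 1; next }
        # Passwd file: skip blank lines and comments.
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # A passwd entry needs 7 colon-separated fields.
        NF < 7 { printf "%s: malformed entry (%d fields)\n", $1, NF; bad = 1; next }
        # Flag a primary GID that the group file does not define.
        !($4 in known) { printf "%s: gid %s not in group file\n", $1, $4; bad = 1 }
        END { exit bad + 0 }
    ' "$group_file" "$passwd_file"
}

# Constructed sample: "jdoe" stands in for a domain user written by
# mkpasswd -d with a GID that the local group file does not define.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'Administrators:S-1-5-32-544:544:' \
        'Users:S-1-5-32-545:545:' > "$tmp/group"
    printf '%s\n' \
        'Administrator:unused:500:544:U-HOST\Administrator:/home/Administrator:/bin/bash' \
        'jdoe:unused:11234:10513:U-EXAMPLE\jdoe:/home/jdoe:/bin/bash' > "$tmp/passwd"
    status=0
    check_passwd_gids "$tmp/passwd" "$tmp/group" || status=$?
    rm -rf "$tmp"
    return "$status"
}
```

Run check_passwd_gids with no arguments to check the live /etc/passwd against /etc/group after appending the mkpasswd output.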
- hosts.allow - enable remote users
ALL : localhost 127.0.0.1/32 : allow
ALL : PARANOID : deny
sshd: ALL
However, this won't get us through if we connect from another machine.
sshd: PID 3904: refused connect from 10.8.8.8.
We could modify hosts.allow and make it look like:
sshd: ALL : spawn (echo "Attempt from %h %a to %d at `date` by %u" | tee -a /var/log/sshd.log)
This allows connections and adds one line to sshd.log for each connection.
Or simply:
sshd: ALL : allow
Or, more restrictive:
sshd: 10.8.0.0/255.255.0.0 : allow
- /etc/hosts - if sshd cannot verify hostname
This slows down the SSH client's connection. One workaround is to add the host to the /etc/hosts file, which speeds the connection up:
10.8.8.8 <hostname>