ubuntu/debian - found reason for login failures that display error msg: "Access denied. Authentication that can continue: publickey, keyboard-interactive"
In the past I and others have had no problem with x2go client logins to Ubuntu/Debian x2goservers.
However, sometime n the past year or two of Ubuntu & Debian OS updates something changed which caused the normal x2goclient session profile that requires the UserID -and- Password to be entered would fail giving an error message on the client that says:
*Access denied. Authentication that can continue: publickey,keyboard-interactive*
I finally found out the reason for this change in behavior and here's how to fix it.
Get a terminal session with your x2goserver and edit */etc/ssh/sshd_config*
*sudo nano /etc/ssh/sshd_config*
in /etc/ssh/sshd_config (example was copied from Ubuntu 12.04) you will see the following entries:
*# Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthenticatio**n yes
# Change to no to disable tunnelled clear text passwords PasswordAuthentication no*
To fix this CHANGE *PasswordAuthentication* to "*yes*" and save the file and restart ssh
*sudo /etc/init.d/ssh restart*
*REASON for the failure & change of behavior from previous/older versions of Ubuntu.* I installed several older versions of Ubuntu going back to Ubuntu 9.10 and found that the installations of the Ubuntu Server changed the content of the /etc/ssh/sshd_config file!
In older systems the entry for PasswordAuthentication either said:
*# Change to no to disable tunnelled clear text passwords # PasswordAuthentication no*
where the PasswordAuthentication line *was commented out* ... which then defaulted it to "YES" *-or-* the Password Authentication line was actually uncommented BUT set to "YES"
*# Change to no to disable tunnelled clear text passwords PasswordAuthentication yes*
So those older OS versions and x2go *would work* using login ID's and Passwords.
Sometime during one of the Ubuntu 11.x releases the PasswordAuthentication entry was actually changed to "no" as is the case in Ubuntu 12.04 servers and the line was left not commented out so it was active...
*# Change to no to disable tunnelled clear text passwords PasswordAuthentication no *
That is what caused the failure of x2go logins using passwords and would present the user with that error message:
*Access denied. Authentication that can continue: publickey,keyboard-interactive*
I've made this change now and no longer see the problem on my servers so I wanted to share this info.
Brian
Op 25-04-12 16:47, brian mullan schreef:
*Access denied. Authentication that can continue: publickey,keyboard-interactive*
To fix this CHANGE */PasswordAuthentication/* to "*/yes/*" and save the file and restart ssh
Really great, this works for me!
With "PasswordAuthentication = no" I can use password authentication without any problems, but X2goclient does not work. When I turn it on it works fine. I've just test it on several machines.
_*REASON for the failure & change of behavior from previous/older versions of Ubuntu.*_
I don't use Ubuntu server, on Debian Squeeze the default is "yes".
Thank you Brian for sharing this information!
With reagards, Paul.
-- Paul van der Vlis Linux systeembeheer, Groningen http://www.vandervlis.nl
Hi Brian,
thanks for digging this out. Most of us devs are not using Ubuntu as
server OS and if we do, it is still an Ubuntu lucid.
So, please... could you put this into the X2Go wiki?
Thanks, Mike
On Mi 25 Apr 2012 16:47:53 CEST brian mullan wrote:
In the past I and others have had no problem with x2go client logins to Ubuntu/Debian x2goservers.
However, sometime n the past year or two of Ubuntu & Debian OS updates something changed which caused the normal x2goclient session profile that requires the UserID -and- Password to be entered would fail giving an error message on the client that says:
*Access denied. Authentication that can continue: publickey,keyboard-interactive*
I finally found out the reason for this change in behavior and here's how to fix it.
Get a terminal session with your x2goserver and edit */etc/ssh/sshd_config*
*sudo nano /etc/ssh/sshd_config*
in /etc/ssh/sshd_config (example was copied from Ubuntu 12.04) you will see the following entries:
*# Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthenticatio**n yes
# Change to no to disable tunnelled clear text passwords PasswordAuthentication no*
To fix this CHANGE *PasswordAuthentication* to "*yes*" and save the file and restart ssh
*sudo /etc/init.d/ssh restart*
*REASON for the failure & change of behavior from previous/older versions of Ubuntu.* I installed several older versions of Ubuntu going back to Ubuntu 9.10 and found that the installations of the Ubuntu Server changed the content of the /etc/ssh/sshd_config file!
In older systems the entry for PasswordAuthentication either said:
*# Change to no to disable tunnelled clear text passwords # PasswordAuthentication no*
where the PasswordAuthentication line *was commented out* ... which then defaulted it to "YES" *-or-* the Password Authentication line was actually uncommented BUT set to "YES"
*# Change to no to disable tunnelled clear text passwords PasswordAuthentication yes*
So those older OS versions and x2go *would work* using login ID's and Passwords.
Sometime during one of the Ubuntu 11.x releases the PasswordAuthentication entry was actually changed to "no" as is the case in Ubuntu 12.04 servers and the line was left not commented out so it was active...
*# Change to no to disable tunnelled clear text passwords PasswordAuthentication no *
That is what caused the failure of x2go logins using passwords and would present the user with that error message:
*Access denied. Authentication that can continue: publickey,keyboard-interactive*
I've made this change now and no longer see the problem on my servers so I wanted to share this info.
Brian
--
DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419
GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
-
brian mullan -
Mike Gabriel -
Paul van der Vlis