
While a client tries to establish a connection with our Tectia Server, it is not able to log in; below are the logs which I can see.

Can someone please have a look and provide their expert guidance to me.

From the logs I can see that no user is used, but the more worrying part which I see in the logs is:

[Feb 17 16:41:47] 11452 debug[11452]: 17/02/2014 16:41:47:315 SecShHostKeyStore/secsh_hostkeystore.c:211: Host key storage contains 2 keys
[Feb 17 16:41:47] 11452 debug[11452]: 17/02/2014 16:41:47:331 SecShHostKeyStore/secsh_hostkeystore.c:220: Failed to insert key to host key store

Is it normal, or is there some discrepancy in the way the client is trying to access our Tectia Server?

Many Thanks.

[Feb 17 16:41:28] 10636 debug[10636]: 17/02/2014 16:41:28:159 SecShKexDH/kexdh.c:1238: Running Diffie-Hellman key exchange with predefined group ietf-ike-grp-modp-1024.
[Feb 17 16:41:28] 10636 debug[10636]: 17/02/2014 16:41:28:252 SecShConnection/secsh_connection.c:369: Connection 122b680 disconnected.
[Feb 17 16:41:28] 10636 debug[10636]: 17/02/2014 16:41:28:252 SecShConnection/secsh_connection.c:388: Calling disconnection callback for 122b680
[Feb 17 16:41:28] 10636 debug[10636]: LOG EVENT (normal,security-failure): 411 Login_failure, Username: , Reason: Host not allowed to connect, Src IP: x.x.x.x, Dst IFace: listener, Dst IP: xx.xx.xx.xx, Src Port: xxxx, Dst Port: 22, "ssh disconnect host not allowed to connect, Remote Disconnect", Session-Id: 172
[Feb 17 16:41:28] 10636 debug[10636]: LOG EVENT (normal,informational): 402 Disconnect, Reason: Host not allowed to connect, Src IP: 164.140.194.141, Dst IFace: listener, Dst IP: 10.21.221.13, Src Port: 55254, Dst Port: 22, "ssh disconnect host not allowed to connect, Remote Disconnect", Session-Id: 172
[Feb 17 16:41:28] 10636 debug[10636]: 17/02/2014 16:41:28:299 SecShFastPathTransport/secsh_fastpath_transport.c:553: Shutting down transport handle 1226fe8 for conn 1202a10.
[Feb 17 16:41:28] 10636 debug[10636]: 17/02/2014 16:41:28:299 SecShConnection/secsh_connection.c:1243: Destroy notification.
[Feb 17 16:41:28] 10636 debug[10636]: 17/02/2014 16:41:28:315 SecShConnection/secsh_connection.c:1321: Destroying connection 122b680 (Connections still left 0)
[Feb 17 16:41:28] 10636 debug[10636]: 17/02/2014 16:41:28:315 SecShConnection/secsh_connection.c:1647: Uninitializing methods...
[Feb 17 16:41:28] 10636 debug[10636]: 17/02/2014 16:41:28:315 SecShConnection/secsh_connection.c:1670: done.
[Feb 17 16:41:28] 10636 debug[10636]: 17/02/2014 16:41:28:315 SecShConnection/secsh_connection.c:1677: Uninitializing kbdint submethods...
[Feb 17 16:41:28] 10636 debug[10636]: 17/02/2014 16:41:28:330 SecShConnection/secsh_connection.c:1700: done.
[Feb 17 16:41:47] 11452 debug[11452]: 17/02/2014 16:41:47:300 SecShServerHooks/secsh_server_hooks.c:2288: Connection from xx.xx.xx.xx:xxxxx.
[Feb 17 16:41:47] 11452 debug[11452]: 17/02/2014 16:41:47:315 SecShHostKeyStore/secsh_hostkeystore.c:211: Host key storage contains 2 keys
[Feb 17 16:41:47] 11452 debug[11452]: 17/02/2014 16:41:47:331 SecShHostKeyStore/secsh_hostkeystore.c:220: Failed to insert key to host key store
[Feb 17 16:41:47] 11452 debug[11452]: 17/02/2014 16:41:47:331 SecShConnection/secsh_connection.c:258: Connection 10a6e00 created, connection count now 1.
[Feb 17 16:41:47] 11452 debug[11452]: 17/02/2014 16:41:47:347 SecShConnection/secsh_connection.c:1647: Uninitializing methods...

asked Feb 18 '14 at 15:58


varun


What is the client software and version being used? Is the client getting prompted to save the host key?

What version of Tectia Server is being used? Also, can you provide the ssh-server-config.xml file? (Make sure you clean out or change the IPs and/or usernames, etc. in the config.)


answered Feb 18 '14 at 17:14


Joe - Tectia Support ♦♦

The client is using a Synchrony gateway to place the file on our server. We are on version 6.4.4.60.

Please find the server config file below:

<secsh-server>
  <params>
    <crypto-lib mode="fips"/>
    <address-family type="inet"/>
    <settings user-config-dir="xxxxx/SSH/KEYS/%username-without-domain%" windows-logon-type="interactive" windows-terminal-mode="console" resolve-client-hostname="no" terminate-user-processes="no"/>
    <password-cache file="xxxxx\SSH Tectia Server\sshpwcache.db"/>
    <hostkey>
      <private file="xxxxx"/>
      <public file="xxxxx"/>
    </hostkey>
    <listener id="listener" port="22"/>
    <domain-policy windows-domain-precedence="%default%,xxxxx"/>
    <limits max-connections="256" max-processes="40">
    </limits>
    <cert-validation>
    </cert-validation>
  </params>
  <connections>
    <connection name="Default-Connection" action="allow" tcp-keepalive="no">
      <rekey seconds="3600" bytes="1000000000"/>
      <cipher name="aes128-cbc"/>
      <cipher name="aes192-cbc"/>
      <cipher name="aes256-cbc"/>
      <cipher name="3des-cbc"/>
      <mac name="hmac-sha1"/>
    </connection>
  </connections>
  <authentication-methods login-grace-time="600">
    <authentication name="Default-Authentication" action="allow" password-cache="no">
      <auth-publickey authorized-keys-directory="xxxxxx/SSH/KEYS/%username-without-domain%" require-dns-match="no"/>
    </authentication>
  </authentication-methods>
  <services>
    <group name="xxxx">
      <selector>
        <user name="xxxxxx" allow-undefined="no"/>
      </selector>
    </group>
    <rule group="xxxx" idle-timeout="0">
      <environment allowed-case-sensitive="TERM,PATH,TZ,LANG,LC_*"/>
      <terminal action="deny"/>
      <subsystem type="sftp" action="allow" application="sft-server-g3">
        <attribute name="home" value="%USERPROFILE%"/>
        <attribute name="virtual-folder" value="xxxxx"/>
        <attribute name="virtual-folder" value="xxxxx"/>
        <attribute name="virtual-folder" value="xxxxx"/>
      </subsystem>
      <command action="deny"/>
      <tunnel-local action="deny">
      </tunnel-local>
      <tunnel-remote action="deny">
      </tunnel-remote>
    </rule>
  </services>
</secsh-server>


answered Feb 18 '14 at 18:20


varun
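As an added example (not part of this thread and not Tectia's own tooling), the check below reads the <connections> section of an ssh-server-config.xml in the layout posted above and reports which connection rule would apply to a given client address. The config is a constructed, trimmed copy; the "Block-Lab" deny rule and its <ip address="..."/> selector are assumptions added to show what a source-address block would look like, and first-match evaluation in file order is also an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, trimmed ssh-server-config.xml in the layout posted above.
# The "Block-Lab" deny rule and its <ip address=.../> selector are added here
# (assumed Tectia selector syntax) to show what a source-address block looks
# like; the poster's config has only the unconditional Default-Connection rule.
CONFIG_XML = """<secsh-server>
  <params><listener id="listener" port="22"/></params>
  <connections>
    <connection name="Block-Lab" action="deny">
      <selector><ip address="192.0.2.0/24"/></selector>
    </connection>
    <connection name="Default-Connection" action="allow" tcp-keepalive="no">
      <cipher name="aes256-cbc"/>
      <mac name="hmac-sha1"/>
    </connection>
  </connections>
</secsh-server>"""


def connection_rules(xml_text):
    """List every <connection> rule with its action and selector children."""
    root = ET.fromstring(xml_text)
    rules = []
    for conn in root.iter("connection"):
        selectors = [(child.tag, dict(child.attrib))
                     for sel in conn.findall("selector") for child in sel]
        rules.append({"name": conn.get("name"), "action": conn.get("action"),
                      "selectors": selectors})
    return rules


def decide_connection(xml_text, src_ip):
    """(rule name, action) of the first rule matching src_ip (assumed model:
    file order, a rule without selectors matches everyone, an ip selector
    matches when src_ip is inside its network). No match means the client is
    refused before any authentication runs, i.e. 'Host not allowed to connect'."""
    addr = ipaddress.ip_address(src_ip)
    for rule in connection_rules(xml_text):
        if not rule["selectors"]:
            return rule["name"], rule["action"]
        for tag, attrs in rule["selectors"]:
            if tag == "ip" and "address" in attrs and \
                    addr in ipaddress.ip_network(attrs["address"], strict=False):
                return rule["name"], rule["action"]
    return None, "deny"
```

Run against the real file, a config with only Default-Connection (as posted) returns ("Default-Connection", "allow") for every address, which is why the rejection has to come from somewhere other than the connection rules.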

I don't see anything in the config that looks like it would prevent a particular server from connecting.

In the logs it mentions you have 2 host keys; if you have recently changed your host keys, it's possible that the Synchrony gateway has the old host key saved, and you would need to update the public host key on the client side.

Are you able to manually trigger an SFTP connection from the gateway to see if you get prompted to save the new host key?

Also, it looks like you are limiting only one user from being able to log in, but the "Host not allowed to connect" points to a connection issue and doesn't even get to the authentication or services provided (SFTP).


answered Feb 18 '14 at 19:33


Joe - Tectia Support ♦♦
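As an added example (not from the thread or from Tectia), the triage script below parses the "LOG EVENT" audit lines in the format quoted in the question into their "Key: value" fields and reports at which stage each session was refused, which is the distinction made in the answer above: an empty Username together with the "Host not allowed to connect" reason is a connection-level decision, not an authentication failure. The sample lines are constructed in the same format with placeholder addresses, and the stage classification is an assumption based on those fields.

```python
import re

# Constructed sample lines in the Tectia Server debug-log format shown in the
# question; addresses and ports are placeholders, not the values from the thread.
SAMPLE_LOG = """\
[Feb 17 16:41:28] 10636 debug[10636]: 17/02/2014 16:41:28:159 SecShKexDH/kexdh.c:1238: Running Diffie-Hellman key exchange with predefined group ietf-ike-grp-modp-1024.
[Feb 17 16:41:28] 10636 debug[10636]: LOG EVENT (normal,security-failure): 411 Login_failure, Username: , Reason: Host not allowed to connect, Src IP: 192.0.2.10, Dst IFace: listener, Dst IP: 198.51.100.5, Src Port: 55254, Dst Port: 22, "ssh disconnect host not allowed to connect, Remote Disconnect", Session-Id: 172
[Feb 17 16:41:28] 10636 debug[10636]: LOG EVENT (normal,informational): 402 Disconnect, Reason: Host not allowed to connect, Src IP: 192.0.2.10, Dst IFace: listener, Dst IP: 198.51.100.5, Src Port: 55254, Dst Port: 22, "ssh disconnect host not allowed to connect, Remote Disconnect", Session-Id: 172
[Feb 17 16:41:47] 11452 debug[11452]: 17/02/2014 16:41:47:331 SecShHostKeyStore/secsh_hostkeystore.c:220: Failed to insert key to host key store
"""

EVENT_RE = re.compile(r"LOG EVENT \((?P<sev>[^)]*)\): (?P<code>\d+) (?P<name>\w+), (?P<rest>.*)$")
HOSTKEY_WARN = "Failed to insert key to host key store"


def parse_event(line):
    """Split one LOG EVENT line into fields; the quoted free text, which itself
    contains a comma, is reassembled under 'message'. Plain debug lines give None."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = {"code": int(m["code"]), "name": m["name"], "severity": m["sev"]}
    free_text = []
    for piece in m["rest"].split(", "):
        key, sep, val = piece.partition(": ")
        if sep:
            ev[key] = val.strip()      # e.g. "Username" -> "" when no user was sent
        else:
            free_text.append(piece.strip('"'))
    ev["message"] = ", ".join(free_text)
    return ev


def failure_stage(ev):
    """Assumed classification: 'Host not allowed to connect' is decided by the
    connection rules before authentication; a Login_failure with a Username
    means an authentication method actually ran."""
    if "not allowed to connect" in ev.get("Reason", "").lower():
        return "connection"
    if ev["name"] == "Login_failure" and ev.get("Username"):
        return "authentication"
    return "other"


def triage(log_text):
    """(code, name, src ip, username, stage) per audit event, plus the count of
    host-key-store warnings, which are a separate thing to follow up on."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    rows = [(e["code"], e["name"], e.get("Src IP"), e.get("Username"), failure_stage(e))
            for e in events]
    warnings = sum(HOSTKEY_WARN in line for line in log_text.splitlines())
    return rows, warnings
```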

Last updated: Feb 18 '14 at 19:33
