SSH allowing login but not starting command prompt

Question

Using AlmaLinux release 9.5 (Teal Serval).

When a user attempts to login via SSH, the system accepts the login and then hangs before disconnecting. Even the root user (which we have strictly permitted)

If I use Bitvise SSH Client, establish a connection, open an SFTP session, close it, and then attempt a terminal connection, the login works without issue.


# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
The strategy used for options in the default sshd_config shipped with
OpenSSH is to specify options with their default value where
possible, but leave them commented.  Uncommented options override the
default value.
To modify the system-wide sshd configuration, create a  *.conf  file under
/etc/ssh/sshd_config.d/  which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf
If you want to change the port on a SELinux system, you have to tell
SELinux about this change.
semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers and keying
#RekeyLimit default none
Logging
#SyslogFacility AUTH
#LogLevel INFO
Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
Change to yes if you don't trust ~/.ssh/known_hosts for
HostbasedAuthentication
#IgnoreUserKnownHosts no
Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes
Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
Set this to 'yes' to enable PAM authentication, account processing,
and session processing. If this is enabled, PAM authentication will
be allowed through the KbdInteractiveAuthentication and
PasswordAuthentication.  Depending on your PAM configuration,
PAM authentication via KbdInteractiveAuthentication may bypass
the setting of "PermitRootLogin without-password".
If you just want the PAM account and session checks to run without
PAM authentication, then enable this but set PasswordAuthentication
and KbdInteractiveAuthentication to 'no'.
WARNING: 'UsePAM no' is not supported in RHEL and may cause several
problems.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
no default banner path
#Banner none
override default of no subsystems
Subsystem   sftp    /usr/libexec/openssh/sftp-server
Example of overriding settings on a per-user basis
#Match User anoncvs
X11Forwarding no
AllowTcpForwarding no
PermitTTY no
ForceCommand cvs server

This system provides control for an emergency communications group's radio repeater.

SSH allowing login but not starting command prompt

This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

The strategy used for options in the default sshd_config shipped with

OpenSSH is to specify options with their default value where

possible, but leave them commented. Uncommented options override the

default value.

To modify the system-wide sshd configuration, create a *.conf file under

/etc/ssh/sshd_config.d/ which will be automatically included below

If you want to change the port on a SELinux system, you have to tell

SELinux about this change.

semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

Ciphers and keying

Logging

Authentication:

The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2

but this is overridden so installations will only check .ssh/authorized_keys

For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

Change to yes if you don't trust ~/.ssh/known_hosts for

HostbasedAuthentication

Don't read the user's ~/.rhosts and ~/.shosts files

To disable tunneled clear text passwords, change to no here!

Change to no to disable s/key passwords

Kerberos options

GSSAPI options

Set this to 'yes' to enable PAM authentication, account processing,

and session processing. If this is enabled, PAM authentication will

be allowed through the KbdInteractiveAuthentication and

PasswordAuthentication. Depending on your PAM configuration,

PAM authentication via KbdInteractiveAuthentication may bypass

the setting of "PermitRootLogin without-password".

If you just want the PAM account and session checks to run without

PAM authentication, then enable this but set PasswordAuthentication

and KbdInteractiveAuthentication to 'no'.

WARNING: 'UsePAM no' is not supported in RHEL and may cause several

problems.

no default banner path

override default of no subsystems

Example of overriding settings on a per-user basis

X11Forwarding no

AllowTcpForwarding no

PermitTTY no

ForceCommand cvs server

0 Answers0