Netgate Discussion Forum

cannot SSH to pfSense with correct password

  • shushko1
    last edited by Jul 6, 2020, 9:37 AM

    Hi there!

    This is my setup: pfSense 2.5.0-DEVELOPMENT, PuTTY 0.71 for Windows, username = mypfsenseadmin (has "WebCfg - All pages", "User - System: Shell account access")
    I enabled SSH access to my pfSense and cannot log in, neither with the correct password nor with the authorized key.
    In PuTTY I get the "login as:" prompt.
    I am using mypfsenseadmin to log in to the WebUI successfully, and for SSH (unsuccessful).
    When I enter the correct password (which I am using to enter the WebUI), I get "access denied".
    When I use an authorized SSH key, I get "Server refused our key".
    I don't have access to local console, only to WebUI.

    I have another test pfSense, same version, SSH access works fine.
    How can I troubleshoot this issue? Log files?

    • stephenw10 Netgate Administrator
      last edited by Jul 6, 2020, 9:41 AM

      Do you see the failed SSH login attempts in the pfSense system log?

      If not, you are probably trying to SSH into something else. Maybe there's a port forward in there, for example.

      Steve

      • shushko1
        last edited by Jul 6, 2020, 10:13 AM

        There is no port forward for port 22 (checked Firewall > NAT > Port Forward).
        In the log "Status > System logs > Authentication > General" I don't see unsuccessful logins for SSH.

        I forgot to mention something which might help in troubleshooting: when I initiate the SSH connection with putty, I get a "Putty Security Alert", saying "The first key-exchange algorithm supported by the server is diffie-hellman-group1-sha1, which is below the configured warning threshold.".
        Also after this warning and after I type the username and press Enter, I don't get the message "Keyboard-interactive authentication prompts from server:", and am presented directly with "Password for mypfsenseadmin@<FQDN>:".

        Also at some point previously I noticed a strange record in "Status > System logs > Authentication > General":
        Jul 2 02:26:14 sshguard 95093 Attack from "<my-IP-address>" on service unknown service with danger 10.

        • stephenw10 Netgate Administrator
          last edited by Jul 6, 2020, 10:32 AM

          Not entirely sure where you're looking there but I would expect to see errors in the main system log like:

          Jul 6 11:27:39 	sshd 	45015 	user admin login class [preauth]
          Jul 6 11:27:41 	sshd 	45015 	error: PAM: Authentication error for admin from 172.21.16.5
          Jul 6 11:27:41 	sshd 	45015 	user admin login class [preauth]
          Jul 6 11:27:41 	sshguard 	12570 	Attack from "172.21.16.5" on service SSH with danger 10. 
          

          That should be logged on every failed attempt.

          The sshguard logs are expected. SSHGuard will block your source IP if you fail to login correctly enough times. But it would also block you from the GUI too.

          The algorithm error could be an old putty version or an old pfSense version.

          Steve

          • shushko1
            last edited by Jul 9, 2020, 12:57 PM

            Many thanks for your help, Steve!
            After speaking to the network administrator, I learned that in my connection path to the pfSense there was another network device (Cisco), and I was actually connecting to it via SSH! After that, I tried connecting from another host (different source subnet) and it worked!
            Cheers :)

            1 Reply Last reply Reply Quote 1
            • S
              stephenw10 Netgate Administrator
              last edited by Jul 9, 2020, 1:29 PM

              Ah, that would do it! 😉
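
The thread's root cause was a different SSH server answering on the path, with the unexpected key-exchange warning as the visible hint. As an added example (not posted by anyone in the thread and not Netgate code), this parses a server's identification string and its unencrypted SSH_MSG_KEXINIT packet per RFC 4253 and compares them with values recorded from the intended host. The function names, the `build_kexinit` helper and all sample values are constructed assumptions.

```python
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
NAME_LISTS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
              "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_banner(line: bytes) -> str:
    """Return softwareversion from 'SSH-protoversion-softwareversion [comments]'."""
    text = line.rstrip(b"\r\n").decode("ascii", "replace")
    if not text.startswith("SSH-") or text.count("-") < 2:
        raise ValueError("not an SSH identification string")
    return text.split("-", 2)[2].split(" ", 1)[0]

def parse_kexinit(packet: bytes) -> dict:
    """Parse one unencrypted SSH binary packet carrying SSH_MSG_KEXINIT (type 20)."""
    pkt_len = int.from_bytes(packet[:4], "big")
    pad_len = int.from_bytes(packet[4:5], "big")
    payload = packet[5:4 + pkt_len - pad_len] if pad_len < pkt_len else b""
    if len(packet) < 4 + pkt_len or len(payload) < 17 or payload[0] != 20:
        raise ValueError("not a complete SSH_MSG_KEXINIT")
    off, lists = 17, {}                      # skip type byte + 16-byte cookie
    for name in NAME_LISTS:
        n = int.from_bytes(payload[off:off + 4], "big")
        raw = payload[off + 4:off + 4 + n]
        if off + 4 > len(payload) or len(raw) != n:
            raise ValueError("truncated name-list")
        lists[name] = raw.decode("ascii").split(",") if raw else []
        off += 4 + n
    return lists

def endpoint_mismatch(known: dict, banner: bytes, kexinit: bytes) -> list:
    """List how the answering server differs from the recorded fingerprint."""
    software, kex = parse_banner(banner), parse_kexinit(kexinit)["kex"]
    diffs = []
    if software != known["software"]:
        diffs.append(f"software {software!r}, expected {known['software']!r}")
    if kex != known["kex"]:
        diffs.append(f"kex list differs, server's first choice: {kex[:1]}")
    return diffs

def build_kexinit(kex: list) -> bytes:
    """Constructed sample packet: given kex list, other nine name-lists empty."""
    names = ",".join(kex).encode()
    body = bytes([20]) + bytes(16) + len(names).to_bytes(4, "big") + names
    body += bytes(4 * 9) + bytes(1) + bytes(4)  # empty lists, follows flag, reserved
    pad = 16 - (len(body) + 5) % 8              # total length a multiple of 8
    return (len(body) + 1 + pad).to_bytes(4, "big") + bytes([pad]) + body + bytes(pad)

# Constructed samples: fingerprint noted for the intended host vs. what answered.
KNOWN = {"software": "OpenSSH_0.0", "kex": ["curve25519-sha256"]}
SEEN_BANNER = b"SSH-2.0-ExampleRouter_1.0\r\n"
SEEN_KEXINIT = build_kexinit(["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"])
```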
