Problem with start Session - Linux Cent OS 9

PAM Core
,
1

Hi, i have a problem with start session with linux Cent OS 9, jumpserver and multhop works good, but in Pam Core when try start session in browser show this error

COnnection error

The remote desktop server encountered an error and has closed the connection. Please try again or contact your system adiministrator.

i try adjust sshd and selinux but dont work. firewalld is disabled, dont have any block in iptables

2

Hi Ruter,

Have you tried to execute the SSH changes of this article link to the article ? Can you please, share with us the content of the sshd_config file?

3

Hi Felipe, i trying this but dont work.

$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

This is the sshd server system-wide configuration file. See

sshd_config(5) for more information.

This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

The strategy used for options in the default sshd_config shipped with

OpenSSH is to specify options with their default value where

possible, but leave them commented. Uncommented options override the

default value.

To modify the system-wide sshd configuration, create a *.conf file under

/etc/ssh/sshd_config.d/ which will be automatically included below

Include /etc/ssh/sshd_config.d/*.conf

If you want to change the port on a SELinux system, you have to tell

SELinux about this change.

semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKeyAlgorithms=ssh-rsa,[email protected]
PubkeyAcceptedAlgorithms=+ssh-rsa,[email protected]

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

Ciphers and keying

#RekeyLimit default none

Logging

#SyslogFacility AUTH
#LogLevel INFO

Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2

but this is overridden so installations will only check .ssh/authorized_keys

AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

For this to work you will also need host keys in /etc/ssh/ssh_known_hosts

#HostbasedAuthentication no

Change to yes if you don’t trust ~/.ssh/known_hosts for

HostbasedAuthentication

#IgnoreUserKnownHosts no

Don’t read the user’s ~/.rhosts and ~/.shosts files

#IgnoreRhosts yes

To disable tunneled clear text passwords, change to no here!

PasswordAuthentication yes
#PermitEmptyPasswords no

Change to no to disable s/key passwords

#KbdInteractiveAuthentication yes

Kerberos options

#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

GSSAPI options

#GSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

Set this to ‘yes’ to enable PAM authentication, account processing,

and session processing. If this is enabled, PAM authentication will

be allowed through the KbdInteractiveAuthentication and

PasswordAuthentication. Depending on your PAM configuration,

PAM authentication via KbdInteractiveAuthentication may bypass

the setting of “PermitRootLogin without-password”.

If you just want the PAM account and session checks to run without

PAM authentication, then enable this but set PasswordAuthentication

and KbdInteractiveAuthentication to ‘no’.

WARNING: ‘UsePAM no’ is not supported in Fedora and may cause several

problems.

#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

no default banner path

#Banner none

4

TKS help, after update patch to fix problem with cipher every things works now

1 Like