Error: "Access denied" when trying to authenticate via SSH and SFTP.

  • 3990089
  • 14-May-2007
  • 27-Apr-2012

Environment

Novell NetWare 6.5
Novell OpenSSH
OpenSSH SSH SSHD.NLM SFTP SFTP-SVR.NLM SCP

Situation

Error: "Access denied" when trying to authenticate via SSH and/or SFTP.

Resolution

Possible causes:

  1. There have been numerous important fixes in SSHD.NLM over time. The minimum level to use is the SSHD.NLM that ships with NetWare 6.5 SP6; the current recommendation is NetWare 6.5 SP8 plus the post-SP8 update NWsshd8a.zip (which may be superseded by NWsshd8b.zip or later).
  2. Correct LIBC.NLM functionality is crucial to SSH/SFTP, which is another reason to apply NetWare 6.5 Support Pack 8.
  3. SYS:\ETC\SSH\SSHD_CONFIG needs to be set to search the contexts for both the user objects AND the servers whose file systems need to be reached. For example, "eDirNameContext o=novell" (without the quotes) looks for objects only in o=novell itself and not in any container below it. "eDirNameContext o=novell?scope=subtree" (without the quotes) searches for the objects at or below o=novell. Multiple eDirNameContext lines can be placed in SSHD_CONFIG if necessary.
  4. Servers running SSHD.NLM need to have LDAP (NLDAP.NLM) running.
  5. LDAP needs to be configured to allow anonymous simple binds. Note that in eDirectory an anonymous LDAP bind receives the rights of the [Public] object (or of the proxy user, if one is configured on the LDAP Group object), so grant only the read access needed to locate the user and server objects.
NOTE: Numerous additional LDAP issues could also contribute to this symptom. For example, if the NCP Server object does not have an LDAP Server object associated with it (containing the necessary LDAP extensions), together with an associated LDAP Group object, certificate objects, and an exported certificate file, the problem may persist. All of these are normally in place after a default server install made directly into the target tree.
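
The scope rule in cause 3 is easy to get wrong by hand, and the sshd log level in the next section is easy to forget to set. The following Python script is an added example, not part of this TID or of Novell's OpenSSH port: it parses the eDirNameContext and LogLevel directives out of an SSHD_CONFIG excerpt and reports contexts that will not search below their container. The sample configuration and the ou=users/ou=servers/o=acme container names are constructed for the demonstration.

```python
# Added example (not from the TID or Novell's OpenSSH port): lint the
# eDirNameContext lines of a NetWare sshd_config for the base-vs-subtree
# problem described in cause 3, and report the sshd LogLevel.
import re
from typing import Dict, List, Optional

# Constructed SYS:\ETC\SSH\SSHD_CONFIG excerpt for demonstration; the
# container names below are made up.
SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt (constructed sample)
Port 22
LogLevel INFO
eDirNameContext o=novell
eDirNameContext ou=users,o=acme?scope=subtree
eDirNameContext ou=servers,o=acme?scope=base
"""

KEYWORD = "edirnamecontext"


def _directives(text: str):
    """Yield (keyword, value) for each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0], parts[1].strip()


def parse_name_contexts(text: str) -> List[Dict[str, str]]:
    """Return one dict per eDirNameContext line with the base DN and the
    LDAP-URL-style scope.  A value with no '?scope=' suffix is recorded as
    'base', because sshd then searches only that container, not below it."""
    contexts = []
    for keyword, value in _directives(text):
        if keyword.lower() != KEYWORD:
            continue
        base, _, query = value.partition("?")
        match = re.search(r"(?:^|&)scope=([A-Za-z]+)", query)
        scope = match.group(1).lower() if match else "base"
        contexts.append({"base": base.strip(), "scope": scope})
    return contexts


def non_subtree_contexts(text: str) -> List[Dict[str, str]]:
    """Contexts that will not find objects in subordinate containers."""
    return [c for c in parse_name_contexts(text) if c["scope"] != "subtree"]


def log_level(text: str) -> Optional[str]:
    """Current LogLevel directive (None if absent, i.e. sshd's default)."""
    for keyword, value in _directives(text):
        if keyword.lower() == "loglevel":
            return value
    return None


def report(text: str) -> List[str]:
    """Human-readable findings for the given sshd_config text."""
    findings = []
    contexts = parse_name_contexts(text)
    if not contexts:
        findings.append("no eDirNameContext lines: sshd cannot locate any "
                        "user or server objects")
    for ctx in non_subtree_contexts(text):
        findings.append(
            f"eDirNameContext {ctx['base']} has scope={ctx['scope']}: objects "
            f"below {ctx['base']} will not be found; use "
            f"{ctx['base']}?scope=subtree"
        )
    level = log_level(text)
    if level is None or level.upper() != "DEBUG3":
        findings.append(f"LogLevel is {level or 'unset'}; set 'LogLevel DEBUG3' "
                        "while troubleshooting an Access denied")
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Run it against a copy of the real SYS:\ETC\SSH\SSHD_CONFIG (for example `report(open("sshd_config").read())`); any context listed in the output should be either converted to `?scope=subtree` or supplemented with additional eDirNameContext lines for the containers that actually hold the user and server objects.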
 
If the problem continues, it may be necessary to raise the sshd log level to DEBUG3:

  • Edit the SYS:\ETC\SSH\SSHD_CONFIG file (the sshd server configuration; SSH_CONFIG is the client configuration and does not affect sshd logging).
  • Change the "LogLevel INFO" line to read "LogLevel DEBUG3" (without the quotes).
  • Unload and reload SSHD.NLM (which can also be done by running SYS:\ETC\SSH\UTILS\SSHDRSET.NCF).
  • Reproduce failure and view the SYS:\ETC\SSH\LOGS\SSHD.LOG for more information.
The log may contain many helpful clues. For LDAP problems, the error "Can't contact LDAP server" would likely appear. If so, document 3078774 (https://support.novell.com) will likely be helpful.
 
For general tips on troubleshooting with the sshd.log, see TID 7005537.

Also, DSTRACE.NLM is very helpful in troubleshooting LDAP authentication issues:

  • LOAD DSTRACE.NLM
  • DSTRACE -ALL
  • DSTRACE SCREEN ON FILE ON +TIME +LDAP +AUTH
  • Switch to the DSTrace Console screen to view activity.
  • Alternatively, you may view the same information in the SYS:\SYSTEM\DSTRACE.LOG file after first switching the file output off in DSTRACE (DSTRACE FILE OFF) so that the log is flushed.

Additional Information

Formerly known as TID# 10092689