SSH - Access Denied - Wrong Credentials (but they're the right ones)

Experiencing an odd problem when trying to access XG through SSH from the LAN. When I try to log in, I get "Access Denied". In the logs, it says "User 'bob' failed to login from 'IP ADDRESS' using ssh because of wrong credentials".

I'm using the exact same credentials that I use to log in to the web UI for XG. I checked the settings for the user and there doesn't seem to be anything amiss. It is an Administrator user. Thought it might be a restriction on simultaneous logins, so changed that to unlimited. Double checked to make sure that SSH was enabled for access from the LAN on the ACL (though I think if that was not enabled I wouldn't even get the login prompt). I've double checked the user name and password, and even reset the password just to be doubly sure. I can log on to the web UI using the very same credentials.

Any suggestions would be most appreciated.



This thread was automatically locked due to age.
  • Hi, 

    Have you given Administrative Rights to the user? Also, what is the firmware version on the XG? There is a known issue related to Administrative Rights that started from MR-3 or MR-4.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi - thanks for the note and yes I have given the user admin rights. I'm using MR-6. Glad to hear about the known issue.

    As an aside, I was able to resolve this somewhat - I forgot that there was a default user called admin (that can't be turned off, but that's another issue) which allows access to the CLI.

  • Hi Sachin,

    I've never had any luck with successful ssh authing except from the admin account. We use ssh keys to allow for different users without handing out the password.

    Regards,

    Peter Tiggerdine.

  • I am having the same issue with MR6.  This is a problem as the owner of the firewall would like us to always use our (MSP) credentials when connecting.

  • Hey Sophos!!!!

    Can you answer and close this question?

    Is this problem solved??

    I am also unable to connect over ssh with any superadmin account but admin.

  • Hi Jiri,

    Can you please describe which Super Admin accounts you are referring to? SSH access will be allowed for Admin accounts, which will act as a Super Admin with all access to the console and shell.

    Thanks,

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi sachingurung.

    We have several Administrators (user type Administrator, sorry for the confusion; in Sophos Cloud these users are SuperAdmins) in our Sophos XG, version SFOS 17.1.3 MR-3.

    We tried in many ways to connect by ssh protocol to our Sophos firewall. The only success for us was to connect as admin with the password that was set up when the Sophos FW was installed.

    Connection through the GUI works for every "superadmin" without a problem.

    I think that our ssh problem lies in the fact that all our Administrators are imported from Active Directory and use LDAP authentication.

    For us it would be superior to have all "admin ssh connections" made with certificates, but we weren't able to manage this until now.