From: Matthew Seaman
To: Rishi Chopra
Cc: Ruben de Groot, questions@freebsd.org
Date: Tue, 13 Jan 2004 21:55:51 +0000
Subject: Re: FreeBSD, SSH and "Enter Authentication Response"
Message-ID: <20040113215551.GA69353@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <40046367.3050305@cal.berkeley.edu>

On Tue, Jan 13, 2004 at 01:30:15PM -0800, Rishi Chopra wrote:

> I've included copies of my /etc/ssh/ssh_config file and /etc/pam.d/ssh -
> I'm running a default minimal installation of FreeBSD 5.2:

> etc/ssh/ssh_config:

Um... /etc/ssh/sshd_config is more to the point -- ssh_config is for
the client side, ssh*d*_config is for the server side. However if
you've just installed the system then chances are the sshd_config is
unmodified from the default settings.

Try turning off the challenge-response stuff as I suggested in my
earlier e-mail. ie. make it so that sshd_config contains:

    ChallengeResponseAuthentication no

> /etc/pam.d/ssh

That looks fine.

Hmmm... This does look like a peculiar interaction of your particular
SSH client software and the OpenSSH server code on FreeBSD. Normally
I'd suggest running the client side connection with debugging turned
up high, eg:

    % ssh -v -v -v host.example.com

but I don't know what the equivalent of that is for the client
software you're using.

A very good diagnostic test though is to run the server side with the
debugging turned up. A good trick is to run it on an alternative port
so you can run it in parallel with your regular sshd. eg:

    # sshd -d -d -d -p 24

You can then connect to the alternate port by:

    % ssh -p 24 host.example.com

This will produce quite a lot of output, and exit after the ssh
session. By comparing this output to the equivalent output from a
machine where you don't have the problem you should be able to tell
what the FreeBSD box is doing differently, and maybe work out how to
fix it. Be aware that the full debug output from sshd should not be
published as it can contain privileged information.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
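
The comparison step suggested in the message above, as an added example that is not part of the original e-mail: it masks addresses, ports and user names in two `sshd -d -d -d` captures and returns only the lines that differ. The log lines are constructed samples in the style of OpenSSH debug output, and the names `mask` and `compare` are hypothetical.

```python
import difflib
import re

# Constructed sample captures in the style of `sshd -d -d -d` output; not real logs.
WORKING = """\
debug1: Connection from 10.0.0.5 port 40112
debug1: userauth-request for user alice service ssh-connection method none
debug1: userauth-request for user alice service ssh-connection method password
Accepted password for alice from 10.0.0.5 port 40112 ssh2
"""
FAILING = """\
debug1: Connection from 192.168.7.20 port 51877
debug1: userauth-request for user bob service ssh-connection method none
debug1: userauth-request for user bob service ssh-connection method keyboard-interactive
Postponed keyboard-interactive for bob from 192.168.7.20 port 51877 ssh2
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
PORT = re.compile(r"\bport \d+")
USER = re.compile(r"\bfor (user )?\S+")


def mask(line):
    """Replace per-session and site-identifying values with fixed tokens."""
    line = IPV4.sub("<ip>", line)
    line = PORT.sub("port <n>", line)
    # Deliberately broad: any word after "for" is treated as a user name.
    return USER.sub(lambda m: "for " + (m.group(1) or "") + "<user>", line)


def compare(working, failing):
    """Return only the masked lines that differ between the two captures."""
    a = [mask(l) for l in working.splitlines()]
    b = [mask(l) for l in failing.splitlines()]
    diff = difflib.unified_diff(a, b, "working", "failing", n=0, lineterm="")
    lines = list(diff)[2:]  # drop the two file-header lines
    return [l for l in lines if not l.startswith("@@")]


if __name__ == "__main__":
    for line in compare(WORKING, FAILING):
        print(line)
```

Only three kinds of value are masked here; a real capture still needs reading through before any of it is shared.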