Date:      Sat, 8 Dec 2001 22:07:19 +0100 (CET)
From:      "Hartmann, O." <ohartman@klima.physik.uni-mainz.de>
To:        Harald Schmalzbauer <H@Schmalzbauer.de>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: SSHD problems on P4
Message-ID:  <20011208214546.C15492-100000@klima.physik.uni-mainz.de>
In-Reply-To: <1007841058.618.6.camel@adm01.belenus.com>

On 8 Dec 2001, Harald Schmalzbauer wrote:


And again ...

The client I try to connect from is a client I have no admin rights
on, so I do not know what OpenSSH they use (the OS is OSF/1 5.0 on
DEC AlphaAXP).

I try the same between two FreeBSD machines, cvsupdated today 3 hours ago
and they seem to be up to date.

Starting sshd on the failing machine:

---
root: /etc: sshd -d -D
debug1: sshd version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: read PEM private key done: type DSA
debug1: private host key: #0 type 2 DSA
debug1: private host key: #1 type 0 RSA1
debug1: Forcing server key to 1152 bits to make it differ from host key.
debug1: Bind to port 22 on XX.XX.XX.XX.
Server listening on XX.XX.XX.XX port 22.
Generating 1152 bit RSA key.
RSA key generation complete.
---

Trying to connect to the machine with the ssh client from another machine:

---
ohartman: /homes/ohartman: ssh -v server
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1000 geteuid 1000 anon 1
debug1: Connecting to server.local.domain.de [XX.XX.XX.XX] port 22.
debug1: temporarily_use_uid: 1000/1000 (e=1000)
debug1: restore_uid
debug1: temporarily_use_uid: 1000/1000 (e=1000)
debug1: restore_uid
debug1: Connection established.
debug1: identity file $HOME/.ssh/identity type -1
debug1: identity file $HOME/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9 FreeBSD localisations 20011202
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 186/384
debug1: bits set: 1054/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'server.local.domain.de' is known and matches the DSA host key.
debug1: Found key in /homes/ohartman/.ssh/known_hosts2:9
debug1: bits set: 1001/2049
debug1: len 55 datafellows 0
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
Received disconnect from XX.XX.XX.XX: 2: Sorry, you are not allowed to connect.
debug1: Calling cleanup 0x805a67c(0x0)
---

When I try to connect from the failing machine to itself, I get the same message ...

I'm 'in sync' with the code, I think. I exchanged the config with the config offered by
'mergemaster', which comes from the source tree, and I created all host keys again - but
with no effect ...


CFLAGS=-O -pipe ... that's the only config option


:>Hello, perhaps a stupid question, but have you checked hosts.allow?
:>What is strange is that your machines decided to use 3des. With OpenSSH 2.9,
:>afaik, the default is AES (Rijndael). Did you compile it with special
:>CFLAGS? Are you out of sync with OpenSSL?
:>
:>Have fun,
:>
:>-Harry
:>
:>On Sat, 2001-12-08 at 19:59, Hartmann, O. wrote:
:>> Dear Sirs.
:>>
:>> We installed a new 2GHz P4 system with FreeBSD 4.4-RELEASE, then we
:>> cvsupdated the code to FreeBSD 4.4-STABLE and made a world. This
:>> machine, a new Dell Precision Workstation 340 with 512MB RIMM and 2 GHz
:>> Intel P4 CPU, works fine with FreeBSD 4.4-STABLE (the system has some
:>> problems bootstrapping at boot time, but this problem is not reproducible
:>> and did not go away when enabling options PNPBIOS in the kernel; I
:>> think this is a BIOS issue ...).
:>>
:>> Parallel to this machine we installed several other systems the same
:>> way, but only on the Dell system is sshd not willing to allow
:>> connections, while the ssh client connects fine to the outer world.
:>>
:>> I switched sshd on the specific machine to debugging mode and got this:
:>>
:>> ---
:>> root: /root: sshd -d -D
:>> debug1: sshd version OpenSSH_2.9 FreeBSD localisations 20011202
:>> debug1: read PEM private key done: type DSA
:>> debug1: private host key: #0 type 2 DSA
:>> debug1: private host key: #1 type 0 RSA1
:>> debug1: Forcing server key to 1152 bits to make it differ from host key.
:>> debug1: Bind to port 22 on XX.XX.XX.XX.
:>> Server listening on XX.XX.XX.XX port 22.
:>> Generating 1152 bit RSA key.
:>> RSA key generation complete.
:>> ---
:>>
:>> Then I try to connect from a client (a machine of our computer center)
:>> and use ssh2 -vv destination.machine.de
:>>
:>> ---
:>> debug: connecting to client01.physik.uni-mainz.de...
:>> debug: entering event loop
:>> debug: ssh_client_wrap: creating transport protocol
:>> debug: SshAuthMethodClient/sshauthmethodc.c:116: Added "publickey" to usable methods.
:>> debug: SshAuthMethodClient/sshauthmethodc.c:116: Added "password" to usable methods.
:>> debug: Ssh2Client/sshclient.c:1142: creating userauth protocol
:>> debug: Ssh2Common/sshcommon.c:501: local ip = XX.XX.XX.XX, local port = 4039
:>> debug: Ssh2Common/sshcommon.c:503: remote ip = XX.XX.XX.XX, remote port = 22
:>> debug: SshConnection/sshconn.c:1866: Wrapping...
:>> warning: Warning: Need basic cursor movement capablity, using vt100
:>> debug: Ssh2Transport/trcommon.c:599: Remote version: SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
:>> debug: Ssh2Transport/trcommon.c:789: Remote version has rekey incompatibility bug.
:>> debug: Ssh2Transport/trcommon.c:1118: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
:>> debug: Ssh2Transport/trcommon.c:1121: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
:>> debug: Ssh2Client/sshclient.c:406: Host key found from database.
:>> debug: Ssh2Common/sshcommon.c:305: Received SSH_CROSS_STARTUP packet from connection protocol.
:>> debug: Ssh2Common/sshcommon.c:355: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
:>> debug: Ssh2Common/sshcommon.c:137: DISCONNECT received: Sorry, you are not allowed to connect.
:>> warning: Authentication failed.
:>> debug: Ssh2/ssh2.c:84: locally_generated = FALSE
:>> Disconnected; protocol error (Sorry, you are not allowed to connect.).
:>> debug: uninitializing event loop
:>> ---
:>>
:>> This is the output of the daemon on the server side:
:>>
:>> ---
:>> root: /root: sshd -d -D
:>> debug1: sshd version OpenSSH_2.9 FreeBSD localisations 20011202
:>> debug1: read PEM private key done: type DSA
:>> debug1: private host key: #0 type 2 DSA
:>> debug1: private host key: #1 type 0 RSA1
:>> debug1: Forcing server key to 1152 bits to make it differ from host key.
:>> debug1: Bind to port 22 on XX.XX.XX.XX.
:>> Server listening on XX.XX.XX.XX port 22.
:>> Generating 1152 bit RSA key.
:>> RSA key generation complete.
:>> debug1: Server will not fork when running in debugging mode.
:>> Connection from client1.zdv.Uni-Mainz.DE port 4039
:>> Connection from XX.XX.XX.XX port 4039
:>> debug1: Client protocol version 1.99; client software version 2.4.0 SSH Secure Shell (non-commercial)
:>> debug1: match: 2.4.0 SSH Secure Shell (non-commercial) pat ^2\.[2-9]\.
:>> Enabling compatibility mode for protocol 2.0
:>> debug1: Local version string SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
:>> debug1: Rhosts Authentication disabled, originating port not trusted.
:>> debug1: list_hostkey_types: ssh-dss
:>> debug1: SSH2_MSG_KEXINIT sent
:>> debug1: SSH2_MSG_KEXINIT received
:>> debug1: kex: client->server 3des-cbc hmac-sha1 none
:>> debug1: kex: server->client 3des-cbc hmac-sha1 none
:>> debug1: dh_gen_key: priv key bits set: 187/384
:>> debug1: bits set: 512/1024
:>> debug1: expecting SSH2_MSG_KEXDH_INIT
:>> debug1: bits set: 503/1024
:>> debug1: sig size 20 20
:>> debug1: kex_derive_keys
:>> debug1: newkeys: mode 1
:>> debug1: SSH2_MSG_NEWKEYS sent
:>> debug1: waiting for SSH2_MSG_NEWKEYS
:>> debug1: newkeys: mode 0
:>> debug1: SSH2_MSG_NEWKEYS received
:>> debug1: KEX done
:>> debug1: userauth-request for user ohartman service ssh-connection method none
:>> debug1: attempt 0 failures 0
:>> debug1: Starting up PAM with username "ohartman"
:>> Denied connection for ohartman from client1.zdv.uni-mainz.de [XX.XX.XX.XX].
:>> Disconnecting: Sorry, you are not allowed to connect.
:>> debug1: Calling cleanup 0x8059ba0(0x0)
:>> debug1: Calling cleanup 0x8060c54(0x0)
:>> ---
:>>
:>> The frustrating thing is that I did a parallel installation on an older
:>> system based on an AMD K6-2/550 and it works! It is always the same
:>> ssh configuration on all machines: I copy an sshd_config file to each machine
:>> and replace the interface part with the appropriate IP, that's it. A diff
:>> of a working and a non-working config showed this line as the only one that
:>> differs.
:>>
:>> On a working sshd (switched to sshd -d -D) I see another
:>>
:>> 'userauth-request for user ohartman service ssh-connection method none'
:>>
:>> line; it shows a kind of protocol and so on.
:>>
:>> I tried to disable SSE in the kernel, but that did not help.
:>>
:>> Well, it looks strange to me .. :-(
:>>
:>> Thanks in advance for your comments and help.
:>>
:>> Oliver
:>>
:>>
:>> --
:>> Regards
:>> O. Hartmann
:>>
:>> ohartman@klima.physik.uni-mainz.de
:>> ----------------------------------------------------------------
:>> IT Administration of the Institute for Atmospheric Physics (IPA)
:>> ----------------------------------------------------------------
:>> Johannes Gutenberg Universitaet Mainz
:>> Becherweg 21
:>> 55099 Mainz
:>>
:>> Tel: +496131/3924662 (machine room)
:>> Tel: +496131/3924144
:>> FAX: +496131/3923532
:>>
:>>
:>> To Unsubscribe: send mail to majordomo@FreeBSD.org
:>> with "unsubscribe freebsd-stable" in the body of the message

--
Regards
O. Hartmann

ohartman@klima.physik.uni-mainz.de
------------------------------------------------------------------
IT Administration of the Institute for Atmospheric Physics (IPA)
------------------------------------------------------------------
Johannes Gutenberg Universitaet Mainz
Becherweg 21
55099 Mainz

Tel: +496131/3924662 (machine room)
Tel: +496131/3924144 (office)
FAX: +496131/3923532
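
Added example, not code from the thread: a small triage parser for the kind of sshd -d output quoted above, which reports where the session fails and what was negotiated. Both server logs show the denial after KEX done, at the first userauth-request, so host keys and ciphers are not the issue; on FreeBSD the 'Denied connection for ... from ...' line comes from sshd's login.access check, which is the place to look next to hosts.allow. The sample log below is constructed from lines quoted in the thread.

```python
import re

# Constructed sample: sshd -d -D lines taken from the server log quoted in the thread.
SAMPLE_SERVER_LOG = """\
debug1: kex: client->server 3des-cbc hmac-sha1 none
debug1: kex: server->client 3des-cbc hmac-sha1 none
debug1: KEX done
debug1: userauth-request for user ohartman service ssh-connection method none
debug1: Starting up PAM with username "ohartman"
Denied connection for ohartman from client1.zdv.uni-mainz.de [XX.XX.XX.XX].
Disconnecting: Sorry, you are not allowed to connect.
"""

KEX_RE = re.compile(r"kex: (client->server|server->client) (\S+) (\S+) (\S+)")
DENY_RE = re.compile(r"Denied connection for (\S+) from (\S+) \[([^\]]*)\]")
CLIENT_DISC_RE = re.compile(r"Received disconnect from \S+: \d+: (.*)")

def triage_sshd_debug(log_text):
    """Classify where a debug-mode sshd/ssh session fails and what was negotiated."""
    info = {"ciphers": {}, "kex_done": False, "userauth_seen": False,
            "denied": None, "disconnect": None}
    for line in log_text.splitlines():
        m = KEX_RE.search(line)
        if m:  # per-direction (cipher, mac) as negotiated in KEXINIT
            info["ciphers"][m.group(1)] = (m.group(2), m.group(3))
        if "KEX done" in line or "done: ssh_kex2" in line:
            info["kex_done"] = True
        if "userauth-request" in line:
            info["userauth_seen"] = True
        m = DENY_RE.search(line)
        if m:  # server-side access-control denial: user, reverse name, address
            info["denied"] = {"user": m.group(1), "host": m.group(2), "addr": m.group(3)}
        if line.startswith("Disconnecting:"):
            info["disconnect"] = line.split(":", 1)[1].strip()
        m = CLIENT_DISC_RE.search(line)
        if m:  # same reason as seen from the ssh client side
            info["disconnect"] = m.group(1).strip()
    # Directions whose cipher is not AES; Harald's point that 3des is unexpected
    info["non_aes"] = [d for d, (c, _) in info["ciphers"].items() if not c.startswith("aes")]
    if info["denied"] and info["kex_done"]:
        info["verdict"] = "access-control denial after key exchange"
    elif info["denied"]:
        info["verdict"] = "access-control denial"
    elif not info["kex_done"]:
        info["verdict"] = "key exchange did not complete"
    else:
        info["verdict"] = "no denial found"
    return info
```

A verdict of "access-control denial after key exchange" means regenerating host keys or changing ciphers will not help; check login.access and hosts.allow on the server instead.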

