Date: 08 Dec 2001 20:52:07 -0100
From: Harald Schmalzbauer <H@Schmalzbauer.de>
To: "Hartmann, O." <ohartman@klima.physik.uni-mainz.de>
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: SSHD problems on P4
Message-ID: <1007848327.618.14.camel@adm01.belenus.com>
In-Reply-To: <20011208214546.C15492-100000@klima.physik.uni-mainz.de>
References: <20011208214546.C15492-100000@klima.physik.uni-mainz.de>
On Sat, 2001-12-08 at 22:07, Hartmann, O. wrote:
*snip*
> debug1: Found key in /homes/ohartman/.ssh/known_hosts2:9
> debug1: bits set: 1001/2049
> debug1: len 55 datafellows 0
> debug1: ssh_dss_verify: signature correct
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT

OK: the problem is that the server doesn't know/suggest any authentication
mode. Look at /etc/pam.conf (*). But this doesn't explain why it's not
accepting/trying PK. Probably .ssh is missing in the home directory?
Is hosts.allow correct too?

Right now, I have no more ideas.

-Harry

*:
# OpenSSH with PAM support requires similar modules.  The session one is
# a bit strange, though...
sshd	auth		sufficient	pam_skey.so
#sshd	auth		sufficient	pam_kerberosIV.so	try_first_pass
sshd	auth		required	pam_unix.so		try_first_pass
sshd	account		required	pam_unix.so
sshd	password	required	pam_permit.so
sshd	session		required	pam_permit.so

# "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
csshd	auth		required	pam_skey.so

> Received disconnect from XX.XX.XX.XX: 2: Sorry, you are not allowed to connect.
> debug1: Calling cleanup 0x805a67c(0x0)
> --
>
> When I try to connect from the failing machine to itself, I get the same message ...
>
> I'm 'in sync' with the code, I think. I exchanged the config with the config offered by
> 'mergemaster', which comes from the source tree, and I created all host keys again - but
> with no effect ...
>
>
> CFLAGS=-O -pipe ... that's the only config option
>
>
> :>Hello, perhaps stupid, but have you checked hosts.allow?
> :>It's strange that your machines decided to use 3des. With OpenSSH 2.9,
> :>afaik, the default is AES (Rijndael). Did you compile it with special
> :>CFLAGS? Are you out of sync with OpenSSL?
> :>
> :>Have fun,
> :>
> :>-Harry
> :>
> :>On Sat, 2001-12-08 at 19:59, Hartmann, O. wrote:
> :>> Dear Sirs.
> :>>
> :>> We installed a new 2GHz P4 system with FreeBSD 4.4-RELEASE, then we
> :>> cvsupdated the code to FreeBSD 4.4-STABLE and made a world. This
> :>> machine, a new Dell Precision Workstation 340 with 512MB RIMM and 2 GHz
> :>> Intel P4 CPU, works fine with FreeBSD 4.4-STABLE (the system has at
> :>> boot time some problems to bootstrap, but this problem is not reproducible
> :>> and did not go away when enabling options PNPBIOS in the kernel; I
> :>> think this is a BIOS issue ...).
> :>>
> :>> Parallel to this machine we installed several other systems the same
> :>> way, but only on the Dell system is sshd not willing to allow
> :>> connections, while the ssh client can connect to the outside world.
> :>>
> :>> I switched sshd on the specific machine to debugging mode and got this:
> :>>
> :>> ---
> :>> root: /root: sshd -d -D
> :>> debug1: sshd version OpenSSH_2.9 FreeBSD localisations 20011202
> :>> debug1: read PEM private key done: type DSA
> :>> debug1: private host key: #0 type 2 DSA
> :>> debug1: private host key: #1 type 0 RSA1
> :>> debug1: Forcing server key to 1152 bits to make it differ from host key.
> :>> debug1: Bind to port 22 on XX.XX.XX.XX.
> :>> Server listening on XX.XX.XX.XX port 22.
> :>> Generating 1152 bit RSA key.
> :>> RSA key generation complete.
> :>> ---
> :>>
> :>> Then I try to connect from a client (a machine of our computer center)
> :>> and use ssh2 -vv destination.machine.de
> :>>
> :>> ---
> :>> debug: connecting to client01.physik.uni-mainz.de...
> :>> debug: entering event loop
> :>> debug: ssh_client_wrap: creating transport protocol
> :>> debug: SshAuthMethodClient/sshauthmethodc.c:116: Added "publickey" to usable methods.
> :>> debug: SshAuthMethodClient/sshauthmethodc.c:116: Added "password" to usable methods.
> :>> debug: Ssh2Client/sshclient.c:1142: creating userauth protocol
> :>> debug: Ssh2Common/sshcommon.c:501: local ip = XX.XX.XX.XX, local port = 4039
> :>> debug: Ssh2Common/sshcommon.c:503: remote ip = XX.XX.XX.XX, remote port = 22
> :>> debug: SshConnection/sshconn.c:1866: Wrapping...
> :>> warning: Warning: Need basic cursor movement capablity, using vt100
> :>> debug: Ssh2Transport/trcommon.c:599: Remote version: SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
> :>> debug: Ssh2Transport/trcommon.c:789: Remote version has rekey incompatibility bug.
> :>> debug: Ssh2Transport/trcommon.c:1118: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
> :>> debug: Ssh2Transport/trcommon.c:1121: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
> :>> debug: Ssh2Client/sshclient.c:406: Host key found from database.
> :>> debug: Ssh2Common/sshcommon.c:305: Received SSH_CROSS_STARTUP packet from connection protocol.
> :>> debug: Ssh2Common/sshcommon.c:355: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
> :>> debug: Ssh2Common/sshcommon.c:137: DISCONNECT received: Sorry, you are not allowed to connect.
> :>> warning: Authentication failed.
> :>> debug: Ssh2/ssh2.c:84: locally_generated = FALSE
> :>> Disconnected; protocol error (Sorry, you are not allowed to connect.).
> :>> debug: uninitializing event loop
> :>> ---
> :>>
> :>> This is the output of the daemon on the server side:
> :>>
> :>> ---
> :>> root: /root: sshd -d -D
> :>> debug1: sshd version OpenSSH_2.9 FreeBSD localisations 20011202
> :>> debug1: read PEM private key done: type DSA
> :>> debug1: private host key: #0 type 2 DSA
> :>> debug1: private host key: #1 type 0 RSA1
> :>> debug1: Forcing server key to 1152 bits to make it differ from host key.
> :>> debug1: Bind to port 22 on XX.XX.XX.XX.
> :>> Server listening on XX.XX.XX.XX port 22.
> :>> Generating 1152 bit RSA key.
> :>> RSA key generation complete.
> :>> debug1: Server will not fork when running in debugging mode.
> :>> Connection from client1.zdv.Uni-Mainz.DE port 4039
> :>> Connection from XX.XX.XX.XX port 4039
> :>> debug1: Client protocol version 1.99; client software version 2.4.0 SSH Secure Shell (non-commercial)
> :>> debug1: match: 2.4.0 SSH Secure Shell (non-commercial) pat ^2\.[2-9]\.
> :>> Enabling compatibility mode for protocol 2.0
> :>> debug1: Local version string SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
> :>> debug1: Rhosts Authentication disabled, originating port not trusted.
> :>> debug1: list_hostkey_types: ssh-dss
> :>> debug1: SSH2_MSG_KEXINIT sent
> :>> debug1: SSH2_MSG_KEXINIT received
> :>> debug1: kex: client->server 3des-cbc hmac-sha1 none
> :>> debug1: kex: server->client 3des-cbc hmac-sha1 none
> :>> debug1: dh_gen_key: priv key bits set: 187/384
> :>> debug1: bits set: 512/1024
> :>> debug1: expecting SSH2_MSG_KEXDH_INIT
> :>> debug1: bits set: 503/1024
> :>> debug1: sig size 20 20
> :>> debug1: kex_derive_keys
> :>> debug1: newkeys: mode 1
> :>> debug1: SSH2_MSG_NEWKEYS sent
> :>> debug1: waiting for SSH2_MSG_NEWKEYS
> :>> debug1: newkeys: mode 0
> :>> debug1: SSH2_MSG_NEWKEYS received
> :>> debug1: KEX done
> :>> debug1: userauth-request for user ohartman service ssh-connection method none
> :>> debug1: attempt 0 failures 0
> :>> debug1: Starting up PAM with username "ohartman"
> :>> Denied connection for ohartman from client1.zdv.uni-mainz.de [XX.XX.XX.XX].
> :>> Disconnecting: Sorry, you are not allowed to connect.
> :>> debug1: Calling cleanup 0x8059ba0(0x0)
> :>> debug1: Calling cleanup 0x8060c54(0x0)
> :>> ---
> :>>
> :>> The frustrating thing is that I did a parallel installation with an older
> :>> system based on an AMD K6-2/550 and it works! It is always the same
> :>> ssh configuration on all machines: I copy a sshd_config file to each machine
> :>> and replace the interface part with the appropriate IP, that's it. A diff
> :>> of a working and a non-working config showed this line as the only one that
> :>> differs.
> :>>
> :>> On a working sshd (switched to sshd -d -D) I see another
> :>>
> :>> 'userauth-request for user ohartman service ssh-connection method none'
> :>>
> :>> line; it shows a kind of protocol and so on.
> :>>
> :>> I tried to disable SSE in the kernel, but that did not help.
> :>>
> :>> Well, it looks strange to me .. :-(
> :>>
> :>> Thanks in advance for your comments and help.
> :>>
> :>> Oliver
> :>>
> :>>
> :>> --
> :>> Regards
> :>> O. Hartmann
> :>>
> :>> ohartman@klima.physik.uni-mainz.de
> :>> ----------------------------------------------------------------
> :>> IT Administration of the Institut fuer Physik der Atmosphaere (IPA)
> :>> ----------------------------------------------------------------
> :>> Johannes Gutenberg Universitaet Mainz
> :>> Becherweg 21
> :>> 55099 Mainz
> :>>
> :>> Tel: +496131/3924662 (machine room)
> :>> Tel: +496131/3924144
> :>> FAX: +496131/3923532
> :>>
> :>>
> :>> To Unsubscribe: send mail to majordomo@FreeBSD.org
> :>> with "unsubscribe freebsd-stable" in the body of the message
> :>>
> :>
>
> --
> Regards
> O. Hartmann
>
> ohartman@klima.physik.uni-mainz.de
> ------------------------------------------------------------------
> IT Administration of the Institut fuer Physik der Atmosphaere (IPA)
> ------------------------------------------------------------------
> Johannes Gutenberg Universitaet Mainz
> Becherweg 21
> 55099 Mainz
>
> Tel: +496131/3924662 (machine room)
> Tel: +496131/3924144 (office)
> FAX: +496131/3923532
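Harry's reading of the server transcript above is that the session got through key exchange and then died at the very first "none" userauth probe, before the server offered any authentication method, which points at a host/user access check rather than at keys or ciphers. The classifier below is an added example, not code from this thread or from OpenSSH: it walks a `sshd -d` transcript and reports at which phase the connection was lost. The marker strings "KEX done", "userauth-request for user ... method ...", "Denied connection for ... from ..." and "Disconnecting: ..." are taken from the server output posted in the thread; the "Accepted ..." success pattern and the two extra sample transcripts are constructed assumptions for illustration.

```python
"""Classify where an OpenSSH "sshd -d" session transcript failed.

Added example for the thread above; not OpenSSH code. Marker strings for
KEX completion, userauth requests, denial and disconnect come from the
server transcript in the thread. The "Accepted ..." pattern and the
SAMPLE_KEXFAIL / SAMPLE_AUTHFAIL transcripts are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

KEX_DONE = "KEX done"
USERAUTH_RE = re.compile(r"userauth-request for user (\S+) service (\S+) method (\S+)")
DENIED_RE = re.compile(r"^Denied connection for (\S+) from (\S+)")
DISCONNECT_RE = re.compile(r"^Disconnecting: (.*)$")
ACCEPTED_RE = re.compile(r"^Accepted (\S+) for (\S+)")  # assumed success line


@dataclass
class Verdict:
    # "transport", "access-policy", "authentication", "success" or "incomplete"
    phase: str
    user: Optional[str]
    methods: List[str] = field(default_factory=list)
    reason: Optional[str] = None


def classify(lines: List[str]) -> Verdict:
    """Walk the transcript in order and decide which phase the failure belongs to."""
    kex_done = False
    user = None
    methods: List[str] = []
    denied = False
    reason = None
    accepted = False
    for raw in lines:
        line = raw.strip()
        if line.endswith(KEX_DONE):
            kex_done = True  # ciphers, host key and DH all agreed
            continue
        m = USERAUTH_RE.search(line)
        if m:
            user = m.group(1)
            methods.append(m.group(3))  # "none" is the client's method probe
            continue
        if DENIED_RE.match(line):
            denied = True
            continue
        m = DISCONNECT_RE.match(line)
        if m:
            reason = m.group(1)
            continue
        if ACCEPTED_RE.match(line):
            accepted = True
    if accepted:
        return Verdict("success", user, methods, None)
    if not kex_done:
        # Died before key exchange finished: cipher/MAC/host-key mismatch territory.
        return Verdict("transport", user, methods, reason)
    if denied and methods == ["none"]:
        # Rejected at the probe, before any real method was offered or tried:
        # a host/user access policy decision, not a key or cipher problem.
        return Verdict("access-policy", user, methods, reason)
    if methods and methods != ["none"]:
        # Real methods were attempted and failed.
        return Verdict("authentication", user, methods, reason)
    return Verdict("incomplete", user, methods, reason)


# Tail of the server transcript posted in the thread (quote prefixes stripped).
SAMPLE_DENIED = [
    "debug1: KEX done",
    "debug1: userauth-request for user ohartman service ssh-connection method none",
    "debug1: attempt 0 failures 0",
    'debug1: Starting up PAM with username "ohartman"',
    "Denied connection for ohartman from client1.zdv.uni-mainz.de [XX.XX.XX.XX].",
    "Disconnecting: Sorry, you are not allowed to connect.",
]

# Constructed: a session that never completes key exchange.
SAMPLE_KEXFAIL = [
    "debug1: SSH2_MSG_KEXINIT sent",
    "debug1: SSH2_MSG_KEXINIT received",
    "Disconnecting: no matching cipher found",
]

# Constructed: key exchange fine, real methods tried and all refused.
SAMPLE_AUTHFAIL = [
    "debug1: KEX done",
    "debug1: userauth-request for user bob service ssh-connection method none",
    "debug1: userauth-request for user bob service ssh-connection method publickey",
    "debug1: userauth-request for user bob service ssh-connection method password",
    "Disconnecting: Too many authentication failures for bob",
]

if __name__ == "__main__":
    for name, sample in (("denied", SAMPLE_DENIED), ("kexfail", SAMPLE_KEXFAIL),
                         ("authfail", SAMPLE_AUTHFAIL)):
        print(name, classify(sample))
```

Run against the posted transcript it returns "access-policy" for user ohartman with the disconnect reason "Sorry, you are not allowed to connect.", which is the distinction Harry draws: the server never got as far as advertising publickey or password, so fixing keys or ~/.ssh on the client cannot be the whole story.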
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1007848327.618.14.camel>