Date: Tue, 22 May 2001 16:18:36 -0400 (EDT)
From: David Miller
To: stable@freebsd.org
Subject: 4.3R and ssh problems

I've got a pair of 4.3R systems which can't ssh to each other without using passwords. hq is the server and a debug session gives me:

su-2.05# sshd -d -d -d
debug1: sshd version OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug1: read DSA private key done
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from rs-1.mainexp.net port 1056
Connection from 192.168.1.2 port 1056
debug1: Client protocol version 1.5; client software version OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug1: match: OpenSSH_2.3.0 green@FreeBSD.org 20010321 pat ^OpenSSH[-_]2\.3
debug1: Local version string SSH-1.99-OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug1: Sent 768 bit public key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Starting up PAM with username "dmiller"
debug1: Attempting authentication for dmiller.

ssh -v from rs-1 for the same session gives me:

bash-2.05$ ssh -v hq.mainexp.net
SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 100 geteuid 100 anon 1
debug: Connecting to hq.mainexp.net [192.168.1.7] port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: match: OpenSSH_2.3.0 green@FreeBSD.org 20010321 pat ^OpenSSH[-_]2\.3
debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'hq.mainexp.net' is known and matches the RSA host key.
debug: Encryption type: blowfish
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Doing password authentication.
dmiller@hq.mainexp.net's password:

So why can't I connect without a password?

Machine 1 is:

su-2.05# uname -a
FreeBSD hq.mainexp.net 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Tue May 15 09:41:16 EDT 2001 dmiller@hq.sparks.net:/usr/src/sys/compile/HQ i386

machine 2 is rs-1.mainexp.net and the same version.

hq has sshd_configured with:

IgnoreRhosts no
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes

For the sake of completeness, pam.conf has the stock sshd entries:

# OpenSSH with PAM support requires similar modules. The session one is
# a bit strange, though...
sshd auth sufficient pam_skey.so
#sshd auth sufficient pam_kerberosIV.so try_first_pass
sshd auth required pam_unix.so try_first_pass
sshd session required pam_permit.so

The known_hosts files should be all set on both systems as I've ssh'd repeatedly between them and have all variations of the hostname and ip address included. DNS matches both forwards and backwards.

hq:~dmiller/.shosts is mode 600 and contains:

rs-1.mainexp.net dmiller
192.168.1.2 dmiller

Any pointers welcome, I've been pulling my hair out all afternoon on this. Surely something trivial?

--- David