From owner-freebsd-questions@freebsd.org Thu Aug 20 21:30:28 2015
Subject: Re: Strange SFTP and PAM failure
To: freebsd-questions@freebsd.org
From: Matthew Seaman
Message-ID: <55D6466F.9070200@FreeBSD.org>
Date: Thu, 20 Aug 2015 22:28:15 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
On 20/08/2015 21:50, Jaime Kikpole wrote:
> When I tried to make one of these failed connections, I saw this in
> /var/log/messages:
>
> Aug 20 16:37:48 apps sshd[564]: error: PAM: authentication error for
> <> from <>
> Aug 20 16:37:48 apps sshd[564]: error: Received disconnect from < of PowerSchool>>: 3: com.jcraft.jsch.JSchException: Auth cancel
> [preauth]
>
> Any idea what might be causing this?

Do you know what JDK is being used? IIRC OpenJDK-7 doesn't provide all the up to date and still considered secure ciphers. OpenJDK-8 might work better for you.

So, for instance, if you look at

https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org&s=149.20.54.209

and scroll down to the section showing browser compatibility, you'll see Java 6 and Java 7 won't work.

Now, SSH connections do not use TLS per se, but the principle is the same: disabling the older, less secure ciphers can result in older clients being locked out. There's some interesting discussion on

https://stribika.github.io/2015/01/04/secure-secure-shell.html

about why you might want to do that and how to maximize your security.
Note: blindly following the changes given in that blog posting probably *will* *not* help with your problem -- quite the reverse in fact. It's relevant here solely because of the explanations about what ciphers can still be trusted.

Cheers,

Matthew
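The lock-out Matthew describes follows directly from how SSH picks algorithms. As an added example that is not part of this thread, here is a small Python model of the negotiation rule (RFC 4253 section 7.1) run over a constructed hardened server list and a constructed old-client list; the names are real SSH algorithm identifiers, but neither list is copied from any particular sshd config or JSch/JDK version.

```python
"""Model SSH algorithm negotiation to see whether a hardened sshd
algorithm list still has anything in common with an older client."""


def negotiate(client_prefs, server_prefs):
    """RFC 4253 section 7.1: walk the client's preference list in order and
    choose the first name the server also offers. No common name means the
    connection fails before authentication (sshd logs it as [preauth])."""
    server_set = set(server_prefs)
    for name in client_prefs:
        if name in server_set:
            return name
    return None


def check_client(client, server):
    """Return {family: chosen-or-None} for the kex, cipher and mac families."""
    return {fam: negotiate(client[fam], server[fam])
            for fam in ("kex", "cipher", "mac")}


def lockout_reasons(client, server):
    """List the algorithm families with no overlap at all; a non-empty
    result means this client cannot connect regardless of credentials."""
    return [fam for fam, chosen in check_client(client, server).items()
            if chosen is None]


# Constructed sample: a server restricted to modern algorithms in the spirit
# of the linked blog post. Not taken from any real sshd_config.
HARDENED_SERVER = {
    "kex": ["curve25519-sha256@libssh.org",
            "diffie-hellman-group-exchange-sha256"],
    "cipher": ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com",
               "aes256-ctr"],
    "mac": ["hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com"],
}

# Constructed sample: what an older Java-based client might offer. This is
# illustrative only, not the real list of any JSch or JDK version.
OLD_CLIENT = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "cipher": ["aes128-ctr", "aes128-cbc", "3des-cbc"],
    "mac": ["hmac-md5", "hmac-sha1"],
}

if __name__ == "__main__":
    print(check_client(OLD_CLIENT, HARDENED_SERVER))
    print("no overlap in:", lockout_reasons(OLD_CLIENT, HARDENED_SERVER))
```

To check a real server, replace HARDENED_SERVER with the kexalgorithms, ciphers and macs lines printed by `sshd -T`, and the client side with whatever the failing client's SSH library actually advertises.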