From owner-freebsd-stable Fri Sep 14 13:48:20 2001
From: "Conrado Vardanega"
Subject: Re: Disallowed any service (not ssh), part III
Date: Fri, 14 Sep 2001 17:34:47 -0300
In-Reply-To: <20010914192732.A15392@walton.maths.tcd.ie>
Sender: owner-freebsd-stable@FreeBSD.ORG

Here are the outputs. Please be aware this problem isn't related to
ssh/ssl, because the same problem applies to ftp/telnet. Debug output for
both ssh versions 1 and 2 follows.

--- SSHD DEBUG | client: "ssh ..."

# sshd -d
debug1: sshd version OpenSSH_2.3.0 FreeBSD localisations 20010713
debug1: read DSA private key done
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from rock port 1029
Connection from 192.168.3.1 port 1029
debug1: Client protocol version 1.5; client software version OpenSSH_2.3.0 FreeBSD localisations 20010713
debug1: match: OpenSSH_2.3.0 FreeBSD localisations 20010713 pat ^OpenSSH[-_]2\.3
debug1: Local version string SSH-1.99-OpenSSH_2.3.0 FreeBSD localisations 20010713
debug1: Sent 768 bit public key and 1024 bit host key.
debug1: Encryption type: 3des
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Starting up PAM with username "cvarda"
debug1: Attempting authentication for cvarda.
Denied connection for cvarda from rock [192.168.3.1].
Disconnecting: Sorry, you are not allowed to connect.
debug1: Calling cleanup 0x8058314(0x0)
debug1: Calling cleanup 0x805e70c(0x0)

--- SSHD DEBUG | client: "ssh -2 ..."

debug1: sshd version OpenSSH_2.3.0 FreeBSD localisations 20010713
debug1: read DSA private key done
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from rock port 1030
Connection from 192.168.3.1 port 1030
debug1: Client protocol version 2.0; client software version OpenSSH_2.3.0 FreeBSD localisations 20010713
debug1: match: OpenSSH_2.3.0 FreeBSD localisations 20010713 pat ^OpenSSH[-_]2\.3
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.3.0 FreeBSD localisations 20010713
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug1: got kexinit: none
debug1: got kexinit: none
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug1: kex: client->server 3des-cbc hmac-sha1 none
debug1: kex: server->client 3des-cbc hmac-sha1 none
debug1: Wait SSH2_MSG_KEX_DH_GEX_REQUEST.
/etc/ssh/primes: No such file or directory
WARNING: /etc/ssh/primes does not exist, using old prime
debug1: bits set: 503/1024
debug1: Sending SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: Wait SSH2_MSG_KEX_DH_GEX_INIT.
debug1: bits set: 504/1024
debug1: sig size 20 20
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: userauth-request for user cvarda service ssh-connection method none
debug1: attempt #1
debug1: Starting up PAM with username "cvarda"
Denied connection for cvarda from rock [192.168.3.1].
Disconnecting: Sorry, you are not allowed to connect.
debug1: Calling cleanup 0x8058314(0x0)
debug1: Calling cleanup 0x805e70c(0x0)

---
Conrado Vardanega
cvarda@ig.com.br
http://go.to/conrado

> -----Original Message-----
> From: dwmalone@maths.tcd.ie [mailto:dwmalone@maths.tcd.ie]
> Sent: Friday, September 14, 2001 15:28
> To: Conrado Vardanega
> Subject: Re: Disallowed any service (not ssh), part III
>
>
> On Fri, Sep 14, 2001 at 01:44:59AM -0300, Conrado Vardanega wrote:
> > Hi there.
> >
> > My machine (192.168.3.5) accesses FTP, Telnet and SSH on the server
> > (192.168.3.1), with any user account. The same accounts, from any other
> > machine, have access denied (they begin the login process and fail login
> > after password).
> >
> > Why can I get access to services (ssh/ftp/telnet etc.) only from my
> > workstation?
>
> You could try the following:
>
> Kill sshd on 192.168.3.1 and then run "sshd -d". This will run sshd
> in the foreground and only allow one login while outputting debugging
> information. First log in using ssh from 192.168.3.5 and record
> the output. Then run "sshd -d" again and log in from another machine.
> Record the output of this and diff it with the first output you
> collected. Seeing where they differ should give you some clue as
> to what is happening. If you send me the output of both then I'll
> try to see where in sshd the difference could arise.
>
> David.
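
The comparison suggested in the quoted reply (capture "sshd -d" output for a working and a failing login, then diff the two), as an added example that is not part of the original thread. The function names, the masking tokens and the working-login transcript are assumptions constructed for illustration; the failing-login lines are taken from the protocol 1 output above.

```shell
#!/bin/sh
# Added example (not from the thread): diff two "sshd -d" transcripts after
# masking values that change on every connection.

# Replace client address, hostname, source port, DH bit counts and cleanup
# pointers with fixed tokens so only behavioural differences remain.
normalize_sshd_log() {
    sed -E \
        -e 's/[0-9]{1,3}(\.[0-9]{1,3}){3}/<ADDR>/g' \
        -e 's/from [^ ]+ (port|\[)/from <HOST> \1/' \
        -e 's/port [0-9]+/port <PORT>/g' \
        -e 's/bits set: [0-9]+\/[0-9]+/bits set: <N>/' \
        -e 's/0x[0-9a-fA-F]+/<PTR>/g' \
        "$1"
}

# Print the first normalized line that appears only in the failing transcript.
first_divergence() {
    good=$(mktemp "${TMPDIR:-/tmp}/sshd-good.XXXXXX") || return 1
    bad=$(mktemp "${TMPDIR:-/tmp}/sshd-bad.XXXXXX") || return 1
    normalize_sshd_log "$1" > "$good"
    normalize_sshd_log "$2" > "$bad"
    diff "$good" "$bad" | awk '/^> /{print substr($0, 3); exit}'
    rm -f "$good" "$bad"
}

WORK=$(mktemp -d "${TMPDIR:-/tmp}/sshd-diff.XXXXXX")

# Constructed transcript of a login that works (from 192.168.3.5).
cat > "$WORK/good.log" <<'EOF'
Connection from 192.168.3.5 port 1027
debug1: Starting up PAM with username "cvarda"
debug1: Attempting authentication for cvarda.
Accepted password for cvarda from 192.168.3.5 port 1027
EOF

# Failing login, lines taken from the protocol 1 output in the post.
cat > "$WORK/bad.log" <<'EOF'
Connection from 192.168.3.1 port 1029
debug1: Starting up PAM with username "cvarda"
debug1: Attempting authentication for cvarda.
Denied connection for cvarda from rock [192.168.3.1].
Disconnecting: Sorry, you are not allowed to connect.
EOF

first_divergence "$WORK/good.log" "$WORK/bad.log"
```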