Date: Mon, 17 Mar 2003 14:35:07 -0500 From: "John Straiton" <jsmailing@clickcom.com> To: <freebsd-questions@FreeBSD.ORG> Subject: RE: SSH woes Message-ID: <005901c2ecbc$5441f250$1916c60a@win2k.clickcom.com> In-Reply-To: <004c01c2ecb9$7174a550$1916c60a@win2k.clickcom.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Last followup to myself ( I can only hope these followups will save someone else from wasting most of their Sunday as well ) If I log in as myself, then %su testuser Password: %ssh 209.198.xxx.xxx It works fine. It was ONLY if I logged in as myself then: %su Password: #su testuser %ssh 209.198.xxx.xxx That it wouldn't ask for the password and would fail. I guess something is very special about "root" 's interaction with the client connections. Maybe config or enviroment that I'm missing? John Straiton jks@clickcom.com Clickcom, Inc 704-365-9970x101 > -----Original Message----- > From: owner-freebsd-questions@FreeBSD.ORG > [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of > John Straiton > Sent: Monday, March 17, 2003 2:14 PM > To: freebsd-questions@FreeBSD.ORG > Subject: RE: SSH woes > > > (Problem solved, still confused as to why it didn't work) > > As a follow up to my own post, I created a new user "testing" > and tried this thing again. The user "testing" has never > existed in the past however after adding this user to both > machines, then copying /root/.ssh/known_hosts to > /home/testing/.ssh/ then doing a > # su testing > % ssh 209.198.xxx.xxx > Permission denied, please try again. > Permission denied, please try again. > Permission denied (publickey,password,keyboard-interactive). > $ > > Again, no prompting for password. So I tried something else: > > # ssh localhost -l testuser > Password: > Last login: Mon Mar 17 13:31:08 2003 from MYWORKSTATION > Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 > The Regents of the University of California. All > rights reserved. > > FreeBSD 5.0-RELEASE (MACHINE1) #0: Sun Mar 16 21:05:33 EST > 2003 %ssh 209.198.xxx.xxx Copyright (c) 1980, 1983, 1986, > 1988, 1990, 1991, 1993, 1994 > The Regents of the University of California. All > rights reserved. > > FreeBSD 4.8-RC (MACHINE2) #0: Sun Mar 16 21:05:33 EST 2003 > % > > WOW! It works, but not if I # su testuser, only if I'm truly > logged in as that user. I figured then it must be some > enviroment variable that's getting set but the difference > between the logged in enviroment vs the su'ed enviroment is > as follows: > > +LOGNAME=testuser > -LOGNAME=jks > +GROUP=testuser > -GROUP=unknown > > Doesn't look like enough to keep the connection from working. > When root connects the GROUP is set to unkown as well. Then I tried > > #su - testuser > %env > > And got the same results as when I logged in via ssh (as > shown above). > > So basically what this is telling me was that I fixed the > problem long ago but my use of su username for testing as > opposed to acutally logging in as that user has kept it from > working all this time. *sigh* Talk about chasing my own tail... > > I still don't understand why even doing a > #su - testuser > Doesn't work, but it's now my curiosity feeding further > research as opposed to necessity. > > John Straiton > jks@clickcom.com > Clickcom, Inc > 704-365-9970x101 > > -----Original Message----- > > From: owner-freebsd-questions@FreeBSD.ORG > > [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of John > > Straiton > > Sent: Monday, March 17, 2003 11:33 AM > > To: freebsd-questions@FreeBSD.ORG > > Subject: SSH woes > > > > > > I continue to have problems with SSH authentication. The behavior is > > outside the normal I'm used to. Here's what's going on: > > > > I'm trying to ssh from MACHINE1 to MACHINE2 as user "testuser". > > > > Now here's the funny thing: > > > su > > Password: > > MACHINE1# ssh 209.198.xxx.xxx -l testuser > > Password: > > Last login: Mon Mar 17 11:17:05 2003 from chasm > > Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 > > The Regents of the University of California. All rights > > reserved. > > > > > > > Now on the same machine: > > >exit > > #su testuser > > %ssh 209.198.xxx.xxx > > Permission denied, please try again. > > Permission denied, please try again. > > Permission denied (publickey,password,keyboard-interactive). > > % > > > > Why in the world would the login prompted for a password when I'm as > > root specifying a login, and then I wouldn't even be prompted for a > > password when I'm su'ed as the user? > > > > I thought at first maybe it was because this account *used > > to* auto-login, however if you look at the remote machine's > > /home/testuser/.ssh directory, it's empty (ie , no > authorized_keys). > > On the client machine, it's only got "known_hosts" in there. > > > > Thoughts? I'm attaching the verbose debug for the client side as the > > user & as root > > > > John Straiton > > jks@clickcom.com > > Clickcom, Inc > > 704-365-9970x101 > > > > > > > > > > > > %ssh -vvv MACHINE2 > > OpenSSH_3.5p1 FreeBSD-20021029, SSH protocols 1.5/2.0, OpenSSL > > 0x0090607f > > debug1: Reading configuration data /etc/ssh/ssh_config > > debug1: Applying options for * > > debug3: cipher ok: aes128-cbc > > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > > bc,aes256- > > cbc] > > debug3: cipher ok: 3des-cbc > > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > > bc,aes256- > > cbc] > > debug3: cipher ok: blowfish-cbc > > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > > bc,aes256- > > cbc] > > debug3: cipher ok: cast128-cbc > > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > > bc,aes256- > > cbc] > > debug3: cipher ok: arcfour > > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > > bc,aes256- > > cbc] > > debug3: cipher ok: aes192-cbc > > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > > bc,aes256- > > cbc] > > debug3: cipher ok: aes256-cbc > > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > > bc,aes256- > > cbc] > > debug3: ciphers ok: > > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > > bc,aes256- > > cbc] > > debug1: Rhosts Authentication disabled, originating port will > > not be trusted. > > debug1: ssh_connect: needpriv 0 > > debug1: Connecting to MACHINE2 [209.198.xxx.xxx] port 22. > > debug1: Connection established. > > debug1: identity file /home/testuser/.ssh/identity type -1 > > debug1: identity file /home/testuser/.ssh/id_rsa type -1 > > debug1: identity file /home/testuser/.ssh/id_dsa type -1 > > debug1: Remote protocol version 1.99, remote software version > > OpenSSH_3.5p1 FreeBSD-20030201 > > debug1: match: OpenSSH_3.5p1 FreeBSD-20030201 pat OpenSSH* > > debug1: Enabling compatibility mode for protocol 2.0 > > debug1: Local version string SSH-2.0-OpenSSH_3.5p1 FreeBSD-20021029 > > debug1: SSH2_MSG_KEXINIT sent > > debug1: SSH2_MSG_KEXINIT received > > debug2: kex_parse_kexinit: > > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 > > debug2: kex_parse_kexinit: ssh-dss,ssh-rsa > > debug2: kex_parse_kexinit: > > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cb > > c,aes256-c > > bc > > debug2: kex_parse_kexinit: > > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cb > > c,aes256-c > > bc > > debug2: kex_parse_kexinit: > > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,h > > mac-sha1-9 > > 6,hmac-md5-96 > > debug2: kex_parse_kexinit: > > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,h > > mac-sha1-9 > > 6,hmac-md5-96 > > debug2: kex_parse_kexinit: none,zlib > > debug2: kex_parse_kexinit: none,zlib > > debug2: kex_parse_kexinit: > > debug2: kex_parse_kexinit: > > debug2: kex_parse_kexinit: first_kex_follows 0 > > debug2: kex_parse_kexinit: reserved 0 > > debug2: kex_parse_kexinit: > > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 > > debug2: kex_parse_kexinit: ssh-dss > > debug2: kex_parse_kexinit: > > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cb > > c,aes256-c > > bc,rijndael-cbc@lysator.liu.se > > debug2: kex_parse_kexinit: > > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cb > > c,aes256-c > > bc,rijndael-cbc@lysator.liu.se > > debug2: kex_parse_kexinit: > > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,h > > mac-sha1-9 > > 6,hmac-md5-96 > > debug2: kex_parse_kexinit: > > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,h > > mac-sha1-9 > > 6,hmac-md5-96 > > debug2: kex_parse_kexinit: none,zlib > > debug2: kex_parse_kexinit: none,zlib > > debug2: kex_parse_kexinit: > > debug2: kex_parse_kexinit: > > debug2: kex_parse_kexinit: first_kex_follows 0 > > debug2: kex_parse_kexinit: reserved 0 > > debug2: mac_init: found hmac-md5 > > debug1: kex: server->client aes128-cbc hmac-md5 none > > debug2: mac_init: found hmac-md5 > > debug1: kex: client->server aes128-cbc hmac-md5 none > > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent > > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > > debug1: dh_gen_key: priv key bits set: 133/256 > > debug1: bits set: 1630/3191 > > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > > debug3: check_host_in_hostfile: filename > > /home/testuser/.ssh/known_hosts > > debug3: check_host_in_hostfile: match line 1 > > debug1: Host '209.198.xxx.xxx' is known and matches the DSA > host key. > > debug1: Found key in /home/testuser/.ssh/known_hosts:1 > > debug1: bits set: 1566/3191 > > debug1: ssh_dss_verify: signature correct > > debug1: kex_derive_keys > > debug1: newkeys: mode 1 > > debug1: SSH2_MSG_NEWKEYS sent > > debug1: waiting for SSH2_MSG_NEWKEYS > > debug1: newkeys: mode 0 > > debug1: SSH2_MSG_NEWKEYS received > > debug1: done: ssh_kex2. > > debug1: send SSH2_MSG_SERVICE_REQUEST > > debug1: service_accept: ssh-userauth > > debug1: got SSH2_MSG_SERVICE_ACCEPT > > debug1: authentications that can continue: > > publickey,password,keyboard-interactive > > debug3: start over, passed a different list > > publickey,password,keyboard-interactive > > debug3: preferred publickey,keyboard-interactive,password > > debug3: authmethod_lookup publickey > > debug3: remaining preferred: keyboard-interactive,password > > debug3: authmethod_is_enabled publickey > > debug1: next auth method to try is publickey > > debug1: try privkey: /home/testuser/.ssh/identity > > debug3: no such identity: /home/testuser/.ssh/identity > > debug1: try privkey: /home/testuser/.ssh/id_rsa > > debug3: no such identity: /home/testuser/.ssh/id_rsa > > debug1: try privkey: /home/testuser/.ssh/id_dsa > > debug3: no such identity: /home/testuser/.ssh/id_dsa > > debug2: we did not send a packet, disable method > > debug3: authmethod_lookup keyboard-interactive > > debug3: remaining preferred: password > > debug3: authmethod_is_enabled keyboard-interactive > > debug1: next auth method to try is keyboard-interactive > > debug2: userauth_kbdint > > debug2: we sent a keyboard-interactive packet, wait for reply > > debug2: input_userauth_info_req > > debug2: input_userauth_info_req: num_prompts 1 > > debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64) > > debug1: authentications that can continue: > > publickey,password,keyboard-interactive > > debug2: userauth_kbdint > > debug2: we sent a keyboard-interactive packet, wait for reply > > debug2: input_userauth_info_req > > debug2: input_userauth_info_req: num_prompts 1 > > debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64) > > debug1: authentications that can continue: > > publickey,password,keyboard-interactive > > debug2: userauth_kbdint > > debug2: we sent a keyboard-interactive packet, wait for reply > > debug2: input_userauth_info_req > > debug2: input_userauth_info_req: num_prompts 1 > > debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64) > > debug1: authentications that can continue: > > publickey,password,keyboard-interactive > > debug2: we did not send a packet, disable method > > debug3: authmethod_lookup password > > debug3: remaining preferred: > > debug3: authmethod_is_enabled password > > debug1: next auth method to try is password > > debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64) > > debug2: we sent a password packet, wait for reply > > debug1: authentications that can continue: > > publickey,password,keyboard-interactive > > Permission denied, please try again. > > debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64) > > debug2: we sent a password packet, wait for reply > > debug1: authentications that can continue: > > publickey,password,keyboard-interactive > > Permission denied, please try again. > > debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64) > > debug2: we sent a password packet, wait for reply > > debug1: authentications that can continue: > > publickey,password,keyboard-interactive > > debug2: we did not send a packet, disable method > > debug1: no more auth methods to try > > Permission denied (publickey,password,keyboard-interactive). > > debug1: Calling cleanup 0x804c704(0x0) > > % > > > > I'll just show where it gets interesting on this one: > > > > #ssh -vvv 209.198.xxx.xxx -l testuser > > debug1: authentications that can continue: > > publickey,password,keyboard-interactive > > debug3: start over, passed a different list > > publickey,password,keyboard-interactive > > debug3: preferred publickey,keyboard-interactive,password > > debug3: authmethod_lookup publickey > > debug3: remaining preferred: keyboard-interactive,password > > debug3: authmethod_is_enabled publickey > > debug1: next auth method to try is publickey > > debug1: try privkey: /root/.ssh/identity > > debug3: no such identity: /root/.ssh/identity > > debug1: try privkey: /root/.ssh/id_rsa > > debug3: no such identity: /root/.ssh/id_rsa > > debug1: try privkey: /root/.ssh/id_dsa > > debug3: no such identity: /root/.ssh/id_dsa > > debug2: we did not send a packet, disable method > > debug3: authmethod_lookup keyboard-interactive > > debug3: remaining preferred: password > > debug3: authmethod_is_enabled keyboard-interactive > > debug1: next auth method to try is keyboard-interactive > > debug2: userauth_kbdint > > debug2: we sent a keyboard-interactive packet, wait for reply > > debug2: input_userauth_info_req > > debug2: input_userauth_info_req: num_prompts 1 > > Password: > > debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64) > > debug2: input_userauth_info_req > > debug2: input_userauth_info_req: num_prompts 0 > > debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64) > > debug1: ssh-userauth2 successful: method keyboard-interactive > > debug1: channel 0: new [client-session] > > debug3: ssh_session2_open: channel_new: 0 > > debug1: send channel open 0 > > debug1: Entering interactive session. > > debug2: callback start > > debug1: ssh_session2_setup: id 0 > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-questions" in the body of the message > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?005901c2ecbc$5441f250$1916c60a>