Date: Thu, 20 Aug 2015 22:28:15 +0100
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: Strange SFTP and PAM failure
Message-ID: <55D6466F.9070200@FreeBSD.org>
In-Reply-To: <CA%2Bsg5RQ-yMgsbq5VA-SNDDkUaYcVJUEPAe-iqfDLR1EFuVyCTg@mail.gmail.com>

On 20/08/2015 21:50, Jaime Kikpole wrote:
> When I tried to make one of these failed connections, I saw this in
> /var/log/messages:
>
> Aug 20 16:37:48 apps sshd[564]: error: PAM: authentication error for
> <<username>> from <<IP of PowerSchool>>
> Aug 20 16:37:48 apps sshd[564]: error: Received disconnect from <<IP
> of PowerSchool>>: 3: com.jcraft.jsch.JSchException: Auth cancel
> [preauth]
>
> Any idea what might be causing this?

Do you know what JDK is being used? IIRC OpenJDK-7 doesn't provide all
the up to date and still considered secure ciphers. OpenJDK-8 might
work better for you.

So, for instance if you look at
https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org&s=149.20.54.209
and scroll down to the section showing browser compatibility, you'll see
Java 6 and Java 7 won't work.

Now, SSH connections do not use TLS per se, but the principle is the
same: disabling the older, less secure ciphers can result in older
clients being locked out. There's some interesting discussion on
https://stribika.github.io/2015/01/04/secure-secure-shell.html about why
you might want to do that and how to maximize your security.

Note: blindly following the changes given in that blog posting probably
*will* *not* help with your problem -- quite the reverse in fact. It's
relevant here solely because of the explanations about what ciphers can
still be trusted.

Cheers,

Matthew
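
The lock-out principle described in the message above, as an added example that is not part of the original e-mail: a sketch of SSH algorithm selection (RFC 4253, section 7.1) that reports which categories have no algorithm in common. Every algorithm list here is a constructed sample, not the real offer of any JSch, JDK or sshd version, and the function names are hypothetical.

```python
# Added example. SSH picks, per category, the first algorithm on the
# client's list that the server also offers (RFC 4253 section 7.1).
# Simplified: ignores the extra host-key conditions on key exchange and
# the fact that AEAD ciphers make the MAC choice irrelevant.

CATEGORIES = ("kexalgorithms", "ciphers", "macs")

# Constructed sample in the "keyword value" format printed by `sshd -T`,
# imitating a server with older algorithms disabled.
SERVER_SSHD_T = """\
port 22
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
"""

# Constructed sample offers for an older and a newer client.
OLD_CLIENT = {
    "kexalgorithms": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "ciphers": ["aes128-ctr", "aes128-cbc", "3des-cbc"],
    "macs": ["hmac-md5", "hmac-sha1", "hmac-sha2-256"],
}
NEW_CLIENT = {
    "kexalgorithms": ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1"],
    "ciphers": ["aes256-ctr", "aes128-ctr"],
    "macs": ["hmac-sha2-256", "hmac-sha1"],
}

def parse_sshd_t(text):
    """Parse `sshd -T` style output into {keyword: [algorithms]}."""
    offered = {}
    for line in text.splitlines():
        keyword, _, value = line.strip().partition(" ")
        if keyword.lower() in CATEGORIES:
            offered[keyword.lower()] = [a for a in value.strip().split(",") if a]
    return offered

def negotiate(client, server):
    """Return {category: chosen algorithm, or None when nothing matches}."""
    chosen = {}
    for cat in CATEGORIES:
        server_set = set(server.get(cat, []))
        chosen[cat] = next((a for a in client.get(cat, []) if a in server_set), None)
    return chosen

def locked_out(chosen):
    """Categories with no common algorithm; any entry means the handshake fails."""
    return [cat for cat in CATEGORIES if chosen[cat] is None]

if __name__ == "__main__":
    server = parse_sshd_t(SERVER_SSHD_T)
    for name, client in (("old", OLD_CLIENT), ("new", NEW_CLIENT)):
        result = negotiate(client, server)
        print(name, result, "no overlap in:", locked_out(result) or "none")
```

To use it against a real server, feed the output of `sshd -T` to `parse_sshd_t` and replace the client dictionaries with the lists the client in question actually offers.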
