I hooked up my old server box today so that I could update the software,
only to find that I could not ssh over to it:

michael@camille ~ $ ssh bullet
Permission denied (publickey,keyboard-interactive).

There were no 'official' logs, but a website I found on Google suggested
running

/usr/sbin/sshd -ddd -p 2202

and then trying to shell over with

ssh -p 2202 <boxname>

Here's the output. I piped it to a file:

michael@camille ~ $ cat sshd.log
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 237
debug2: parse_server_config: config /etc/ssh/sshd_config len 237
debug3: /etc/ssh/sshd_config:21 setting Protocol 2
debug3: /etc/ssh/sshd_config:60 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:87 setting UsePAM yes
debug3: /etc/ssh/sshd_config:91 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:127 setting Subsystem sftp /usr/lib/misc/sftp-server
debug1: sshd version OpenSSH_4.7p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='2202'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2202 on 0.0.0.0.
Server listening on 0.0.0.0 port 2202.
socket: Address family not supported by protocol
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 237
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.1.2 port 57643
debug1: Client protocol version 2.0; client software version OpenSSH_4.7
debug1: match: OpenSSH_4.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7
debug2: fd 3 setting O_NONBLOCK
debug3: privsep user:group 22:22
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 zlib@openssh.com
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug2: Network child is on pid 8390
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 126/256
debug2: bits set: 519/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 533/1024
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x80a9fd8(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user michael service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 192.168.1.2.
debug2: parse_server_config: config reprocess config len 237
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for michael
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 47
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: monitor_read: checking request 47
debug1: PAM: initializing for "michael"
debug1: PAM: setting PAM_RHOST to "192.168.1.2"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 47 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user michael service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=michael devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: mm_sshpam_init_ctx
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_init_ctx
debug3: PAM: sshpam_init_ctx entering
debug3: ssh_msg_send: type 7
debug3: mm_request_send entering: type 51
debug3: mm_request_receive entering
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 52
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 53
debug3: mm_request_receive entering
debug3: monitor_read: checking request 52
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: PAM: Authentication failure
PAM: Authentication failure for michael from 192.168.1.2
debug3: mm_request_send entering: type 53
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned -1
debug3: mm_sshpam_free_ctx
debug3: mm_request_send entering: type 56
debug3: mm_sshpam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX
debug3: mm_request_receive_expect entering: type 57
debug3: mm_request_receive entering
debug3: monitor_read: checking request 56
debug3: mm_answer_pam_free_ctx
debug3: PAM: sshpam_free_ctx entering
debug3: PAM: sshpam_thread_cleanup entering
debug3: mm_request_send entering: type 57
debug2: monitor_read: 56 used once, disabling now
Failed keyboard-interactive/pam for michael from 192.168.1.2 port 57643 ssh2
debug1: Unable to open the btmp file /var/log/btmp: No such file or directory
debug3: mm_request_receive entering
Connection closed by 192.168.1.2
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering


Here's the /etc/sshd_config:

michael@camille ~ $ cat sshd_config
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN ou=users,dc=phear,dc=org
#LpkGroupDN ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkFilter (hostAccess=master.phear.org)
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3

# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

And here's the emerge information for ssh:

michael@camille ~ $ cat emerge-openssh.log

These are the packages that would be merged, in order:

Calculating dependencies ... done!
[ebuild R ] net-misc/openssh-4.7_p1-r6 USE="kerberos pam tcpd -X -X509 -chroot -hpn -ldap -libedit (-selinux) -skey -smartcard -static" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB


I tried upgrading PAM and rebooting, but it didn't solve the problem.
I'm running pam-1.0.1, if that matters...
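As an added example, not part of the original post, here is a small Python script that reads an sshd -ddd transcript of the kind pasted above and reduces it to the facts that decide an authentication failure: which sshd_config options were explicitly set, which authentication methods the client actually asked for, and what sshd or PAM rejected. The embedded transcript is a constructed excerpt modelled on the log above (same option names, user and address; not a real capture), and the line patterns follow the OpenSSH 4.x wording shown there. The findings the script prints are the reading a practitioner would make of "Permission denied (publickey,keyboard-interactive)" in this situation: the client never offered a key, so the only remaining method went to PAM, and PAM said no.

```python
"""Summarise an `sshd -ddd` transcript into the facts that matter for an
authentication failure.  Added example; the patterns match OpenSSH 4.x output."""
import re
from dataclasses import dataclass, field

# Lines sshd prints at -ddd: an explicitly set config option, a client auth
# request, a rejection, an acceptance, and a PAM failure (in that order).
CONFIG_RE = re.compile(r"^debug\d: (?P<file>\S+):(?P<line>\d+) setting (?P<opt>\S+)\s*(?P<val>.*)$")
USERAUTH_RE = re.compile(r"^debug1: userauth-request for user (?P<user>\S+) service \S+ method (?P<method>\S+)")
FAILED_RE = re.compile(r"^Failed (?P<method>\S+) for (?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<addr>\S+) port (?P<port>\d+)")
PAM_FAIL_RE = re.compile(r"^PAM: Authentication failure for (?P<user>\S+) from (?P<addr>\S+)")

# Constructed excerpt modelled on the transcript in the post; not a real capture.
SAMPLE_LOG = """\
debug3: /etc/ssh/sshd_config:21 setting Protocol 2
debug3: /etc/ssh/sshd_config:60 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:87 setting UsePAM yes
debug3: /etc/ssh/sshd_config:127 setting Subsystem sftp /usr/lib/misc/sftp-server
debug1: sshd version OpenSSH_4.7p1
Connection from 192.168.1.2 port 57643
debug1: KEX done
debug1: userauth-request for user michael service ssh-connection method none
debug1: attempt 0 failures 0
debug1: userauth-request for user michael service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug3: PAM: Authentication failure
PAM: Authentication failure for michael from 192.168.1.2
Failed keyboard-interactive/pam for michael from 192.168.1.2 port 57643 ssh2
Connection closed by 192.168.1.2
"""


@dataclass
class AuthTrace:
    settings: dict = field(default_factory=dict)       # option -> value set in sshd_config
    methods_tried: list = field(default_factory=list)  # (user, method) in request order
    failures: list = field(default_factory=list)       # (method, user, addr, port)
    pam_failures: list = field(default_factory=list)   # (user, addr)
    accepted: list = field(default_factory=list)       # (method, user, addr, port)


def parse_sshd_debug(text: str) -> AuthTrace:
    """Walk the transcript once and collect only the auth-relevant lines."""
    trace = AuthTrace()
    for raw in text.splitlines():
        line = raw.strip()
        m = CONFIG_RE.match(line)
        if m:
            trace.settings[m["opt"]] = m["val"].strip()
            continue
        m = USERAUTH_RE.match(line)
        if m:
            trace.methods_tried.append((m["user"], m["method"]))
            continue
        m = FAILED_RE.match(line)
        if m:
            trace.failures.append((m["method"], m["user"], m["addr"], int(m["port"])))
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            trace.accepted.append((m["method"], m["user"], m["addr"], int(m["port"])))
            continue
        m = PAM_FAIL_RE.match(line)
        if m:
            trace.pam_failures.append((m["user"], m["addr"]))
    return trace


def diagnose(trace: AuthTrace) -> list:
    """Turn the trace into plain-language findings, most decisive first.
    'none' is the probe the client always sends first, so it is not a method."""
    findings = []
    methods = {method for _, method in trace.methods_tried} - {"none"}
    if trace.accepted:
        findings.append("login succeeded via " + ", ".join(a[0] for a in trace.accepted))
        return findings
    if "publickey" not in methods:
        findings.append("client never offered a public key: check ssh -v on the client, "
                        "its IdentityFile and key file permissions before blaming the server")
    if "keyboard-interactive" in methods and trace.pam_failures:
        findings.append("keyboard-interactive was handed to PAM and PAM rejected the user: "
                        "check the sshd PAM stack and that the account has a usable password")
    if trace.settings.get("PasswordAuthentication", "").lower() == "no":
        findings.append("PasswordAuthentication is off, so 'password' is never offered; "
                        "only publickey and keyboard-interactive remain")
    return findings


if __name__ == "__main__":
    t = parse_sshd_debug(SAMPLE_LOG)
    print("explicit settings:", t.settings)
    print("methods requested:", [m for _, m in t.methods_tried])
    for f in diagnose(t):
        print("-", f)
```

Run it against a real capture with parse_sshd_debug(open("sshd.log").read()); the script deliberately ignores the kex and monitor chatter, which is where most of a -ddd transcript goes, so the first thing you see is whether the client ever sent a publickey request at all.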