Gentoo Archives: gentoo-hardened

From: brant williams <brant@×××××.net>
To: gentoo-hardened@l.g.o
Cc: "Reidy, Daniel" <dubkat@×××××.com>
Subject: Re: [gentoo-hardened] SSH nolonger works after update
Date: Fri, 07 Mar 2008 22:16:34
Message-Id: Pine.LNX.4.64.0803071614500.4360@nerv.tnarb.net
In Reply to: [gentoo-hardened] SSH nolonger works after update by Dan Reidy
What kind of 'update' did you run? Can you detail what you did before the
change occurred?

You might need to update sshd_config or /etc/init.d/sshd... weird, though.

brant williams
FCAA CDCA 20BC 3925 D634 F5C4 7420 6784 4DEB 6002

On Fri, 7 Mar 2008, Dan Reidy wrote:

> Date: Fri, 7 Mar 2008 14:06:11 -0500
> From: Dan Reidy <dubkat@×××××.com>
> Reply-To: gentoo-hardened@l.g.o
> To: gentoo-hardened@l.g.o
> Cc: "Reidy, Daniel" <dubkat@×××××.com>
> Subject: [gentoo-hardened] SSH nolonger works after update
>
> Hello Ladies and Gentlemen,
> Forgive me if this is an inappropriate topic for this list, but I figured
> it's full of people with know-how, and also the most active of the lists
> I'm subscribed to.
>
> The Scenario:
> I have crappy bandwidth at home, so I use a headless, gentoo-hardened server
> at a family member's house who travels a lot and is not using their bandwidth.
> After running an update yesterday, I can no longer log in to the machine.
> Log pasted below. Before my family member left for a trip, I had them reboot
> the machine, but that didn't solve it... Nor could they log in from the
> local network. I am completely at a loss as to how to fix this. Hooking up
> a monitor and keyboard is not an option.
>
> Any ideas?
>
> dubkat@synergy ~ $ ssh -vv HOST.SCRUBBED
> OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007
> debug1: Reading configuration data /home/dubkat/.ssh/config
> debug1: Applying options for *
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to SCRUBBED [xx.xx.xx.xx] port 22.
> debug1: Connection established.
> debug1: identity file /home/dubkat/.ssh/identity type -1
> debug1: identity file /home/dubkat/.ssh/id_rsa type 1
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug2: key_type_from_name: unknown key type '-----END'
> debug1: identity file /home/dubkat/.ssh/id_dsa type 2
> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.7
> debug1: match: OpenSSH_4.7 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.7
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@×××××××.com,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@×××××××.com,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@×××××××.com,zlib
> debug2: kex_parse_kexinit: none,zlib@×××××××.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@×××××××.com,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@×××××××.com,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@×××××××.com
> debug2: kex_parse_kexinit: none,zlib@×××××××.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_setup: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_setup: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 118/256
> debug2: bits set: 521/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'HOSTNAME.SCRUBBED' is known and matches the RSA host key.
> debug1: Found key in /home/dubkat/.ssh/known_hosts:19
> debug2: bits set: 523/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/dubkat/.ssh/identity ((nil))
> debug2: key: /home/dubkat/.ssh/id_rsa (0x6656a0)
> debug2: key: /home/dubkat/.ssh/id_dsa (0x669db0)
>
> *** WARNING *** *** WARNING *** *** WARNING ***
>
> THIS IS A PRIVATE MACHINE.
> NO UNAUTHORIZED ACCESS PERMITTED.
> BRUTE FORCE ATTEMPTS WILL BE REPORTED TO YOUR ISP
>
> *** WARNING *** *** WARNING *** *** WARNING ***
>
> debug1: Authentications that can continue: publickey,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/dubkat/.ssh/identity
> debug1: Offering public key: /home/dubkat/.ssh/id_rsa
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,keyboard-interactive
> debug1: Offering public key: /home/dubkat/.ssh/id_dsa
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue: publickey,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug1: Authentications that can continue: publickey,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug1: No more authentication methods to try.
> Permission denied (publickey,keyboard-interactive).
>
> --
> -==========================================-
>
> Avoid the Gates of Hell. Use Linux.
> The choice of a GNU Generation.
>
> Daniel J Reidy RipeID: DJR9-RIPE
> dubkat@×××××.com GPG Key: 0x36833401
> http://sigterm.us/
>
> -==========================================-

--
gentoo-hardened@l.g.o mailing list
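
An added example, not part of either message above: a small Python triage of a client-side `ssh -vv` trace like the quoted one, showing that the transport phase (host key check, NEWKEYS) completed and that the failure sits in user authentication, where both offered keys were refused. The function name `triage` and the excerpt in `SAMPLE` are constructed for illustration; it assumes OpenSSH client debug wording as seen in the quoted log and does not handle multi-factor "partial success" replies.

```python
import re

# Constructed excerpt: the decisive lines of the quoted trace, mail quoting kept.
SAMPLE = """\
> debug1: Host 'HOSTNAME.SCRUBBED' is known and matches the RSA host key.
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Authentications that can continue: publickey,keyboard-interactive
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/dubkat/.ssh/identity
> debug1: Offering public key: /home/dubkat/.ssh/id_rsa
> debug1: Authentications that can continue: publickey,keyboard-interactive
> debug1: Offering public key: /home/dubkat/.ssh/id_dsa
> debug1: Authentications that can continue: publickey,keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug1: Authentications that can continue: publickey,keyboard-interactive
> debug1: No more authentication methods to try.
> Permission denied (publickey,keyboard-interactive).
"""

def triage(trace):
    """Report how far an `ssh -vv` client trace got and where it stopped."""
    r = {"transport_ok": False, "host_key_ok": False, "server_methods": [],
         "methods_tried": [], "keys_rejected": [], "stage": "transport"}
    pending = None  # public key offered, server verdict not yet seen
    for raw in trace.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # drop "> " mail quoting
        if "SSH2_MSG_NEWKEYS received" in line:
            r["transport_ok"], r["stage"] = True, "userauth-incomplete"
        elif "matches the" in line and "host key" in line:
            r["host_key_ok"] = True
        elif m := re.search(r"Next authentication method: (\S+)", line):
            r["methods_tried"].append(m.group(1))
        elif m := re.search(r"Offering public key: (\S+)", line):
            pending = m.group(1)
        elif m := re.search(r"Authentications that can continue: (\S+)", line):
            r["server_methods"] = m.group(1).split(",")
            if pending:  # server wants more auth, so the offered key was refused
                r["keys_rejected"].append(pending)
                pending = None
        elif "Authentication succeeded" in line:
            r["stage"], pending = "authenticated", None
        elif line.startswith("Permission denied"):
            r["stage"] = "userauth-denied"
    return r

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A result of `userauth-denied` with `host_key_ok` set means the client reached the expected server and was turned away during authentication, so the server's own sshd log and configuration are the next things to inspect.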
