Gentoo Archives: gentoo-user

From: Michael Sullivan <michael@××××××××××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] SSHd: Permission denied (publickey,keyboard-interactive).
Date: Fri, 12 Sep 2008 02:46:31
Message-Id: 1221187575.15782.55.camel@camille.espersunited.com
1 I hooked up my old server box today so that I could update the software,
2 only to find that I could not ssh over to it:
3
4 michael@camille ~ $ ssh bullet
5 Permission denied (publickey,keyboard-interactive).
6
7 There were no 'official' logs, but a website I found on Google suggested
8 running
9
10 /usr/sbin/sshd -ddd -p 2202
11
12 and then trying to shell over with
13
14 ssh -p 2202 <boxname>
15
16 Here's the output. I piped it to a file:
17
18 michael@camille ~ $ cat sshd.log
19 debug2: load_server_config: filename /etc/ssh/sshd_config
20 debug2: load_server_config: done config len = 237
21 debug2: parse_server_config: config /etc/ssh/sshd_config len 237
22 debug3: /etc/ssh/sshd_config:21 setting Protocol 2
23 debug3: /etc/ssh/sshd_config:60 setting PasswordAuthentication no
24 debug3: /etc/ssh/sshd_config:87 setting UsePAM yes
25 debug3: /etc/ssh/sshd_config:91 setting X11Forwarding yes
26 debug3: /etc/ssh/sshd_config:127 setting Subsystem
27 sftp /usr/lib/misc/sftp-server
28 debug1: sshd version OpenSSH_4.7p1
29 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
30 debug1: read PEM private key done: type RSA
31 debug1: private host key: #0 type 1 RSA
32 debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
33 debug1: read PEM private key done: type DSA
34 debug1: private host key: #1 type 2 DSA
35 debug1: rexec_argv[0]='/usr/sbin/sshd'
36 debug1: rexec_argv[1]='-ddd'
37 debug1: rexec_argv[2]='-p'
38 debug1: rexec_argv[3]='2202'
39 debug2: fd 3 setting O_NONBLOCK
40 debug1: Bind to port 2202 on 0.0.0.0.
41 Server listening on 0.0.0.0 port 2202.
42 socket: Address family not supported by protocol
43 debug3: fd 4 is not O_NONBLOCK
44 debug1: Server will not fork when running in debugging mode.
45 debug3: send_rexec_state: entering fd = 7 config len 237
46 debug3: ssh_msg_send: type 0
47 debug3: send_rexec_state: done
48 debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
49 debug1: inetd sockets after dupping: 3, 3
50 Connection from 192.168.1.2 port 57643
51 debug1: Client protocol version 2.0; client software version OpenSSH_4.7
52 debug1: match: OpenSSH_4.7 pat OpenSSH*
53 debug1: Enabling compatibility mode for protocol 2.0
54 debug1: Local version string SSH-2.0-OpenSSH_4.7
55 debug2: fd 3 setting O_NONBLOCK
56 debug3: privsep user:group 22:22
57 debug1: permanently_set_uid: 22/22
58 debug1: list_hostkey_types: ssh-rsa,ssh-dss
59 debug1: SSH2_MSG_KEXINIT sent
60 debug1: SSH2_MSG_KEXINIT received
61 debug2: kex_parse_kexinit:
62 diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
63 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
64 debug2: kex_parse_kexinit:
65 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr
66 debug2: kex_parse_kexinit:
67 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr
68 debug2: kex_parse_kexinit:
69 hmac-md5,hmac-sha1,umac-64@×××××××.com,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96
70 debug2: kex_parse_kexinit:
71 hmac-md5,hmac-sha1,umac-64@×××××××.com,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96
72 debug2: kex_parse_kexinit: none,zlib@×××××××.com
73 debug2: kex_parse_kexinit: none,zlib@×××××××.com
74 debug2: kex_parse_kexinit:
75 debug2: kex_parse_kexinit:
76 debug2: kex_parse_kexinit: first_kex_follows 0
77 debug2: kex_parse_kexinit: reserved 0
78 debug2: kex_parse_kexinit:
79 diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
80 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
81 debug2: kex_parse_kexinit:
82 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr
83 debug2: kex_parse_kexinit:
84 aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@×××××××××××.se,aes128-ctr,aes192-ctr,aes256-ctr
85 debug2: kex_parse_kexinit:
86 hmac-md5,hmac-sha1,umac-64@×××××××.com,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96
87 debug2: kex_parse_kexinit:
88 hmac-md5,hmac-sha1,umac-64@×××××××.com,hmac-ripemd160,hmac-ripemd160@×××××××.com,hmac-sha1-96,hmac-md5-96
89 debug2: kex_parse_kexinit: zlib@×××××××.com,zlib,none
90 debug2: kex_parse_kexinit: zlib@×××××××.com,zlib,none
91 debug2: kex_parse_kexinit:
92 debug2: kex_parse_kexinit:
93 debug2: kex_parse_kexinit: first_kex_follows 0
94 debug2: kex_parse_kexinit: reserved 0
95 debug2: mac_setup: found hmac-md5
96 debug1: kex: client->server aes128-cbc hmac-md5 zlib@×××××××.com
97 debug2: mac_setup: found hmac-md5
98 debug1: kex: server->client aes128-cbc hmac-md5 zlib@×××××××.com
99 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
100 debug3: mm_request_send entering: type 0
101 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
102 debug3: mm_request_receive_expect entering: type 1
103 debug3: mm_request_receive entering
104 debug2: Network child is on pid 8390
105 debug3: preauth child monitor started
106 debug3: mm_request_receive entering
107 debug3: monitor_read: checking request 0
108 debug3: mm_answer_moduli: got parameters: 1024 1024 8192
109 debug3: mm_request_send entering: type 1
110 debug3: mm_choose_dh: remaining 0
111 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
112 debug2: dh_gen_key: priv key bits set: 126/256
113 debug2: bits set: 519/1024
114 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
115 debug2: bits set: 533/1024
116 debug2: monitor_read: 0 used once, disabling now
117 debug3: mm_request_receive entering
118 debug3: mm_key_sign entering
119 debug3: mm_request_send entering: type 4
120 debug3: monitor_read: checking request 4
121 debug3: mm_answer_sign
122 debug3: mm_answer_sign: signature 0x80a9fd8(143)
123 debug3: mm_request_send entering: type 5
124 debug2: monitor_read: 4 used once, disabling now
125 debug3: mm_request_receive entering
126 debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
127 debug3: mm_request_receive_expect entering: type 5
128 debug3: mm_request_receive entering
129 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
130 debug2: kex_derive_keys
131 debug2: set_newkeys: mode 1
132 debug1: SSH2_MSG_NEWKEYS sent
133 debug1: expecting SSH2_MSG_NEWKEYS
134 debug2: set_newkeys: mode 0
135 debug1: SSH2_MSG_NEWKEYS received
136 debug1: KEX done
137 debug1: userauth-request for user michael service ssh-connection method
138 none
139 debug1: attempt 0 failures 0
140 debug3: mm_getpwnamallow entering
141 debug3: mm_request_send entering: type 6
142 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
143 debug3: mm_request_receive_expect entering: type 7
144 debug3: mm_request_receive entering
145 debug3: monitor_read: checking request 6
146 debug3: mm_answer_pwnamallow
147 debug3: Trying to reverse map address 192.168.1.2.
148 debug2: parse_server_config: config reprocess config len 237
149 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
150 debug3: mm_request_send entering: type 7
151 debug2: monitor_read: 6 used once, disabling now
152 debug3: mm_request_receive entering
153 debug2: input_userauth_request: setting up authctxt for michael
154 debug3: mm_start_pam entering
155 debug3: mm_request_send entering: type 47
156 debug3: mm_inform_authserv entering
157 debug3: mm_request_send entering: type 3
158 debug2: input_userauth_request: try method none
159 debug3: monitor_read: checking request 47
160 debug1: PAM: initializing for "michael"
161 debug1: PAM: setting PAM_RHOST to "192.168.1.2"
162 debug1: PAM: setting PAM_TTY to "ssh"
163 debug2: monitor_read: 47 used once, disabling now
164 debug3: mm_request_receive entering
165 debug3: monitor_read: checking request 3
166 debug3: mm_answer_authserv: service=ssh-connection, style=
167 debug2: monitor_read: 3 used once, disabling now
168 debug3: mm_request_receive entering
169 debug1: userauth-request for user michael service ssh-connection method
170 keyboard-interactive
171 debug1: attempt 1 failures 1
172 debug2: input_userauth_request: try method keyboard-interactive
173 debug1: keyboard-interactive devs
174 debug1: auth2_challenge: user=michael devs=
175 debug1: kbdint_alloc: devices 'pam'
176 debug2: auth2_challenge_start: devices pam
177 debug2: kbdint_next_device: devices <empty>
178 debug1: auth2_challenge_start: trying authentication method 'pam'
179 debug3: mm_sshpam_init_ctx
180 debug3: mm_request_send entering: type 50
181 debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
182 debug3: mm_request_receive_expect entering: type 51
183 debug3: mm_request_receive entering
184 debug3: monitor_read: checking request 50
185 debug3: mm_answer_pam_init_ctx
186 debug3: PAM: sshpam_init_ctx entering
187 debug3: ssh_msg_send: type 7
188 debug3: mm_request_send entering: type 51
189 debug3: mm_request_receive entering
190 debug3: mm_sshpam_query
191 debug3: mm_request_send entering: type 52
192 debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
193 debug3: mm_request_receive_expect entering: type 53
194 debug3: mm_request_receive entering
195 debug3: monitor_read: checking request 52
196 debug3: mm_answer_pam_query
197 debug3: PAM: sshpam_query entering
198 debug3: ssh_msg_recv entering
199 debug3: PAM: Authentication failure
200 PAM: Authentication failure for michael from 192.168.1.2
201 debug3: mm_request_send entering: type 53
202 debug3: mm_request_receive entering
203 debug3: mm_sshpam_query: pam_query returned -1
204 debug3: mm_sshpam_free_ctx
205 debug3: mm_request_send entering: type 56
206 debug3: mm_sshpam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX
207 debug3: mm_request_receive_expect entering: type 57
208 debug3: mm_request_receive entering
209 debug3: monitor_read: checking request 56
210 debug3: mm_answer_pam_free_ctx
211 debug3: PAM: sshpam_free_ctx entering
212 debug3: PAM: sshpam_thread_cleanup entering
213 debug3: mm_request_send entering: type 57
214 debug2: monitor_read: 56 used once, disabling now
215 Failed keyboard-interactive/pam for michael from 192.168.1.2 port 57643
216 ssh2
217 debug1: Unable to open the btmp file /var/log/btmp: No such file or
218 directory
219 debug3: mm_request_receive entering
220 Connection closed by 192.168.1.2
221 debug1: do_cleanup
222 debug1: PAM: cleanup
223 debug3: PAM: sshpam_thread_cleanup entering
224 debug1: do_cleanup
225 debug1: PAM: cleanup
226 debug3: PAM: sshpam_thread_cleanup entering
227
228
229 Here's the /etc/sshd_config:
230
231 michael@camille ~ $ cat sshd_config
232 # $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $
233
234 # This is the sshd server system-wide configuration file. See
235 # sshd_config(5) for more information.
236
237 # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
238
239 # The strategy used for options in the default sshd_config shipped with
240 # OpenSSH is to specify options with their default value where
241 # possible, but leave them commented. Uncommented options change a
242 # default value.
243
244 #Port 22
245 #AddressFamily any
246 #ListenAddress 0.0.0.0
247 #ListenAddress ::
248
249 # Disable legacy (protocol version 1) support in the server for new
250 # installations. In future the default will change to require explicit
251 # activation of protocol 1
252 Protocol 2
253
254 # HostKey for protocol version 1
255 #HostKey /etc/ssh/ssh_host_key
256 # HostKeys for protocol version 2
257 #HostKey /etc/ssh/ssh_host_rsa_key
258 #HostKey /etc/ssh/ssh_host_dsa_key
259
260 # Lifetime and size of ephemeral version 1 server key
261 #KeyRegenerationInterval 1h
262 #ServerKeyBits 768
263
264 # Logging
265 # obsoletes QuietMode and FascistLogging
266 #SyslogFacility AUTH
267 #LogLevel INFO
268
269 # Authentication:
270
271 #LoginGraceTime 2m
272 #PermitRootLogin yes
273 #StrictModes yes
274 #MaxAuthTries 6
275
276 #RSAAuthentication yes
277 #PubkeyAuthentication yes
278 #AuthorizedKeysFile .ssh/authorized_keys
279
280 # For this to work you will also need host keys
281 in /etc/ssh/ssh_known_hosts
282 #RhostsRSAAuthentication no
283 # similar for protocol version 2
284 #HostbasedAuthentication no
285 # Change to yes if you don't trust ~/.ssh/known_hosts for
286 # RhostsRSAAuthentication and HostbasedAuthentication
287 #IgnoreUserKnownHosts no
288 # Don't read the user's ~/.rhosts and ~/.shosts files
289 #IgnoreRhosts yes
290
291 # To disable tunneled clear text passwords, change to no here!
292 PasswordAuthentication no
293 #PermitEmptyPasswords no
294
295 # Change to no to disable s/key passwords
296 #ChallengeResponseAuthentication yes
297
298 # Kerberos options
299 #KerberosAuthentication no
300 #KerberosOrLocalPasswd yes
301 #KerberosTicketCleanup yes
302 #KerberosGetAFSToken no
303
304 # GSSAPI options
305 #GSSAPIAuthentication no
306 #GSSAPICleanupCredentials yes
307 #GSSAPIStrictAcceptorCheck yes
308 #GSSAPIKeyExchange no
309
310 # Set this to 'yes' to enable PAM authentication, account processing,
311 # and session processing. If this is enabled, PAM authentication will
312 # be allowed through the ChallengeResponseAuthentication and
313 # PasswordAuthentication. Depending on your PAM configuration,
314 # PAM authentication via ChallengeResponseAuthentication may bypass
315 # the setting of "PermitRootLogin without-password".
316 # If you just want the PAM account and session checks to run without
317 # PAM authentication, then enable this but set PasswordAuthentication
318 # and ChallengeResponseAuthentication to 'no'.
319 UsePAM yes
320
321 #AllowTcpForwarding yes
322 #GatewayPorts no
323 X11Forwarding yes
324 #X11DisplayOffset 10
325 #X11UseLocalhost yes
326 #PrintMotd yes
327 #PrintLastLog yes
328 #TCPKeepAlive yes
329 #UseLogin no
330 #UsePrivilegeSeparation yes
331 #PermitUserEnvironment no
332 #Compression delayed
333 #ClientAliveInterval 0
334 #ClientAliveCountMax 3
335 #UseDNS yes
336 #PidFile /var/run/sshd.pid
337 #MaxStartups 10
338 #PermitTunnel no
339
340 # no default banner path
341 #Banner /some/path
342
343 # here are the new patched ldap related tokens
344 # entries in your LDAP must have posixAccount & ldapPublicKey
345 objectclass
346 #UseLPK yes
347 #LpkLdapConf /etc/ldap.conf
348 #LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/
349 #LpkUserDN ou=users,dc=phear,dc=org
350 #LpkGroupDN ou=groups,dc=phear,dc=org
351 #LpkBindDN cn=Manager,dc=phear,dc=org
352 #LpkBindPw secret
353 #LpkServerGroup mail
354 #LpkFilter (hostAccess=master.phear.org)
355 #LpkForceTLS no
356 #LpkSearchTimelimit 3
357 #LpkBindTimelimit 3
358
359 # override default of no subsystems
360 Subsystem sftp /usr/lib/misc/sftp-server
361
362 # Example of overriding settings on a per-user basis
363 #Match User anoncvs
364 # X11Forwarding no
365 # AllowTcpForwarding no
366 # ForceCommand cvs server
367
368 And here's the emerge information for ssh:
369
370 michael@camille ~ $ cat emerge-openssh.log
371
372 These are the packages that would be merged, in order:
373
374 Calculating dependencies ... done!
375 [ebuild R ] net-misc/openssh-4.7_p1-r6 USE="kerberos pam tcpd -X
376 -X509 -chroot -hpn -ldap -libedit (-selinux) -skey -smartcard -static" 0
377 kB
378
379 Total: 1 package (1 reinstall), Size of downloads: 0 kB
380
381
382 I tried upgrading PAM and rebooting, but it didn't solve the problem.
383 I'm running pam-1.0.1, if that matters...
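
Added example (not part of the original post, and not OpenSSH code): a small Python parser that reduces `sshd -ddd` output like the log above to the options set explicitly in sshd_config, the authentication methods the client requested, and the result of each attempt. The sample log is constructed from lines in the post with the e-mail line wrapping undone; `summarize` and `never_requested` are names chosen for this example.

```python
import re

# Constructed sample: lines in the format of the sshd -ddd output posted above,
# with the mail client's line wrapping undone.
SAMPLE_LOG = """\
debug3: /etc/ssh/sshd_config:60 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:87 setting UsePAM yes
debug1: userauth-request for user michael service ssh-connection method none
debug1: userauth-request for user michael service ssh-connection method keyboard-interactive
debug3: PAM: Authentication failure
Failed keyboard-interactive/pam for michael from 192.168.1.2 port 57643 ssh2
"""

SETTING = re.compile(r"sshd_config:\d+ setting (\S+) (.+)")
REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
RESULT = re.compile(r"^(Failed|Accepted) (\S+) for (\S+) from (\S+)")


def summarize(log_text):
    """Collect explicit config settings, requested auth methods and their results."""
    summary = {"settings": {}, "requested": [], "results": [], "pam_failure": False}
    for line in log_text.splitlines():
        line = line.strip()
        if m := SETTING.search(line):
            summary["settings"][m.group(1)] = m.group(2)
        elif m := REQUEST.search(line):
            if m.group(2) not in summary["requested"]:
                summary["requested"].append(m.group(2))
        elif m := RESULT.match(line):
            summary["results"].append((m.group(2), m.group(1)))
        elif "PAM: Authentication failure" in line:
            summary["pam_failure"] = True
    return summary


def never_requested(summary, methods=("publickey", "keyboard-interactive")):
    """Methods named in the client's 'Permission denied (...)' line that it never tried."""
    return [m for m in methods if m not in summary["requested"]]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("explicit settings:", s["settings"])
    print("requested methods:", s["requested"])
    print("results          :", s["results"])
    print("PAM failure seen :", s["pam_failure"])
    print("never requested  :", never_requested(s))
```

On the posted log this reports that the client requested only `none` and `keyboard-interactive`, that the keyboard-interactive attempt failed inside PAM, and that no `publickey` request appears.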

Replies

Subject Author
Re: [gentoo-user] SSHd: Permission denied (publickey,keyboard-interactive). Iain Buchanan <iaindb@××××××××××××.au>
Re: [gentoo-user] SSHd: Permission denied (publickey,keyboard-interactive). Stroller <stroller@××××××××××××××××××.uk>