RE: Keyboard-interactive authentication refused?
From: Schubert, John [NTWK SVCS] (jschub01_at_sprintspectrum.com)
Date: 07/30/03
- Maybe in reply to: Dan Gapinski: "Keyboard-interactive authentication refused?"
Date: Wed, 30 Jul 2003 11:15:03 -0500
To: "Dan Gapinski" <dan.gapinski@qsi-r2.com>, <secureshell@securityfocus.com>
This sounds similar to a problem we have as we are migrating from FTP/Telnet to SFTP/SSH. If you closed down clear text modes of transport, you were forced to use SSH and the earlier versions of SSH Clients would bomb if your account had an expired password. So Telnet would prompt for changing to a new password, but SSH would just refuse the connection. Being a large enterprise, we still are using the older version of SSH, so we still have the problem.
Before, the issue was only for a handful of us who managed servers that crossed between our "backoffice" network, and the "Customer Data Network". Being the sys admin, I had backdoors to get around the problem. Now all of our servers are SSH only. However we haven't had TELNET shutdown long enough for password aging to kick in on servers with large numbers of users. I'm thinking in another couple of weeks there will be a huge push when they get hundreds of phone calls saying they can't log in.
I may be making an assumption here, but doesn't SSH2.0 rectify this problem? Is it a bug on the client or server side? I think it's client, but figured I'd ask the informed audience here.
Thanks!
John
-----Original Message-----
From: Dan Gapinski [mailto:dan.gapinski@qsi-r2.com]
Sent: Tuesday, July 29, 2003 12:38 PM
To: secureshell@securityfocus.com
Subject: Re: Keyboard-interactive authentication refused?
I figured it out. My account expired. Sorry to make a big deal out of
nothing! I just did not understand the error message.
My best,
Dan
----- Original Message -----
From: "Dan Gapinski" <dan.gapinski@qsi-r2.com>
To: <secureshell@securityfocus.com>
Sent: Monday, July 28, 2003 9:07 AM
Subject: Keyboard-interactive authentication refused?
> Hello,
>
> I could connect to my OpenSSH server (3.6.1 on Redhat 9) on the LAN, and
> just recently got my firewall to forward the port to it successfully. Now
> when I try to connect (from the internet as well as from the LAN) I get
> access granted, then failed authentication messages in my WinSCP client log.
> What can I check now? I am using a SCPonly shell in a chrooted environment,
> which again worked fine on the LAN.
>
> Here is the client's logfile entry:
> . Looking up host "192.168.0.13"
> . Connecting to 192.168.0.13 port 49813
> . Server version: SSH-2.0-OpenSSH_3.5p1
> . We claim version: SSH-2.0-PuTTY-Local: Apr 23 2003 11:38:40
> . Using SSH protocol version 2
> . Doing Diffie-Hellman group exchange
> . Doing Diffie-Hellman key exchange
> . Host key fingerprint is:
> . ssh-rsa 1024 eb:76:a9:59:32:c8:2d:83:7f:b4:d8:a2:3d:ac:66:9e
> . Initialised zlib (RFC1950) compression
> . Initialised zlib (RFC1950) decompression
> . Initialised Blowfish client->server encryption
> . Initialised Blowfish server->client encryption
> ! Using username "jailbird2".
> . Keyboard-interactive authentication refused
> . Sent password
> . Access granted
> . Network error: Connection reset by peer
> * (ESshFatal) Authentication failed.
>
> The fact that local connections could be made before the firewall began
> forwarding remote connections has me a little confused. Any thoughts?
>
> Many thanks,
> Dan Gapinski
>