Re: Public key Authentication broken under HP-UX?

From: Ted Pardike (tpardike_at_utah.gov)
Date: 09/24/03

    Date: Wed, 24 Sep 2003 10:29:34 -0600
    To: <dtucker@zip.com.au>
    
    

    Darren,

    Thank you for the reply.

    By the way, I tried 3.7.1p2 yesterday, and things are just getting
    worse (I think it may be a PAM issue).
    Messages found in syslog:
      sshd[985]: User tpardike not allowed because account is locked
      sshd[985]: input_userauth_request: illegal user tpardike

    config.h from 3.7.1p1
      #define HAVE_BASENAME 1

    Debug information as requested from 3.7.1p1:
    # /opt/openssh/sbin/sshd -ddd -p 2022
    debug2: read_server_config: filename /etc/ssh/sshd_config
    debug3: cipher ok: arcfour
    [arcfour,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
    debug3: cipher ok: blowfish-cbc
    [arcfour,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
    debug3: cipher ok: aes128-cbc
    [arcfour,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
    debug3: cipher ok: 3des-cbc
    [arcfour,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
    debug3: cipher ok: cast128-cbc
    [arcfour,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
    debug3: cipher ok: aes192-cbc
    [arcfour,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
    debug3: cipher ok: aes256-cbc
    [arcfour,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
    debug3: ciphers ok:
    [arcfour,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc]
    debug1: sshd version OpenSSH_3.7.1p1
    debug1: private host key: #0 type 0 RSA1
    debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
    debug1: read PEM private key done: type DSA
    debug1: private host key: #1 type 2 DSA
    debug1: Bind to port 2022 on 0.0.0.0.
    Server listening on 0.0.0.0 port 2022.
    debug1: Server will not fork when running in debugging mode.
    Connection from 127.0.0.1 port 65029
    debug1: Client protocol version 2.0; client software version
    OpenSSH_3.7.1p1
    debug1: match: OpenSSH_3.7.1p1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_3.7.1p1
    debug1: list_hostkey_types: ssh-dss
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit:
    diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-dss
    debug2: kex_parse_kexinit:
    arcfour,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc
    debug2: kex_parse_kexinit:
    arcfour,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc
    debug2: kex_parse_kexinit:
    hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

    debug2: kex_parse_kexinit:
    hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit:
    diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit:
    arcfour,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc
    debug2: kex_parse_kexinit:
    arcfour,blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,aes192-cbc,aes256-cbc
    debug2: kex_parse_kexinit:
    hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

    debug2: kex_parse_kexinit:
    hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit: none,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_init: found hmac-md5
    debug1: kex: client->server arcfour hmac-md5 none
    debug2: mac_init: found hmac-md5
    debug1: kex: server->client arcfour hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
    debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
    debug2: dh_gen_key: priv key bits set: 138/256
    debug2: bits set: 1012/2049
    debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
    debug2: bits set: 1024/2049
    debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: KEX done
    debug1: userauth-request for user tpardike service ssh-connection
    method none
    debug1: attempt 0 failures 0
    debug2: input_userauth_request: setting up authctxt for tpardike
    debug1: PAM: initializing for "tpardike"
    debug3: Trying to reverse map address 127.0.0.1.
    debug1: PAM: setting PAM_RHOST to "localhost"
    debug2: input_userauth_request: try method none
    debug1: userauth_banner: sent
    Failed none for tpardike from 127.0.0.1 port 65029 ssh2
    debug1: userauth-request for user tpardike service ssh-connection
    method keyboard-interactive
    debug1: attempt 1 failures 1
    debug2: input_userauth_request: try method keyboard-interactive
    debug1: keyboard-interactive devs
    debug1: auth2_challenge: user=tpardike devs=
    debug1: kbdint_alloc: devices 'pam'
    debug2: auth2_challenge_start: devices pam
    debug2: kbdint_next_device: devices <empty>
    debug1: auth2_challenge_start: trying authentication method 'pam'
    debug3: ssh_msg_recv entering
    debug3: ssh_msg_send: type 1
    Postponed keyboard-interactive for tpardike from 127.0.0.1 port 65029
    ssh2
    debug3: ssh_msg_recv entering
    debug2: PAM: sshpam_respond
    debug3: ssh_msg_send: type 6
    debug3: ssh_msg_send: type 0
    debug3: ssh_msg_recv entering
    Postponed keyboard-interactive/pam for tpardike from 127.0.0.1 port
    65029 ssh2
    debug2: PAM: sshpam_respond
    debug3: do_pam_account: pam_acct_mgmt = 0
    Accepted keyboard-interactive/pam for tpardike from 127.0.0.1 port
    65029 ssh2
    debug1: Entering interactive session for SSH2.
    debug2: fd 9 setting O_NONBLOCK
    debug2: fd 10 setting O_NONBLOCK
    debug1: server_init_dispatch_20
    debug1: server_input_channel_open: ctype session rchan 0 win 65536 max
    16384
    debug1: input_session_request
    debug1: channel 0: new [server-session]
    debug1: session_new: init
    debug1: session_new: session 0
    debug1: session_open: channel 0
    debug1: session_open: session 0: link with channel 0
    debug1: server_input_channel_open: confirm session
    debug1: server_input_channel_req: channel 0 request pty-req reply 0
    debug1: session_by_channel: session 0 channel 0
    debug1: session_input_channel_req: session 0 req pty-req
    debug1: Allocating pty.
    debug1: session_pty_req: session 0 alloc /dev/pts/2
    debug3: tty_parse_modes: SSH2 n_bytes 256
    debug3: tty_parse_modes: ospeed 300
    debug3: tty_parse_modes: ispeed 0
    debug3: tty_parse_modes: 1 3
    debug3: tty_parse_modes: 2 28
    debug3: tty_parse_modes: 3 127
    debug3: tty_parse_modes: 4 21
    debug3: tty_parse_modes: 5 4
    debug3: tty_parse_modes: 6 0
    debug3: tty_parse_modes: 7 255
    debug3: tty_parse_modes: 8 17
    debug3: tty_parse_modes: 9 19
    debug3: tty_parse_modes: 10 26
    debug3: tty_parse_modes: 11 255
    debug3: tty_parse_modes: 13 255
    debug3: tty_parse_modes: 14 255
    debug3: tty_parse_modes: 16 255
    debug3: tty_parse_modes: 30 0
    debug3: tty_parse_modes: 31 0
    debug3: tty_parse_modes: 32 0
    debug3: tty_parse_modes: 33 1
    debug3: tty_parse_modes: 34 0
    debug3: tty_parse_modes: 35 0
    debug3: tty_parse_modes: 36 1
    debug3: tty_parse_modes: 37 0
    debug3: tty_parse_modes: 38 1
    debug3: tty_parse_modes: 39 1
    debug3: tty_parse_modes: 40 1
    debug3: tty_parse_modes: 41 0
    debug3: tty_parse_modes: 50 1
    debug3: tty_parse_modes: 51 1
    debug3: tty_parse_modes: 52 0
    debug3: tty_parse_modes: 53 1
    debug3: tty_parse_modes: 54 1
    debug3: tty_parse_modes: 55 1
    debug3: tty_parse_modes: 56 0
    debug3: tty_parse_modes: 57 0
    debug3: tty_parse_modes: 58 0
    debug3: tty_parse_modes: 59 0
    debug3: tty_parse_modes: 60 0
    debug3: tty_parse_modes: 61 0
    debug3: tty_parse_modes: 62 0
    debug3: tty_parse_modes: 70 1
    debug3: tty_parse_modes: 71 0
    debug3: tty_parse_modes: 72 1
    debug3: tty_parse_modes: 73 0
    debug3: tty_parse_modes: 74 0
    debug3: tty_parse_modes: 75 0
    debug3: tty_parse_modes: 90 1
    debug3: tty_parse_modes: 91 1
    debug3: tty_parse_modes: 92 0
    debug3: tty_parse_modes: 93 0
    debug1: server_input_channel_req: channel 0 request x11-req reply 0
    debug1: session_by_channel: session 0 channel 0
    debug1: session_input_channel_req: session 0 req x11-req
    debug2: bind port 6010: Address already in use
    debug2: bind port 6011: Address already in use
    debug2: fd 13 setting O_NONBLOCK
    debug2: fd 13 is O_NONBLOCK
    debug1: channel 1: new [X11 inet listener]
    debug1: server_input_channel_req: channel 0 request shell reply 0
    debug1: session_by_channel: session 0 channel 0
    debug1: session_input_channel_req: session 0 req shell
    debug1: PAM: setting PAM_TTY to "/dev/pts/2"
    debug1: PAM: establishing credentials
    debug2: fd 4 setting TCP_NODELAY
    debug2: fd 12 setting O_NONBLOCK
    debug2: fd 11 is O_NONBLOCK
    debug2: channel 0: read<=0 rfd 12 len 0
    debug2: channel 0: read failed
    debug2: channel 0: close_read
    debug2: channel 0: input open -> drain
    debug2: channel 0: ibuf empty
    debug2: channel 0: send eof
    debug2: channel 0: input drain -> closed
    debug1: Received SIGCHLD.
    debug1: session_by_pid: pid 15485
    debug1: session_exit_message: session 0 channel 0 pid 15485
    debug2: channel 0: request exit-status
    debug1: session_exit_message: release channel 0
    debug2: channel 0: write failed
    debug2: channel 0: close_write
    debug2: channel 0: output open -> closed
    debug1: session_close: session 0 pid 15485
    debug1: session_pty_cleanup: session 0 release /dev/pts/2
    debug2: channel 0: send close
    debug3: channel 0: will not send data after close
    debug2: notify_done: reading
    debug3: channel 0: will not send data after close
    debug2: channel 0: rcvd close
    debug3: channel 0: will not send data after close
    debug2: channel 0: is dead
    debug2: channel 0: garbage collecting
    debug1: channel 0: free: server-session, nchannels 2
    debug3: channel 0: status: The following connections are open:
      #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1)
     
    debug3: channel 0: close_fds r -1 w -1 e -1
    Connection closed by 127.0.0.1
    debug1: channel 1: free: X11 inet listener, nchannels 1
    debug3: channel 1: status: The following connections are open:
     
    debug3: channel 1: close_fds r 13 w 13 e -1
    Closing connection to 127.0.0.1
    debug1: PAM: cleanup

    Thanks,
    Ted

    >>> Darren Tucker <dtucker@zip.com.au> 9/24/2003 4:39:20 AM >>>
    Ted Pardike wrote:
    >
    > I was just wondering if anyone else was having problems with public key
    > authentication with ssh (not sshd) since version 3.7p1 under HP-UX
    > 11.00?
    >
    > Versions I have experienced this problem with:
    > 3.7p1
    > 3.7.1p1
    > SNAP-20030921
    >
    > If I swap in the binaries for 3.6.1p1 (using the same config files),
    > public key authentication works as expected.
    >
    > The reason why I think it is a problem with HP-UX, is due to the fact
    > that 3.7.1p1 appears to work fine under Cygwin.

    Do you have HAVE_BASENAME defined in config.h?

    You can get more info by running a server-side debug (eg "sshd -ddd -p
    2022" then "ssh -p 2022 localhost").

    -- 
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
        Good judgement comes with experience. Unfortunately, the experience
        usually comes from bad judgement.
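
Added example, not part of the original thread: a Python helper that reads `sshd -ddd` output like the trace quoted above and lists which authentication methods the client requested and how the server answered each one. The function name `summarize_auth` is this example's own, the sample is an excerpt of the log in the message (mail line wrapping included), and the regexes assume the line formats that appear there.

```python
import re

# Excerpt of the sshd -ddd output quoted in the message above, keeping the
# mail client's wrapping (e.g. "method ..." pushed onto its own line).
SAMPLE = """\
debug1: userauth-request for user tpardike service ssh-connection
method none
debug1: attempt 0 failures 0
Failed none for tpardike from 127.0.0.1 port 65029 ssh2
debug1: userauth-request for user tpardike service ssh-connection
method keyboard-interactive
debug1: attempt 1 failures 1
Postponed keyboard-interactive for tpardike from 127.0.0.1 port 65029
ssh2
Postponed keyboard-interactive/pam for tpardike from 127.0.0.1 port
65029 ssh2
debug3: do_pam_account: pam_acct_mgmt = 0
Accepted keyboard-interactive/pam for tpardike from 127.0.0.1 port
65029 ssh2
"""

# Client request lines: one per authentication method the client tried.
REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
# Server verdict lines; "illegal user" is the prefix seen in the syslog excerpt.
RESULT = re.compile(
    r"\b(Accepted|Failed|Postponed) (\S+) for (?:illegal user )?(\S+) "
    r"from (\S+) port (\d+)"
)


def summarize_auth(log_text):
    """Summarise authentication attempts in sshd debug output."""
    # Collapse all whitespace so entries wrapped by a mailer match again.
    flat = " ".join(log_text.split())
    requested = [m.group(2) for m in REQUEST.finditer(flat)]
    results = [(m.group(1), m.group(2)) for m in RESULT.finditer(flat)]
    return {
        "requested": requested,
        "results": results,
        "accepted": [meth for verdict, meth in results if verdict == "Accepted"],
        "publickey_attempted": "publickey" in requested,
    }


if __name__ == "__main__":
    for key, value in summarize_auth(SAMPLE).items():
        print(f"{key}: {value}")
```

On this excerpt the summary lists only `none` and `keyboard-interactive` as requested methods, with `keyboard-interactive/pam` accepted, so the server-side trace contains no `publickey` request.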
    
