OpenSSH denying connections from some networks
From: Adam Theo (adamtheo_at_new.theoretic.com)
Date: 01/04/04
Date: Sun, 4 Jan 2004 02:01:50 +0000
To: secureshell@securityfocus.com
Hello, all.
I had OpenSSH working fine except for connecting to LDAP through PAM,
but now another problem has started up.
I used to be able to connect from my work, but now I'm being denied, and
I have to log into another server from work, and then ssh over to the
intended server in order to get in. I have only been messing around with
the OpenSSH config files, nothing directly with PAM. All attempts to
reverse these config changes have not made the situation better.
Unfortunately, while I'm learning a lot about system admin, I still have
little idea about OpenSSH and debugging PAM. Any help would be
appreciated. Thanks.
Here are the logs from using the proxy server:
Jan 4 01:52:10 new sshd[3751]: debug1: server_input_channel_req:
channel 0 request shell reply 0
Jan 4 01:52:10 new sshd[3751]: debug1: session_by_channel: session 0
channel 0
Jan 4 01:52:10 new sshd[3751]: debug1: session_input_channel_req:
session 0 req shell
Jan 4 01:52:10 new sshd[3751]: debug1: PAM: setting PAM_TTY to
"/dev/pts/2"
Jan 4 01:52:10 new sshd[3751]: debug1: PAM: establishing credentials
Jan 4 01:52:10 new sshd[3751]: debug2: fd 4 setting TCP_NODELAY
Jan 4 01:52:10 new sshd[3751]: debug2: channel 0: rfd 8 isatty
Jan 4 01:52:10 new sshd[3751]: debug2: fd 8 setting O_NONBLOCK
Jan 4 01:52:10 new sshd[3751]: debug2: fd 7 is O_NONBLOCK
Jan 4 01:52:10 new sshd[3754]: debug1: Setting controlling tty using
TIOCSCTTY.
Jan 4 01:52:10 new sshd(pam_unix)[3754]: session opened for user root
by root(uid=0)
Jan 4 01:52:10 new sshd[3754]: debug1: PAM: reinitializing credentials
Jan 4 01:52:10 new sshd[3754]: debug1: permanently_set_uid: 0/0
Jan 4 01:52:10 new sshd[3754]: debug1: PAM: retrieving environment
Jan 4 01:52:10 new sshd[3754]: debug3: channel 0: close_fds r -1 w -1 e
-1
Jan 4 01:52:13 new sshd[3709]: debug2: channel 0: rcvd adjust 32774
And here are the debug logs from trying to log in from work directly:
Jan 4 01:47:24 new sshd[3744]: Connection from ::ffff:68.240.34.230
port 37299
Jan 4 01:47:24 new sshd[2629]: debug1: Forked child 3744.
Jan 4 01:47:24 new sshd[3744]: debug1: Client protocol version 1.5;
client software version pilotSSH-1.0
Jan 4 01:47:24 new sshd[3744]: debug1: no match: pilotSSH-1.0
Jan 4 01:47:24 new sshd[3744]: debug1: Local version string
SSH-1.99-OpenSSH_3.7.1p2
Jan 4 01:47:24 new sshd[3744]: debug2: Network child is on pid 3745
Jan 4 01:47:24 new sshd[3744]: debug3: preauth child monitor started
Jan 4 01:47:24 new sshd[3744]: debug3: mm_request_receive entering
Jan 4 01:47:27 new sshd[3744]: debug3: monitor_read: checking request
28
Jan 4 01:47:27 new sshd[3744]: debug3: mm_request_send entering: type
29
Jan 4 01:47:27 new sshd[3744]: debug2: monitor_read: 28 used once,
disabling now
Jan 4 01:47:27 new sshd[3744]: debug3: mm_request_receive entering
Jan 4 01:47:27 new sshd[3744]: debug3: monitor_read: checking request
30
Jan 4 01:47:27 new sshd[3744]: debug3: mm_answer_sessid entering
Jan 4 01:47:27 new sshd[3744]: debug2: monitor_read: 30 used once,
disabling now
Jan 4 01:47:27 new sshd[3744]: debug3: mm_request_receive entering
Jan 4 01:47:27 new sshd[3744]: debug3: monitor_read: checking request 6
Jan 4 01:47:27 new sshd[3744]: debug3: mm_answer_pwnamallow
Jan 4 01:47:27 new sshd[3744]: debug3: mm_answer_pwnamallow: sending
MONITOR_ANS_PWNAM: 1
Jan 4 01:47:27 new sshd[3744]: debug3: mm_request_send entering: type 7
Jan 4 01:47:27 new sshd[3744]: debug2: monitor_read: 6 used once,
disabling now
Jan 4 01:47:27 new sshd[3744]: debug3: mm_request_receive entering
Jan 4 01:47:27 new sshd[3744]: debug3: monitor_read: checking request
43
Jan 4 01:47:27 new sshd[3744]: debug1: PAM: initializing for "root"
Jan 4 01:47:27 new sshd[3744]: debug3: Trying to reverse map address
68.240.34.230.
Jan 4 01:47:33 new sshd[3744]: debug1: PAM: setting PAM_RHOST to
"014-220-039.area5.spcsdns.net"
Jan 4 01:47:33 new sshd[3744]: debug1: PAM: setting PAM_TTY to "ssh"
Jan 4 01:47:33 new sshd[3744]: debug2: monitor_read: 43 used once,
disabling now
Jan 4 01:47:33 new sshd[3744]: debug3: mm_request_receive entering
I notice that when logging in directly from work, sshd sets PAM_TTY to
"ssh", but sets it to "/dev/pts/2" when logging in via the proxy. Does
this have anything to do with it?