Assistance with OpenSSH build/config on Red Hat 7.2

From: Brian (brianm_at_fsg1.nws.noaa.gov)
Date: 02/13/04

    Date: Fri, 13 Feb 2004 11:20:32 -0500
    To:  brianm@fsg1.nws.noaa.gov
    
    

    Hello Folks!
       I've been working with OpenSSH for several years now and find it
    incredibly useful! Typically, installs and source builds go fairly
    smoothly, but I've run into a snag on a Red Hat 7.2 workstation. If you
    have any hints or ideas, please let me know! I have Googled and searched
    OpenSSH mail archives at length but have not found the solution yet.

       Project requirements mandate that we run a locally built version of
    OpenSSH in /usr/local/openssh.

       This RH7.2 host is fully patched with the latest Redhat security
    errata RPM releases and has the following RPMs installed:

    openssl-perl-0.9.6b-35.7
    openssl096-0.9.6-23.7
    openssl095a-0.9.5a-23.7.3
    openssl-0.9.6b-35.7
    openssl-devel-0.9.6b-35.7
    openssh-server-3.1p1-14
    openssh-askpass-3.1p1-14
    openssh-askpass-gnome-3.1p1-14
    openssh-clients-3.1p1-14
    openssh-3.1p1-14
    zlib-1.1.4-8.7x

       I cannot remove the installed OpenSSH RPMs due to project
    requirements, however, editing PATH and custom start-up scripts, we want
    to call:
       /usr/local/openssh/sbin/sshd -f /usr/local/openssh/etc/sshd_config

       Interestingly, if I manually call the RPM provided sshd, users can
    connect and authenticate fine. So I know NIS and OpenSSH and regular
    user accounts can work fine on this computer, I just haven't been able
    to pinpoint the build parameters or system configuration details that
    allow the RPM version to work but prevent the source built version from
    working correctly.

       I built and installed openssh-3.7.1p2 and the ssh client works for
    connecting to other hosts. Users cannot connect in to this host's sshd
    daemon remotely or via the loop back address. Root CAN connect via ssh.

       The system is part of an NIS group and regular users can successfully
    telnet, authenticate, and connect to the system.

       When they try to connect via ssh, they get a password prompt and
    then, after carefully typing their correct password, get the following
    error message:
       Permission denied, please try again.

       If users set up public key authentication, so that they are not
    prompted for a password, they CAN successfully connect via sshd. So this
    problem seems to be keyboard-interactive password login related.

       Here is the sshd -ddd output from the previously mentioned failed
    user connection attempt:

    [...]
    debug1: attempt 2 failures 2
    debug2: input_userauth_request: try method keyboard-interactive
    debug1: keyboard-interactive devs
    debug1: auth2_challenge: user=beetle devs=
    debug1: kbdint_alloc: devices ''
    debug2: auth2_challenge_start: devices
    Failed keyboard-interactive for beetle from 192.168.1.103 port 57168 ssh2

    debug1: userauth-request for user beetle service ssh-connection method password
    debug1: attempt 3 failures 3
    debug2: input_userauth_request: try method password
    debug3: mm_auth_password entering
    debug3: mm_request_send entering: type 10
    debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
    debug3: mm_request_receive_expect entering: type 11
    debug3: mm_request_receive entering
    debug3: monitor_read: checking request 10
    debug3: mm_answer_authpassword: sending result 0
    debug3: mm_request_send entering: type 11
    Failed password for beetle from 192.168.1.103 port 57168 ssh2
    debug3: mm_request_receive entering
    debug3: mm_auth_password: user not authenticated
    Failed password for beetle from 192.168.1.103 port 57168 ssh2

    Here are some things I've already checked/tried:
       - /etc/pam.d/sshd is identical to the openssh-3.7.1p2 provided
    contrib/redhat/sshd.pam version
       - Building --with-pam
       - Building --without-pam --with-md5-passwords
       - This seems NIS related, if I create a new user in the local
    /etc/password file and set the password, I am able to connect to this
    host via ssh with that user id and password.

    I'm just about out of ideas. If you have any experience with this issue,
    please let me know.

    Thanks a bunch!
       Brian
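
An added example, not part of the original post: a small triage script that groups `sshd -ddd` lines like those quoted above into one record per authentication attempt and flags the two signals visible in the excerpt (an empty keyboard-interactive device list, and a monitor password result of 0). The function name `triage` and the record fields are choices made for this example.

```python
import re

# Lines copied from the sshd -ddd excerpt in the post (mail-wrapped lines rejoined).
SAMPLE = """\
debug2: input_userauth_request: try method keyboard-interactive
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for beetle from 192.168.1.103 port 57168 ssh2
debug2: input_userauth_request: try method password
debug3: mm_answer_authpassword: sending result 0
Failed password for beetle from 192.168.1.103 port 57168 ssh2
debug3: mm_auth_password: user not authenticated
Failed password for beetle from 192.168.1.103 port 57168 ssh2
"""

RESULT = re.compile(r"(Failed|Accepted) (\S+) for "
                    r"(?:(?:invalid|illegal) user )?(\S+) from (\S+)")

def triage(log):
    """Return one dict per authentication attempt found in sshd debug output."""
    attempts, cur = [], None
    for line in log.splitlines():
        line = line.strip()
        if m := re.search(r"input_userauth_request: try method (\S+)", line):
            cur = {"method": m[1], "devices": None, "monitor_result": None,
                   "outcome": None, "finding": None}
            attempts.append(cur)
        elif cur is None:
            continue  # ignore anything before the first attempt
        elif m := re.search(r"kbdint_alloc: devices '([^']*)'", line):
            cur["devices"] = [d for d in m[1].split(",") if d]
        elif m := re.search(r"mm_answer_authpassword: sending result (\d+)", line):
            cur["monitor_result"] = int(m[1])
        elif m := RESULT.match(line):
            # With privilege separation the same failure is logged twice;
            # later duplicates simply overwrite the same fields.
            if m[2].startswith(cur["method"]):
                cur.update(outcome=m[1].lower(), user=m[3], source=m[4])
    for a in attempts:
        if a["method"] == "keyboard-interactive" and a["devices"] == []:
            a["finding"] = "no keyboard-interactive device available in this sshd"
        elif a["method"] == "password" and a["monitor_result"] == 0:
            a["finding"] = "privileged monitor rejected the password check"
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a["method"], a["outcome"], "-", a["finding"])
```

Both findings point at the server-side credential check rather than the network path or the client, which fits the observation in the post that locally defined accounts can log in with a password.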

