OpenSSH 3.8p1 Privilege Separation and "connection closed" error at KEXINIT
From: Val (vbaranov_at_nc.rr.com)
Date: 03/30/04
- Next message: Shampoo: "National security backdoor."
- Previous message: Mark Riemann: "Re: putty and ssh_init problem"
- Next in thread: Darren Tucker: "Re: OpenSSH 3.8p1 Privilege Separation and "connection closed" error at KEXINIT"
- Reply: Darren Tucker: "Re: OpenSSH 3.8p1 Privilege Separation and "connection closed" error at KEXINIT"
- Reply: Nico Kadel-Garcia: "Re: OpenSSH 3.8p1 Privilege Separation and "connection closed" error at KEXINIT"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Mar 2004 19:12:24 GMT
Hi All!
I'm experiecing a problem on AIX 4.3.3 ML11 with OpenSSH 3.8p1 compiled with
all the default flags, the "prefix" ONLY has been defined as
"/usr/local/openssh":
If enable "PrivilegeSeparation" to "yes", the session ends with an error.
With "Privilege Separation no" everything works normal. "sshd" user has all
the attributes required, home directory is "/var/empty", and shell is
"/usr/bin/false" (chown root:sys /var/empty; chmod 755 /var/empty); the only
member of "sshd" group is "sshd" user; both private and public keys are in
place for participating user IDs, and premissions on "./ssh" directory and
all the files underneath are correct. Below is the output from both client
and server side - evidently, the reply didn't received while sending
SSH2_MSG_KEXINIT (wait approx. 2 seconds at this point until closing
connection).
Does anybody have an idea what's wrong (permissions? ownership? what else?)
and how to fix it? Txs.
____________________________________________________________
# ssh -vvv -p 2022 anywhere
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /usr/local/openssh/etc/ssh_config
debug3: Seeding PRNG from /usr/local/openssh/libexec/ssh-rand-helper
debug2: ssh_connect: needpriv 0
debug1: Connecting to anywhere [169.205.106.119] port 22.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug3: Not a RSA1 key file /.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8p1
debug1: match: OpenSSH_3.8p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent (no reply - !!!!!!!!!!!!!)
Connection closed by 10.1.1.23
# ./sshd -ddd -p 2022
debug3: Seeding PRNG from /usr/local/openssh/libexec/ssh-rand-helper
debug2: read_server_config: filename /usr/local/openssh/etc/sshd_config
debug1: sshd version OpenSSH_3.8p1
debug3: Not a RSA1 key file /usr/local/openssh/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /usr/local/openssh/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 2022 on 0.0.0.0.
Server listening on 0.0.0.0 port 2022.
debug1: Server will not fork when running in debugging mode.
Connection from 169.205.101.219 port 34340
debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug2: Network child is on pid 30772
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 202:343
debug1: permanently_set_uid: 202/343
debug1: do_cleanup
__________________________________________________________
SSHD Config:
# cat sshd_config
# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /usr/local/openssh/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/openssh/etc/ssh_host_rsa_key
#HostKey /usr/local/openssh/etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in
/usr/local/openssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
#UsePAM no
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /usr/local/openssh/etc/sshd.pid
#MaxStartups 10
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/local/openssh/libexec/sftp-server
- Next message: Shampoo: "National security backdoor."
- Previous message: Mark Riemann: "Re: putty and ssh_init problem"
- Next in thread: Darren Tucker: "Re: OpenSSH 3.8p1 Privilege Separation and "connection closed" error at KEXINIT"
- Reply: Darren Tucker: "Re: OpenSSH 3.8p1 Privilege Separation and "connection closed" error at KEXINIT"
- Reply: Nico Kadel-Garcia: "Re: OpenSSH 3.8p1 Privilege Separation and "connection closed" error at KEXINIT"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
