Re: OpenSSH 3.8p1 Privilege Separation and "connection closed" error at KEXINIT

From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 03/31/04
Date: Wed, 31 Mar 2004 09:03:17 -0500

"Val" <vbaranov@nc.rr.com> wrote in message
news:sEjac.1364$w84.157385@twister.southeast.rr.com...
> Hi All!
>
> I'm experiencing a problem on AIX 4.3.3 ML11 with OpenSSH 3.8p1 compiled with
> all the default flags, the "prefix" ONLY has been defined as
> "/usr/local/openssh":
> If "PrivilegeSeparation" is enabled ("yes"), the session ends with an error.
> With "Privilege Separation no" everything works normally. "sshd" user has all
> the attributes required, home directory is "/var/empty", and shell is
> "/usr/bin/false" (chown root:sys /var/empty; chmod 755 /var/empty); the only
> member of "sshd" group is "sshd" user; both private and public keys are in
> place for participating user IDs, and permissions on "./ssh" directory and
> all the files underneath are correct. Below is the output from both client
> and server side - evidently, the reply wasn't received after sending
> SSH2_MSG_KEXINIT (wait approx. 2 seconds at this point until closing
> connection).
>
> Does anybody have an idea what's wrong (permissions? ownership? what else?)
> and how to fix it? Txs.
> ____________________________________________________________
>
> # ssh -vvv -p 2022 anywhere
> OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
> debug1: Reading configuration data /usr/local/openssh/etc/ssh_config
> debug3: Seeding PRNG from /usr/local/openssh/libexec/ssh-rand-helper
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to anywhere [169.205.106.119] port 22.
> debug1: Connection established.
> debug1: identity file /.ssh/identity type -1
> debug1: identity file /.ssh/id_rsa type -1
> debug3: Not a RSA1 key file /.ssh/id_dsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file /.ssh/id_dsa type 2
> debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8p1
> debug1: match: OpenSSH_3.8p1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.8p1
> debug3: RNG is ready, skipping seeding
> debug1: SSH2_MSG_KEXINIT sent (no reply - !!!!!!!!!!!!!)
> Connection closed by 10.1.1.23
>
> # ./sshd -ddd -p 2022
> debug3: Seeding PRNG from /usr/local/openssh/libexec/ssh-rand-helper
> debug2: read_server_config: filename /usr/local/openssh/etc/sshd_config
> debug1: sshd version OpenSSH_3.8p1
> debug3: Not a RSA1 key file /usr/local/openssh/etc/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug3: Not a RSA1 key file /usr/local/openssh/etc/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: Bind to port 2022 on 0.0.0.0.
> Server listening on 0.0.0.0 port 2022.
> debug1: Server will not fork when running in debugging mode.
> Connection from 169.205.101.219 port 34340
> debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1
> debug1: match: OpenSSH_3.5p1 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.8p1
> debug2: Network child is on pid 30772
> debug3: preauth child monitor started
> debug3: mm_request_receive entering
> debug3: privsep user:group 202:343
> debug1: permanently_set_uid: 202/343
> debug1: do_cleanup
> __________________________________________________________
>
> SSHD Config:
>
> # cat sshd_config
> # $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with
> PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
>
> #Port 22
> #Protocol 2,1
> Protocol 2
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> #HostKey /usr/local/openssh/etc/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /usr/local/openssh/etc/ssh_host_rsa_key
> #HostKey /usr/local/openssh/etc/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 768
>
> # Logging
> #obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 2m
> #PermitRootLogin yes
> #StrictModes yes
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
>
> # For this to work you will also need host keys in
> /usr/local/openssh/etc/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
>
> # Set this to 'yes' to enable PAM authentication (via challenge-response)
> # and session processing. Depending on your PAM configuration, this may
> # bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
> #UsePAM no
>
> #AllowTcpForwarding yes
> #GatewayPorts no
> X11Forwarding yes
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression yes
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #UseDNS yes
> #PidFile /usr/local/openssh/etc/sshd.pid
> #MaxStartups 10
>
> # no default banner path
> #Banner /some/path
>
> # override default of no subsystems
> Subsystem sftp /usr/local/openssh/libexec/sftp-server
>
>
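A portable shell check for the privilege-separation prerequisites the quoted post lists (an added example, not from this thread or from the OpenSSH project): it verifies that the privsep directory is a root-owned directory that is not group- or world-writable, and that the unprivileged sshd user exists with a shell that refuses logins. The directory /var/empty, the user sshd and the shell /usr/bin/false come from the post; the optional passwd-file argument is an assumption added so the checks can be exercised against a constructed file.

```shell
#!/bin/sh
# Added check script (not from the thread or from OpenSSH): verifies the
# privilege-separation prerequisites the post lists. ls -ld is used instead
# of stat(1) so the same script runs on AIX, BSD and GNU userlands.

# 0 if DIR is a directory with no group/other write bit set.
privsep_dir_mode_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    mode=$(ls -ld "$dir" | cut -c1-10)   # e.g. drwxr-xr-x
    case "$mode" in
        d????-??-?) return 0 ;;          # chars 6 and 9 are the write bits
        *) return 1 ;;
    esac
}

# 0 if DIR is owned by OWNER (root for sshd's privsep directory).
privsep_dir_owner_ok() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || return 1
    [ "$(ls -ld "$dir" | awk '{print $3}')" = "$owner" ]
}

# 0 if USER exists in PASSWD_FILE (default /etc/passwd) with a shell that
# refuses logins. The file argument is an assumption added for testing.
privsep_user_ok() {
    user=$1
    passwd=${2:-/etc/passwd}
    entry=$(grep "^$user:" "$passwd") || return 1
    case "$(printf '%s\n' "$entry" | cut -d: -f7)" in
        /usr/bin/false|/bin/false|/usr/sbin/nologin|/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every failing prerequisite; returns 1 if any check failed.
check_privsep() {
    dir=${1:-/var/empty}
    user=${2:-sshd}
    rc=0
    privsep_dir_mode_ok "$dir"       || { echo "FAIL: $dir missing or group/world-writable"; rc=1; }
    privsep_dir_owner_ok "$dir" root || { echo "FAIL: $dir is not owned by root"; rc=1; }
    privsep_user_ok "$user"          || { echo "FAIL: user $user missing or has a login shell"; rc=1; }
    return $rc
}

# Usage: sh privsep_check.sh /var/empty sshd
[ "$#" -gt 0 ] && check_privsep "$1" "${2:-sshd}"
```

A clean run prints nothing and exits 0; each FAIL line names one prerequisite from the post that does not hold on the host.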