Re: OpenSSH and

In article <1168545415.674920.181610@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> "Dave
Isaacs" <dave.isaacs@xxxxxxxxx> writes:
I am running RedHat EL3 with OpenSSH OpenSSH_3.6.1p2.

That is a pretty ancient version, but it might work...

But for OpenSSH, this is not what is happening. When I try to ssh into
the computer, I get

# ssh tucker@xxxxxxxxxxx
tucker@xxxxxxxxxxx's password:
Permission denied, please try again.
tucker@xxxxxxxxxxx's password:

If I look at the /var/log/security file, I find
Jan 10 11:30:36 dpiems sshd[23804]: Failed password for tucker from port 35617 ssh ^^^^^^^^

This indicates that password authentication was attempted.

By looking at the logs on my RADIUS server, I can see that the password
is being successfully authenticated, and then a second-factor challenge
is being sent. It appears as if sshd is (1) not displaying the second
factor authentication to the user, and (2) responding to the challenge
with some other piece of information. This of course fails, and the
RADIUS server tries again 2 more times before giving up.

Right, see my post the other day about the difference between password
and keyboard-interactive authentication, and how sshd tries to map the
non-interactiveness of password to the interactiveness of PAM.

I then discovered the PAMAuthenticationViaKbdInt entry in the
sshd_config file, and set it to yes (it was commented out previously)
and restarted the sshd service.

This option doesn't exist in current versions (probably replaced by the
combination of ChallengeResponseAuthentication and UsePAM), but you will
most likely need it on. However as a general principle (and mentioned at
the top of your file), as shipped the OpenSSH config files have the
default settings, but commented out - i.e. uncommenting an option
without changing it should be a no-op. If in doubt, consult the man page
(and hope that your Linux distributor hasn't changed the code w/o
changing the man page, which unfortunately is common among them).

This made no difference.

If it made no difference *at all*, i.e. the log still says "Failed
password", the most likely problem is that your SSH *client* isn't
*attempting* keyboard-interactive authentication. The server can't force
it to... The format of the prompt above is another hint in that

$ ssh -o PreferredAuthentications=password somehost
per@somehost's password:

$ ssh -o PreferredAuthentications=keyboard-interactive somehost

If your OpenSSH client is as old as the server, I'm not sure if it has
the PreferredAuthentications option, otherwise you can obviously try the
second variant above - and then update your ssh_config or
~/.ssh/config. Another possibility may be to disallow password
authentication on the server - your sshd_config seems to indicate that
PasswordAuthentication has the default value of 'no', but it's pretty
mangled by your news-posting program, and the comment above it doesn't
make sense - plus of course all the evidence from your failed attempts
indicate that it is *not* disabled.

--Per Hedeland


Relevant Pages

  • Slow sftp transfer speed vs ftp
    ... with Solaris 9) I am transfering at 300 kb/sec. ... on both client and server. ... # The sshd shipped in this release of Solaris has support for major versions ... # Banner to be printed before authentication starts. ...
  • Re: Trouble with X11 over SSH on Mandriva 2010.0
    ... If next clean install/update causes ssh to break, ... installed the sshd daemon/service package (OpenSSH Server) on the server. ... correct values for client and server. ...
  • remote administration of upgrades
    ... server that I administer runs FreeBSD 4.8, ... have ssh access to ... don't want to fubar sshd and then not be able to ... kill only the ...
  • Re: ssh going zombie
    ... on the server kill the ssh server then restart it with the -d flag to put ... it into debug mode. ... and the ssh process hogs the processor on the server. ... subprocess is removed from the sshd config file the a sub sshd process ...
  • RE: sshd / ssh setup
    ... USA server and his windows/xp notebook to use SSH. ... followed sshd instruction and built ... and require users to submit keys. ...