From owner-freebsd-questions Mon Mar 17 8:38:34 2003 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A7EF937B401 for ; Mon, 17 Mar 2003 08:38:27 -0800 (PST) Received: from mx1.clickcom.com (mx2.clickcom.com [209.198.22.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id CF40043F3F for ; Mon, 17 Mar 2003 08:38:24 -0800 (PST) (envelope-from jsmailing@clickcom.com) Received: from aesop (calefaction.clickcom.com [209.198.22.19]) by mx1.clickcom.com (email) with ESMTP id 2CA2FCB2EF for ; Mon, 17 Mar 2003 11:38:24 -0500 (EST) From: "John Straiton" To: Subject: SSH woes Date: Mon, 17 Mar 2003 11:33:09 -0500 Message-ID: <001d01c2eca2$e82410d0$1916c60a@win2k.clickcom.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG I continue to have problems with SSH authentication. The behavior is outside the normal I'm used to. Here's what's going on: I'm trying to ssh from MACHINE1 to MACHINE2 as user "testuser". Now here's the funny thing: > su Password: MACHINE1# ssh 209.198.xxx.xxx -l testuser Password: Last login: Mon Mar 17 11:17:05 2003 from chasm Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 The Regents of the University of California. All rights reserved. > Now on the same machine: >exit #su testuser %ssh 209.198.xxx.xxx Permission denied, please try again. Permission denied, please try again. Permission denied (publickey,password,keyboard-interactive). % Why in the world would the login prompted for a password when I'm as root specifying a login, and then I wouldn't even be prompted for a password when I'm su'ed as the user? I thought at first maybe it was because this account *used to* auto-login, however if you look at the remote machine's /home/testuser/.ssh directory, it's empty (ie , no authorized_keys). On the client machine, it's only got "known_hosts" in there. Thoughts? I'm attaching the verbose debug for the client side as the user & as root John Straiton jks@clickcom.com Clickcom, Inc 704-365-9970x101 %ssh -vvv MACHINE2 OpenSSH_3.5p1 FreeBSD-20021029, SSH protocols 1.5/2.0, OpenSSL 0x0090607f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug3: cipher ok: aes128-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- cbc] debug3: cipher ok: 3des-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- cbc] debug3: cipher ok: blowfish-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- cbc] debug3: cipher ok: cast128-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- cbc] debug3: cipher ok: arcfour [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- cbc] debug3: cipher ok: aes192-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- cbc] debug3: cipher ok: aes256-cbc [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- cbc] debug3: ciphers ok: [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256- cbc] debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to MACHINE2 [209.198.xxx.xxx] port 22. debug1: Connection established. debug1: identity file /home/testuser/.ssh/identity type -1 debug1: identity file /home/testuser/.ssh/id_rsa type -1 debug1: identity file /home/testuser/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1 FreeBSD-20030201 debug1: match: OpenSSH_3.5p1 FreeBSD-20030201 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.5p1 FreeBSD-20021029 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-dss,ssh-rsa debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-c bc debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-c bc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-9 6,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-9 6,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-c bc,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-c bc,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-9 6,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-9 6,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 133/256 debug1: bits set: 1630/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/testuser/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug1: Host '209.198.xxx.xxx' is known and matches the DSA host key. debug1: Found key in /home/testuser/.ssh/known_hosts:1 debug1: bits set: 1566/3191 debug1: ssh_dss_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug1: try privkey: /home/testuser/.ssh/identity debug3: no such identity: /home/testuser/.ssh/identity debug1: try privkey: /home/testuser/.ssh/id_rsa debug3: no such identity: /home/testuser/.ssh/id_rsa debug1: try privkey: /home/testuser/.ssh/id_dsa debug3: no such identity: /home/testuser/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup keyboard-interactive debug3: remaining preferred: password debug3: authmethod_is_enabled keyboard-interactive debug1: next auth method to try is keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64) debug1: authentications that can continue: publickey,password,keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64) debug1: authentications that can continue: publickey,password,keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64) debug1: authentications that can continue: publickey,password,keyboard-interactive debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: debug3: authmethod_is_enabled password debug1: next auth method to try is password debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: authentications that can continue: publickey,password,keyboard-interactive Permission denied, please try again. debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: authentications that can continue: publickey,password,keyboard-interactive Permission denied, please try again. debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64) debug2: we sent a password packet, wait for reply debug1: authentications that can continue: publickey,password,keyboard-interactive debug2: we did not send a packet, disable method debug1: no more auth methods to try Permission denied (publickey,password,keyboard-interactive). debug1: Calling cleanup 0x804c704(0x0) % I'll just show where it gets interesting on this one: #ssh -vvv 209.198.xxx.xxx -l testuser debug1: authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug1: try privkey: /root/.ssh/identity debug3: no such identity: /root/.ssh/identity debug1: try privkey: /root/.ssh/id_rsa debug3: no such identity: /root/.ssh/id_rsa debug1: try privkey: /root/.ssh/id_dsa debug3: no such identity: /root/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup keyboard-interactive debug3: remaining preferred: password debug3: authmethod_is_enabled keyboard-interactive debug1: next auth method to try is keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 1 Password: debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64) debug2: input_userauth_info_req debug2: input_userauth_info_req: num_prompts 0 debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64) debug1: ssh-userauth2 successful: method keyboard-interactive debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug1: send channel open 0 debug1: Entering interactive session. debug2: callback start debug1: ssh_session2_setup: id 0 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message