Date: Mon, 17 Mar 2003 14:14:28 -0500 From: "John Straiton" <jsmailing@clickcom.com> To: <freebsd-questions@FreeBSD.ORG> Subject: RE: SSH woes Message-ID: <004c01c2ecb9$7174a550$1916c60a@win2k.clickcom.com> In-Reply-To: <001d01c2eca2$e82410d0$1916c60a@win2k.clickcom.com>
next in thread | previous in thread | raw e-mail | index | archive | help
(Problem solved, still confused as to why it didn't work)
As a follow up to my own post, I created a new user "testing" and tried
this thing again. The user "testing" has never existed in the past
however after adding this user to both machines, then copying
/root/.ssh/known_hosts to /home/testing/.ssh/ then doing a
# su testing
% ssh 209.198.xxx.xxx
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password,keyboard-interactive).
$
Again, no prompting for password. So I tried something else:
# ssh localhost -l testuser
Password:
Last login: Mon Mar 17 13:31:08 2003 from MYWORKSTATION
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights
reserved.
FreeBSD 5.0-RELEASE (MACHINE1) #0: Sun Mar 16 21:05:33 EST 2003 %ssh
209.198.xxx.xxx Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993,
1994
The Regents of the University of California. All rights
reserved.
FreeBSD 4.8-RC (MACHINE2) #0: Sun Mar 16 21:05:33 EST 2003
%
WOW! It works, but not if I # su testuser, only if I'm truly logged in
as that user. I figured then it must be some enviroment variable that's
getting set but the difference between the logged in enviroment vs the
su'ed enviroment is as follows:
+LOGNAME=testuser
-LOGNAME=jks
+GROUP=testuser
-GROUP=unknown
Doesn't look like enough to keep the connection from working. When root
connects the GROUP is set to unkown as well. Then I tried
#su - testuser
%env
And got the same results as when I logged in via ssh (as shown above).
So basically what this is telling me was that I fixed the problem long
ago but my use of su username for testing as opposed to acutally logging
in as that user has kept it from working all this time. *sigh* Talk
about chasing my own tail...
I still don't understand why even doing a
#su - testuser
Doesn't work, but it's now my curiosity feeding further research as
opposed to necessity.
John Straiton
jks@clickcom.com
Clickcom, Inc
704-365-9970x101
> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of
> John Straiton
> Sent: Monday, March 17, 2003 11:33 AM
> To: freebsd-questions@FreeBSD.ORG
> Subject: SSH woes
>
>
> I continue to have problems with SSH authentication. The behavior is
> outside the normal I'm used to. Here's what's going on:
>
> I'm trying to ssh from MACHINE1 to MACHINE2 as user "testuser".
>
> Now here's the funny thing:
> > su
> Password:
> MACHINE1# ssh 209.198.xxx.xxx -l testuser
> Password:
> Last login: Mon Mar 17 11:17:05 2003 from chasm
> Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
> The Regents of the University of California. All rights
> reserved.
> >
>
> Now on the same machine:
> >exit
> #su testuser
> %ssh 209.198.xxx.xxx
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,password,keyboard-interactive).
> %
>
> Why in the world would the login prompted for a password when I'm as
> root specifying a login, and then I wouldn't even be prompted for a
> password when I'm su'ed as the user?
>
> I thought at first maybe it was because this account *used
> to* auto-login, however if you look at the remote machine's
> /home/testuser/.ssh directory, it's empty (ie , no
> authorized_keys). On the client machine, it's only got
> "known_hosts" in there.
>
> Thoughts? I'm attaching the verbose debug for the client side as the
> user & as root
>
> John Straiton
> jks@clickcom.com
> Clickcom, Inc
> 704-365-9970x101
>
>
>
>
>
> %ssh -vvv MACHINE2
> OpenSSH_3.5p1 FreeBSD-20021029, SSH protocols 1.5/2.0, OpenSSL
> 0x0090607f
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug3: cipher ok: aes128-cbc
> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c
> bc,aes256-
> cbc]
> debug3: cipher ok: 3des-cbc
> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c
> bc,aes256-
> cbc]
> debug3: cipher ok: blowfish-cbc
> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c
> bc,aes256-
> cbc]
> debug3: cipher ok: cast128-cbc
> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c
> bc,aes256-
> cbc]
> debug3: cipher ok: arcfour
> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c
> bc,aes256-
> cbc]
> debug3: cipher ok: aes192-cbc
> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c
> bc,aes256-
> cbc]
> debug3: cipher ok: aes256-cbc
> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c
> bc,aes256-
> cbc]
> debug3: ciphers ok:
> [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c
> bc,aes256-
> cbc]
> debug1: Rhosts Authentication disabled, originating port will
> not be trusted.
> debug1: ssh_connect: needpriv 0
> debug1: Connecting to MACHINE2 [209.198.xxx.xxx] port 22.
> debug1: Connection established.
> debug1: identity file /home/testuser/.ssh/identity type -1
> debug1: identity file /home/testuser/.ssh/id_rsa type -1
> debug1: identity file /home/testuser/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version
> OpenSSH_3.5p1 FreeBSD-20030201
> debug1: match: OpenSSH_3.5p1 FreeBSD-20030201 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.5p1 FreeBSD-20021029
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cb
> c,aes256-c
> bc
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cb
> c,aes256-c
> bc
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,h
> mac-sha1-9
> 6,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,h
> mac-sha1-9
> 6,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cb
> c,aes256-c
> bc,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cb
> c,aes256-c
> bc,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,h
> mac-sha1-9
> 6,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,h
> mac-sha1-9
> 6,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: dh_gen_key: priv key bits set: 133/256
> debug1: bits set: 1630/3191
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename
> /home/testuser/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug1: Host '209.198.xxx.xxx' is known and matches the DSA host key.
> debug1: Found key in /home/testuser/.ssh/known_hosts:1
> debug1: bits set: 1566/3191
> debug1: ssh_dss_verify: signature correct
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> debug3: start over, passed a different list
> publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug1: try privkey: /home/testuser/.ssh/identity
> debug3: no such identity: /home/testuser/.ssh/identity
> debug1: try privkey: /home/testuser/.ssh/id_rsa
> debug3: no such identity: /home/testuser/.ssh/id_rsa
> debug1: try privkey: /home/testuser/.ssh/id_dsa
> debug3: no such identity: /home/testuser/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: next auth method to try is keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64)
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred:
> debug3: authmethod_is_enabled password
> debug1: next auth method to try is password
> debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64)
> debug2: we sent a password packet, wait for reply
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> Permission denied, please try again.
> debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64)
> debug2: we sent a password packet, wait for reply
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> Permission denied, please try again.
> debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64)
> debug2: we sent a password packet, wait for reply
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug1: no more auth methods to try
> Permission denied (publickey,password,keyboard-interactive).
> debug1: Calling cleanup 0x804c704(0x0)
> %
>
> I'll just show where it gets interesting on this one:
>
> #ssh -vvv 209.198.xxx.xxx -l testuser
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive
> debug3: start over, passed a different list
> publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: next auth method to try is publickey
> debug1: try privkey: /root/.ssh/identity
> debug3: no such identity: /root/.ssh/identity
> debug1: try privkey: /root/.ssh/id_rsa
> debug3: no such identity: /root/.ssh/id_rsa
> debug1: try privkey: /root/.ssh/id_dsa
> debug3: no such identity: /root/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: next auth method to try is keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password:
> debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 0
> debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
> debug1: ssh-userauth2 successful: method keyboard-interactive
> debug1: channel 0: new [client-session]
> debug3: ssh_session2_open: channel_new: 0
> debug1: send channel open 0
> debug1: Entering interactive session.
> debug2: callback start
> debug1: ssh_session2_setup: id 0
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
>
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?004c01c2ecb9$7174a550$1916c60a>