From owner-freebsd-questions Mon Mar 17 11:20: 1 2003 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2BB4A37B401 for ; Mon, 17 Mar 2003 11:19:52 -0800 (PST) Received: from mx1.clickcom.com (mx2.clickcom.com [209.198.22.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id B3B0243F75 for ; Mon, 17 Mar 2003 11:19:49 -0800 (PST) (envelope-from jsmailing@clickcom.com) Received: from aesop (calefaction.clickcom.com [209.198.22.19]) by mx1.clickcom.com (email) with ESMTP id 3BDD655C4F for ; Mon, 17 Mar 2003 14:19:49 -0500 (EST) From: "John Straiton" To: Subject: RE: SSH woes Date: Mon, 17 Mar 2003 14:14:28 -0500 Message-ID: <004c01c2ecb9$7174a550$1916c60a@win2k.clickcom.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 In-Reply-To: <001d01c2eca2$e82410d0$1916c60a@win2k.clickcom.com> Importance: Normal Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG (Problem solved, still confused as to why it didn't work) As a follow up to my own post, I created a new user "testing" and tried this thing again. The user "testing" has never existed in the past however after adding this user to both machines, then copying /root/.ssh/known_hosts to /home/testing/.ssh/ then doing a # su testing % ssh 209.198.xxx.xxx Permission denied, please try again. Permission denied, please try again. Permission denied (publickey,password,keyboard-interactive). $ Again, no prompting for password. So I tried something else: # ssh localhost -l testuser Password: Last login: Mon Mar 17 13:31:08 2003 from MYWORKSTATION Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 5.0-RELEASE (MACHINE1) #0: Sun Mar 16 21:05:33 EST 2003 %ssh 209.198.xxx.xxx Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 4.8-RC (MACHINE2) #0: Sun Mar 16 21:05:33 EST 2003 % WOW! It works, but not if I # su testuser, only if I'm truly logged in as that user. I figured then it must be some enviroment variable that's getting set but the difference between the logged in enviroment vs the su'ed enviroment is as follows: +LOGNAME=testuser -LOGNAME=jks +GROUP=testuser -GROUP=unknown Doesn't look like enough to keep the connection from working. When root connects the GROUP is set to unkown as well. Then I tried #su - testuser %env And got the same results as when I logged in via ssh (as shown above). So basically what this is telling me was that I fixed the problem long ago but my use of su username for testing as opposed to acutally logging in as that user has kept it from working all this time. *sigh* Talk about chasing my own tail... I still don't understand why even doing a #su - testuser Doesn't work, but it's now my curiosity feeding further research as opposed to necessity. John Straiton jks@clickcom.com Clickcom, Inc 704-365-9970x101 > -----Original Message----- > From: owner-freebsd-questions@FreeBSD.ORG > [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of > John Straiton > Sent: Monday, March 17, 2003 11:33 AM > To: freebsd-questions@FreeBSD.ORG > Subject: SSH woes > > > I continue to have problems with SSH authentication. The behavior is > outside the normal I'm used to. Here's what's going on: > > I'm trying to ssh from MACHINE1 to MACHINE2 as user "testuser". > > Now here's the funny thing: > > su > Password: > MACHINE1# ssh 209.198.xxx.xxx -l testuser > Password: > Last login: Mon Mar 17 11:17:05 2003 from chasm > Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 > The Regents of the University of California. All rights > reserved. > > > > Now on the same machine: > >exit > #su testuser > %ssh 209.198.xxx.xxx > Permission denied, please try again. > Permission denied, please try again. > Permission denied (publickey,password,keyboard-interactive). > % > > Why in the world would the login prompted for a password when I'm as > root specifying a login, and then I wouldn't even be prompted for a > password when I'm su'ed as the user? > > I thought at first maybe it was because this account *used > to* auto-login, however if you look at the remote machine's > /home/testuser/.ssh directory, it's empty (ie , no > authorized_keys). On the client machine, it's only got > "known_hosts" in there. > > Thoughts? I'm attaching the verbose debug for the client side as the > user & as root > > John Straiton > jks@clickcom.com > Clickcom, Inc > 704-365-9970x101 > > > > > > %ssh -vvv MACHINE2 > OpenSSH_3.5p1 FreeBSD-20021029, SSH protocols 1.5/2.0, OpenSSL > 0x0090607f > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Applying options for * > debug3: cipher ok: aes128-cbc > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > bc,aes256- > cbc] > debug3: cipher ok: 3des-cbc > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > bc,aes256- > cbc] > debug3: cipher ok: blowfish-cbc > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > bc,aes256- > cbc] > debug3: cipher ok: cast128-cbc > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > bc,aes256- > cbc] > debug3: cipher ok: arcfour > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > bc,aes256- > cbc] > debug3: cipher ok: aes192-cbc > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > bc,aes256- > cbc] > debug3: cipher ok: aes256-cbc > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > bc,aes256- > cbc] > debug3: ciphers ok: > [aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-c > bc,aes256- > cbc] > debug1: Rhosts Authentication disabled, originating port will > not be trusted. > debug1: ssh_connect: needpriv 0 > debug1: Connecting to MACHINE2 [209.198.xxx.xxx] port 22. > debug1: Connection established. > debug1: identity file /home/testuser/.ssh/identity type -1 > debug1: identity file /home/testuser/.ssh/id_rsa type -1 > debug1: identity file /home/testuser/.ssh/id_dsa type -1 > debug1: Remote protocol version 1.99, remote software version > OpenSSH_3.5p1 FreeBSD-20030201 > debug1: match: OpenSSH_3.5p1 FreeBSD-20030201 pat OpenSSH* > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_3.5p1 FreeBSD-20021029 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-dss,ssh-rsa > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cb > c,aes256-c > bc > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cb > c,aes256-c > bc > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,h > mac-sha1-9 > 6,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,h > mac-sha1-9 > 6,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib > debug2: kex_parse_kexinit: none,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 > debug2: kex_parse_kexinit: ssh-dss > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cb > c,aes256-c > bc,rijndael-cbc@lysator.liu.se > debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cb > c,aes256-c > bc,rijndael-cbc@lysator.liu.se > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,h > mac-sha1-9 > 6,hmac-md5-96 > debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,h > mac-sha1-9 > 6,hmac-md5-96 > debug2: kex_parse_kexinit: none,zlib > debug2: kex_parse_kexinit: none,zlib > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: > debug2: kex_parse_kexinit: first_kex_follows 0 > debug2: kex_parse_kexinit: reserved 0 > debug2: mac_init: found hmac-md5 > debug1: kex: server->client aes128-cbc hmac-md5 none > debug2: mac_init: found hmac-md5 > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug1: dh_gen_key: priv key bits set: 133/256 > debug1: bits set: 1630/3191 > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug3: check_host_in_hostfile: filename > /home/testuser/.ssh/known_hosts > debug3: check_host_in_hostfile: match line 1 > debug1: Host '209.198.xxx.xxx' is known and matches the DSA host key. > debug1: Found key in /home/testuser/.ssh/known_hosts:1 > debug1: bits set: 1566/3191 > debug1: ssh_dss_verify: signature correct > debug1: kex_derive_keys > debug1: newkeys: mode 1 > debug1: SSH2_MSG_NEWKEYS sent > debug1: waiting for SSH2_MSG_NEWKEYS > debug1: newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: done: ssh_kex2. > debug1: send SSH2_MSG_SERVICE_REQUEST > debug1: service_accept: ssh-userauth > debug1: got SSH2_MSG_SERVICE_ACCEPT > debug1: authentications that can continue: > publickey,password,keyboard-interactive > debug3: start over, passed a different list > publickey,password,keyboard-interactive > debug3: preferred publickey,keyboard-interactive,password > debug3: authmethod_lookup publickey > debug3: remaining preferred: keyboard-interactive,password > debug3: authmethod_is_enabled publickey > debug1: next auth method to try is publickey > debug1: try privkey: /home/testuser/.ssh/identity > debug3: no such identity: /home/testuser/.ssh/identity > debug1: try privkey: /home/testuser/.ssh/id_rsa > debug3: no such identity: /home/testuser/.ssh/id_rsa > debug1: try privkey: /home/testuser/.ssh/id_dsa > debug3: no such identity: /home/testuser/.ssh/id_dsa > debug2: we did not send a packet, disable method > debug3: authmethod_lookup keyboard-interactive > debug3: remaining preferred: password > debug3: authmethod_is_enabled keyboard-interactive > debug1: next auth method to try is keyboard-interactive > debug2: userauth_kbdint > debug2: we sent a keyboard-interactive packet, wait for reply > debug2: input_userauth_info_req > debug2: input_userauth_info_req: num_prompts 1 > debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64) > debug1: authentications that can continue: > publickey,password,keyboard-interactive > debug2: userauth_kbdint > debug2: we sent a keyboard-interactive packet, wait for reply > debug2: input_userauth_info_req > debug2: input_userauth_info_req: num_prompts 1 > debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64) > debug1: authentications that can continue: > publickey,password,keyboard-interactive > debug2: userauth_kbdint > debug2: we sent a keyboard-interactive packet, wait for reply > debug2: input_userauth_info_req > debug2: input_userauth_info_req: num_prompts 1 > debug3: packet_send2: adding 32 (len 14 padlen 18 extra_pad 64) > debug1: authentications that can continue: > publickey,password,keyboard-interactive > debug2: we did not send a packet, disable method > debug3: authmethod_lookup password > debug3: remaining preferred: > debug3: authmethod_is_enabled password > debug1: next auth method to try is password > debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64) > debug2: we sent a password packet, wait for reply > debug1: authentications that can continue: > publickey,password,keyboard-interactive > Permission denied, please try again. > debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64) > debug2: we sent a password packet, wait for reply > debug1: authentications that can continue: > publickey,password,keyboard-interactive > Permission denied, please try again. > debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64) > debug2: we sent a password packet, wait for reply > debug1: authentications that can continue: > publickey,password,keyboard-interactive > debug2: we did not send a packet, disable method > debug1: no more auth methods to try > Permission denied (publickey,password,keyboard-interactive). > debug1: Calling cleanup 0x804c704(0x0) > % > > I'll just show where it gets interesting on this one: > > #ssh -vvv 209.198.xxx.xxx -l testuser > debug1: authentications that can continue: > publickey,password,keyboard-interactive > debug3: start over, passed a different list > publickey,password,keyboard-interactive > debug3: preferred publickey,keyboard-interactive,password > debug3: authmethod_lookup publickey > debug3: remaining preferred: keyboard-interactive,password > debug3: authmethod_is_enabled publickey > debug1: next auth method to try is publickey > debug1: try privkey: /root/.ssh/identity > debug3: no such identity: /root/.ssh/identity > debug1: try privkey: /root/.ssh/id_rsa > debug3: no such identity: /root/.ssh/id_rsa > debug1: try privkey: /root/.ssh/id_dsa > debug3: no such identity: /root/.ssh/id_dsa > debug2: we did not send a packet, disable method > debug3: authmethod_lookup keyboard-interactive > debug3: remaining preferred: password > debug3: authmethod_is_enabled keyboard-interactive > debug1: next auth method to try is keyboard-interactive > debug2: userauth_kbdint > debug2: we sent a keyboard-interactive packet, wait for reply > debug2: input_userauth_info_req > debug2: input_userauth_info_req: num_prompts 1 > Password: > debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64) > debug2: input_userauth_info_req > debug2: input_userauth_info_req: num_prompts 0 > debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64) > debug1: ssh-userauth2 successful: method keyboard-interactive > debug1: channel 0: new [client-session] > debug3: ssh_session2_open: channel_new: 0 > debug1: send channel open 0 > debug1: Entering interactive session. > debug2: callback start > debug1: ssh_session2_setup: id 0 > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message