From owner-freebsd-stable Sat Dec 8 15:27:37 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from klima.physik.uni-mainz.de (klima.Physik.Uni-Mainz.DE [134.93.180.162]) by hub.freebsd.org (Postfix) with ESMTP id A81D237B417 for ; Sat, 8 Dec 2001 15:27:26 -0800 (PST)
Received: from klima.Physik.Uni-Mainz.DE (klima.Physik.Uni-Mainz.DE [134.93.180.162]) by klima.physik.uni-mainz.de (8.11.6/8.11.4) with ESMTP id fB8NRPX18390; Sun, 9 Dec 2001 00:27:25 +0100 (CET) (envelope-from ohartman@klima.physik.uni-mainz.de)
Date: Sun, 9 Dec 2001 00:27:25 +0100 (CET)
From: "Hartmann, O."
To: Harald Schmalzbauer
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: SSHD problems on P4
In-Reply-To: <1007848327.618.14.camel@adm01.belenus.com>
Message-ID: <20011209002215.O18147-100000@klima.physik.uni-mainz.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On 8 Dec 2001, Harald Schmalzbauer wrote:

Well, the file /etc/hosts.allow is a copy of the one we use on all the other
systems, but I checked it again and I tried a version with a first line like
ALL:ALL:allow, but that doesn't help. /etc/pam.conf is the original one we
all get with FreeBSD 4.4-STABLE and it is also an unchanged version like on
all the other systems. If it is buggy, it shouldn't work on all the other
machines, too.

Well, the point is: when connecting two working machines with ssh, I
definitely see an auth method, but this P4 system shows method: none
whenever I try to connect to it :-( I also have no clue at this moment :-(
I will recompile the whole FBSD with CPUTYPE=p4, then p3 and then with
nothing. The only CFLAGS option will be -O -pipe. Hope I'll get results
from doing that ...
Oliver

:>On Sat, 2001-12-08 at 22.07, Hartmann, O. wrote:
:>*snip*
:>> debug1: Found key in /homes/ohartman/.ssh/known_hosts2:9
:>> debug1: bits set: 1001/2049
:>> debug1: len 55 datafellows 0
:>> debug1: ssh_dss_verify: signature correct
:>> debug1: kex_derive_keys
:>> debug1: newkeys: mode 1
:>> debug1: SSH2_MSG_NEWKEYS sent
:>> debug1: waiting for SSH2_MSG_NEWKEYS
:>> debug1: newkeys: mode 0
:>> debug1: SSH2_MSG_NEWKEYS received
:>> debug1: done: ssh_kex2.
:>> debug1: send SSH2_MSG_SERVICE_REQUEST
:>> debug1: service_accept: ssh-userauth
:>> debug1: got SSH2_MSG_SERVICE_ACCEPT
:>
:>Ok: Problem is that the server doesn't know/suggest any authentication
:>mode. Watch /etc/pam.conf *. But this doesn't explain why it's not
:>accepting/trying PK. Probably missing .ssh in home? hosts.allow is
:>correct too?
:>
:>Right now, I have no more ideas.
:>
:>-Harry
:>
:>*:
:># OpenSSH with PAM support requires similar modules. The session one is
:># a bit strange, though...
:>sshd auth sufficient pam_skey.so
:>#sshd auth sufficient pam_kerberosIV.so try_first_pass
:>sshd auth required pam_unix.so try_first_pass
:>sshd account required pam_unix.so
:>sshd password required pam_permit.so
:>sshd session required pam_permit.so
:># "csshd" is for challenge-based authentication with sshd (TIS auth,
:># etc.)
:>csshd auth required pam_skey.so
:>
:>> Received disconnect from XX.XX.XX.XX: 2: Sorry, you are not allowed to connect.
:>> debug1: Calling cleanup 0x805a67c(0x0)
:>> --
:>>
:>> When I try to connect from the failing machine to itself, I get the same message ...
:>>
:>> I'm 'in sync' with the code, I think. I exchanged the config with the config offered by
:>> 'mergemaster', which is out from the source tree and I created all host keys again - but
:>> with no effect ...
:>>
:>> CFLAGS=-O -pipe ... that's the only config option
:>>
:>> :>Hello, perhaps stupid, but have you checked hosts.allow?
:>>
:>> :>Strange is that your machines decided to use 3des. With OpenSSH 2.9,
:>> :>afaik, the default is AES (Rijndael). Did you compile it with special
:>> :>CFLAGS? Are you out of sync with OpenSSL?
:>> :>
:>> :>Have fun,
:>> :>
:>> :>-Harry
:>> :>
:>> :>On Sat, 2001-12-08 at 19.59, Hartmann, O. wrote:
:>> :>> Dear Sirs.
:>> :>>
:>> :>> We installed a new 2GHz P4 system with FreeBSD 4.4-RELEASE, then we
:>> :>> cvsupdated the code to FreeBSD 4.4-STABLE and made a world. This
:>> :>> machine, a new Dell PrecisionWorkstation 340 with 512MB RIMM and 2 GHz
:>> :>> Intel P4 CPU works fine with FreeBSD 4.4-STABLE (the system has at
:>> :>> boottime some problems to bootstrap, but this problem is not reproducible
:>> :>> and did not go away when enabling options PNPBIOS in the kernel, I
:>> :>> think this is a BIOS issue ...).
:>> :>>
:>> :>> Parallel to this machine we installed several other systems the same
:>> :>> way but only on the Dell system sshd is not willing to allow
:>> :>> connections but the ssh client allows connections to the outer world.
:>> :>>
:>> :>> I switched sshd on the specific machine to debugging mode and got this:
:>> :>>
:>> :>> ---
:>> :>> root: /root: sshd -d -D
:>> :>> debug1: sshd version OpenSSH_2.9 FreeBSD localisations 20011202
:>> :>> debug1: read PEM private key done: type DSA
:>> :>> debug1: private host key: #0 type 2 DSA
:>> :>> debug1: private host key: #1 type 0 RSA1
:>> :>> debug1: Forcing server key to 1152 bits to make it differ from host key.
:>> :>> debug1: Bind to port 22 on XX.XX.XX.XX.
:>> :>> Server listening on XX.XX.XX.XX port 22.
:>> :>> Generating 1152 bit RSA key.
:>> :>> RSA key generation complete.
:>> :>> ---
:>> :>>
:>> :>> Then I try to connect from a client (a machine of our computer center)
:>> :>> and use ssh2 -vv destination.machine.de
:>> :>>
:>> :>> ---
:>> :>> debug: connecting to client01.physik.uni-mainz.de...
:>> :>> debug: entering event loop
:>> :>> debug: ssh_client_wrap: creating transport protocol
:>> :>> debug: SshAuthMethodClient/sshauthmethodc.c:116: Added "publickey" to usable methods.
:>> :>> debug: SshAuthMethodClient/sshauthmethodc.c:116: Added "password" to usable methods.
:>> :>> debug: Ssh2Client/sshclient.c:1142: creating userauth protocol
:>> :>> debug: Ssh2Common/sshcommon.c:501: local ip = XX.XX.XX.XX, local port = 4039
:>> :>> debug: Ssh2Common/sshcommon.c:503: remote ip = XX.XX.XX.XX, remote port = 22
:>> :>> debug: SshConnection/sshconn.c:1866: Wrapping...
:>> :>> warning: Warning: Need basic cursor movement capablity, using vt100
:>> :>> debug: Ssh2Transport/trcommon.c:599: Remote version: SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
:>> :>> debug: Ssh2Transport/trcommon.c:789: Remote version has rekey incompatibility bug.
:>> :>> debug: Ssh2Transport/trcommon.c:1118: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none
:>> :>> debug: Ssh2Transport/trcommon.c:1121: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none
:>> :>> debug: Ssh2Client/sshclient.c:406: Host key found from database.
:>> :>> debug: Ssh2Common/sshcommon.c:305: Received SSH_CROSS_STARTUP packet from connection protocol.
:>> :>> debug: Ssh2Common/sshcommon.c:355: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
:>> :>> debug: Ssh2Common/sshcommon.c:137: DISCONNECT received: Sorry, you are not allowed to connect.
:>> :>> warning: Authentication failed.
:>> :>> debug: Ssh2/ssh2.c:84: locally_generated = FALSE
:>> :>> Disconnected; protocol error (Sorry, you are not allowed to connect.).
:>> :>> debug: uninitializing event loop
:>> :>> ---
:>> :>>
:>> :>> This is the output of the daemon on the server side:
:>> :>>
:>> :>> ---
:>> :>> root: /root: sshd -d -D
:>> :>> debug1: sshd version OpenSSH_2.9 FreeBSD localisations 20011202
:>> :>> debug1: read PEM private key done: type DSA
:>> :>> debug1: private host key: #0 type 2 DSA
:>> :>> debug1: private host key: #1 type 0 RSA1
:>> :>> debug1: Forcing server key to 1152 bits to make it differ from host key.
:>> :>> debug1: Bind to port 22 on XX.XX.XX.XX.
:>> :>> Server listening on XX.XX.XX.XX port 22.
:>> :>> Generating 1152 bit RSA key.
:>> :>> RSA key generation complete.
:>> :>> debug1: Server will not fork when running in debugging mode.
:>> :>> Connection from client1.zdv.Uni-Mainz.DE port 4039
:>> :>> Connection from XX.XX.XX.XX port 4039
:>> :>> debug1: Client protocol version 1.99; client software version 2.4.0 SSH Secure Shell (non-commercial)
:>> :>> debug1: match: 2.4.0 SSH Secure Shell (non-commercial) pat ^2\.[2-9]\.
:>> :>> Enabling compatibility mode for protocol 2.0
:>> :>> debug1: Local version string SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202
:>> :>> debug1: Rhosts Authentication disabled, originating port not trusted.
:>> :>> debug1: list_hostkey_types: ssh-dss
:>> :>> debug1: SSH2_MSG_KEXINIT sent
:>> :>> debug1: SSH2_MSG_KEXINIT received
:>> :>> debug1: kex: client->server 3des-cbc hmac-sha1 none
:>> :>> debug1: kex: server->client 3des-cbc hmac-sha1 none
:>> :>> debug1: dh_gen_key: priv key bits set: 187/384
:>> :>> debug1: bits set: 512/1024
:>> :>> debug1: expecting SSH2_MSG_KEXDH_INIT
:>> :>> debug1: bits set: 503/1024
:>> :>> debug1: sig size 20 20
:>> :>> debug1: kex_derive_keys
:>> :>> debug1: newkeys: mode 1
:>> :>> debug1: SSH2_MSG_NEWKEYS sent
:>> :>> debug1: waiting for SSH2_MSG_NEWKEYS
:>> :>> debug1: newkeys: mode 0
:>> :>> debug1: SSH2_MSG_NEWKEYS received
:>> :>> debug1: KEX done
:>> :>> debug1: userauth-request for user ohartman service ssh-connection method none
:>> :>> debug1: attempt 0 failures 0
:>> :>> debug1: Starting up PAM with username "ohartman"
:>> :>> Denied connection for ohartman from client1.zdv.uni-mainz.de [XX.XX.XX.XX].
:>> :>> Disconnecting: Sorry, you are not allowed to connect.
:>> :>> debug1: Calling cleanup 0x8059ba0(0x0)
:>> :>> debug1: Calling cleanup 0x8060c54(0x0)
:>> :>> ---
:>> :>>
:>> :>> The frustrating thing is that I did a parallel installation with an older
:>> :>> system based on an AMD K6-2/550 and it works! It is always on all machines
:>> :>> the same ssh-configuration and I copy a sshd_config file on each machine
:>> :>> and replace the interface part by the appropriate IP, that's it. A check by
:>> :>> a diff on a working and non-working config showed this line as the only one that
:>> :>> differs.
:>> :>>
:>> :>> On a working sshd (switched to sshd -d -D) I see another
:>> :>>
:>> :>> 'userauth-request for user ohartman service ssh-connection method none'
:>> :>>
:>> :>> line, it shows a kind of protocol and so on.
:>> :>>
:>> :>> I tried to disable SSE in the kernel, but that did not help.
:>> :>>
:>> :>> Well, it looks strange to me .. :-(
:>> :>>
:>> :>> Thanks in advance for your comments and help.
:>> :>>
:>> :>> Oliver

--
Kind regards,
O. Hartmann

ohartman@klima.physik.uni-mainz.de
------------------------------------------------------------------
IT Administration of the Institute for Atmospheric Physics (IPA)
------------------------------------------------------------------
Johannes Gutenberg Universitaet Mainz
Becherweg 21
55099 Mainz

Tel: +496131/3924662 (machine room)
Tel: +496131/3924144 (office)
FAX: +496131/3923532

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
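The server-side "sshd -d -D" output quoted in this thread is the decisive evidence: the connection is denied right after the client's initial "method none" probe, before any real authentication method is offered or tried, which points at a host/user access-control layer rather than at credentials. The following Python script is an added example, not code from the thread or from OpenSSH; it parses such a debug session, records the negotiated algorithms and the userauth methods seen, and classifies where the session stopped. The log lines are constructed after the quoted output, with 192.0.2.10 as a placeholder for the masked client address and an assumed "Accepted publickey" line for the working case.

```python
import re
# Constructed sample modelled on the "sshd -d -D" output quoted in this thread;
# 192.0.2.10 stands in for the masked client address.
FAILING_SESSION = """\
debug1: kex: client->server 3des-cbc hmac-sha1 none
debug1: kex: server->client 3des-cbc hmac-sha1 none
debug1: KEX done
debug1: userauth-request for user ohartman service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "ohartman"
Denied connection for ohartman from client1.zdv.uni-mainz.de [192.0.2.10].
Disconnecting: Sorry, you are not allowed to connect.
"""

# Constructed contrast for a working host: the 'none' probe is followed by a
# real method instead of a denial (the final line's shape is assumed, not quoted).
WORKING_SESSION = """\
debug1: kex: client->server 3des-cbc hmac-sha1 none
debug1: KEX done
debug1: userauth-request for user ohartman service ssh-connection method none
debug1: userauth-request for user ohartman service ssh-connection method publickey
Accepted publickey for ohartman from 192.0.2.10 port 4039 ssh2
"""

KEX_RE = re.compile(r"kex: (client->server|server->client) (\S+) (\S+) (\S+)")
AUTH_RE = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
DENY_RE = re.compile(r"^Denied connection for (\S+) from (.+)\.$")

def analyse(log: str) -> dict:
    """Summarise one sshd -d session: algorithms, auth methods seen, where it stopped."""
    out = {"kex": {}, "methods": [], "denied": None, "pam_started": False}
    for line in log.splitlines():
        if m := KEX_RE.search(line):
            out["kex"][m.group(1)] = {"cipher": m.group(2), "mac": m.group(3), "comp": m.group(4)}
        elif m := AUTH_RE.search(line):
            out["methods"].append(m.group(2))
        elif "Starting up PAM" in line:
            out["pam_started"] = True
        elif m := DENY_RE.match(line):
            out["denied"] = {"user": m.group(1), "source": m.group(2)}
    # 'none' is only the client's probe for the server's method list, not a credential.
    tried = [x for x in out["methods"] if x != "none"]
    if out["denied"] and not tried:
        out["verdict"] = "access-control"  # rejected before any credential was presented
    elif out["denied"]:
        out["verdict"] = "credential"      # rejected after a real method was tried
    else:
        out["verdict"] = "allowed"
    return out
```

Running analyse() over a captured session from the failing host and one from a working host makes the difference the thread describes visible without reading the whole log.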