Date:      Thu, 20 Aug 2015 22:30:37 +0100
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: Strange SFTP and PAM failure
Message-ID:  <55D646FD.7030203@FreeBSD.org>
In-Reply-To: <CA%2Bsg5RQ-yMgsbq5VA-SNDDkUaYcVJUEPAe-iqfDLR1EFuVyCTg@mail.gmail.com>
References:  <CA%2Bsg5RQ-yMgsbq5VA-SNDDkUaYcVJUEPAe-iqfDLR1EFuVyCTg@mail.gmail.com>

On 20/08/2015 21:50, Jaime Kikpole wrote:
> When I tried to make one of these failed connections, I saw this in
> /var/log/messages:
>
> Aug 20 16:37:48 apps sshd[564]: error: PAM: authentication error for
> <<username>> from <<IP of PowerSchool>>
> Aug 20 16:37:48 apps sshd[564]: error: Received disconnect from <<IP
> of PowerSchool>>: 3: com.jcraft.jsch.JSchException: Auth cancel
> [preauth]
>
> Any idea what might be causing this?

Do you know what JDK is being used?  IIRC OpenJDK-7 doesn't provide all
the up to date and still considered secure ciphers.  OpenJDK-8 might
work better for you.  So, for instance if you look at

https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org&s=149.20.54.209

and scroll down to the section showing browser compatibility, you'll see
Java 6 and Java 7 won't work.  Now, SSH connections do not use TLS per
se, but the principle is the same: disabling the older, less secure
ciphers can result in older clients being locked out.

There's some interesting discussion on
https://stribika.github.io/2015/01/04/secure-secure-shell.html about why
you might want to do that and how to maximize your security.  Note:
blindly following the changes given in that blog posting probably *will*
*not* help with your problem -- quite the reverse in fact.  It's
relevant here solely because of the explanations about what ciphers can
still be trusted.

	Cheers,

	Matthew





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?55D646FD.7030203>