[PLUG] SSH authentication problem

CurtisE CurtisE at CurtisE.net
Mon Jun 24 09:00:20 UTC 2002


I think the sshd_config file is configured to accept either v1 or v2.  I
also get the same result when trying to authenticate using the ssh client to
connect to the ssh server on the same box.  I would hope that would rule out
a version or compatibility issue.


Here is the verbose output from an authentication attempt:
(I didn't modify anything, because it's just a box I'm using to educate
myself on Linux, it's behind a firewall and does not resolve in the outside
world.)
------------------------------------------------------------------------------

[curtise at elvis curtise]$ ssh -v -l curtise elvis.home.curtise.net
OpenSSH_3.2.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
debug1: Reading configuration data /usr/local/ssh/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 1
debug1: Connecting to elvis.home.curtise.net [127.0.0.1] port 22.
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 500/500 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/curtise/.ssh/identity type -1
debug1: identity file /home/curtise/.ssh/id_rsa type -1
debug1: identity file /home/curtise/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.2.3p1
debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.2.3p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 116/256
debug1: bits set: 1621/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'elvis.home.curtise.net' is known and matches the RSA host key.
debug1: Found key in /home/curtise/.ssh/known_hosts:2
debug1: bits set: 1544/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/curtise/.ssh/identity
debug1: try privkey: /home/curtise/.ssh/id_rsa
debug1: try privkey: /home/curtise/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
curtise at elvis.home.curtise.net's password:
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
curtise at elvis.home.curtise.net's password:
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
curtise at elvis.home.curtise.net's password:
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: no more auth methods to try
Permission denied (publickey,password,keyboard-interactive).
debug1: Calling cleanup 0x8061ad4(0x0)
[curtise at elvis curtise]$

--------------------------------------------------------------------------

Jeme and Matt may be onto something with PAM.  I did not use the
"--with-pam" option with the configure script.  I don't really know what PAM
is, but I noticed I do have a pam.d in /etc.  So I blew away SSH and
reconfigured with the "--with-pam" option and copied
contrib/sshd.pam.generic to /etc/pam.d/sshd.  Then I had some other issues
many of which I resolved by reconfiguring with the "--with-ipv4-default"
option also.  I've also reverted to the stock sshd_config file with the
exception of the "PAMAuthenticationViaKbdInt yes" line which I uncommented
and changed to yes.

Now I cannot connect, but at least I'm getting some clues as to why.  I'm
not sure what to make of the clues though.  Here's what I get when I run
sshd in diagnostic mode:

-----------------------------------------------------------------------

[root at elvis openssh-3.3p1]# sshd -d
debug1: sshd version OpenSSH_3.3
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 1098
debug1: Client protocol version 2.0; client software version OpenSSH_3.3
debug1: match: OpenSSH_3.3 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.3
mmap(65536): Invalid argument
debug1: Calling cleanup 0x8069218(0x0)

------------------------------------------------------------------------

Notice the "mmap(65536): Invalid argument" message in the second to the last
line.
From what I can gather from the mmap man page, it's trying to grab some
memory and failing for some mysterious reason.

Here is what I get on the client side when attempting to connect in verbose
mode now:

------------------------------------------------------------------------

[curtise at elvis curtise]$ ssh -v -l curtise elvis
OpenSSH_3.3, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
debug1: Reading configuration data /usr/local/ssh/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to elvis [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/curtise/.ssh/identity type -1
debug1: identity file /home/curtise/.ssh/id_rsa type -1
debug1: identity file /home/curtise/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.3
debug1: match: OpenSSH_3.3 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.3
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Broken pipe
debug1: Calling cleanup 0x80619b8(0x0)

--------------------------------------------------------------------------

Notice the "Read from socket failed: Broken pipe" message in the second to
the last line.

The messages log just gripes about the same mmap issue:
"Jun 24 01:39:33 elvis sshd[32261]: fatal: mmap(65536): Invalid argument"

So, it would appear (to my untrained eyes) that this mmap issue is the
source of my current problem.  Does this ring any bells with you folks?
This is well above my level of Linux knowledge.

The only thing I can think of at this point is to go back to OpenSSH version
3.2.3p1 which is the version I originally used.  The one I have now is from
a fresh download and it looks like it's a newer version (3.3).  Perhaps 3.3
has some sort of memory bug...

I would sure appreciate any additional ideas.

Thanks,
CurtisE




>Can we see the output of a verbose session attempt?

>Use your usual command line, but with the -v flag first.  Paste us the
>output (with any sensitive information modified, of course).

>And while I know diddly about Red Hat, I think I know that 6.2 is kind of
>old and I wonder if the OpenSSH package you installed uses SSH v1 while
>many servers are configured to respond only to v2 connections favorably.

>This could also be a PAM configuration issue, so if you use PAM, you might
>want to share that information as well.




