After upgrading to openssh-3.4p1, password authentication is no longer
working on my system. I'm running Linux RedHat 6.2 with:

kernel 2.2.20
openssh-3.4p1
openssl-0.9.6
pam-0.72-6
pwdb-0.61-0

I've tried it with and without compression, with and without priv sep, and I
always get errors like this:

Jun 30 19:07:48 sugarfreejazz sshd[1344]: Failed password for randy from 10.10.10.2 port 4320 ssh2

It worked with openssh-2.9p2. I upgraded because of the CERT advisory.
I've double, triple, and quadruple checked my userid, password, SSH client
(SecureCRT on Windows 2000), etc. and everything seems to be in order.

I did see this comment in the ChangeLog:

http://www.rpmfind.net//linux/RPM/PLD/dists/nest/test/i386/openssh-3.4p1-2.i386.html

"Revision 1.125 2002/06/26 15:42:57 misiek
- 3.4 (pam still not working)"

Is there a known problem with openssh 3.4 and PAM?

Also I tried compiling openssh without PAM by passing in the "--without-pam"
flag to configure but that did not seem to do anything -- "strings
/usr/local/sbin/sshd | grep pam" still reveals that it is compiled in. Is
there a way to disable or compile without PAM?

Below is the output from sshd -d -d -d. Thanks in advance for any
tips/info/advice.

Randy Tidd
rtidd at speakeasy.net

debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 10.10.10.2 port 4351
debug1: Client protocol version 2.0; client software version 3.4 SecureCRT
debug1: no match: 3.4 SecureCRT
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 126/256
debug1: bits set: 512/1026
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 515/1026
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user randy service ssh-connection method none
debug1: attempt 0 failures 0
debug3: allowed_user: today 11868 sp_expire -1 sp_lstchg 11868 sp_max 99999
debug3: Trying to reverse map address 10.10.10.2.
debug2: input_userauth_request: setting up authctxt for randy
debug2: input_userauth_request: try method none
Failed none for randy from 10.10.10.2 port 4351 ssh2
debug1: userauth-request for user randy service ssh-connection method password
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method password
Failed password for randy from 10.10.10.2 port 4351 ssh2
debug1: userauth-request for user randy service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
Failed password for randy from 10.10.10.2 port 4351 ssh2
Received disconnect from 10.10.10.2: 13: The user canceled authentication.
debug1: Calling cleanup 0x80683fc(0x0)

Ben Lindstrom
2002-Jun-30 23:33 UTC
Password auth problem with openssh 3.4 and Linux 2.2.20
It works under Mandrake and Redhat 7.x series. The only thing that is
currently broken is password changing. So if the password expires it will
not allow them to login.

I have no clue what the PLD people are talking about. I do know that they do
some pretty incorrect things in their patches. Much like their patch to
allow 2.2 kernels to use compression (openssh-pseudo-mmap.patch). Which is
incorrect.

- Ben

On Sun, 30 Jun 2002, Randy Tidd wrote:

> After upgrading to openssh-3.4p1, password authentication is no longer
> working on my system. I'm running Linux RedHat 6.2 with:
>
> kernel 2.2.20
> openssh-3.4p1
> openssl-0.9.6
> pam-0.72-6
> pwdb-0.61-0
>
> I've tried it with and without compression, with and without priv sep, and I
> always get errors like this:
>
> Jun 30 19:07:48 sugarfreejazz sshd[1344]: Failed password for randy from 10.10.10.2 port 4320 ssh2
>
> It worked with openssh-2.9p2. I upgraded because of the CERT advisory.
> I've double, triple, and quadruple checked my userid, password, SSH client
> (SecureCRT on Windows 2000), etc. and everything seems to be in order.
>
> I did see this comment in the ChangeLog:
>
> http://www.rpmfind.net//linux/RPM/PLD/dists/nest/test/i386/openssh-3.4p1-2.i386.html
>
> "Revision 1.125 2002/06/26 15:42:57 misiek
> - 3.4 (pam still not working)"
>
> Is there a known problem with openssh 3.4 and PAM?
>
> Also I tried compiling openssh without PAM by passing in the "--without-pam"
> flag to configure but that did not seem to do anything -- "strings
> /usr/local/sbin/sshd | grep pam" still reveals that it is compiled in. Is
> there a way to disable or compile without PAM?
>
> Below is the output from sshd -d -d -d. Thanks in advance for any
> tips/info/advice.
>
> Randy Tidd
> rtidd at speakeasy.net
>
> debug1: sshd version OpenSSH_3.4p1
> debug1: private host key: #0 type 0 RSA1
> debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
Circa 2002-Jun-30 19:27:56 -0400 dixit Randy Tidd:

: After upgrading to openssh-3.4p1, password authentication is no longer
: working on my system. I'm running Linux RedHat 6.2 with:
:
: kernel 2.2.20
: openssh-3.4p1
: openssl-0.9.6
: pam-0.72-6

You should upgrade to pam-0.72-20.6.x (from RH's FTP site).

: pwdb-0.61-0
:
: I've tried it with and without compression, with and without priv sep, and I
: always get errors like this:
:
: Jun 30 19:07:48 sugarfreejazz sshd[1344]: Failed password for randy from 10.10.10.2 port 4320 ssh2

Questions:

- Did you build your openssh-3.4p1 by hand, or did you build an RPM
  package from the source RPM at
  ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/rpm/SRPMS/ ?

- Is your system configured to use MD5 passwords (via
  /usr/sbin/authconfig)? If so, and if you built OpenSSH by hand,
  did you configure OpenSSH with support for MD5 passwords?

- Did you have 'StrictModes no' in your old sshd_config? Do you
  have 'StrictModes yes' in the new one (or is it commented out,
  since 'yes' is the default)? Have you double-checked the
  permissions on your home directory and your ~/.ssh/ directory on
  the server you're trying to log into?

- Set up a dummy (i.e., temporary) user account on the server,
  making sure the home directory is created and has mode 0700
  (drwx------). Are you able to successfully log in as the dummy
  user?

: It worked with openssh-2.9p2.[...]
:
: I did see this comment in the ChangeLog:
:
: http://www.rpmfind.net//linux/RPM/PLD/dists/nest/test/i386/openssh-3.4p1-2.i386.html
:
: "Revision 1.125 2002/06/26 15:42:57 misiek
: - 3.4 (pam still not working)"

That changelog appears to be from an RPM package built by PLD (the
Polish Linux Distribution). Is that where you got the new OpenSSH you
installed that isn't working? I'd recommend you get it from the
ftp.openssh.com site rather than somewhere else.

: Is there a known problem with openssh 3.4 and PAM?

Not on Red Hat Linux 6.2. It's working fine at three or four different
installations that i'm aware of at this very moment, including the
machine i'm writing this from.

: Also I tried compiling openssh without PAM by passing in the
: "--without-pam" flag to configure but that did not seem to do
: anything -- "strings /usr/local/sbin/sshd | grep pam" still reveals
: that it is compiled in. Is there a way to disable or compile
: without PAM?

Are you certain that /usr/local/sbin/sshd is the freshly installed
sshd? Or did it get installed somewhere else? If you were using the
PLD RPM package, it is quite likely that sshd ended up as
/usr/sbin/sshd instead.

Unless you have unusual requirements (e.g., special patches, AFS
libraries, etc.) i would very much recommend rebuilding from the source
RPM from ftp.openssh.com as follows:

    rpm --rebuild --define='build_6x=1' openssh-3.4p1-1.src.rpm

Then you can install the resulting binary RPM packages.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
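
The checks asked about in the reply above, as an added shell example that is not part of the thread or of OpenSSH. The function names and sample hash strings are constructed for illustration; in OpenSSH portable, MD5 password support for hand builds is selected with the configure option `--with-md5-passwords`.

```shell
#!/bin/sh
# Added example: triage helpers for the checklist in the reply above.
# Function names and the sample hashes are constructed for illustration.

# Classify a password field taken from /etc/shadow (or /etc/passwd).
# '$1$' marks an MD5-crypt hash; a bare 13-character field is DES crypt.
hash_scheme() {
    case "$1" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        '$1$'*)    echo md5 ;;
        '$'*)      echo other ;;
        *) if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# Return 0 if directory $1 is not group- or world-writable, one of the
# conditions 'StrictModes yes' enforces on the home directory and ~/.ssh.
# Return 1 if it is writable by group/other, 2 if it is missing.
dir_mode_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        d????w????|d???????w?) return 1 ;;   # g+w or o+w
        d?????????)            return 0 ;;
        *)                     return 2 ;;   # missing or not a directory
    esac
}

# Print every executable sshd found in the given directories, so a stale
# binary in one prefix is not mistaken for the freshly installed one.
find_sshd() {
    for dir in "$@"; do
        if [ -x "$dir/sshd" ] && [ ! -d "$dir/sshd" ]; then
            echo "$dir/sshd"
        fi
    done
}

# Demo on constructed values only; nothing here reads /etc/shadow.
for h in '$1$abcdefgh$0123456789abcdefghijkl' 'abJnggxhB/yJQ' '!!'; do
    printf '%s -> %s\n' "$h" "$(hash_scheme "$h")"
done
find_sshd /usr/sbin /usr/local/sbin
```

If `find_sshd` prints more than one path, compare each binary's timestamp with the time of the build before drawing conclusions from `strings` output on any one of them.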