FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo User

 
 
LinkBack Thread Tools
 
Old 09-12-2008, 02:46 AM
Michael Sullivan
 
Default SSHd: Permission denied (publickey,keyboard-interactive).

I hooked up my old server box today so that I could update the software,
only to find that I could not ssh over to it:

michael@camille ~ $ ssh bullet
Permission denied (publickey,keyboard-interactive).

There were no 'official' logs, but a website I found on google suggested
running

/usr/sbin/sshd -ddd -p 2202

and then trying to shell over with

ssh -p 2202 <boxname>

Here's the output. I piped it to a file:

michael@camille ~ $ cat sshd.log
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 237
debug2: parse_server_config: config /etc/ssh/sshd_config len 237
debug3: /etc/ssh/sshd_config:21 setting Protocol 2
debug3: /etc/ssh/sshd_config:60 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:87 setting UsePAM yes
debug3: /etc/ssh/sshd_config:91 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:127 setting Subsystem
sftp /usr/lib/misc/sftp-server
debug1: sshd version OpenSSH_4.7p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='2202'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2202 on 0.0.0.0.
Server listening on 0.0.0.0 port 2202.
socket: Address family not supported by protocol
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 237
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.1.2 port 57643
debug1: Client protocol version 2.0; client software version OpenSSH_4.7
debug1: match: OpenSSH_4.7 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7
debug2: fd 3 setting O_NONBLOCK
debug3: privsep user:group 22:22
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 zlib@openssh.com
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug2: Network child is on pid 8390
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: dh_gen_key: priv key bits set: 126/256
debug2: bits set: 519/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: bits set: 533/1024
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x80a9fd8(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user michael service ssh-connection method
none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 192.168.1.2.
debug2: parse_server_config: config reprocess config len 237
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for michael
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 47
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: monitor_read: checking request 47
debug1: PAM: initializing for "michael"
debug1: PAM: setting PAM_RHOST to "192.168.1.2"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 47 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug1: userauth-request for user michael service ssh-connection method
keyboard-interactive
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=michael devs=
debug1: kbdint_alloc: devices 'pam'
debug2: auth2_challenge_start: devices pam
debug2: kbdint_next_device: devices <empty>
debug1: auth2_challenge_start: trying authentication method 'pam'
debug3: mm_sshpam_init_ctx
debug3: mm_request_send entering: type 50
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX
debug3: mm_request_receive_expect entering: type 51
debug3: mm_request_receive entering
debug3: monitor_read: checking request 50
debug3: mm_answer_pam_init_ctx
debug3: PAM: sshpam_init_ctx entering
debug3: ssh_msg_send: type 7
debug3: mm_request_send entering: type 51
debug3: mm_request_receive entering
debug3: mm_sshpam_query
debug3: mm_request_send entering: type 52
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY
debug3: mm_request_receive_expect entering: type 53
debug3: mm_request_receive entering
debug3: monitor_read: checking request 52
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: PAM: Authentication failure
PAM: Authentication failure for michael from 192.168.1.2
debug3: mm_request_send entering: type 53
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned -1
debug3: mm_sshpam_free_ctx
debug3: mm_request_send entering: type 56
debug3: mm_sshpam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX
debug3: mm_request_receive_expect entering: type 57
debug3: mm_request_receive entering
debug3: monitor_read: checking request 56
debug3: mm_answer_pam_free_ctx
debug3: PAM: sshpam_free_ctx entering
debug3: PAM: sshpam_thread_cleanup entering
debug3: mm_request_send entering: type 57
debug2: monitor_read: 56 used once, disabling now
Failed keyboard-interactive/pam for michael from 192.168.1.2 port 57643
ssh2
debug1: Unable to open the btmp file /var/log/btmp: No such file or
directory
debug3: mm_request_receive entering
Connection closed by 192.168.1.2
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering


Here's the /etc/sshd_config:

michael@camille ~ $ cat sshd_config
# $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys
in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey
objectclass
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN ou=users,dc=phear,dc=org
#LpkGroupDN ou=groups,dc=phear,dc=org
#LpkBindDN cn=Manager,dc=phear,dc=org
#LpkBindPw secret
#LpkServerGroup mail
#LpkFilter (hostAccess=master.phear.org)
#LpkForceTLS no
#LpkSearchTimelimit 3
#LpkBindTimelimit 3

# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server

And here's the emerge information for ssh:

michael@camille ~ $ cat emerge-openssh.log

These are the packages that would be merged, in order:

Calculating dependencies ... done!
[ebuild R ] net-misc/openssh-4.7_p1-r6 USE="kerberos pam tcpd -X
-X509 -chroot -hpn -ldap -libedit (-selinux) -skey -smartcard -static" 0
kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB


I tried upgrading PAM and rebooting, but it didn't solve the problem.
I'm running pam-1.0.1, if that matters...
 
Old 09-12-2008, 05:57 AM
Iain Buchanan
 
Default SSHd: Permission denied (publickey,keyboard-interactive).

Michael Sullivan wrote:

I hooked up my old server box today so that I could update the software,
only to find that I could not ssh over to it:

michael@camille ~ $ ssh bullet
Permission denied (publickey,keyboard-interactive).

There were no 'official' logs, but a website I found on google suggested
running

/usr/sbin/sshd -ddd -p 2202

and then trying to shell over with

ssh -p 2202<boxname>

Here's the output. I piped it to a file:


[snip]


I tried upgrading PAM and rebooting, but it didn't solve the problem.
I'm running pam-1.0.1, if that matters...


what problem? you haven't actually said what is / isn't working! What's
the output from the client when you try and ssh in with the command "ssh
-p 2202 <boxname>"?


--
Iain Buchanan <iaindb at netspace dot net dot au>

Don't go easy on each other just because you're brother and sister. I
want to see you both fighting for your parents' love.

-- Homer Simpson
Lisa on Ice
 
Old 09-12-2008, 10:58 AM
Eric Martin
 
Default SSHd: Permission denied (publickey,keyboard-interactive).

Michael Sullivan wrote:
> On Fri, 2008-09-12 at 15:27 +0930, Iain Buchanan wrote:
>> Michael Sullivan wrote:
>>> I hooked up my old server box today so that I could update the software,
>>> only to find that I could not ssh over to it:
>>>
>>> michael@camille ~ $ ssh bullet
>>> Permission denied (publickey,keyboard-interactive).
>>>
>>> There were no 'official' logs, but a website I found on google suggested
>>> running
>>>
>>> /usr/sbin/sshd -ddd -p 2202
>>>
>>> and then trying to shell over with
>>>
>>> ssh -p 2202<boxname>
>>>
>>> Here's the output. I piped it to a file:
>> [snip]
>>
>>> I tried upgrading PAM and rebooting, but it didn't solve the problem.
>>> I'm running pam-1.0.1, if that matters...
>> what problem? you haven't actually said what is / isn't working! What's
>> the output from the client when you try and ssh in with the command "ssh
>> -p 2202 <boxname>"?
>>
>
> I thought I was pretty clear on that, but here it is again:
>
> michael@camille ~ $ ssh -p 2202 bullet
> Permission denied (publickey,keyboard-interactive).
>
> As you can see, I'm still locked out.
>
>
try

# ssh -p 2202 -vv bullet

or

#ssh -vv bullet

as that will give you debug info from the client side of the connection.
Is it safe to assume that you logged into it via the console to start
SSHd on 2202? Also, does your user exist on the box? It sounds like
'no', especially when btmp is involved.

--
Eric Martin
Key fingerprint = D1C4 086E DBB5 C18E 6FDA B215 6A25 7174 A941 3B9F
 
Old 09-12-2008, 11:46 AM
Stroller
 
Default SSHd: Permission denied (publickey,keyboard-interactive).

On 12 Sep 2008, at 03:46, Michael Sullivan wrote:

...
debug1: sshd version OpenSSH_4.7p1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.


This appears suspicious to me. I would delete that file on the ssh
server & restart ssd - the key will be regenerated (this may take a
minute or two).


If you have previously ssh'd successfully to this from a client then
you may get "incorrect key" errors - just delete the applicable line
from ~/.ssh/known_hosts on that client. If my guess is correct then
you'll be able to log in.


Stroller.
 

Thread Tools




All times are GMT. The time now is 03:00 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org