can't connect after update to openssh-portable 3.6.1p2-5

Jon Noack noackjr at alumni.rice.edu
Fri Sep 26 09:49:22 PDT 2003


Well, actually it doesn't work on 5.1-RELEASE-p8 either.  I tested it last
night on 5.1-RELEASE-p8 using a public key.  This was fine.  Password
authentication did not work.  I did get a look at the machines, though:

4.8-RELEASE-p10:
Right after giving username, sshd dies, logging the following:
sshd[293]: pam_set_item: NULL pam handle passed
/kernel: pid 293 (sshd), uid 0: exited on signal 11

5.1-RELEASE-p8:
Always gives an "access denied" message when using password authentication.

My sshd_config is below.  I was able to get it working on 5.1-RELEASE-p8
by commenting out the ChallengeResponseAuthentication line.  This
effectively turns on PAM, according to the sshd_config man page.  This
solution did not work for 4.8-RELEASE-p10 (same messages logged as above).

I have tried "portupgrade -rRf openssh-portable", by the way.

So it seems the PAM fix broke password authentication when not using PAM
under 5.1-RELEASE-p8 and everything on 4.8-RELEASE-p10.  Considering
people were instructed to disable PAM when the advisory came out (which is
done with ChallengeResponseAuthentication in FreeBSD according to the man
page), this might break things for a lot of people.

Any enlightenment would be appreciated.

Jon Noack

Jon Noack wrote:
> On 4.8-RELEASE-p10 machines I can't connect after updating to
> openssh-portable 3.6.1p2-5.  Updating steps:
>
> 1) cvsup
> 2) portupgrade -ar
> 3) /usr/local/bin/rc.d/sshd.sh stop
> 4) /usr/local/bin/rc.d/sshd.sh start
>
> This worked fine on 5.1-RELEASE-p8 machines and has worked for several
> years now (since 4.4 days, I think).  There was nothing in the CVS
> commit description that said I needed to recompile anything else.
>
> I do not have access to the machines right now (I was updating all the
> machines at once over SSH (I tested on a 5.1-RELEASE-p8 machine so I
> thought I was OK -- I'll test on every version in the future) -- steps 3
> and 4 are done with a shell script that doesn't result in termination of
> the current connection), but the output when trying to connect (scrubbed
> of identifying info) is below and the current sshd_config is at the
> bottom:
>
> ********************** debug output ***********************
> $ ssh -vvv my.server.example.com
> debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
> debug1: Rhosts Authentication disabled, originating port will not be
> trusted.
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to my.server.example.com [xxx.xxx.xxx.xxx] port 22.
> debug1: Connection established.
> debug1: identity file /home/username/.ssh/identity type -1
> debug1: identity file /home/username/.ssh/id_rsa type -1
> debug1: identity file /home/username/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_3.6.1p2
> debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit: none,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 131/256
> debug2: bits set: 1577/3191
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/username/.ssh/known_hosts2
> debug3: check_host_in_hostfile: filename
> /usr/local/etc/ssh/ssh_known_hosts2
> debug3: check_host_in_hostfile: filename /home/username/.ssh/known_hosts2
> debug3: check_host_in_hostfile: filename
> /usr/local/etc/ssh/ssh_known_hosts2
> debug3: check_host_in_hostfile: filename /home/username/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 9
> debug3: check_host_in_hostfile: filename /home/username/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 9
> debug1: Host 'my.server.example.com' is known and matches the RSA host
> key.
> debug1: Found key in /home/username/.ssh/known_hosts:9
> debug2: bits set: 1590/3191
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> Connection closed by xxx.xxx.xxx.xxx
> debug1: Calling cleanup 0x8061dc0(0x0)
> ******************** end debug output *********************
>
> *********************** sshd_config ***********************
> Port 22
> Protocol 2
>
> HostKey /usr/local/etc/ssh/ssh_host_rsa_key
>
> #PasswordAuthentication no
> PermitRootLogin no
> ChallengeResponseAuthentication no
> PAMAuthenticationViaKbdInt no
> UsePrivilegeSeparation yes
>
> Subsystem       sftp    /usr/local/libexec/sftp-server
> ******************** end sshd_config **********************
>
> Thanks for any help and/or suggestions,
> Jon Noack
>
>
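As an added illustration (not code from this thread or from FreeBSD/OpenSSH), the following script checks an sshd_config for the combination reported above (password logins still enabled while PAM is switched off through `ChallengeResponseAuthentication no`, which the thread's author says the FreeBSD man page ties to PAM) and scans syslog lines for the `pam_set_item: NULL pam handle passed` message followed by the same sshd pid dying on signal 11. The default values and the sample config/log lines are assumptions constructed for the example.

```python
import re

# Assumed sshd defaults for this OpenSSH 3.6.1p2-era config (both default to yes).
DEFAULTS = {"passwordauthentication": "yes", "challengeresponseauthentication": "yes"}

def parse_sshd_config(text):
    """Return {lowercased keyword: value}; comments and blank lines are skipped."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing/leading comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2:
            opts[parts[0].lower()] = parts[1].strip()
    return opts

def password_auth_bypasses_pam(opts):
    """True when password logins are enabled but PAM is disabled via
    ChallengeResponseAuthentication no: the combination the thread reports as
    failing (access denied on 5.1-p8, sshd crash on 4.8-p10)."""
    return (opts["passwordauthentication"] == "yes"
            and opts["challengeresponseauthentication"] == "no")

# Log signatures copied from the messages quoted in the thread.
PAM_NULL_RE = re.compile(r"sshd\[(\d+)\]: pam_set_item: NULL pam handle passed")
SIGSEGV_RE = re.compile(r"pid (\d+) \(sshd\), uid \d+: exited on signal 11")

def find_pam_crashes(log_lines):
    """Return the sshd pids that logged the NULL-handle error and then died on SIGSEGV."""
    pending, crashed = set(), []
    for line in log_lines:
        m = PAM_NULL_RE.search(line)
        if m:
            pending.add(m.group(1))
            continue
        m = SIGSEGV_RE.search(line)
        if m and m.group(1) in pending:      # only count crashes preceded by the PAM error
            crashed.append(m.group(1))
            pending.discard(m.group(1))
    return crashed

# Constructed sample input: the thread's sshd_config and a few syslog-style lines.
SAMPLE_CONFIG = """Port 22
Protocol 2
#PasswordAuthentication no
PermitRootLogin no
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
UsePrivilegeSeparation yes
"""
SAMPLE_LOG = [
    "Sep 26 01:12:03 host sshd[293]: pam_set_item: NULL pam handle passed",
    "Sep 26 01:12:03 host /kernel: pid 293 (sshd), uid 0: exited on signal 11",
    "Sep 26 01:14:00 host /kernel: pid 302 (sshd), uid 0: exited on signal 11",
]
```

Commenting out the `ChallengeResponseAuthentication no` line, as the author did on 5.1-RELEASE-p8, makes `password_auth_bypasses_pam()` return False for the same config.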