Strange SFTP and PAM failure

Matthew Seaman matthew at FreeBSD.org
Thu Aug 20 21:30:28 UTC 2015


On 20/08/2015 21:50, Jaime Kikpole wrote:
> When I tried to make one of these failed connections, I saw this in
> /var/log/messages:
> 
> Aug 20 16:37:48 apps sshd[564]: error: PAM: authentication error for
> <<username>> from <<IP of PowerSchool>>
> Aug 20 16:37:48 apps sshd[564]: error: Received disconnect from <<IP
> of PowerSchool>>: 3: com.jcraft.jsch.JSchException: Auth cancel
> [preauth]
> 
> Any idea what might be causing this?

Do you know what JDK is being used?  IIRC OpenJDK-7 doesn't provide all
the up to date and still considered secure ciphers.  OpenJDK-8 might
work better for you.  So, for instance if you look at

https://www.ssllabs.com/ssltest/analyze.html?d=forums.freebsd.org&s=149.20.54.209

and scroll down to the section showing browser compatibility, you'll see
Java 6 and Java 7 won't work.  Now, SSH connections do not use TLS per
se, but the principle is the same: disabling the older, less secure
ciphers can result in older clients being locked out.

There's some interesting discussion on
https://stribika.github.io/2015/01/04/secure-secure-shell.html about why
you might want to do that and how to maximize your security.  Note:
blindly following the changes given in that blog posting probably *will*
*not* help with your problem -- quite the reverse in fact.  It's
relevant here solely because of the explanations about what ciphers can
still be trusted.

	Cheers,

	Matthew
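
The lockout effect described in the message above, as an added example that is not part of the original e-mail: it applies the SSH rule (RFC 4253, section 7.1) that the agreed algorithm is the first one on the client's list that the server also allows. The `sshd_config` excerpt and the client offer are constructed samples and do not describe any particular JDK or JSch version. Key exchange selection is simplified to the same first-match rule.

```python
# Added example; all configuration and client data below is constructed.
HARDENED_SSHD_CONFIG = """\
# constructed sample of a tightened sshd_config
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512
"""

# Constructed offer from a hypothetical legacy client, in preference order.
LEGACY_CLIENT_OFFER = {
    "kexalgorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "ciphers": ["aes128-ctr", "aes128-cbc", "3des-cbc"],
    "macs": ["hmac-sha1", "hmac-md5"],
}

CATEGORIES = ("kexalgorithms", "ciphers", "macs")


def parse_sshd_config(text):
    """Return {directive: [algorithms]} for the algorithm directives that are set.

    Keywords are case-insensitive and the first occurrence wins, as in sshd.
    """
    server = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in CATEGORIES and key not in server and len(parts) == 2:
            server[key] = [a.strip() for a in parts[1].split(",") if a.strip()]
    return server


def negotiate(client, server):
    """Pick, per category, the first client algorithm the server also lists.

    Categories the config leaves unset are skipped: sshd would use its
    built-in defaults there, which this sketch does not know.
    """
    return {cat: next((a for a in client.get(cat, []) if a in server[cat]), None)
            for cat in CATEGORIES if cat in server}


def locked_out(result):
    """Categories with no common algorithm; any entry here fails the handshake."""
    return [cat for cat, chosen in result.items() if chosen is None]


if __name__ == "__main__":
    outcome = negotiate(LEGACY_CLIENT_OFFER, parse_sshd_config(HARDENED_SSHD_CONFIG))
    print(outcome, "no overlap in:", locked_out(outcome))
```

To run the same comparison against a real server, replace the sample text with the server's own `sshd_config` and the client dictionary with the lists the client is known to offer.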



