topic Re: OpenSSH login Issue in Operating System - HP-UX

OpenSSH login Issue

HPP — Mon, 13 Jun 2005 09:08:01 GMT

Hi,
I installed OpenSSH version 4.0 (T1471AA) on one of our HP-UX 11.00. If I ssh from an another server or from local server, it accepts the password but closes the connection immediately. In the syslog it just gives

Jun 13 09:59:46 boxer sshd[2821]: Accepted keyboard-interactive/pam for root from 192.168.32.64 port 61613 ssh2

I tried removing and reinstalling with no luck. I have installed same version on so many other HP-UX 11.00 server and it works fine.

Help Please.
Thanks in advance

Re: OpenSSH login Issue

Sanjay_6 — Mon, 13 Jun 2005 09:18:06 GMT

Hi,

Check the root profile or the /etc/profile on the remote server on which you are trying to login using root id.

It is possible that there is a syntax in the root profile or the /etc/profile that may force the root to logout if the login is not from a specific set of ttys say console only.

Hope this helps.

Regds

Re: OpenSSH login Issue

Rick Garland — Mon, 13 Jun 2005 09:21:06 GMT

You can invoke ssh in a debug mode by using the -v option. This is a verbose mode and will print information. man ssh

As a wild guess, using different protocols? ssh1 vs. ssh2?

Re: OpenSSH login Issue

HPP — Mon, 13 Jun 2005 09:27:32 GMT

Hi,
Thanks for quick response. I tried in debug mode ssh -v, and below is the output:

# ssh -v root@192.168.32.64
OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004
HP-UX Secure Shell-A.04.00.000, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to 192.168.32.64 [192.168.32.64] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/3
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.1
debug1: match: OpenSSH_4.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '192.168.32.64' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:38
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
Last login: Mon Jun 13 10:22:40 2005 from atltest
debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to 192.168.32.64 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 37 bytes in 1.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 31.9
debug1: Exit status -1

Re: OpenSSH login Issue

Patrick Wallek — Mon, 13 Jun 2005 09:33:47 GMT

Check /var/adm/syslog/syslog.log on BOTH the source and destination machines. There should be more information there.

This is sometimes related to permissions on the home directory being too lax.

Re: OpenSSH login Issue

HPP — Mon, 13 Jun 2005 09:45:46 GMT

Checked the /var/adm/syslog/syslog.log on both client and server, no messages for closing the connections.

Thanks

Re: OpenSSH login Issue

Denver Osborn — Mon, 13 Jun 2005 11:31:54 GMT

How about running the ssh with "ssh -vvv" for more debug output and adding something like a "set -x" to root's profile just be sure it's nothing to do w/ root's login closing the connection.

Have also narrowed this down to a root only login problem or does it happen for all users?

-denver

Re: OpenSSH login Issue

HPP — Mon, 13 Jun 2005 12:18:12 GMT

Hi,
Its happening for all users. Below is the output of ssh -vvv.

ssh -vvv root@192.168.32.64
OpenSSH_4.1, OpenSSL 0.9.7e 25 Oct 2004
HP-UX Secure Shell-A.04.00.000, HP-UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug3: RNG is ready, skipping seeding
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.32.64 [192.168.32.64] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/3
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.1
debug1: match: OpenSSH_4.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.1
debug2: fd 4 setting O_NONBLOCK
debug3: RNG is ready, skipping seeding
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 144/256
debug2: bits set: 506/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug3: check_host_in_hostfile: match line 38
debug1: Host '192.168.32.64' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:38
debug2: bits set: 496/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /.ssh/id_rsa (00000000)
debug2: key: /.ssh/id_dsa (00000000)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug3: no such identity: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug3: no such identity: /.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 24 padlen 8 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug3: tty_make_modes: ospeed 300
debug3: tty_make_modes: ispeed 0
debug3: tty_make_modes: 1 3
debug3: tty_make_modes: 2 28
debug3: tty_make_modes: 3 8
debug3: tty_make_modes: 4 21
debug3: tty_make_modes: 5 4
debug3: tty_make_modes: 6 0
debug3: tty_make_modes: 7 255
debug3: tty_make_modes: 8 17
debug3: tty_make_modes: 9 19
debug3: tty_make_modes: 10 255
debug3: tty_make_modes: 11 255
debug3: tty_make_modes: 13 255
debug3: tty_make_modes: 14 255
debug3: tty_make_modes: 16 255
debug3: tty_make_modes: 30 0
debug3: tty_make_modes: 31 0
debug3: tty_make_modes: 32 0
debug3: tty_make_modes: 33 1
debug3: tty_make_modes: 34 0
debug3: tty_make_modes: 35 0
debug3: tty_make_modes: 36 1
debug3: tty_make_modes: 37 0
debug3: tty_make_modes: 38 1
debug3: tty_make_modes: 39 1
debug3: tty_make_modes: 40 1
debug3: tty_make_modes: 41 0
debug3: tty_make_modes: 50 1
debug3: tty_make_modes: 51 1
debug3: tty_make_modes: 52 0
debug3: tty_make_modes: 53 1
debug3: tty_make_modes: 54 1
debug3: tty_make_modes: 55 1
debug3: tty_make_modes: 56 0
debug3: tty_make_modes: 57 0
debug3: tty_make_modes: 58 0
debug3: tty_make_modes: 59 0
debug3: tty_make_modes: 60 0
debug3: tty_make_modes: 61 0
debug3: tty_make_modes: 62 0
debug3: tty_make_modes: 70 1
debug3: tty_make_modes: 71 0
debug3: tty_make_modes: 72 1
debug3: tty_make_modes: 73 0
debug3: tty_make_modes: 74 0
debug3: tty_make_modes: 75 0
debug3: tty_make_modes: 90 1
debug3: tty_make_modes: 91 1
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug2: channel 0: request shell confirm 0
debug2: fd 4 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
Last login: Mon Jun 13 10:38:49 2005 from localhost
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0
debug2: channel 0: rcvd close
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)

debug3: channel 0: close_fds r -1 w -1 e 7 c -1
Connection to 192.168.32.64 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 37 bytes in 1.4 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 26.5
debug1: Exit status -1

Re: OpenSSH login Issue

Denver Osborn — Mon, 13 Jun 2005 13:30:42 GMT

I haven't been able to put my finger on it yet, but it's not using Password Auth when you get the error, it's failing with Keyboard-Interactive. Test your login w/ password auth only to see if it gets you past the ssh exit 255.

ssh -vvv -o PreferredAuthentications=password

-denver

Re: OpenSSH login Issue

RAC_1 — Mon, 13 Jun 2005 13:41:17 GMT

Start the seperate sshd server (sshd -ddd -p "some_random_port")

Now from client try to connect to server ( ssh -vvv -p "random_port"

"the random_port is port that you chose for sarting sshd on server)
Post sshd -ddd output from server

Anil

Re: OpenSSH login Issue

RAC_1 — Mon, 13 Jun 2005 13:58:32 GMT

Usually the error code -1 is fatal error. It is caused by wrong configuration.

Have you set pam=yes in sshd_config (or ssh_config-don't remember exact file)

Anil

Re: OpenSSH login Issue

HPP — Mon, 13 Jun 2005 14:22:35 GMT

Denver,
I used ssh -vvv -o PreferredAuthentications=password

and it worked. Also Made changes sshd_config.

Thanks to all who responded to my questions.

Points will be assigned.

Thank you very much.

Re: OpenSSH login Issue

Denver Osborn — Mon, 13 Jun 2005 14:29:02 GMT

If Password Auth worked then it leads me to belived there's either a problem with PAM or one sshd doesn't like something w/ PAM... maybe LDAP is used on this box??

Anyhow, if you troubleshoot further you should look at pam closer. Other wise set use pam to no in the sshd config.

-denver

Re: OpenSSH login Issue

HPP — Mon, 13 Jun 2005 14:55:50 GMT

I have same version of Openssh on different HP-UX 11.00 machine and it works fine. But those machines have latest Patch set. The one which had problems has QPACK June 01. I think it might be OS patch issue.

Thanks again for the response.