topic Re: ssh wants passwd in Operating System - HP-UX

ssh wants passwd

Debbie Smith — Wed, 04 Jan 2006 18:46:24 GMT

I am using Secure_Shell 3.81.002 on hpux lli
on both systems. ssh is not working for one
user only but works fine for all others.

this is the output from ssh -v
OpenSSH_3.8, OpenSSL 0.9.7d 17 Mar 2004
HP-UX_Secure_Shell-A.03.81.002, HP_UX Secure Shell version
debug1: Reading configuration data /opt/ssh/etc/ssh_config
debug1: Connecting to shm3ts1 [15.1.27.77] port 22.
debug1: Connection established.
debug1: identity file /home/ops/.ssh/id_rsa type 1
debug1: identity file /home/ops/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8
debug1: match: OpenSSH_3.8 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'shm3ts1' is known and matches the RSA host key.
debug1: Found key in /home/ops/.ssh/known_hosts:42
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/ops/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /home/ops/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:

I am not using dsa only rsa. I tried removing .ssh directory and did ssh-keygen -t rsa and using the defaults but am still having the same problem. Upgrading is not an option at this time.

Re: ssh wants passwd

Doug O'Leary — Wed, 04 Jan 2006 19:35:21 GMT

Hey;

Check /var/adm/syslog/syslog.log; that will usually tell you why it blew off the key. Also, check permissions on ~ops/.ssh - it must be 700. Also check permissions on ~ops/.ssh/authorized_keys; that shouldn't allow write access to anyone other than the owner.

If all those check out, I'm leaning towards a server config. Your debug output seems to suggest that it read the ssh key and accepted it.

Ensure these two options are set to yes:

RSAAuthentication yes
PubkeyAuthentication yes

Checking those things should give you something to go on...

HTH;

Doug

Re: ssh wants passwd

Jov — Wed, 04 Jan 2006 23:07:34 GMT

Hi,

You've recreated the .ssh/ and the require contents and also entered the passphrase as well? Or are you using an empty passhrase, thus not require user interaction?

If you can elaborate the ssh setup it might help.

Jov

Re: ssh wants passwd

RAC_1 — Wed, 04 Jan 2006 23:12:11 GMT

Looking at ssh -v output, makes me think that it is working. It is just asking for the password.

Is that the case??? If not, post following.

ssh -vvv "server_name" - From client

sshd -ddd - From server

Re: ssh wants passwd

Ralph Grothe — Thu, 05 Jan 2006 03:27:22 GMT

Silly question,
have you checked your /opt/ssh/etc/sshd_config that it actually would accept .shosts files?
As you can see from man sshd_config the default if not explicitly set is for obvious security reasons to disable HostBasedAuthentication and especially assumes IgnoreRhosts being set to yes.
If that's the case chage those to directives accordingly and issue

# kill -1 $(cat /var/run/sshd.pid)

Re: ssh wants passwd

Debbie Smith — Thu, 05 Jan 2006 11:58:28 GMT

Here are some answers to your questions:
For the ssh-keygen setup no entries only
Was working before and with no changes to the system â
stopped just for this one user.

It looks like to me that it wants the dsa authentication
which I am not using and never was using, just the
rsa

The same server user can ssh to other users on the same client
and it is only requesting the rsa authentication: (meaning it works correctly)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/bv/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.

Here is the client syslog.log:
Jan 5 08:29:17 shm3ts1 sshd[12115]: error: PAM: Authentication failed for bv from shs1xx
Jan 5 08:29:17 shm3ts1 sshd[12115]: Failed keyboard-interactive/pam for bv from 15.1.xx.xx port 54694 ssh2
Jan 5 08:29:17 shm3ts1 sshd[12115]: Failed password for bv from 15.1.xx.xx port 54694 ssh2
Jan 5 08:29:17 shm3ts1 sshd[12115]: error: PAM: Authentication failed for bv from shs1xx
Jan 5 08:29:25 shm3ts1 above message repeats 2 times
Jan 5 08:29:17 shm3ts1 sshd[12115]: Failed keyboard-interactive/pam for bv from 15.1.xx.xx port 54694 ssh2
Jan 5 08:29:19 shm3ts1 sshd[12115]: Failed password for bv from 15.1.xx.xx port 54694 ssh2
Jan 5 08:29:25 shm3ts1 above message repeats 2 times

I guess I am confused why is it asking for the dsa authentication for this one user only.
The permissions are 700 on .ssh and 600 authorized_keys, also tried 644 on authorized_keys.

Re: ssh wants passwd

baiju_3 — Thu, 05 Jan 2006 12:06:49 GMT

I am sure that you are getting a password prompt for this user . Please check the user account status on the remote server .

If the remote is trusted , check the account status using /usr/lbin/getprpw user_name .

thx,
bl.

Re: ssh wants passwd

Debbie Smith — Thu, 05 Jan 2006 12:58:05 GMT

Thanks BL! the system is not trusted but the user password was * for some reason.
It is now working!