topic Re: SSH login in Operating System - HP-UX

SSH login

sheevm — Wed, 11 Apr 2007 10:43:58 GMT

Hi All,

We recently upgraded SSH to 4.40 version.

when user login using SSH they receive a message about “keyboard interactive” and are prompted for a password (even when all the public keys have been installed), they hit enter and can get in

Does anyone out there know how to fix this?

Thanks.

Re: SSH login

Steven Schweda — Wed, 11 Apr 2007 10:53:00 GMT

You might be amazed by how much more useful
actual commands with their actual output can
be in diagnosing problems like this, when
compared with an incomplete, vague
description of what happened.

Log in from where/what? Log into what?

Adding "-v" to the "ssh" command might also
be useful, while you're at it. And even
"ssh -V".

Re: SSH login

Marco A. — Fri, 20 Apr 2007 13:37:11 GMT

Read more about it at .:

http://docs.hp.com/en/T1471-90015/ch01s16.html

and ..

http://docs.hp.com/en/T1471-90015/T1471-90015.pdf

Actually you can select what you want to use, PAM, or the Keyboard-Interactive.

Regards

Re: SSH login

Clay Jordan — Fri, 20 Apr 2007 17:21:31 GMT

If you have access, you might also try running sshd in the foreground on the server with 'sshd -D -d -p ' and then connecting from one of the problem clients specifying the same port. You should get an the order and success/failure of the various authentication methods you have enabled.

Re: SSH login

Rasheed Tamton — Sat, 21 Apr 2007 07:12:36 GMT

Hi,

SSH is sensitive to file permissions. Please make sure your permissions on file/dirs are correct.

chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/*

Also, check whether the publickey authentication is enabled in /opt/ssh/etc/sshd_config file or not.

ssh -vvv -l username hostname

and see the output.

Regards.

Re: SSH login

Ralph Grothe — Mon, 23 Apr 2007 08:56:57 GMT

This sounds strange,
because an upgrade of SSH should by most generate new host keys during some post-install routine.
If that happened, and you forgot to recover the old host keys then your users would likely see a screen like this (apart from the deviating fingerprint) when they try to login:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
85:44:38:4e:74:99:e4:77:d1:2e:01:46:4f:ea:e7:15.
Please contact your system administrator.
Add correct host key in /home/grothe/.ssh/known_hosts to get rid of this message
.
Offending key in /home/grothe/.ssh/known_hosts:943
RSA host key for tiber has changed and you have requested strict checking.
Host key verification failed.

As said, before annoying your users and requiring them to edit their $HOME/.ssh/known_hosts file to replace the offending key (if at all they know how to do this),
you should move the old host keys from before the update in place (e.g. /opt/ssh/etc/ssh_host_{rsa,dsa}_key*)

Whereas, your users' public keys should not have been affected by the upgrade.

Re: SSH login

Steven E. Protter — Mon, 23 Apr 2007 09:06:47 GMT

Shalom,

Check permission and ownership on keys and .ssh and home directory.

Consider clearing out the known_hosts file.

Consider not using .zero releases they are often buggy.

SEP