topic Re: SSH permission denied issue in Operating System - Linux

SSH permission denied issue

admin1979 — Wed, 09 Sep 2009 08:42:37 GMT

Hello,

We have a peculiar ssh issue between 2 Linux hosts. 1 SYS_A (SLES 10, 10.99.20.253) and other SYS_B(SuSE 7.0, 10.99.20.76) systems.
We can ssh from SYS_A to SYS_B but gets permission denied from SYS_B to SYS_A. Here is the verbose output.

SYS_B >> ssh SYS_A -v
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 501 geteuid 0 anon 0
debug: Connecting to SYS_A [10.99.20.253] port 22.
debug: Seeding random number generator
debug: Allocated local port 804.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_4.2
debug: Local version string SSH-1.5-OpenSSH_2.1.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
The authenticity of host 'SYS_A' can't be established.
RSA key fingerprint is ee:a4:e7:42:4b:d3:2d:8b:22:c2:33:7c:16:4d:a2:08.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'SYS_A,10.99.20.253' (RSA) to the list of known hosts.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
Permission denied.
debug: Calling cleanup 0x805d200(0x0)
SYS_B >>

SYS_B >> netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.99.20.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 san1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 10.99.20.253 0.0.0.0 UG 0 0 0 eth0

The SYS_A is having ,
SYS_A>> ssh -V
OpenSSH_4.2p1, OpenSSL 0.9.8a 11 Oct 2005

and SYS_B ,
SYSB >> ssh -V
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f).

Plz let me know if you need anymore info.
Plz suggest.

Thanx.
admin

Re: SSH permission denied issue

Steven E. Protter — Wed, 09 Sep 2009 09:02:39 GMT

Shalom,

Check the ownership of the directory .ssh and the files within, permissions as well.

Consider restarting the sshd daemon on the receiving server.

Check these two reference articles:
http://www.hpux.ws/?p=19

http://www.hpux.ws/?p=10

SEP

Re: SSH permission denied issue

Matti_Kurkela — Wed, 09 Sep 2009 09:43:03 GMT

"Local version string: SSH-1.5-OpenSSH_2.1.1" and other messages after it suggest SYS_B is trying to use SSH protocol version 1. That protocol version has known weaknesses and modern systems may disable the backwards compatibility at the server side by default.

On the other hand, OpenSSH 2.1.1 is so old that SSH protocol 2.0 might have been still treated as "experimental" back when it was released, and you may have to change the settings to use it.

The version string is of the form SSH--_. Protocol version 1.99 would mean "I'm really 2.0 but I may be able to use protocol version 1.x too."

Please check the "Protocol" setting in /etc/ssh/ssh_config on SYS_B, and in /etc/ssh/sshd_config on SYS_A respectively.

MK

Re: SSH permission denied issue

admin1979 — Wed, 09 Sep 2009 10:37:52 GMT

Hello,

Thats sound interesting but what settings need to be modified ?

In fact on both the systems,

/etc/ssh/ssh_config says,

# Protocol 2,1

Anything else you need?

Thanx,
admin

Re: SSH permission denied issue

admin1979 — Wed, 09 Sep 2009 10:54:03 GMT

Hello,

I tried using a different Protocol and got below messages,

SYS_B:> ssh SYS_A -2 -v
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to SYS_A [10.99.20.253] port 22.
debug: Seeding random number generator
debug: Allocated local port 648.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_4.2
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.1.1
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-rsa,ssh-dss
debug: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug: got kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug: got kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug: got kexinit: none,zlib@openssh.com
debug: got kexinit: none,zlib@openssh.com
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEXDH_INIT.
debug: bits set: 506/1024
debug: Wait SSH2_MSG_KEXDH_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: Host 'SYS_A' is known and matches the DSA host key.
debug: bits set: 499/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,keyboard-interactive
debug: key does not exist: /root/.ssh/id_dsa
Permission denied (publickey,keyboard-interactive).
debug: Calling cleanup 0x805d200(0x0)
SYS_B>

Re: SSH permission denied issue

Ivan Krastev — Wed, 09 Sep 2009 21:26:38 GMT

Check for key presence:

debug: key does not exist: /root/.ssh/id_dsa

regards,
ivan