[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Probem with openssh and pam modules

did you check all module invoked in /etc/pam.d/ssh can be found 
in /lib/security/  ?

c++, Tonio

En réponse à Anne Carasik <gator@cacr.caltech.edu>:

> Hi there,
> 
> This might provide a clue:
>  debug1: PAM setting tty to \"/dev/pts/3\"
>  PAM session setup failed[28]: Module is unknown
> 
> -Anne
> 
> This one time, Alexis Sukrieh wrote:
> > here is the full output
> > 
> > ( I\'ve turned UsePrivilegeSeparation to \"no\" )
> > 
> > 
> > _______________________________________________________
> > poseidon:~# sshd -ddd
> > debug1: sshd version OpenSSH_3.4p1 Debian 1:3.4p1-2
> > debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
> > debug1: read PEM private key done: type RSA
> > debug1: private host key: #0 type 1 RSA
> > debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> > debug1: read PEM private key done: type DSA
> > debug1: private host key: #1 type 2 DSA
> > debug1: Bind to port 22 on 0.0.0.0.
> > Server listening on 0.0.0.0 port 22.
> > debug1: Server will not fork when running in debugging mode.
> > Connection from 127.0.0.1 port 32989
> > debug1: Client protocol version 2.0; client software version
> OpenSSH_3.4p1 
> > Debian 1:3.4p1-2
> > debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-2 pat OpenSSH*
> > Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-2
> > debug1: list_hostkey_types: ssh-rsa,ssh-dss
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug2: kex_parse_kexinit: 
> > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit: 
> >
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-
cbc,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: 
> >
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-
cbc,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: 
> >
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-
96,hmac-md5-96
> > debug2: kex_parse_kexinit: 
> >
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-
96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: kex_parse_kexinit: 
> > diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit: 
> >
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-
cbc,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: 
> >
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-
cbc,rijndael-cbc@lysator.liu.se
> > debug2: kex_parse_kexinit: 
> >
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-
96,hmac-md5-96
> > debug2: kex_parse_kexinit: 
> >
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-
96,hmac-md5-96
> > debug2: kex_parse_kexinit: none
> > debug2: kex_parse_kexinit: none
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: mac_init: found hmac-md5
> > debug1: kex: client->server aes128-cbc hmac-md5 none
> > debug2: mac_init: found hmac-md5
> > debug1: kex: server->client aes128-cbc hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> > WARNING: /etc/ssh/moduli does not exist, using old modulus
> > debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> > debug1: dh_gen_key: priv key bits set: 131/256
> > debug1: bits set: 486/1024
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> > debug1: bits set: 531/1024
> > debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> > debug1: kex_derive_keys
> > debug1: newkeys: mode 1
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: waiting for SSH2_MSG_NEWKEYS
> > debug1: newkeys: mode 0
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: KEX done
> > debug1: userauth-request for user sukria service ssh-connection method
> none
> > debug1: attempt 0 failures 0
> > debug2: input_userauth_request: setting up authctxt for sukria
> > debug1: Starting up PAM with username \"sukria\"
> > debug3: Trying to reverse map address 127.0.0.1.
> > debug1: PAM setting rhost to \"poseidon\"
> > debug2: input_userauth_request: try method none
> > Failed none for sukria from 127.0.0.1 port 32989 ssh2
> > debug1: userauth-request for user sukria service ssh-connection method
> 
> > keyboard-interactive
> > debug1: attempt 1 failures 1
> > debug2: input_userauth_request: try method keyboard-interactive
> > debug1: keyboard-interactive devs
> > debug1: auth2_challenge: user=sukria devs=
> > debug1: kbdint_alloc: devices \'\'
> > debug2: auth2_challenge_start: devices
> > Failed keyboard-interactive for sukria from 127.0.0.1 port 32989
> ssh2
> > debug1: userauth-request for user sukria service ssh-connection method
> 
> > password
> > debug1: attempt 2 failures 2
> > debug2: input_userauth_request: try method password
> > debug1: PAM Password authentication accepted for user \"sukria\"
> > debug2: pam_acct_mgmt() = 0
> > Accepted password for sukria from 127.0.0.1 port 32989 ssh2
> > debug1: Entering interactive session for SSH2.
> > debug1: fd 3 setting O_NONBLOCK
> > debug1: fd 8 setting O_NONBLOCK
> > debug1: server_init_dispatch_20
> > debug1: server_input_channel_open: ctype session rchan 0 win 65536 max
> 16384
> > debug1: input_session_request
> > debug1: channel 0: new [server-session]
> > debug1: session_new: init
> > debug1: session_new: session 0
> > debug1: session_open: channel 0
> > debug1: session_open: session 0: link with channel 0
> > debug1: server_input_channel_open: confirm session
> > debug1: server_input_channel_req: channel 0 request pty-req reply 0
> > debug1: session_by_channel: session 0 channel 0
> > debug1: session_input_channel_req: session 0 req pty-req
> > debug1: Allocating pty.
> > debug1: session_pty_req: session 0 alloc /dev/pts/3
> > debug3: tty_parse_modes: SSH2 n_bytes 256
> > debug3: tty_parse_modes: ospeed 9600
> > debug3: tty_parse_modes: ispeed 9600
> > debug3: tty_parse_modes: 1 3
> > debug3: tty_parse_modes: 2 28
> > debug3: tty_parse_modes: 3 127
> > debug3: tty_parse_modes: 4 21
> > debug3: tty_parse_modes: 5 4
> > debug3: tty_parse_modes: 6 0
> > debug3: tty_parse_modes: 7 0
> > debug3: tty_parse_modes: 8 17
> > debug3: tty_parse_modes: 9 19
> > debug3: tty_parse_modes: 10 26
> > debug3: tty_parse_modes: 12 18
> > debug3: tty_parse_modes: 13 23
> > debug3: tty_parse_modes: 14 22
> > debug3: tty_parse_modes: 18 15
> > debug3: tty_parse_modes: 30 0
> > debug3: tty_parse_modes: 31 0
> > debug3: tty_parse_modes: 32 0
> > debug3: tty_parse_modes: 33 0
> > debug3: tty_parse_modes: 34 0
> > debug3: tty_parse_modes: 35 0
> > debug3: tty_parse_modes: 36 1
> > debug3: tty_parse_modes: 37 0
> > debug3: tty_parse_modes: 38 1
> > debug3: tty_parse_modes: 39 0
> > debug3: tty_parse_modes: 40 0
> > debug3: tty_parse_modes: 41 0
> > debug3: tty_parse_modes: 50 1
> > debug3: tty_parse_modes: 51 1
> > debug3: tty_parse_modes: 52 0
> > debug3: tty_parse_modes: 53 1
> > debug3: tty_parse_modes: 54 1
> > debug3: tty_parse_modes: 55 1
> > debug3: tty_parse_modes: 56 0
> > debug3: tty_parse_modes: 57 0
> > debug3: tty_parse_modes: 58 0
> > debug3: tty_parse_modes: 59 1
> > debug3: tty_parse_modes: 60 1
> > debug3: tty_parse_modes: 61 1
> > debug3: tty_parse_modes: 62 0
> > debug3: tty_parse_modes: 70 1
> > debug3: tty_parse_modes: 71 0
> > debug3: tty_parse_modes: 72 1
> > debug3: tty_parse_modes: 73 0
> > debug3: tty_parse_modes: 74 0
> > debug3: tty_parse_modes: 75 0
> > debug3: tty_parse_modes: 90 1
> > debug3: tty_parse_modes: 91 1
> > debug3: tty_parse_modes: 92 0
> > debug3: tty_parse_modes: 93 0
> > debug1: server_input_channel_req: channel 0 request shell reply 0
> > debug1: session_by_channel: session 0 channel 0
> > debug1: session_input_channel_req: session 0 req shell
> > debug1: PAM setting tty to \"/dev/pts/3\"
> > PAM session setup failed[28]: Module is unknown
> > debug1: Calling cleanup 0x805a3ec(0x80917a0)
> > debug1: session_pty_cleanup: session 0 release /dev/pts/3
> > debug1: Calling cleanup 0x80604b8(0x0)
> > debug1: channel_free: channel 0: server-session, nchannels 1
> > debug3: channel_free: status: The following connections are open:
> >   #0 server-session (t10 r0 i0/0 o0/0 fd -1/-1)
> > 
> > debug3: channel_close_fds: channel 0: r -1 w -1 e -1
> > debug1: Calling cleanup 0x8052b48(0x0)
> > debug1: Calling cleanup 0x806be4c(0x0)
> > poseidon:~#
> > 
> > 
> > At 07:22 02/10/2002 -0700, Anne Carasik wrote:
> > >Kill your sshd. Run it in debugging mode (it will not
> > >fork a process):
> > >
> > ># sshd -ddd
> > >
> > >Open another window, now run the client in verbose mode:
> > >
> > >$ ssh -vvv user@host
> > >
> > >Then email us the output. :) Otherwise, this is really difficult
> > >to troubleshoot.
> > >
> > >-Anne
> > >
> > >
> > >
> > >This one time, Alexis Sukrieh wrote:
> > >> You\'re right, it was set to yes but after putting it to \'no\', the
> same
> > >> problem is still there...
> > >>
> > >> At 16:11 02/10/2002 +0200, you wrote:
> > >> >You need to turn off UsePrivilegeSeparation
> > >> >in your /etc/ssh/sshd_config file.
> > >> >
> > >> >\"UsePrivilegeSeparation no\"
> > >>
> > >>
> > >>
> > >>
> > >> Alexis Sukrieh (sukria), <alexis@sukria.net>
> > >> . homepage - [http://sukria.net]
> > >> . clef PGP - [http://sukria.net/print.php?c=privacy]
> > >> . mydynaweb - [http://www.mydynaweb.net]
> > >> ______________________________________________
> > >>
> > >>
> > >> --
> > >> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > >> with a subject of \"unsubscribe\". Trouble? Contact
> > >> listmaster@lists.debian.org
> > >>
> > >
> > >--
> > >              .-\"\".__.\"``\".   Anne Carasik, System Administrator
> > > .-.--. _...\' (/)   (/)   ``\'   gator at cacr dot caltech dot edu
> > >(O/ O) \\-\'      ` -=\"\"\"=.    \',  Center for Advanced Computing
> Research
> >
> >~`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > >
> > 
> > Alexis Sukrieh (sukria), <alexis@sukria.net>
> > . homepage - [http://sukria.net]
> > . clef PGP - [http://sukria.net/print.php?c=privacy]
> > . mydynaweb - [http://www.mydynaweb.net]
> > ______________________________________________
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of \"unsubscribe\". Trouble? Contact 
> > listmaster@lists.debian.org
> > 
> 
> -- 
>               .-\"\".__.\"``\".   Anne Carasik, System Administrator
>  .-.--. _...\' (/)   (/)   ``\'   gator at cacr dot caltech dot edu 
> (O/ O) \\-\'      ` -=\"\"\"=.    \',  Center for Advanced Computing Research 
>   
> ~`~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
>
Reply to: