Bug#330844: Problem encountered with openssh-server/pam on sid after dist-upgrading on Fri Sep 30 near 3:00:00 CEST

[Camille Prevost <camille.prevost@home108.com>]

Package: openssh-server # or *pam* (?)
Version: 1:4.2p1-4

Login through the console is OK, ssh remote connections with the same 
client through others servers on sid upgraded at the same time are OK 
(!), and of course this error appears before and after a demoralised reboot

Thank you for attention, regards,
Camille Prevost



The Error Client-Side

> [cam@horizon] ~ #ssh -p 22002 cam@nadir
> Password: 
> Read from remote host nadir: Connection reset by peer
> Connection to nadir closed.
>
>
>
> #######
> #After#
> #######
>
>
>
> [cam@horizon] ~ #ssh -vvv -p 22002 cam@nadir
> OpenSSH_4.2p1 Debian-4, OpenSSL 0.9.7g 11 Apr 2005
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to nadir [10.105.108.1] port 22002.
> debug1: Connection established.
> debug1: identity file /home/cam/.ssh/identity type -1
> debug1: identity file /home/cam/.ssh/id_rsa type -1
> debug1: identity file /home/cam/.ssh/id_dsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.2p1
> Debian-4
> debug1: match: OpenSSH_4.2p1 Debian-4 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.2p1 Debian-4
> debug2: fd 3 setting O_NONBLOCK
> debug3: Trying to reverse map address 10.105.108.1.
> debug1: Miscellaneous failure
> No credentials cache found
>
> debug1: Miscellaneous failure
> No credentials cache found
>
> debug1: Offering GSSAPI proposal: (null)
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 
> debug2: kex_parse_kexinit: reserved 0 
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: 
> debug2: kex_parse_kexinit: first_kex_follows 0 
> debug2: kex_parse_kexinit: reserved 0 
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 132/256
> debug2: bits set: 492/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/cam/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 1
> debug3: check_host_in_hostfile: filename /home/cam/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 2
> debug1: Host 'nadir' is known and matches the RSA host key.
> debug1: Found key in /home/cam/.ssh/known_hosts:1
> debug2: bits set: 494/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /home/cam/.ssh/identity ((nil))
> debug2: key: /home/cam/.ssh/id_rsa ((nil))
> debug2: key: /home/cam/.ssh/id_dsa ((nil))
> debug1: Authentications that can continue: publickey,keyboard-interactive
> debug3: start over, passed a different list publickey,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: /home/cam/.ssh/identity
> debug3: no such identity: /home/cam/.ssh/identity
> debug1: Trying private key: /home/cam/.ssh/id_rsa
> debug3: no such identity: /home/cam/.ssh/id_rsa
> debug1: Trying private key: /home/cam/.ssh/id_dsa
> debug3: no such identity: /home/cam/.ssh/id_dsa
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 1
> Password: 
> debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
> debug2: input_userauth_info_req
> debug2: input_userauth_info_req: num_prompts 0
> debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
> debug1: Authentication succeeded (keyboard-interactive).
> debug1: channel 0: new [client-session]
> debug3: ssh_session2_open: channel_new: 0
> debug2: channel 0: send open
> debug1: Entering interactive session.
> debug1: channel 0: free: client-session, nchannels 1
> debug3: channel 0: status: The following connections are open:
>   #0 client-session (t3 r-1 i0/0 o0/0 fd 4/5 cfd -1)
>   
> debug3: channel 0: close_fds r 4 w 5 e 6 c -1
> Read from remote host nadir: Connection reset by peer
> Connection to nadir closed.
> debug1: Transferred: stdin 0, stdout 0, stderr 84 bytes in 0.1 seconds
> debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 1260.8
> debug1: Exit status -1
>   

The Error Server-Side

> tail /var/log/auth.log
>
> Sep 30 05:01:49 nadir sshd[6302]: Accepted keyboard-interactive/pam for cam from 10.105.108.2 port 45259 ssh2
> Sep 30 05:01:49 nadir sshd[6307]: (pam_unix) session opened for user cam by (uid=0)
> Sep 30 05:01:49 nadir sshd[6307]: fatal: PAM: pam_setcred(): Critical error - immediate abort
> Sep 30 05:01:49 nadir sshd[6307]: (pam_unix) session closed for user cam