
Bug#364635: ssh: keyboard-interactive authentification does not work



Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: normal
Tags: sarge

Hello,

recently the keyboard-interactive authentication method of the ssh
version in Sarge stopped working for me.  The login process is just
aborted with a "Connection closed by [ip address]" message.  There
seem to be no error messages, neither in the server output, nor in
the client output.  The corresponding logs and my sshd_config file are
appended.

The same problem appears when I try to log in remotely.  Remote logins
used to work until a few days ago, and I cannot recall any significant
configuration changes since then.  The latest updates were

    [UPGRADE] exim4 4.50-8 -> 4.50-8sarge2
    [UPGRADE] exim4-base 4.50-8 -> 4.50-8sarge2
    [UPGRADE] exim4-config 4.50-8 -> 4.50-8sarge2
    [UPGRADE] exim4-daemon-light 4.50-8 -> 4.50-8sarge2
    [UPGRADE] libc6 2.3.2.ds1-22 -> 2.3.2.ds1-22sarge3
    [UPGRADE] libc6-dev 2.3.2.ds1-22 -> 2.3.2.ds1-22sarge3
    [UPGRADE] libperl5.8 5.8.4-8sarge3 -> 5.8.4-8sarge4
    [UPGRADE] locales 2.3.2.ds1-22 -> 2.3.2.ds1-22sarge3
    [UPGRADE] mutt 1.5.9-2 -> 1.5.9-2sarge1
    [UPGRADE] perl 5.8.4-8sarge3 -> 5.8.4-8sarge4
    [UPGRADE] perl-base 5.8.4-8sarge3 -> 5.8.4-8sarge4
    [UPGRADE] perl-doc 5.8.4-8sarge3 -> 5.8.4-8sarge4
    [UPGRADE] perl-modules 5.8.4-8sarge3 -> 5.8.4-8sarge4
    [UPGRADE] tar 1.14-2.1 -> 1.14-2.2

Help on how to solve this problem would be very welcome.  I understand
that bugs in sarge are not usually fixed, but since this is
potentially annoying (e.g. losing the ability to log into a hosted
server), it might be good to document a work-around (if there is one)
somewhere.

I hope this helps,
Jochen

== client side =======================================================
> slogin -vvv localhost
OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/voss/.ssh/identity type -1
debug1: identity file /home/voss/.ssh/id_rsa type -1
debug1: identity file /home/voss/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.4
debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 560/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/voss/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 5
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/voss/.ssh/known_hosts:5
debug2: bits set: 541/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/voss/.ssh/identity ((nil))
debug2: key: /home/voss/.ssh/id_rsa ((nil))
debug2: key: /home/voss/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/voss/.ssh/identity
debug3: no such identity: /home/voss/.ssh/identity
debug1: Trying private key: /home/voss/.ssh/id_rsa
debug3: no such identity: /home/voss/.ssh/id_rsa
debug1: Trying private key: /home/voss/.ssh/id_dsa
debug3: no such identity: /home/voss/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
Connection closed by 127.0.0.1
======================================================================


== server log (with log level DEBUG3) ================================
Apr 24 16:50:39 seehuhn sshd[26029]: Connection from ::ffff:127.0.0.1 port 3313
Apr 24 16:50:39 seehuhn sshd[26026]: debug1: Forked child 26029.
Apr 24 16:50:39 seehuhn sshd[26029]: debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1 Debian-8.sarge.4
Apr 24 16:50:39 seehuhn sshd[26029]: debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH*
Apr 24 16:50:39 seehuhn sshd[26029]: debug1: Enabling compatibility mode for protocol 2.0
Apr 24 16:50:39 seehuhn sshd[26029]: debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
Apr 24 16:50:39 seehuhn sshd[26029]: debug2: Network child is on pid 26030
Apr 24 16:50:39 seehuhn sshd[26029]: debug3: preauth child monitor started
Apr 24 16:50:39 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: monitor_read: checking request 0
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_answer_moduli: got parameters: 1024 1024 8192
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_request_send entering: type 1
Apr 24 16:50:40 seehuhn sshd[26029]: debug2: monitor_read: 0 used once, disabling now
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: monitor_read: checking request 4
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_answer_sign
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_answer_sign: signature 0x809dc50(143)
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_request_send entering: type 5
Apr 24 16:50:40 seehuhn sshd[26029]: debug2: monitor_read: 4 used once, disabling now
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: monitor_read: checking request 6
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_answer_pwnamallow
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_request_send entering: type 7
Apr 24 16:50:41 seehuhn sshd[26029]: debug2: monitor_read: 6 used once, disabling now
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: monitor_read: checking request 45
Apr 24 16:50:41 seehuhn sshd[26029]: debug1: PAM: initializing for "voss"
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: Normalising mapped IPv4 in IPv6 address
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: Trying to reverse map address 127.0.0.1.
Apr 24 16:50:41 seehuhn sshd[26029]: debug1: PAM: setting PAM_RHOST to "localhost"
Apr 24 16:50:41 seehuhn sshd[26029]: debug1: PAM: setting PAM_TTY to "ssh"
Apr 24 16:50:41 seehuhn sshd[26029]: debug2: monitor_read: 45 used once, disabling now
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: monitor_read: checking request 3
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_answer_authserv: service=ssh-connection, style=
Apr 24 16:50:41 seehuhn sshd[26029]: debug2: monitor_read: 3 used once, disabling now
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: monitor_read: checking request 10
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_answer_authpassword: sending result 0
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_request_send entering: type 11
Apr 24 16:50:41 seehuhn sshd[26029]: Failed none for voss from ::ffff:127.0.0.1 port 3313 ssh2
Apr 24 16:50:42 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:42 seehuhn sshd[26029]: debug3: monitor_read: checking request 48
Apr 24 16:50:42 seehuhn sshd[26029]: debug3: mm_answer_pam_init_ctx
Apr 24 16:50:42 seehuhn sshd[26029]: debug3: PAM: sshpam_init_ctx entering
======================================================================


== /etc/ssh/sshd_config ==============================================
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication yes


# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

Subsystem	sftp	/usr/lib/sftp-server

UsePAM yes
======================================================================



-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.12.4-bytemark-uml-20050811-1-full
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)

Versions of packages ssh depends on:
ii  adduser               3.63               Add and remove users and groups
ii  debconf               1.4.30.13          Debian configuration management sy
ii  dpkg                  1.10.28            Package maintenance system for Deb
ii  libc6                 2.3.2.ds1-22sarge3 GNU C Library: Shared libraries an
ii  libpam-modules        0.76-22            Pluggable Authentication Modules f
ii  libpam-runtime        0.76-22            Runtime support for the PAM librar
ii  libpam0g              0.76-22            Pluggable Authentication Modules l
ii  libssl0.9.7           0.9.7e-3sarge1     SSL shared libraries
ii  libwrap0              7.6.dbs-8          Wietse Venema's TCP wrappers libra
ii  zlib1g                1:1.2.2-4.sarge.2  compression library - runtime

-- debconf information:
  ssh/insecure_rshd:
  ssh/ssh2_keys_merged:
  ssh/user_environment_tell:
* ssh/forward_warning:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
  ssh/disable_cr_auth: false



