--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: ssh: keyboard-interactive authentification does not work
- From: Jochen Voss <voss@debian.org>
- Date: Mon, 24 Apr 2006 17:11:36 +0100
- Message-id: <E1FY3ey-00078T-Un@seehuhn.de>
Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: normal
Tags: sarge
Hello,
recently the keyboard-interactive authentication method of the ssh
version in Sarge stopped working for me. The login process is just
aborted with a "Connection closed by [ip address]" message. There
seem to be no error messages, neither in the server output, nor in
the client output. The corresponding logs and my sshd_config file are
appended.
The same problem appears when I try to log in remotely. Remote logins
used to work until a few days ago, and I cannot recall any significant
configuration changes since then. The latest updates were
[UPGRADE] exim4 4.50-8 -> 4.50-8sarge2
[UPGRADE] exim4-base 4.50-8 -> 4.50-8sarge2
[UPGRADE] exim4-config 4.50-8 -> 4.50-8sarge2
[UPGRADE] exim4-daemon-light 4.50-8 -> 4.50-8sarge2
[UPGRADE] libc6 2.3.2.ds1-22 -> 2.3.2.ds1-22sarge3
[UPGRADE] libc6-dev 2.3.2.ds1-22 -> 2.3.2.ds1-22sarge3
[UPGRADE] libperl5.8 5.8.4-8sarge3 -> 5.8.4-8sarge4
[UPGRADE] locales 2.3.2.ds1-22 -> 2.3.2.ds1-22sarge3
[UPGRADE] mutt 1.5.9-2 -> 1.5.9-2sarge1
[UPGRADE] perl 5.8.4-8sarge3 -> 5.8.4-8sarge4
[UPGRADE] perl-base 5.8.4-8sarge3 -> 5.8.4-8sarge4
[UPGRADE] perl-doc 5.8.4-8sarge3 -> 5.8.4-8sarge4
[UPGRADE] perl-modules 5.8.4-8sarge3 -> 5.8.4-8sarge4
[UPGRADE] tar 1.14-2.1 -> 1.14-2.2
Help on how to solve this problem would be very welcome. I understand
that bugs in sarge are not usually fixed, but since this is
potentially annoying (e.g. losing the ability to log into a hosted
server), it might be good to document a work-around (if there is one)
somewhere.
I hope this helps,
Jochen
== client side =======================================================
> slogin -vvv localhost
OpenSSH_3.8.1p1 Debian-8.sarge.4, OpenSSL 0.9.7e 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/voss/.ssh/identity type -1
debug1: identity file /home/voss/.ssh/id_rsa type -1
debug1: identity file /home/voss/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1 Debian-8.sarge.4
debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 129/256
debug2: bits set: 560/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/voss/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 5
debug1: Host 'localhost' is known and matches the RSA host key.
debug1: Found key in /home/voss/.ssh/known_hosts:5
debug2: bits set: 541/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/voss/.ssh/identity ((nil))
debug2: key: /home/voss/.ssh/id_rsa ((nil))
debug2: key: /home/voss/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/voss/.ssh/identity
debug3: no such identity: /home/voss/.ssh/identity
debug1: Trying private key: /home/voss/.ssh/id_rsa
debug3: no such identity: /home/voss/.ssh/id_rsa
debug1: Trying private key: /home/voss/.ssh/id_dsa
debug3: no such identity: /home/voss/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
Connection closed by 127.0.0.1
======================================================================
== server log (with log level DEBUG3) ================================
Apr 24 16:50:39 seehuhn sshd[26029]: Connection from ::ffff:127.0.0.1 port 3313
Apr 24 16:50:39 seehuhn sshd[26026]: debug1: Forked child 26029.
Apr 24 16:50:39 seehuhn sshd[26029]: debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1 Debian-8.sarge.4
Apr 24 16:50:39 seehuhn sshd[26029]: debug1: match: OpenSSH_3.8.1p1 Debian-8.sarge.4 pat OpenSSH*
Apr 24 16:50:39 seehuhn sshd[26029]: debug1: Enabling compatibility mode for protocol 2.0
Apr 24 16:50:39 seehuhn sshd[26029]: debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1 Debian-8.sarge.4
Apr 24 16:50:39 seehuhn sshd[26029]: debug2: Network child is on pid 26030
Apr 24 16:50:39 seehuhn sshd[26029]: debug3: preauth child monitor started
Apr 24 16:50:39 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: monitor_read: checking request 0
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_answer_moduli: got parameters: 1024 1024 8192
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_request_send entering: type 1
Apr 24 16:50:40 seehuhn sshd[26029]: debug2: monitor_read: 0 used once, disabling now
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: monitor_read: checking request 4
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_answer_sign
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_answer_sign: signature 0x809dc50(143)
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_request_send entering: type 5
Apr 24 16:50:40 seehuhn sshd[26029]: debug2: monitor_read: 4 used once, disabling now
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: monitor_read: checking request 6
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_answer_pwnamallow
Apr 24 16:50:40 seehuhn sshd[26029]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_request_send entering: type 7
Apr 24 16:50:41 seehuhn sshd[26029]: debug2: monitor_read: 6 used once, disabling now
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: monitor_read: checking request 45
Apr 24 16:50:41 seehuhn sshd[26029]: debug1: PAM: initializing for "voss"
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: Normalising mapped IPv4 in IPv6 address
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: Trying to reverse map address 127.0.0.1.
Apr 24 16:50:41 seehuhn sshd[26029]: debug1: PAM: setting PAM_RHOST to "localhost"
Apr 24 16:50:41 seehuhn sshd[26029]: debug1: PAM: setting PAM_TTY to "ssh"
Apr 24 16:50:41 seehuhn sshd[26029]: debug2: monitor_read: 45 used once, disabling now
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: monitor_read: checking request 3
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_answer_authserv: service=ssh-connection, style=
Apr 24 16:50:41 seehuhn sshd[26029]: debug2: monitor_read: 3 used once, disabling now
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: monitor_read: checking request 10
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_answer_authpassword: sending result 0
Apr 24 16:50:41 seehuhn sshd[26029]: debug3: mm_request_send entering: type 11
Apr 24 16:50:41 seehuhn sshd[26029]: Failed none for voss from ::ffff:127.0.0.1 port 3313 ssh2
Apr 24 16:50:42 seehuhn sshd[26029]: debug3: mm_request_receive entering
Apr 24 16:50:42 seehuhn sshd[26029]: debug3: monitor_read: checking request 48
Apr 24 16:50:42 seehuhn sshd[26029]: debug3: mm_answer_pam_init_ctx
Apr 24 16:50:42 seehuhn sshd[26029]: debug3: PAM: sshpam_init_ctx entering
======================================================================
== /etc/ssh/sshd_config ==============================================
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
Subsystem sftp /usr/lib/sftp-server
UsePAM yes
======================================================================
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.12.4-bytemark-uml-20050811-1-full
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Versions of packages ssh depends on:
ii adduser 3.63 Add and remove users and groups
ii debconf 1.4.30.13 Debian configuration management sy
ii dpkg 1.10.28 Package maintenance system for Deb
ii libc6 2.3.2.ds1-22sarge3 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7e-3sarge1 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
-- debconf information:
ssh/insecure_rshd:
ssh/ssh2_keys_merged:
ssh/user_environment_tell:
* ssh/forward_warning:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: true
ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
ssh/disable_cr_auth: false
--- End Message ---