Mailing List Archive

Password Login Failing... (Not sure this went through)
Apologise if this did make it to the list but I just subscribed and
didn't see it come back...

I am attempting to install ssh/sshd on my RH6.1 Intel Box. Everything
seems to be working (not quite smooth sailing - I had to resort to
precompiled RPM for OpenSSL). I did however get it "working." I
generated a host key as root and then changed back to joe-user. I created
a key for joe-user. I then ssh'd to my own host. I got a prompt for a
password and was very excited... except I typed in my password and got
rejected. Any ideas? I am using PAM and I believe my passwords are
shadowed...

I would like to better understand the "To disable tunneled clear text
password, change to no here" comment... Is this "clear text" passwords
which are then encrypted in the tunnel? and what is an SKey?

#syslog

Apr 8 22:03:27 fuzzball sshd[27946]: Failed password for joe-user from 192.168.1.3 port 753
Apr 8 22:03:29 fuzzball sshd[27946]: Connection closed by 192.168.1.3
Apr 8 22:03:29 fuzzball sshd[27946]: Cannot close PAM session: System error
Apr 8 22:03:29 fuzzball sshd[27946]: Cannot delete credentials: Authentication

# This is ssh server systemwide configuration file.

Port 22
ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /usr/local/etc/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#SkeyAuthentication no

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

CheckMail no
UseLogin no

Re: Password Login Failing... (Not sure this went through)
On 2000-Apr-09 at 03:12:31 -0400, Keith Baker wrote:

: I am attempting to install ssh/sshd on my RH6.1 Intel Box. Everything
: seems to be working (not quite smooth sailing - I had to resort to
: precompiled RPM for OpenSSL). I did however get it "working." I
: generated a host key as root and then changed back to joe-user. I created
: a key for joe-user. I then ssh'd to my own host. I got a prompt for a
: password and was very excited... except I typed in my password and got
: rejected. Any ideas? I am using PAM and I believe my passwords are
: shadowed...

Did you build with support for TCP wrappers? (You may have done so
inadvertently even if you didn't specify --with-tcp-wrappers.) Try
allowing access to sshd via /etc/hosts.allow. For example:

sshd: ALL: ALLOW

Also, try running sshd in 'debug' mode:

/path/to/sshd -d -p 4022

and ssh as well:

ssh -v -p 4022 remote.example.net

Finally, make sure that your ~/.ssh/ directory has mode 0700
(drwx------), since you have StrictModes set in sshd_config.

: I would like to better understand the "To disable tunneled clear text
: password, change to no here" comment... Is this "clear text" passwords
: which are then encrypted in the tunnel?

Exactly.

: and what is an SKey?

http://lheawww.gsfc.nasa.gov/~srr/skey_info.html

--
jim knoble
jmknoble@pobox.com

Re: Password Login Failing... still...
If I am not mistaken this does not seem to be a tcp-wrapper problem as it
does connect to the service... it's only in the password verification that
it fails... I did however try your suggestions... Is there a way to get
sshd to spit out all of the decrypted data it gets? I'd like to see the
password after it comes through to see if it's ssh or PAM that's taking the
cake... Do I have to do anything to PAM to allow ssh to use it for
authentication?

[root@fuzzball t3chie]# /usr/local/sbin/sshd -d -p 4022
debug: sshd version OpenSSH-1.2.3
debug: Bind to port 4022 on 0.0.0.0.
Server listening on 0.0.0.0 port 4022.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 192.168.1.3 port 1288
debug: Client protocol version 1.5; client software version OpenSSH-1.2.3
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "t3chie"
debug: Attempting authentication for t3chie.
Failed rsa for t3chie from 192.168.1.3 port 1288
debug: PAM Password authentication for "t3chie" failed: Authentication
failure
Failed password for t3chie from 192.168.1.3 port 1288
Connection closed by 192.168.1.3
debug: Calling cleanup 0x804ea50(0x0)
Cannot close PAM session: System error
Cannot delete credentials: Authentication service cannot retrieve user
credentials
debug: Calling cleanup 0x8056f8c(0x0)


[t3chie@fuzzball ~]# /usr/local/bin/ssh -v -p 4022 fuzzball
SSH Version OpenSSH-1.2.3, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 500 geteuid 0 anon 0
debug: Connecting to fuzzball.dorm.null [192.168.1.3] port 4022.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH-1.2.3
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'fuzzball.dorm.null' is known and matches the host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 't3chie@fuzzball.dorm.null'
debug: Server refused our key.
debug: Doing password authentication.
t3chie@fuzzball.dorm.null's password:
Permission denied, please try again.

Re: Password Login Failing... still...
On Sun, 9 Apr 2000, Keith Baker wrote:

> password after it comes through to see if it's ssh or PAM that's taking the
> cake... Do I have to do anything to PAM to allow ssh to use it for
> authentication?
>

Yes, it's in the docs of openssh somewhere. You've got to copy a file
from the distro to

/etc/pam.d/sshd

I'd tell you exactly where to find it but I deleted the source tree from
my machine.

->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<
James Thompson 138 Cardwell Hall Manhattan, Ks 66506 785-532-0561
Kansas State University Department of Mathematics
->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<
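
The two checks suggested in the replies above (the ~/.ssh mode under StrictModes and the /etc/pam.d/sshd service file) can be run together before reaching for debug mode. This is an added example, not code from the thread or from OpenSSH; the function names are hypothetical, and the group/other-write test on the home directory and authorized_keys is an assumption about what StrictModes enforces, while the 0700 requirement on ~/.ssh is the one given in the thread.

```shell
#!/bin/sh
# Added example: pre-flight checks for the two causes raised in this thread.
# Function names and argument layout are hypothetical, not OpenSSH's.
# Usage: preflight "$HOME" "$(id -u)" /etc/pam.d

# check_path PATH UID MASK
#   MASK=write : flag group/other write bits (home dir, authorized_keys)
#   MASK=any   : flag any group/other bit (~/.ssh, i.e. require 0700)
check_path() {
    [ -e "$1" ] || return 0                 # a missing file is not a mode problem
    info=$(ls -ldn "$1" | awk '{print $1, $3}')
    perms=${info% *}                        # e.g. drwx------
    owner=${info#* }                        # numeric uid of the owner
    # Assumption: the file must belong to the login user or to root.
    if [ "$owner" != "$2" ] && [ "$owner" != 0 ]; then
        echo "BAD-OWNER $1 (uid $owner)"
    fi
    case $3 in
        write) bits=$(printf %s "$perms" | cut -c6,9) ;;   # g+w and o+w only
        any)   bits=$(printf %s "$perms" | cut -c5-10) ;;  # all group/other bits
    esac
    case $bits in
        *[rwxsStT]*) echo "BAD-MODE $1 ($perms)" ;;
    esac
}

# preflight HOME_DIR UID PAM_DIR
# Prints one finding per line; returns non-zero if anything was found.
preflight() {
    findings=$(
        check_path "$1" "$2" write
        check_path "$1/.ssh" "$2" any
        check_path "$1/.ssh/authorized_keys" "$2" write
        # Without a service file for sshd, PAM has no rules to apply to it.
        [ -f "$3/sshd" ] || echo "NO-PAM-SERVICE $3/sshd"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```
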

Re: Password Login Failing... (Not sure this went through)
Naturally, the simplest thing would be for you to install the rpms
made by openssh's Linux port maintainer.

Mate
On Sun, Apr 09, 2000 at 03:12:31AM -0400, Keith Baker wrote:
> Apologise if this did make it to the list but I just subscribed and
> didn't see it come back...
>
> I am attempting to install ssh/sshd on my RH6.1 Intel Box. Everything
> seems to be working (not quite smooth sailing - I had to resort to
> precompiled RPM for OpenSSL). I did however get it "working." I
> generated a host key as root and then changed back to joe-user. I created
> a key for joe-user. I then ssh'd to my own host. I got a prompt for a
> password and was very excited... except I typed in my password and got
> rejected. Any ideas? I am using PAM and I believe my passwords are
> shadowed...
>
> I would like to better understand the "To disable tunneled clear text
> password, change to no here" comment... Is this "clear text" passwords
> which are then encrypted in the tunnel? and what is an SKey?
>
> #syslog
>
> Apr 8 22:03:27 fuzzball sshd[27946]: Failed password for joe-user from 192.168.1.3 port 753
> Apr 8 22:03:29 fuzzball sshd[27946]: Connection closed by 192.168.1.3
> Apr 8 22:03:29 fuzzball sshd[27946]: Cannot close PAM session: System error
> Apr 8 22:03:29 fuzzball sshd[27946]: Cannot delete credentials: Authentication
>
> # This is ssh server systemwide configuration file.
>
> Port 22
> ListenAddress 0.0.0.0
> #ListenAddress ::
> HostKey /usr/local/etc/ssh_host_key
> ServerKeyBits 768
> LoginGraceTime 600
> KeyRegenerationInterval 3600
> PermitRootLogin yes
> #
> # Don't read ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
> StrictModes yes
> X11Forwarding no
> X11DisplayOffset 10
> PrintMotd yes
> KeepAlive yes
>
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
> #obsoletes QuietMode and FascistLogging
>
> RhostsAuthentication no
> #
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> #
> RSAAuthentication yes
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
> PermitEmptyPasswords no
> # Uncomment to disable s/key passwords
> #SkeyAuthentication no
>
> # To change Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #AFSTokenPassing no
> #KerberosTicketCleanup no
>
> # Kerberos TGT Passing does only work with the AFS kaserver
> #KerberosTgtPassing yes
>
> CheckMail no
> UseLogin no

--
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis

Re: Password Login Failing... (RPMS)
> Naturally, the simplest thing would be for you to install the rpms
> made by openssh's Linux port maintainer.

I like to build packages myself rather than use the rpms. I tend to learn
more (like I learned about PAM config files this time)... My system now
works just fine with a simple message to a mailing list. I'm not much of
a fan of the just rpm it attitude because you never really know what's
going on and things just work without understanding... That's why I
switched to linux...

Re: Password Login Failing... (RPMS)
On Mon, 10 Apr 2000, Keith Baker wrote:

> I like to build packages myself rather than use the rpms. I tend
> to learn more (like I learned about PAM config files this time)...
> My system now works just fine with a simple message to a mailing
> list. I'm not much of a fan of the just rpm it attitude because
> you never really know what's going on and things just work without
> understanding... That's why I switched to linux...

Then use the source RPMS. You get all the code you need, plus all the
ancillary files as well as a set of instructions (the spec file) which
tell you how to get a working system.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm@mindrot.org (home) -or- djm@ibs.com.au (work)