I hooked up my old server box today so that I could update the software, only to find that I could not ssh over to it:
[EMAIL PROTECTED] ~ $ ssh bullet Permission denied (publickey,keyboard-interactive). There were no 'official' logs, but a website I found on google suggested running /usr/sbin/sshd -ddd -p 2202 and then trying to shell over with ssh -p 2202 <boxname> Here's the output. I piped it to a file: [EMAIL PROTECTED] ~ $ cat sshd.log debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 237 debug2: parse_server_config: config /etc/ssh/sshd_config len 237 debug3: /etc/ssh/sshd_config:21 setting Protocol 2 debug3: /etc/ssh/sshd_config:60 setting PasswordAuthentication no debug3: /etc/ssh/sshd_config:87 setting UsePAM yes debug3: /etc/ssh/sshd_config:91 setting X11Forwarding yes debug3: /etc/ssh/sshd_config:127 setting Subsystem sftp /usr/lib/misc/sftp-server debug1: sshd version OpenSSH_4.7p1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-ddd' debug1: rexec_argv[2]='-p' debug1: rexec_argv[3]='2202' debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 2202 on 0.0.0.0. Server listening on 0.0.0.0 port 2202. socket: Address family not supported by protocol debug3: fd 4 is not O_NONBLOCK debug1: Server will not fork when running in debugging mode. debug3: send_rexec_state: entering fd = 7 config len 237 debug3: ssh_msg_send: type 0 debug3: send_rexec_state: done debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7 debug1: inetd sockets after dupping: 3, 3 Connection from 192.168.1.2 port 57643 debug1: Client protocol version 2.0; client software version OpenSSH_4.7 debug1: match: OpenSSH_4.7 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_4.7 debug2: fd 3 setting O_NONBLOCK debug3: privsep user:group 22:22 debug1: permanently_set_uid: 22/22 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[EMAIL PROTECTED],hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[EMAIL PROTECTED],hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,[EMAIL PROTECTED] debug2: kex_parse_kexinit: none,[EMAIL PROTECTED] debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED],aes128-ctr,aes192-ctr,aes256-ctr debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[EMAIL PROTECTED],hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[EMAIL PROTECTED],hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: [EMAIL PROTECTED],zlib,none debug2: kex_parse_kexinit: [EMAIL PROTECTED],zlib,none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 [EMAIL PROTECTED] debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 [EMAIL PROTECTED] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug2: Network child is on pid 8390 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 1024 8192 debug3: mm_request_send entering: type 1 debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug2: dh_gen_key: priv key bits set: 126/256 debug2: bits set: 519/1024 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 533/1024 debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug3: mm_key_sign entering debug3: mm_request_send entering: type 4 debug3: monitor_read: checking request 4 debug3: mm_answer_sign debug3: mm_answer_sign: signature 0x80a9fd8(143) debug3: mm_request_send entering: type 5 debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 5 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user michael service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 6 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 7 debug3: mm_request_receive entering debug3: monitor_read: checking request 6 debug3: mm_answer_pwnamallow debug3: Trying to reverse map address 192.168.1.2. debug2: parse_server_config: config reprocess config len 237 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for michael debug3: mm_start_pam entering debug3: mm_request_send entering: type 47 debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug2: input_userauth_request: try method none debug3: monitor_read: checking request 47 debug1: PAM: initializing for "michael" debug1: PAM: setting PAM_RHOST to "192.168.1.2" debug1: PAM: setting PAM_TTY to "ssh" debug2: monitor_read: 47 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug1: userauth-request for user michael service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=michael devs= debug1: kbdint_alloc: devices 'pam' debug2: auth2_challenge_start: devices pam debug2: kbdint_next_device: devices <empty> debug1: auth2_challenge_start: trying authentication method 'pam' debug3: mm_sshpam_init_ctx debug3: mm_request_send entering: type 50 debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX debug3: mm_request_receive_expect entering: type 51 debug3: mm_request_receive entering debug3: monitor_read: checking request 50 debug3: mm_answer_pam_init_ctx debug3: PAM: sshpam_init_ctx entering debug3: ssh_msg_send: type 7 debug3: mm_request_send entering: type 51 debug3: mm_request_receive entering debug3: mm_sshpam_query debug3: mm_request_send entering: type 52 debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY debug3: mm_request_receive_expect entering: type 53 debug3: mm_request_receive entering debug3: monitor_read: checking request 52 debug3: mm_answer_pam_query debug3: PAM: sshpam_query entering debug3: ssh_msg_recv entering debug3: PAM: Authentication failure PAM: Authentication failure for michael from 192.168.1.2 debug3: mm_request_send entering: type 53 debug3: mm_request_receive entering debug3: mm_sshpam_query: pam_query returned -1 debug3: mm_sshpam_free_ctx debug3: mm_request_send entering: type 56 debug3: mm_sshpam_free_ctx: waiting for MONITOR_ANS_PAM_FREE_CTX debug3: mm_request_receive_expect entering: type 57 debug3: mm_request_receive entering debug3: monitor_read: checking request 56 debug3: mm_answer_pam_free_ctx debug3: PAM: sshpam_free_ctx entering debug3: PAM: sshpam_thread_cleanup entering debug3: mm_request_send entering: type 57 debug2: monitor_read: 56 used once, disabling now Failed keyboard-interactive/pam for michael from 192.168.1.2 port 57643 ssh2 debug1: Unable to open the btmp file /var/log/btmp: No such file or directory debug3: mm_request_receive entering Connection closed by 192.168.1.2 debug1: do_cleanup debug1: PAM: cleanup debug3: PAM: sshpam_thread_cleanup entering debug1: do_cleanup debug1: PAM: cleanup debug3: PAM: sshpam_thread_cleanup entering Here's the /etc/sshd_config: [EMAIL PROTECTED] ~ $ cat sshd_config # $OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: # Disable legacy (protocol version 1) support in the server for new # installations. In future the default will change to require explicit # activation of protocol 1 Protocol 2 # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication no #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes #AllowTcpForwarding yes #GatewayPorts no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no # no default banner path #Banner /some/path # here are the new patched ldap related tokens # entries in your LDAP must have posixAccount & ldapPublicKey objectclass #UseLPK yes #LpkLdapConf /etc/ldap.conf #LpkServers ldap://10.1.7.1/ ldap://10.1.7.2/ #LpkUserDN ou=users,dc=phear,dc=org #LpkGroupDN ou=groups,dc=phear,dc=org #LpkBindDN cn=Manager,dc=phear,dc=org #LpkBindPw secret #LpkServerGroup mail #LpkFilter (hostAccess=master.phear.org) #LpkForceTLS no #LpkSearchTimelimit 3 #LpkBindTimelimit 3 # override default of no subsystems Subsystem sftp /usr/lib/misc/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # ForceCommand cvs server And here's the emerge information for ssh: [EMAIL PROTECTED] ~ $ cat emerge-openssh.log These are the packages that would be merged, in order: Calculating dependencies ... done! [ebuild R ] net-misc/openssh-4.7_p1-r6 USE="kerberos pam tcpd -X -X509 -chroot -hpn -ldap -libedit (-selinux) -skey -smartcard -static" 0 kB Total: 1 package (1 reinstall), Size of downloads: 0 kB I tried upgrading PAM and rebooting, but it didn't solve the problem. I'm running pam-1.0.1, if that matters...
