[Summary] [OFF TOPIC] SSH: cannot log in anywhere, even to localhost

From: Filipe Litaiff <filipe_litaiff_at_optiglobe.com.br>
Date: Tue Nov 30 2004 - 10:39:39 EST
Weird problem, weird solution.

Set "BatchMode no" on ssh_config and things worked.

The strange thing is that no level of verbosity gave a clue..... Had
to compare with another functioning box.

Thanks Jason Marshall, Andrew Hall and J. Oquendo. This is a great
forum, indeed.

Filipe.

Original question:

>
> >
> > Sorry about the off topic issue (although it involves a Solaris
> > box), but I am stuck with this and this is a really great forum.
> > I will summarize.
> > - Secure Shell A.03.81.002 ;
> >
> > - Can login by ssh from any hosts, no problem here;
> >
> > - Cannot login to anyhost, even to localhost;
> >
> > - known_hosts is not being populated; No idea why;
> >
> > First Scenario:
> >
> > - Get the "Host key verification failed" message whenever I try to
> > login;
> >
> > A piece of the log is below. The complete log, as well as sshd_config
> > and ssh_config is attached.
> >
> > Any help would be much appreciated. Thanks in advance, folks!
> >
> > Filipe.
> >
> >
> > ---
> > (...)
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: mac_init: found hmac-md5
> > debug1: kex: server->client aes128-cbc hmac-md5 none
> > debug2: mac_init: found hmac-md5
> > debug1: kex: client->server aes128-cbc hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug2: dh_gen_key: priv key bits set: 128/256
> > debug2: bits set: 501/1024
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug3: check_host_in_hostfile: filename /.ssh/known_hosts
> > debug3: check_host_in_hostfile: filename /opt/ssh/etc/ssh_known_hosts
> > debug3: check_host_in_hostfile: filename /.ssh/known_hosts
> > debug3: check_host_in_hostfile: filename /opt/ssh/etc/ssh_known_hosts
> > debug2: no key of type 0 for host localhost
> > debug3: check_host_in_hostfile: filename /.ssh/known_hosts2
> > debug3: check_host_in_hostfile: filename /opt/ssh/etc/ssh_known_hosts2
> > debug3: check_host_in_hostfile: filename /.ssh/known_hosts
> > debug3: check_host_in_hostfile: filename /opt/ssh/etc/ssh_known_hosts
> > debug2: no key of type 2 for host localhost
> > Host key verification failed.
> > ====================
> > Second Scenario: Added the "localhost" entry on
> > /opt/ssh/etc/ssh_known_hosts manually.
> > Then things changed, but I still couldn't log in:
> > ---
> > debug1: Found key in /opt/ssh/etc/ssh_known_hosts:2
> > debug2: bits set: 496/1024
> > debug1: ssh_rsa_verify: signature correct
> > debug2: kex_derive_keys
> > debug2: set_newkeys: mode 1
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: expecting SSH2_MSG_NEWKEYS
> > debug2: set_newkeys: mode 0
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: SSH2_MSG_SERVICE_REQUEST sent
> > debug2: service_accept: ssh-userauth
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > debug2: key: /.ssh/id_rsa (00000000)
> > debug2: key: /.ssh/id_dsa (00000000)
> > debug1: Authentications that can continue: publickey,password,keyboard-interactive
> > debug1: Next authentication method: publickey
> > debug1: Trying private key: /.ssh/id_rsa
> > debug1: Trying private key: /.ssh/id_dsa
> > debug2: we did not send a packet, disable method
> > debug1: No more authentication methods to try.
> > Permission denied (publickey,password,keyboard-interactive).
> > ---
> > All logs, sshd_conf and ssh_conf are attached.
> > Any help would be much appreciated. Thanks in advance, folks!
> >
> > Filipe.
> >
> >  <<SSHD_Trouble.txt>>
> > The log; sshd_config and ssh_config
> > ************************************
> >
> > The log
> > *******
> >
> >
> > optg3:/# ssh -v -v -v root@localhost
> > OpenSSH_3.8 , OpenSSL 0.9.7d 17 Mar 2004
> > HP-UX_Secure_Shell-A.03.81.002, HP_UX Secure Shell version
> > debug1: Reading configuration data /opt/ssh/etc/ssh_config
> > debug3: Seeding PRNG from /opt/ssh/libexec/ssh-rand-helper
> > debug2: ssh_connect: needpriv 0
> > debug1: Connecting to localhost [127.0.0.1] port 22.
> > debug1: Connection established.
> > debug1: identity file /.ssh/id_rsa type -1
> > debug1: identity file /.ssh/id_dsa type -1
> > debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8
> > debug1: match: OpenSSH_3.8 pat OpenSSH*
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_3.8
> > debug3: RNG is ready, skipping seeding
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> > debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit: none,zlib
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit:
> > debug2: kex_parse_kexinit: first_kex_follows 0
> > debug2: kex_parse_kexinit: reserved 0
> > debug2: mac_init: found hmac-md5
> > debug1: kex: server->client aes128-cbc hmac-md5 none
> > debug2: mac_init: found hmac-md5
> > debug1: kex: client->server aes128-cbc hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug2: dh_gen_key: priv key bits set: 128/256
> > debug2: bits set: 501/1024
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug3: check_host_in_hostfile: filename /.ssh/known_hosts
> > debug3: check_host_in_hostfile: filename /opt/ssh/etc/ssh_known_hosts
> > debug3: check_host_in_hostfile: filename /.ssh/known_hosts
> > debug3: check_host_in_hostfile: filename /opt/ssh/etc/ssh_known_hosts
> > debug2: no key of type 0 for host localhost
> > debug3: check_host_in_hostfile: filename /.ssh/known_hosts2
> > debug3: check_host_in_hostfile: filename /opt/ssh/etc/ssh_known_hosts2
> > debug3: check_host_in_hostfile: filename /.ssh/known_hosts
> > debug3: check_host_in_hostfile: filename /opt/ssh/etc/ssh_known_hosts
> > debug2: no key of type 2 for host localhost
> > Host key verification failed.
> > optg3:/#
> >
> > *******************************
> > sshd_config
> > *******************************
> >
> > #       $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
> >
> > # This is the sshd server system-wide configuration file.  See
> > # sshd_config(5) for more information.
> >
> > # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
> >
> > # The strategy used for options in the default sshd_config shipped with
> > # OpenSSH is to specify options with their default value where
> > # possible, but leave them commented.  Uncommented options change a
> > # default value.
> >
> > #Port 22
> > Protocol 2
> > #ListenAddress 0.0.0.0
> > #ListenAddress ::
> >
> > # HostKey for protocol version 1
> > HostKey /opt/ssh/etc/ssh_host_key
> > # HostKeys for protocol version 2
> > HostKey /opt/ssh/etc/ssh_host_rsa_key
> > HostKey /opt/ssh/etc/ssh_host_dsa_key
> >
> > # Lifetime and size of ephemeral version 1 server key
> > #KeyRegenerationInterval 1h
> > #ServerKeyBits 768
> >
> > # Logging
> > #obsoletes QuietMode and FascistLogging
> > #SyslogFacility AUTH
> > #LogLevel INFO
> >
> > # Authentication:
> >
> > #LoginGraceTime 2m
> > #PermitRootLogin yes
> > #StrictModes yes
> >
> > #RSAAuthentication yes
> > #PubkeyAuthentication yes
> > #AuthorizedKeysFile     .ssh/authorized_keys
> >
> > # For this to work you will also need host keys in /opt/ssh/etc/ssh_known_hosts
> > #RhostsRSAAuthentication no
> > # similar for protocol version 2
> > #HostbasedAuthentication no
> > # Change to yes if you don't trust ~/.ssh/known_hosts for
> > # RhostsRSAAuthentication and HostbasedAuthentication
> > #IgnoreUserKnownHosts no
> > # Don't read the user's ~/.rhosts and ~/.shosts files
> > #IgnoreRhosts yes
> >
> > # To disable tunneled clear text passwords, change to no here!
> > #PasswordAuthentication yes
> > #PermitEmptyPasswords no
> >
> > # Change to no to disable s/key passwords
> > #ChallengeResponseAuthentication yes
> >
> > # Kerberos options
> > KerberosAuthentication yes
> > #KerberosOrLocalPasswd yes
> > #KerberosTicketCleanup yes
> > #KerberosGetAFSToken no
> >
> > # GSSAPI options
> > #GSSAPIAuthentication no
> > #GSSAPICleanupCredentials yes
> >
> > # Set this to 'yes' to enable PAM authentication (via challenge-response)
> > # and session processing. Depending on your PAM configuration, this may
> > # bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
> > UsePAM yes
> >
> > #AllowTcpForwarding yes
> > #GatewayPorts no
> > X11Forwarding yes
> > #X11DisplayOffset 10
> > X11UseLocalhost no
> > #PrintMotd yes
> > #PrintLastLog yes
> > #TCPKeepAlive yes
> > #UseLogin no
> > #UsePrivilegeSeparation yes
> > #PermitUserEnvironment no
> > #Compression yes
> > #ClientAliveInterval 0
> > #ClientAliveCountMax 3
> > #UseDNS yes
> > #PidFile /var/run/sshd.pid
> > #MaxStartups 10
> >
> > # no default banner path
> > #Banner /some/path
> >
> > # override default of no subsystems
> > Subsystem       sftp    /opt/ssh/libexec/sftp-server
> >
> >
> > ******************************************************
> >
> > ssh_config
> > **********
> >
> > #       $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
> >
> > # This is the ssh client system-wide configuration file.  See
> > # ssh_config(5) for more information.  This file provides defaults for
> > # users, and the values can be changed in per-user configuration files
> > # or on the command line.
> >
> > # Configuration data is parsed as follows:
> > #  1. command line options
> > #  2. user-specific file
> > #  3. system-wide file
> > # Any configuration value is only changed the first time it is set.
> > # Thus, host-specific definitions should be at the beginning of the
> > # configuration file, and defaults at the end.
> >
> > # Site-wide defaults for various options
> >
> > # Host *
> > #   ForwardAgent no
> > #   ForwardX11 no
> > #   RhostsRSAAuthentication no
> > #   RSAAuthentication yes
> > #   PasswordAuthentication yes
> > #   HostbasedAuthentication no
> > BatchMode yes
> > #   CheckHostIP yes
> > #   AddressFamily any
> > #   ConnectTimeout 0
> > #   StrictHostKeyChecking ask
> > #   IdentityFile ~/.ssh/identity
> > #   IdentityFile ~/.ssh/id_rsa
> > #   IdentityFile ~/.ssh/id_dsa
> > #   Port 22
> >     Protocol 2
> > #   Cipher 3des
> > #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
> > #   EscapeChar ~
> > _______________________________________________
> > sunmanagers mailing list
> > sunmanagers@sunmanagers.org
> > http://www.sunmanagers.org/mailman/listinfo/sunmanagers
> >
>
> ---
> Jason Marshall, Unix Geek, Kelman Technologies, Inc., Calgary, AB,
> Canada.
>
>   From a Sun Microsystems bug report (#4102680):
>     "Workaround: don't pound on the mouse like a wild monkey."
>
>   "I have great faith in fools:
>      Self confidence my friends call it."  -Edgar Allan Poe
>
>
>
>

Received on Tue Nov 30 10:41:45 2004
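
Why the fix works, as an added example that is not part of the original post: ssh_config(5) documents that "BatchMode yes" disables password prompts and host key confirmation requests, which matches both scenarios in the quoted logs. The parser and the `predict` outcome model below are simplified, hypothetical helpers (no negated Host patterns, no Match blocks), not OpenSSH code, and the sample config is constructed from the uncommented lines of the posted ssh_config.

```python
from fnmatch import fnmatchcase

# Constructed sample: the uncommented lines of the ssh_config quoted above.
SAMPLE_SSH_CONFIG = """\
# Host *
#   PasswordAuthentication yes
BatchMode yes
#   StrictHostKeyChecking ask
    Protocol 2
"""

# Client defaults for the two options that matter here (ssh_config(5)).
DEFAULTS = {"batchmode": "no", "stricthostkeychecking": "ask"}


def effective_options(config_text, host):
    """Resolve options for `host`; the first value set for a keyword wins."""
    opts = {}
    active = True  # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = any(fnmatchcase(host, p) for p in value.split())
        elif active:
            opts.setdefault(key, value)
    return {**DEFAULTS, **opts}


def predict(opts, host_key_known, usable_identity):
    """Simplified outcome model (hypothetical helper, not OpenSSH code)."""
    batch = opts["batchmode"].lower() == "yes"
    strict = opts["stricthostkeychecking"].lower()
    if not host_key_known and strict != "no":
        if batch or strict == "yes":
            return "Host key verification failed"  # nobody can be asked
        return "prompt: confirm new host key"  # accepted key goes to known_hosts
    if usable_identity:
        return "publickey attempted"
    if batch:
        return "Permission denied"  # password/keyboard-interactive are skipped
    return "prompt: password"
```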

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:40 EST