Package: ssh Version: 1:3.6.1p2-9 Severity: normal
-- System Information: Debian Release: testing/unstable Architecture: i386 Kernel: Linux malaise 2.4.18-01 #1 SMP Mon Sep 8 10:10:05 EDT 2003 i686 Locale: LANG=C, LC_CTYPE=C Versions of packages ssh depends on: ii adduser 3.51 Add and remove users and groups ii debconf 1.3.14 Debian configuration management sy ii libc6 2.3.2-8 GNU C Library: Shared libraries an ii libpam-modules 0.76-14 Pluggable Authentication Modules f ii libpam0g 0.76-14 Pluggable Authentication Modules l ii libssl0.9.7 0.9.7b-2 SSL shared libraries ii libwrap0 7.6-ipv6.1-3 Wietse Venema's TCP wrappers libra ii zlib1g 1:1.1.4-14 compression library - runtime -- debconf information: * ssh/privsep_tell: ssh/insecure_rshd: ssh/privsep_ask: true ssh/ssh2_keys_merged: * ssh/user_environment_tell: * ssh/forward_warning: ssh/insecure_telnetd: ssh/new_config: true * ssh/use_old_init_script: true * ssh/protocol2_only: true ssh/encrypted_host_key_but_no_keygen: * ssh/run_sshd: true * ssh/SUID_client: true I just upgraded from woody to testing. I further upgraded libc6 and ssh to unstable in the hopes that that would fix this problem. Prior to the upgrade to testing, everything worked fine. Afterwards... If an account uses NIS for passwords, attempting to ssh into the host using .ssh/authorized_keys causes the server to hang. However, if the account does not have an authorized_keys file (thus requiring a password prompt), or is local, the login proceeds successfully. I attach the following files: 1- the server's log during the login attempt 2- the client's log 3- /etc/pam.d/ssh 4- /etc/ssh/sshd_config 5- /etc/nsswitch.conf
debug2: read_server_config: filename /etc/ssh/sshd_config debug1: sshd version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA socket: Address family not supported by protocol debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug1: Server will not fork when running in debugging mode. Connection from 131.142.42.180 port 48375 debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 debug2: Network child is on pid 2472 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 101:65534 debug1: permanently_set_uid: 101/65534 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED] debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED] debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED] debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED] debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 2048 8192 debug3: mm_request_send entering: type 1 debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug2: dh_gen_key: priv key bits set: 115/256 debug2: bits set: 1664/3191 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: bits set: 1599/3191 debug3: mm_key_sign entering debug3: mm_request_send entering: type 4 debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 5 debug3: mm_request_receive entering debug3: monitor_read: checking request 4 debug3: mm_answer_sign debug3: mm_answer_sign: signature 0x8099958(143) debug3: mm_request_send entering: type 5 debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user dj service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 6 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 7 debug3: mm_request_receive entering debug3: monitor_read: checking request 6 debug3: mm_answer_pwnamallow debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for dj debug3: mm_start_pam entering debug3: mm_request_send entering: type 41 debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug3: monitor_read: checking request 41 debug2: input_userauth_request: try method none debug1: Starting up PAM with username "dj" Failed none for dj from 131.142.42.180 port 48375 ssh2 debug3: Trying to reverse map address 131.142.42.180. debug1: userauth-request for user dj service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: mm_key_allowed entering debug3: mm_request_send entering: type 20 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 21 debug3: mm_request_receive entering debug1: PAM setting rhost to "pelf" debug2: monitor_read: 41 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 20 debug3: mm_answer_keyallowed entering debug3: mm_answer_keyallowed: key_from_blob: 0x809bde8 debug1: temporarily_use_uid: 263/30 (e=0/0) debug1: trying public key file /home/dj/.ssh/authorized_keys debug3: secure_filename: checking '/home/dj/.ssh' debug3: secure_filename: checking '/home/dj' debug3: secure_filename: terminating check at '/home/dj' debug1: matching key found: file /home/dj/.ssh/authorized_keys, line 3 Found matching DSA key: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX debug1: restore_uid: 0/0 debug3: mm_answer_keyallowed: key 0x809bde8 is allowed debug3: mm_request_send entering: type 21 debug3: mm_request_receive entering debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss Postponed publickey for dj from 131.142.42.180 port 48375 ssh2 debug1: userauth-request for user dj service ssh-connection method publickey debug1: attempt 2 failures 1 debug2: input_userauth_request: try method publickey debug3: mm_key_allowed entering debug3: mm_request_send entering: type 20 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 21 debug3: monitor_read: checking request 20 debug3: mm_answer_keyallowed entering debug3: mm_request_receive entering debug3: mm_answer_keyallowed: key_from_blob: 0x809bed8 debug1: temporarily_use_uid: 263/30 (e=0/0) debug1: trying public key file /home/dj/.ssh/authorized_keys debug3: secure_filename: checking '/home/dj/.ssh' debug3: secure_filename: checking '/home/dj' debug3: secure_filename: terminating check at '/home/dj' debug1: matching key found: file /home/dj/.ssh/authorized_keys, line 3 Found matching DSA key: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX debug1: restore_uid: 0/0 debug3: mm_answer_keyallowed: key 0x809bed8 is allowed debug3: mm_request_send entering: type 21 debug3: mm_request_receive entering debug3: mm_key_verify entering debug3: mm_request_send entering: type 22 debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY debug3: mm_request_receive_expect entering: type 23 debug3: mm_request_receive entering debug3: monitor_read: checking request 22 debug1: ssh_dss_verify: signature correct debug3: mm_answer_keyverify: key 0x809bdf8 signature verified debug3: mm_request_send entering: type 23 debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss Accepted publickey for dj from 131.142.42.180 port 48375 ssh2 debug3: mm_send_keystate: Sending new keys: 0x8099b70 0x8099af8 debug3: mm_newkeys_to_blob: converting 0x8099b70 debug3: mm_newkeys_to_blob: converting 0x8099af8 debug3: mm_send_keystate: New keys have been sent debug3: mm_send_keystate: Sending compression state debug3: mm_request_send entering: type 24 debug3: mm_send_keystate: Finished sending state
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to malaise [131.142.42.200] port 22. debug1: Connection established. debug1: identity file /home/dj/.ssh/identity type -1 debug1: identity file /home/dj/.ssh/id_rsa type -1 debug3: Not a RSA1 key file /home/dj/.ssh/id_dsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: no key found debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: no key found debug1: identity file /home/dj/.ssh/id_dsa type 2 debug1: Remote protocol version 2.0, remote software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-9 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.4p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED] debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED] debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED] debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,[EMAIL PROTECTED] debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[EMAIL PROTECTED],hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 129/256 debug1: bits set: 1595/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/dj/.ssh/known_hosts debug3: check_host_in_hostfile: match line 52 debug3: check_host_in_hostfile: filename /home/dj/.ssh/known_hosts debug3: check_host_in_hostfile: match line 49 debug1: Host 'malaise' is known and matches the RSA host key. debug1: Found key in /home/dj/.ssh/known_hosts:52 debug1: bits set: 1605/3191 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug1: try privkey: /home/dj/.ssh/identity debug3: no such identity: /home/dj/.ssh/identity debug1: try privkey: /home/dj/.ssh/id_rsa debug3: no such identity: /home/dj/.ssh/id_rsa debug1: try pubkey: /home/dj/.ssh/id_dsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: input_userauth_pk_ok: pkalg ssh-dss blen 433 lastkey 110710 hint 2 debug2: input_userauth_pk_ok: fp XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX debug3: sign_and_send_pubkey debug1: read PEM private key done: type DSA debug1: ssh-userauth2 successful: method publickey debug1: fd 7 setting O_NONBLOCK debug2: fd 8 is O_NONBLOCK debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug1: send channel open 0 debug1: Entering interactive session.
#%PAM-1.0 auth required pam_nologin.so debug auth required pam_unix.so nis debug auth required pam_env.so debug # [1] account required pam_unix.so nis audit session required pam_unix.so nis debug session optional pam_motd.so debug # [1] session optional pam_mail.so standard noenv debug # [1] session required pam_limits.so debug password required pam_unix.so nis debug # Alternate strength checking for password. Note that this # requires the libpam-cracklib package to be installed. # You will need to comment out the password line above and # uncomment the next two in order to use this. # # password required pam_cracklib.so retry=3 minlen=6 difok=3 # password required pam_unix.so use_authtok nullok md5
# Package generated configuration file # See the sshd(8) manpage for defails # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # ...but breaks Pam auth via kbdint, so we have to turn it off # Use PAM authentication via keyboard-interactive so PAM modules can # properly interface with the user (off due to PrivSep) PAMAuthenticationViaKbdInt no # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768 # Logging SyslogFacility AUTH LogLevel DEBUG3 # Authentication: LoginGraceTime 600 PermitRootLogin no StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # rhosts authentication should not be used RhostsAuthentication no # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Uncomment to disable s/key passwords #ChallengeResponseAuthentication no # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no #PrintLastLog no KeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net #ReverseMappingCheck yes Subsystem sftp /usr/lib/sftp-server
# /etc/nsswitch.conf # # Example configuration of GNU Name Service Switch functionality. # If you have the `glibc-doc' and `info' packages installed, try: # `info libc "Name Service Switch"' for information about this file. passwd: files nis group: files nis shadow: files nis hosts: files nis dns networks: files netmasks: files protocols: files nis services: files nis ethers: files rpc: files netgroup: files nis automount: files nis aliases: files nisplus
