Ok. I was able to try it this morning, and it still does not work, but it will take anything for a password still. Do I need to turn off password authentication on both sides of this?
Either side alone should do. If that's not working, perhaps the "ordering problem" conclusion is not accurate. We might want to try running the sshd in debug mode (-d on the cmd line). Maybe that will tell us more. I don't know any ssh support areas better than the man pages or google. And either one of those is vulnerable to having information not pertinent to a particular ssh build or version.
Jeremy
I am not sure what you mean by the last set of ideas you sent me. Can you give me a pointer to a place to read about this other than the man pages?
Thanks,
Ben
Jeremy Enos wrote:
I don't know what your needs are, but you can also specify
PasswordAuthentication no
on the client side instead of the server. You can do this in a user's local config file or the system's global ssh_config. You can also specify a host list or mask that a particular setting applies to within a config file too. This solution is a hack at best, but maybe it will help you get unstuck for the moment.
Jeremy
At 05:57 PM 2/19/2004, Benjamin Simmons wrote:
Ok, I think I found a problem neither one of us saw coming from setting that to a no. When I use my remote ssh connection tool on my windows environment to try to connect, I cannot get authenticated anymore. So, I might be able to login if I was physically in the room, but I can't be until around 8am CST tomorrow. I will test it then and let you know what has happened at that point.
Any other thoughts on a way to re-order the authentication methods?
Thanks, Ben
Jeremy Enos wrote:
That's a good data point. Don't be troubled- that means it's working! It's just got the auth methods out of order for some reason; I'm not quite sure why. Password attempt fails, and it continues on to the next auth method, which is likely pub key which will work.
So the only mystery now is why is it in the wrong order, and how to change it. The only thing that comes to mind quickly is setting:
PasswordAuthentication no
in the sshd_config on the target hosts. However, this can really be a pain in the event that root's keys ever get messed up. But if you trust that won't happen, give it a try. The worst case scenario is that it will require console access to reverse it.
Jeremy
At 04:41 PM 2/19/2004, Benjamin Simmons wrote:
I am troubled by the fact that when it prompts a user for a password, I can type anything and it is a successful authentication. Does this help in any way?
I have made the update from a file off a node. Here are the relevant files you had asked for.
Ben
RH 9 machine (from machine)
[EMAIL PROTECTED] ssh]# tail /var/log/messages
Feb 19 15:47:58 viper sshd(pam_unix)[5432]: session opened for user apwinter by (uid=502)
Feb 19 15:48:47 viper sshd(pam_unix)[5486]: session opened for user apwinter by (uid=502)
Feb 19 15:49:23 viper sshd(pam_unix)[5486]: session closed for user apwinter
Feb 19 15:49:25 viper sshd(pam_unix)[5432]: session closed for user apwinter
Feb 19 16:05:33 viper su(pam_unix)[5565]: session opened for user bdsimmns by root(uid=0)
Feb 19 16:06:02 viper su(pam_unix)[5565]: session closed for user bdsimmns
Feb 19 16:17:57 viper sshd(pam_unix)[5645]: session opened for user root by (uid=0)
Feb 19 16:21:43 viper su(pam_unix)[5707]: session opened for user bdsimmns by root(uid=0)
Feb 19 16:23:33 viper su(pam_unix)[5707]: session closed for user bdsimmns
RH 7.3 machine (to machine) (I supplied a bad password and got in)
[EMAIL PROTECTED] root]# tail /var/log/messages
Feb 19 16:27:24 goddard31 kernel: EXT2-fs error (device ide0(3,6)): ext2_write_inode: unable to read inode block - inode=32396, block=65540
Feb 19 16:27:56 goddard31 kernel: end_request: I/O error, dev 03:06 (hda), sector 0
Feb 19 16:27:56 goddard31 kernel: end_request: I/O error, dev 03:06 (hda), sector 8
Feb 19 16:27:56 goddard31 kernel: end_request: I/O error, dev 03:06 (hda), sector 524296
Feb 19 16:34:57 engrcluster rpc.mountd: authenticated unmount request from viper.engr.memphis.edu:633 for /root (/root)
Feb 19 16:34:57 engrcluster rpc.mountd: authenticated unmount request from viper.engr.memphis.edu:635 for /home (/home)
Feb 19 16:37:02 engrcluster rpc.mountd: authenticated mount request from viper.engr.memphis.edu:904 for /home (/home)
Feb 19 16:37:02 engrcluster rpc.mountd: authenticated mount request from viper.engr.memphis.edu:908 for /root (/root)
Feb 19 16:38:24 engrcluster sshd(pam_unix)[19884]: session opened for user root by (uid=0)
Feb 19 16:38:54 engrcluster sshd(pam_unix)[19966]: session opened for user bdsimmns by (uid=0)
[EMAIL PROTECTED] root]#
File from server (now replaced by a file from a node)
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication yes
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts noi
#RSAAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
File from a node
[EMAIL PROTECTED] ssh]# vi sshd_config
# $OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $
# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
IgnoreRhosts yes
RhostsRSAAuthentication yes
RSAAuthentication yes
RhostsAuthentication no
Jeremy Enos wrote:
Could you send your sshd file as well? You may want to try backing it up and copying the config from a compute node too...
Also watch /var/log/messages on the target host during the attempt/failure.
(tail -f /var/log/messages)
Jeremy
------------------------------------------------------- SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click _______________________________________________ Oscar-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/oscar-users
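Added example, not part of the original thread or of OpenSSH: a small resolver that reports which authentication directives end up enabled in an sshd_config like the node file quoted above. It assumes commented "#Keyword value" lines state the build's defaults, as that file's header says; the function names are hypothetical.

```python
# Added example: resolve the effective authentication settings of an sshd_config.
# Assumption: "#Keyword value" lines are read as the build's defaults, as the
# file header describes; a real sshd's defaults depend on its version and build.

# Authentication-related excerpt of the node's file from the thread.
NODE_CONFIG = """\
#RSAAuthentication yes
#PubkeyAuthentication yes
#RhostsAuthentication no
#IgnoreRhosts yes
#RhostsRSAAuthentication no
#HostbasedAuthentication no
#PasswordAuthentication yes
#PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
#PAMAuthenticationViaKbdInt yes
IgnoreRhosts yes
RhostsRSAAuthentication yes
RSAAuthentication yes
RhostsAuthentication no
"""

def resolve(text):
    """Return {keyword: (value, source)}; source is 'set' or 'commented default'."""
    explicit, defaults = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#" or line.startswith("# "):
            continue  # blank line or prose comment
        target = defaults if line.startswith("#") else explicit
        parts = line.lstrip("#").split(None, 1)
        if len(parts) == 2:
            # sshd keeps the first value it obtains for a keyword.
            target.setdefault(parts[0].lower(), parts[1].strip())
    merged = {k: (v, "commented default") for k, v in defaults.items()}
    merged.update({k: (v, "set") for k, v in explicit.items()})
    return merged

def enabled_auth(text):
    """Sorted authentication keywords whose effective value is 'yes'."""
    return sorted(
        k for k, (v, _) in resolve(text).items()
        if v.lower() == "yes"
        and (k.endswith("authentication") or k == "pamauthenticationviakbdint"))

if __name__ == "__main__":
    for key, (value, source) in sorted(resolve(NODE_CONFIG).items()):
        print(f"{key:32} {value:4} ({source})")
```

On this excerpt, appending "PasswordAuthentication no" removes password authentication from the enabled list but leaves PAMAuthenticationViaKbdInt at its commented value of yes, the case the file's own warning comment describes.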
