# [SOLVED] strange ssh issue

## mlnzigzag

I got a box that I can just access through a VPN.

ssh version is 5.2p1 and here is a sample of a config file used:

```
hostMI ~ # cat /etc/ssh/sshd_config 
Port 22
Protocol 2
ListenAddress 0.0.0.0
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
PasswordAuthentication yes
PermitEmptyPasswords no
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
PrintMotd no
TCPKeepAlive yes
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression yes
ClientAliveInterval 0
ClientAliveCountMax 3
UseDNS no
PidFile /var/run/sshd.pid
Subsystem   sftp   /usr/lib/misc/sftp-server
```

Following, we have hostNA, which runs a VPN server, and hostMI, connected through the VPN.

I used to log in to hostNA as user myuser, and then ssh to hostMI.

Right now, if I do ssh hostMI as user myuser@hostNA, the box returns:

```
myuser@hostNA ~ $ ssh hostMI
Received disconnect from 10.7.0.5: 2: Too many authentication failures for myuser
myuser@hostNA ~ $ ssh 10.7.0.5
Received disconnect from 10.7.0.5: 2: Too many authentication failures for myuser
```

Then, I do:

```
myuser@hostNA ~ $ cat .ssh/known_hosts 
hostMI,10.7.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8rhOoSw2LeHd93kU6fayE5VcoL7uqLCNuDG8JvfCihIAVIUId4u8TnCP14OPsGhro6/rfeAQ89K2C1dcP7W1CSuKjjixR6PfaTP2hJZFoR8d3dxiK1e9oMC9MRo5X4FRW/h9caDKd0kLNF8OKOeIMtsfDD4QXr5PvJaOc+KhBsEfa+WEhMj25qVXxatIlsUc/zzewOrT7Hp1MaK0UoMxCVhAGlWTWIeKk79nnSLk6/db4dcI9bVKMgPNTFhV5wJfN5BVwPqQFC2Xw0fP5jRZlFDOmtE03PH6g81ZUGiwbgHXJHTGGZB0xAyASlt1/9T1m4l9581PT6iDAMquG4+5xw==
myuser@hostNA ~ $ rm -rf .ssh/known_hosts 
removed `.ssh/known_hosts'
myuser@hostNA ~ $ ssh hostMI
Host key verification failed.
myuser@hostNA ~ $ ssh 10.7.0.5
Host key verification failed.
myuser@hostNA ~ $
```

BUT if I su to root and then ssh -l myuser hostMI, it just works!

```
hostNA ~ # ssh -l myuser hostMI
Password: 
Last login: Mon Mar 15 14:22:08 2010 from 10.7.0.1
myuser@hostMI ~ $ 
```

Even with another non-root user, I got the same:

```
hostNA ~ # su alfonso
alfonso@hostNA /root $ ssh -l myuser hostMI
Host key verification failed.
```

Any help will be appreciated.

M.

Last edited by mlnzigzag on Wed Mar 24, 2010 7:11 pm; edited 1 time in total

----------

## Hu

Is there anything interesting in the ssh verbose output?  What do you have in your client ssh_config files?

----------

## mlnzigzag

 *Hu wrote:*   

> Is there anything interesting in the ssh verbose output?

 

```
myuser@hostNA ~ $ ssh -v hostMI
OpenSSH_5.3p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to hostMI [10.7.0.5] port 22.
debug1: Connection established.
debug1: identity file /home/myuser/.ssh/identity type -1
debug1: identity file /home/myuser/.ssh/id_rsa type -1
debug1: identity file /home/myuser/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: read_passphrase: can't open /dev/tty: Permission denied
Host key verification failed.
myuser@hostNA ~ $ su
Password: 
hostNA myuser # source /etc/profile
hostNA myuser # cd /root
hostNA ~ # ssh -v -l myuser hostMI    
OpenSSH_5.3p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to hostMI [10.7.0.5] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'hostMI' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:7
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password: 
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Last login: Mon Mar 22 14:17:23 2010 from 10.7.0.1
myuser@hostNA ~ $ 
```

 *Hu wrote:*   

> What do you have in your client ssh_config files?

 

```
myuser@hostNA ~ $ cat /etc/ssh/ssh_config 
#   $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
myuser@hostNA ~ $
```

Thanks a lot for your support

M.

----------

## Hu

 *mlnzigzag wrote:*   

> ```
> myuser@hostNA ~ $ ssh -v hostMI
> debug1: read_passphrase: can't open /dev/tty: Permission denied
> ```

 Your terminal cannot be opened to read the passphrase from you, so authentication fails.  Root bypasses the permission check.  Have you been using su to change user identities between when you logged in and when you ran the non-root ssh?

----------

## mlnzigzag

 *Hu wrote:*   

>  *mlnzigzag wrote:*   
>
> > ```
> > myuser@hostNA ~ $ ssh -v hostMI
> > debug1: read_passphrase: can't open /dev/tty: Permission denied
> > ```
>
> Your terminal cannot be opened to read the passphrase from you, so authentication fails.  Root bypasses the permission check.  Have you been using su to change user identities between when you logged in and when you ran the non-root ssh?

 

So it's a local permissions problem on hostNA.

1) Any user but root will have this trouble.

2) I didn't su to any user (but root) when I logged in to perform the tests above.

What could have changed the /dev/tty permissions (I didn't, manually), and how can I set the right permissions back on such devices?

Thanks a lot.

M.

----------

## mlnzigzag

```
hostNA ~ # ls -la /dev/tty
crw-rw---- 1 root tty 5, 0 Mar 24 19:58 /dev/tty
hostNA ~ # chmod og=rw /dev/tty
hostNA ~ # ls -la /dev/tty
crw-rw-rw- 1 root tty 5, 0 Mar 24 20:00 /dev/tty
hostNA ~ # exit
exit
myuser@hostNA ~ $ ssh hostMI
The authenticity of host 'hostMI (10.7.0.5)' can't be established.
RSA key fingerprint is 2b:ed:16:ae:83:e8:60:43:7c:f7:40:54:31:6f:6c:18.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'hostMI,10.7.0.5' (RSA) to the list of known hosts.
Password: 
Last login: Wed Mar 24 20:00:49 2010 from 10.7.0.1
myuser@hostMI ~ $
```

Anyway, I'm still wondering what may have changed such permissions.

Any suggestions?

M.

----------

## Hu

For me, the permissions of /dev/tty are 666.  They have been this way for as long as I can remember, and are this way even on non-Gentoo systems.  I do not know how the permissions on yours were changed, nor do I have any suggestions how to find the culprit unless the problem recurs.

----------

## Mike Hunt

... or you could keep permissions at 0660 and add users to the tty group.

----------

## Hu

 *Mike Hunt wrote:*   

> ... or you could keep permissions at 0660 and add users to the tty group.

 This is a terrible idea.  Membership in the tty group entitles a user to write arbitrary content into the terminals of any logged on user.  Consider the output of find /dev/pts -ls for details.
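An added audit script (not from this thread or any poster) that checks the two points the thread turns on: whether an unprivileged user can open /dev/tty read-write, which is what the failing `read_passphrase` needed for the host-key and password prompts, and who is listed in the tty group, since Hu's point is that group membership grants write access to every pty. The function names, the sample group file and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two points the thread turns on.
#  1. Can an unprivileged user open /dev/tty read-write?  ssh needs that for the
#     "Are you sure you want to continue connecting" and "Password:" prompts;
#     with crw-rw---- root:tty only root and tty-group members get through.
#  2. Who is in the tty group?  A member can write into every pty
#     (see `find /dev/pts -ls`), so widening the group is the wrong fix.

# tty_open_check MODE GROUP USER_GROUPS
#   MODE        octal mode of /dev/tty, e.g. 666 or 0660 (from `stat -c %a`)
#   GROUP       owning group of /dev/tty (from `stat -c %G`)
#   USER_GROUPS the user's groups, space separated (from `id -Gn`)
# Prints "ok" when the user can open the device read-write, else "blocked".
tty_open_check() {
    mode=$1; grp=$2; ugroups=$3
    other=$(printf '%s\n' "$mode" | sed 's/.*\(.\)$/\1/')   # last octal digit
    group=$(printf '%s\n' "$mode" | sed 's/.*\(.\).$/\1/')  # middle digit
    case $other in 6|7) echo ok; return 0;; esac   # world rw (0666): anyone
    for g in $ugroups; do                           # otherwise need group rw
        if [ "$g" = "$grp" ]; then
            case $group in 6|7) echo ok; return 0;; esac
        fi
    done
    echo blocked
}

# tty_group_members GROUP_FILE_TEXT
#   Prints the users listed as members of "tty" in /etc/group-format text.
tty_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "tty" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Constructed /etc/group sample (not from the thread) for a stand-alone run.
SAMPLE_GROUP='root:x:0:
tty:x:5:alice,bob
users:x:100:alice'

# Live audit of this host (GNU stat and coreutils id assumed).
audit_tty() {
    [ -c /dev/tty ] || { echo "/dev/tty: not a character device"; return 1; }
    mode=$(stat -c %a /dev/tty); grp=$(stat -c %G /dev/tty)
    echo "/dev/tty mode=$mode group=$grp: $(tty_open_check "$mode" "$grp" "$(id -Gn)")"
    echo "tty group members: $(tty_group_members "$(cat /etc/group)" | tr '\n' ' ')"
}
echo "sample tty members: $(tty_group_members "$SAMPLE_GROUP" | tr '\n' ' ')"
audit_tty || :
```

On the thread's hostNA the first check would report `blocked` for mode 660 before the `chmod og=rw` and `ok` after it; a non-empty member list is the condition Hu warns about.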

----------

## Mike Hunt

 *Hu wrote:*   

>  *Mike Hunt wrote:*   
>
> > ... or you could keep permissions at 0660 and add users to the tty group.
>
> This is a terrible idea.  Membership in the tty group entitles a user to write arbitrary content into the terminals of any logged on user.  Consider the output of find /dev/pts -ls for details.

 

Okie dokie. I wasn't aware of that. Thanks Hu.

----------

