# sshd woes

## nadir-san

I hardly ever post problems, but damn, this one got me stumped.

I can't ssh to my machine, either to localhost or remotely.

I have tried regenerating all my keys, and unmerging and remerging openssh, openssl, and pam.

I have checked all my configs, and I'm still stuck.

Now, I don't know much about ssh, or pam for that matter, but when I try to log in, here's what I get.

And yes, I've tried with 'UsePAM no', and different pam options.

/etc/ssh/sshd_config

```
Port 22
Protocol 2
ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/lib/misc/sftp-server
```

login failure

```
nadir@frink:~$ ssh -vvv nadir@*.*.*.*
OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to *.*.*.* [*.*.*.*] port 22.
debug1: Connection established.
debug1: identity file /home/users/nadir/.ssh/identity type -1
debug1: identity file /home/users/nadir/.ssh/id_rsa type -1
debug1: identity file /home/users/nadir/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8
debug1: match: OpenSSH_3.8 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 121/256
debug1: bits set: 1032/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/users/nadir/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host '*.*.*.*' is known and matches the RSA host key.
debug1: Found key in /home/users/nadir/.ssh/known_hosts:1
debug1: bits set: 1041/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home/users/nadir/.ssh/identity
debug3: no such identity: /home/users/nadir/.ssh/identity
debug1: try privkey: /home/users/nadir/.ssh/id_rsa
debug3: no such identity: /home/users/nadir/.ssh/id_rsa
debug1: try privkey: /home/users/nadir/.ssh/id_dsa
debug3: no such identity: /home/users/nadir/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
nadir@*.*.*.*'s password:
debug3: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
nadir@*.*.*.*'s password:
debug3: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
nadir@*.*.*.*'s password:
debug3: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: no more auth methods to try
Permission denied (publickey,password,keyboard-interactive).
debug1: Calling cleanup 0x8063aac(0x0)
nadir@frink:~$
```

files

```
-rwxr--r--  1 root root 111892 Jun 13 19:15 moduli
-rwxr--r--  1 root root   1159 Jun 13 19:15 ssh_config
-rwx------  1 root root    672 Jun 13 18:49 ssh_host_dsa_key
-rwxr--r--  1 root root    601 Jun 13 18:49 ssh_host_dsa_key.pub
-rwx------  1 root root    526 Jun 13 18:49 ssh_host_key
-rwxr--r--  1 root root    330 Jun 13 18:49 ssh_host_key.pub
-rwx------  1 root root    887 Jun 13 18:49 ssh_host_rsa_key
-rwxr--r--  1 root root    221 Jun 13 18:49 ssh_host_rsa_key.pub
-rwxr--r--  1 root root   2826 Jun 21 23:03 sshd_config
```

/etc/pam.d/sshd

```
#%PAM-1.0
#auth       required    pam_stack.so service=system-auth
#auth       required     pam_shells.so
#auth      required     pam_nologin.so
#account    required    pam_stack.so service=system-auth
#password   required    pam_stack.so service=system-auth
#session           required     pam_stack.so service=system-auth

auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so try_first_pass
auth       sufficient   pam_unix.so try_first_pass
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    sufficient   pam_stack.so service=system-auth
password   sufficient   pam_winbind.so
password   required     pam_stack.so service=system-auth
password   required     pam_permit.so
session    required     pam_mkhomedir.so skel=/etc/skel umask=0027 silent
session    optional     pam_console.so
session    required     pam_permit.so
```

versions

```
*  net-misc/openssh
      Latest version installed: 3.9_p1-r2
```

```
*  dev-libs/openssl
      Latest version installed: 0.9.7e-r1
```

```
*  sys-libs/pam
      Latest version installed: 0.77-r6
```

Got any ideas??? I'm pretty clueless at the moment; any suggestion welcome. :Smile:

----------

## limn

Just to clarify:

You used to have ssh working and then it stopped working? Did something change?

You want only to be able to connect using keys, not passwords?

----------

## nadir-san

It was working. I did an emerge sync world not too long ago, and it hasn't worked since. One thing I also did was delete my known hosts, but I don't see how this would affect me.

I've regenerated my keys since then too.

Yes, I'd like to use keys, but at this stage I kinda just want it to work.

----------

## limn

Comment this line out in your sshd_config, restart sshd, then try to log in.

```
PasswordAuthentication no
```

Password authentication should then work. Your password is still encrypted in transmission.

----------

## nadir-san

Same thing, man.

```
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home/users/nadir/.ssh/identity
debug3: no such identity: /home/users/nadir/.ssh/identity
debug1: try privkey: /home/users/nadir/.ssh/id_rsa
debug3: no such identity: /home/users/nadir/.ssh/id_rsa
debug1: try privkey: /home/users/nadir/.ssh/id_dsa
debug3: no such identity: /home/users/nadir/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
root@*.*.*.*'s password:
debug3: packet_send2: adding 64 (len 59 padlen 5 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
```

----------

## limn

Why is root looking at nadir's .ssh directory?

----------

## nadir-san

/home/users/nadir/ is on the remote machine; I'm trying to ssh as root to my server, where the sshd daemon is b0rked.

----------

## rex123

Looks weird.

Maybe try stopping sshd on the server, then run it via the command-line as 

```
sshd -ddd
```

Then try to connect and look at the server's debug output.

----------

## limn

Commenting out

```
PasswordAuthentication no
```

didn't change anything because you are using PAM, so it is ignored. If it were actually no, it wouldn't have given you the opportunity to try to log in using your password.

If I use your PAM sshd config, it won't let root log in at all using passwords, but it does not prevent a normal user from logging in. In fact, it will allow my user to log in with any password at all, including an empty password, and that's without private and public keys configured. The first behavior matches yours, but the second does not.

I don't know PAM well enough to know what is going on in your config. You might try commenting out the second set of lines and uncommenting the first set, and restarting sshd. My config has only the top set of lines. You could also try emerging openssh without PAM.
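
The "any password works for a normal user, root is refused" behaviour limn reports falls out of Linux-PAM's control-flag rules when they are applied to the posted auth stack. The simulator below is an added example, not code from the thread or from Linux-PAM itself; it re-implements the `required`/`requisite`/`sufficient`/`optional` bookkeeping that libpam performs and runs it over the four auth lines from the posted /etc/pam.d/sshd. The per-module outcomes are assumptions chosen to model an sshd login: no winbind daemon is answering, /etc/nologin does not exist, and the tty sshd hands to PAM is not listed in /etc/securetty, so pam_securetty.so fails for root and succeeds for everyone else. The `HARDENED_AUTH_STACK` with a trailing `pam_deny.so` is a hypothetical fix added here, not something from the thread.

```python
# Added example (not from the thread): a small simulator of Linux-PAM control-flag
# semantics, run over the auth stack from the posted /etc/pam.d/sshd.
# Module outcomes are assumptions chosen to model an sshd login, not real module calls.

SUCCESS, FAIL = "success", "fail"

# The auth lines from the posted /etc/pam.d/sshd (module arguments omitted).
POSTED_AUTH_STACK = [
    ("required",   "pam_securetty.so"),
    ("sufficient", "pam_winbind.so"),
    ("sufficient", "pam_unix.so"),
    ("required",   "pam_nologin.so"),
]

# Same stack with a fail-closed terminator (hypothetical fix, not from the thread).
HARDENED_AUTH_STACK = POSTED_AUTH_STACK + [("required", "pam_deny.so")]

# Assumed per-module results for three login attempts over sshd: no winbind daemon,
# /etc/nologin absent, sshd's PAM tty not listed in /etc/securetty (so root fails there).
ROOT_GOOD_PW = {"pam_securetty.so": FAIL,    "pam_winbind.so": FAIL,
                "pam_unix.so": SUCCESS,      "pam_nologin.so": SUCCESS, "pam_deny.so": FAIL}
USER_GOOD_PW = {"pam_securetty.so": SUCCESS, "pam_winbind.so": FAIL,
                "pam_unix.so": SUCCESS,      "pam_nologin.so": SUCCESS, "pam_deny.so": FAIL}
USER_BAD_PW  = {"pam_securetty.so": SUCCESS, "pam_winbind.so": FAIL,
                "pam_unix.so": FAIL,         "pam_nologin.so": SUCCESS, "pam_deny.so": FAIL}


def run_auth_stack(stack, outcomes):
    """Apply Linux-PAM's required/requisite/sufficient/optional rules to one stack.

    Returns (final_result, trace). 'impression' mirrors libpam's bookkeeping:
    None = no module has voted yet, True = positive so far, False = a required
    module failed, which no later success can override.
    """
    impression = None
    trace = []
    for flag, module in stack:
        result = outcomes[module]
        trace.append(f"{flag:<10} {module:<17} -> {result}")
        if result == FAIL:
            if flag == "requisite":
                return FAIL, trace          # requisite: stop the stack at once
            if flag == "required" and impression is not False:
                impression = False          # remember the failure, keep going
            # failures of sufficient/optional modules are simply ignored
        else:
            if impression is None:
                impression = True           # first vote, and it is positive
            if flag == "sufficient" and impression is True:
                return SUCCESS, trace       # nothing failed before us: done
    # End of stack: a positive impression wins; no votes at all means denied.
    return (SUCCESS if impression is True else FAIL), trace


if __name__ == "__main__":
    for name, stack in (("posted", POSTED_AUTH_STACK), ("hardened", HARDENED_AUTH_STACK)):
        for who, outcomes in (("root, correct password", ROOT_GOOD_PW),
                              ("user, correct password", USER_GOOD_PW),
                              ("user, wrong password", USER_BAD_PW)):
            result, trace = run_auth_stack(stack, outcomes)
            print(f"[{name}] {who}: {result}")
            for line in trace:
                print("   ", line)
```

With the posted stack, a non-root user with a wrong (or empty) password still gets `success`: both `required` modules succeed, the two `sufficient` modules' failures are ignored, and nothing ever records a negative vote. Root is refused only because pam_securetty.so fails as `required`. That is why a `sufficient`-based stack needs a `required pam_deny.so` at the end (or the distribution's system-auth stack, which carries one); with it, the wrong-password case is denied and the correct-password case is unchanged.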

----------

## mlybarger

I'm having a similar problem here. ssh was working fine. boxA could ssh into boxB, and boxB could also ssh into boxB. Neither is working now. I cannot ssh into box b at all. I had rsync set up to pull files using ssh, but it's not working. I just recently did emerge -u world and updated the /etc files, because everything else was borked w/o updating the etc files.

I'm also not sure what this PAM stuff is, or why a seemingly default install of sshd won't allow even a standard user to connect to localhost:

```
mark@robusta aspects $ emerge -p openssh

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-misc/openssh-3.9_p1-r2

mark@robusta aspects $ ssh robusta
Permission denied (publickey,keyboard-interactive).
mark@robusta aspects $ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 98:10:9e:9f:f8:63:5f:2d:81:70:a6:4c:9e:2b:78:2c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Permission denied (publickey,keyboard-interactive).
```

----------

## nadir-san

Yep, I tried it with and without pam, no joy.

In fact I synced and remerged a load of stuff, including baselayout; still no joy. I'm not sure what to do.

My install is about 2 years old. I wonder if there are any upgrades recently that broke some basic functionality.

----------

## kopfsalat

Don't know if it's the same problem, but my sshd failed me recently, after years without problems. I had to put

```
sshd sshd1 sshd2 : ALL : ALLOW
```

into /etc/hosts.allow to be able to connect locally or from outside.  Perhaps behaviour of the wrapper changed?

----------

## nizar

Could you please post the output of:

```
ls -lh /dev/tty[0-6]
grep DEVFS /usr/src/linux/.config
```

Do you get any message about devfs when you boot the system?

----------

## nadir-san

OK guys, I solved it, and I feel like such a dumbass; I must apologise.

For some reason I had a rule in my firewall (which I have no recollection of inserting) which was DNATing all inbound connections that did not originate from my machine to some other PC on the same ISP I use, which also happened to be running ssh. Fishy stuff, eh! That's why I was getting "host has changed" warnings. I'll investigate this further.

Thanks anyway, peeps. :Smile: I just hope I wasn't hacked; no signs of a rootkit or anything else suspicious, but still...
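
The "host has changed" warnings were the one signal in this thread that pointed at the real cause: the client was being handed a different host key than the one recorded in known_hosts, because it was reaching a different machine. The example below is added here and is not code from the thread or from OpenSSH; it shows what a host-key fingerprint actually is (a hash over the key's SSH wire-format blob), prints it in both the hex-colon MD5 form that OpenSSH 3.x printed (the `98:10:9e:...` style seen in mlybarger's post) and the SHA256 form newer releases use, and compares a known_hosts entry against the key a server presents. The keys and addresses are constructed toy values, not the poster's real host keys.

```python
# Added example (not from the thread): derive OpenSSH host-key fingerprints from a public
# key line and check a known_hosts entry against the key a server actually presents.
# The keys below are constructed toy RSA values, not real host keys from the thread.
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a non-negative integer (leading zero byte if the top bit is set)."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_public_blob(e: int, n: int) -> bytes:
    """The blob an ssh-rsa public key line carries base64-encoded: type, exponent, modulus."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_md5(blob: bytes) -> str:
    """Hex-colon MD5 fingerprint, the format OpenSSH of that era printed (98:10:9e:...)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint in the format newer OpenSSH prints (SHA256:base64, no padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_key_line(line: str):
    """Return (key_type, blob) from a *.pub line or a known_hosts line.

    known_hosts lines start with the host field; *.pub lines start with the key type,
    so the parser looks for the key-type token instead of assuming a column.
    """
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-")) and i + 1 < len(fields):
            return field, base64.b64decode(fields[i + 1])
    raise ValueError("no public key found in line")


def check_host_key(known_hosts_line: str, presented_pub_line: str) -> dict:
    """Compare the key recorded for a host with the key a server presented.

    A mismatch is exactly the 'host key has changed' situation: the client is
    talking to a different machine (or a different key) than the one it recorded.
    """
    recorded_type, recorded = parse_key_line(known_hosts_line)
    seen_type, seen = parse_key_line(presented_pub_line)
    return {
        "match": recorded_type == seen_type and recorded == seen,
        "recorded_md5": fingerprint_md5(recorded),
        "presented_md5": fingerprint_md5(seen),
        "presented_sha256": fingerprint_sha256(seen),
    }


# Constructed sample keys: tiny moduli, useless as real keys, fine for exercising the format.
OWN_HOST_BLOB = rsa_public_blob(65537, 0xC0FFEE1234567890ABCDEF)
OTHER_HOST_BLOB = rsa_public_blob(65537, 0xDEADBEEF0BADF00D1234)
OWN_PUB_LINE = "ssh-rsa " + base64.b64encode(OWN_HOST_BLOB).decode() + " root@frink"
OTHER_PUB_LINE = "ssh-rsa " + base64.b64encode(OTHER_HOST_BLOB).decode() + " root@elsewhere"
# known_hosts entry for the constructed address 192.0.2.10: host, key type, base64 blob.
KNOWN_HOSTS_LINE = "192.0.2.10 " + OWN_PUB_LINE.rsplit(" ", 1)[0]


if __name__ == "__main__":
    print("expected server :", check_host_key(KNOWN_HOSTS_LINE, OWN_PUB_LINE))
    print("redirected peer :", check_host_key(KNOWN_HOSTS_LINE, OTHER_PUB_LINE))
```

In practice the same comparison is `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` on the server against the fingerprint the client prints; the point of doing it by hand is that the fingerprint is a function of the key alone, so a changed fingerprint for an unchanged key file means the packets are not reaching that server.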

----------

## rex123

Good to hear that you solved it. I don't think anyone here would have been able to diagnose that.

It might have helped to try my original suggestion of running the server in debug mode... you would have seen that there was in fact no connection coming in.
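
A server-side `sshd -ddd` shows that nothing arrives; the complementary check is to look at the NAT table for the rule that is sending the traffic elsewhere. The script below is an added example, not code from the thread; it parses an `iptables-save` dump (a constructed sample is embedded) and lists every PREROUTING `DNAT`/`REDIRECT` rule that would divert inbound connections to the ssh port, including rules with no port match at all, which is what "all inbound connections" in nadir-san's description amounts to. The addresses in the sample are documentation ranges chosen here, not the poster's.

```python
# Added example (not from the thread): audit an iptables-save dump for nat-table rules that
# rewrite the destination of inbound connections, so a forgotten DNAT like the one that
# caused this thread's "host has changed" warnings shows up. The dump below is constructed.
import re

SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample, not the poster's real ruleset)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING ! -s 192.0.2.10 -j DNAT --to-destination 192.0.2.77
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.5:80
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def nat_rules(dump: str):
    """Yield (chain, rule) for every -A line that sits inside the *nat table."""
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "nat" and line.startswith("-A "):
            yield line.split()[1], line


def rule_covers_port(rule: str, port: int) -> bool:
    """True if the rule's --dport match includes 'port', or the rule has no port match at all."""
    m = re.search(r"--dport (\d+)(?::(\d+))?", rule)
    if m is None:
        return True                      # no port restriction: every port, ssh included
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    return low <= port <= high


def find_inbound_redirects(dump: str, port: int = 22) -> list:
    """List PREROUTING DNAT/REDIRECT rules that would divert inbound traffic to 'port'."""
    hits = []
    for chain, rule in nat_rules(dump):
        if chain != "PREROUTING":
            continue
        target = re.search(r"-j (DNAT|REDIRECT)\b", rule)
        if target is None or not rule_covers_port(rule, port):
            continue
        dest = re.search(r"--to-destination (\S+)", rule)
        hits.append({
            "rule": rule,
            "target": target.group(1),
            "to": dest.group(1) if dest else None,
            "all_ports": "--dport" not in rule,
        })
    return hits


if __name__ == "__main__":
    # On a live box: iptables-save | python3 this_script.py  (read sys.stdin instead of SAMPLE_DUMP)
    for hit in find_inbound_redirects(SAMPLE_DUMP):
        print(f"{hit['target']} to {hit['to']} (all ports: {hit['all_ports']}):")
        print("   ", hit["rule"])
```

The first sample rule is flagged for port 22 because it carries no port match; the 8080 forward is not. Rules written with `-m multiport --dports` are reported as covering every port, which errs on the side of showing them; refine `rule_covers_port` if that module is in use.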

----------

