LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
LinkBack Search this Thread
Old 01-01-2005, 12:24 PM   #1
student04
Member
 
Registered: Jan 2004
Location: Georgia
Distribution: OS X, CentOS
Posts: 669

Rep: Reputation: 34
Question ssh logins denied - "keyboard-interactive"


Hey,

This has been giving me headaches... I've tried configuring the sshd_config in many different ways and i still get the same error. I even copied my id_dsa.pub key to the remote computer (a friend's, with whom I'm trying to set this up) and I get the same error. It worked yesterday and gave the debug1: Authentications that can continue: password,keyboard-interactive and i did what it said on the tutorial http://www.linuxquestions.org/questi...ticle&artid=79 . Now the error is debug1: Authentications that can continue: keyboard-interactive.

Take a look
Code:
[alex@localhost .ssh]$ ssh -vv alex@blabla
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090703f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug2: ssh_connect: needpriv 0
debug1: Connecting to blabla [blabla] port 22.
debug1: Connection established.
debug1: identity file /home/alex/.ssh/identity type -1
debug1: identity file /home/alex/.ssh/id_rsa type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/alex/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 137/256
debug2: bits set: 1055/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'blabla' is known and matches the DSA host key.
debug1: Found key in /home/alex/.ssh/known_hosts:2
debug2: bits set: 1036/2048
debug1: ssh_dss_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: keyboard-interactive
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (keyboard-interactive).
debug1: Calling cleanup 0x80628b0(0x0)
[alex@localhost .ssh]$
I know the key authentication is correct because it says so above, but i have no idea what the hell this keyboard-interactive is. Is there an option (what is it) that can disable that annoying thing? His port 22 is open and sshd is indeed running.

This is his sshd_config file:
Code:
[alex@localhost gentoo]$ cat sshd_config
#       $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#KbdInteractiveAuthentication yes

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
ServerKeyBits 2048

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 60
PermitRootLogin yes
#StrictModes yes

RSAAuthentication no
PubkeyAuthentication no
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
UsePAM no

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
Compression yes
ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/lib/misc/sftp-server

AllowUsers alex,aniket
PAMAuthenticationViaKbdInt no
KeepAlive yes
He is running Gentoo Linux 2004.3, kernel 2.6.9.

Thanks; any help welcome.

Last edited by student04; 01-01-2005 at 09:49 PM.
 
Old 01-01-2005, 10:05 PM   #2
student04
Member
 
Registered: Jan 2004
Location: Georgia
Distribution: OS X, CentOS
Posts: 669

Original Poster
Rep: Reputation: 34
An update - progress made, but still no successful logins:

sshd_config is now
Code:
#       $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KbdInteractiveAuthentication no

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
ServerKeyBits 2048

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 60
PermitRootLogin yes
#StrictModes yes

RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
UsePAM no

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
Compression yes
ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/lib/misc/sftp-server

AllowUsers alex,aniket
PAMAuthenticationViaKbdInt no
I now see three authentication methods: password, pubkey and keyboard interactive. It now prompts me for the password, but the password i give (the correct one) is rejected anyway. What's up with this?
 
Old 01-02-2005, 03:14 AM   #3
Tim Retout
LQ Newbie
 
Registered: Dec 2004
Location: UK
Distribution: Debian
Posts: 21

Rep: Reputation: 15
AllowUsers needs usernames separated by spaces.
 
Old 01-02-2005, 03:21 AM   #4
Tim Retout
LQ Newbie
 
Registered: Dec 2004
Location: UK
Distribution: Debian
Posts: 21

Rep: Reputation: 15
I'd also suggest 'PermitRootLogin no'; you can still get to root using su, but it'll stop people brute-forcing the root password remotely.
 
Old 01-02-2005, 03:24 AM   #5
student04
Member
 
Registered: Jan 2004
Location: Georgia
Distribution: OS X, CentOS
Posts: 669

Original Poster
Rep: Reputation: 34
ok thanks; i'll try that tomorrow (i.e. later today--it's 4:30AM ) when he's awake, and post back
 
Old 01-02-2005, 04:13 PM   #6
student04
Member
 
Registered: Jan 2004
Location: Georgia
Distribution: OS X, CentOS
Posts: 669

Original Poster
Rep: Reputation: 34
It didn't work - the thing is, even with 'PermitRootLogin yes' root cannot login. I have tried many different combinations, but cannot see what is preventing the password from being rejected.

My friend can login locally with the passwords, but ssh is rejecting it, so the passwords are correct.

Any other suggestions?

Thanks.
 
Old 01-02-2005, 05:03 PM   #7
Tim Retout
LQ Newbie
 
Registered: Dec 2004
Location: UK
Distribution: Debian
Posts: 21

Rep: Reputation: 15
Well, you could try removing 'AllowUsers' completely... and of course, I assume you've restarted the sshd server. After that, you can try enabling PAM, and enabling keyboard authentication via PAM.

UsePAM yes
PAMAuthenticationViaKbdInt yes <-- (not sure about this one)

Last edited by Tim Retout; 01-02-2005 at 05:04 PM.
 
Old 01-02-2005, 05:28 PM   #8
Tim Retout
LQ Newbie
 
Registered: Dec 2004
Location: UK
Distribution: Debian
Posts: 21

Rep: Reputation: 15
Actually, you could try fishing the default sshd_config out of portage, and seeing whether that fixes it all. Deleting everything in the file will have a similar effect...

Here's the default sshd_config to start again with.

Last edited by Tim Retout; 01-02-2005 at 05:30 PM.
 
Old 01-02-2005, 05:49 PM   #9
Tim Retout
LQ Newbie
 
Registered: Dec 2004
Location: UK
Distribution: Debian
Posts: 21

Rep: Reputation: 15
And if that doesn't work, then post the output of ssh -v alex@blabla again - several things have changed.

Hope you can get this sorted.
 
Old 01-03-2005, 07:58 PM   #10
student04
Member
 
Registered: Jan 2004
Location: Georgia
Distribution: OS X, CentOS
Posts: 669

Original Poster
Rep: Reputation: 34
Thanks, Tim Retout. The default sshd_config file did the trick. <-- me and my friend's graditude for you.
 
Old 01-04-2005, 04:03 AM   #11
Tim Retout
LQ Newbie
 
Registered: Dec 2004
Location: UK
Distribution: Debian
Posts: 21

Rep: Reputation: 15
Great, glad to help.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ssh problem: one user is allowed the other is refused! levent.ozkan Linux - Networking 5 10-05-2005 01:34 PM
Restricting SSH logins. bullium Linux - Security 3 05-10-2005 01:15 AM
Root Logins are not allowed martincho Debian 10 01-30-2005 06:55 PM
Need help using Webmin to tell SSH to allow logins Xolo Linux - Security 9 11-22-2004 03:57 PM
ssh access allowed only to root user? zovres Linux - Newbie 5 09-25-2003 04:19 PM


All times are GMT -5. The time now is 12:12 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration