LinuxQuestions.org
Old 12-14-2004, 12:20 PM   #1
graw
LQ Newbie
 
Registered: Dec 2004
Distribution: Gentoo
Posts: 3

Rep: Reputation: 0
Strange SSH problem


I have a strange ssh problem. I'm running the 2.6.9 kernel on a gentoo box, naturally, with the sshd going for remote administration. The gentoo box is acting as a router and firewall for my small subnet, both being done by iptables.

The problem occurs when I try to ssh into the box from the internet. I can ssh into the box fine from anywhere inside the local subnet (eth1), but any connection coming into eth0 seems to hang.

The client connects, and the server registers the connection, it then asks for the password for the given user. If an incorrect password is entered, it tells you and asks again. So far, so good. The problem arises if the correct password is entered. No prompt appears. It just hangs. Eventually, after about 10 minutes (might be longer, I've not bothered to time it) it times out. However, the /var/log/everything/current file shows that the session is successfully opened - it just never gets to the client.

This is not a firewall issue, as it makes no difference as to whether the firewall is active or not.

Wanting to debug this problem further, I set up the sshd as a standalone non-daemon process listening on port 1745. I also turned debug mode on so I could see what it was doing. Also, I ran the client with -v -v -v which I believe turns on the highest debugging level. Apologies for not posting links, apparently I'm not allowed to.

What the server said:
debug1: sshd version OpenSSH_3.8.1p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 1745 on 0.0.0.0.
Server listening on 0.0.0.0 port 1745.
socket: Address family not supported by protocol
debug1: Server will not fork when running in debugging mode.
Connection from 131.111.179.82 port 33802
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user growse service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "growse"
debug1: PAM: setting PAM_RHOST to "student.cusu.cam.ac.uk"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for growse from 131.111.179.82 port 33802 ssh2
Failed none for growse from 131.111.179.82 port 33802 ssh2
debug1: userauth-request for user growse service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=growse devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for growse from 131.111.179.82 port 33802 ssh2
debug1: PAM: num PAM env strings 0
Postponed keyboard-interactive/pam for growse from 131.111.179.82 port 33802 ssh2
Accepted keyboard-interactive/pam for growse from 131.111.179.82 port 33802 ssh2
debug1: monitor_child_preauth: growse has been authenticated by privileged process
Accepted keyboard-interactive/pam for growse from 131.111.179.82 port 33802 ssh2
debug1: PAM: reinitializing credentials
debug1: permanently_set_uid: 1000/100
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/pts/5
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: PAM: setting PAM_TTY to "/dev/pts/5"
debug1: Setting controlling tty using TIOCSCTTY.


What the client said:

kern:~$ ssh -v -v -v growse@tickle.growse.com -p 1745
OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to tickle.growse.com [81.178.108.159] port 1745.
debug1: Connection established.
debug1: identity file /home/hrn21/.ssh/identity type -1
debug1: identity file /home/hrn21/.ssh/id_rsa type -1
debug1: identity file /home/hrn21/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 132/256
debug1: bits set: 1043/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/hrn21/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /home/hrn21/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 3
debug1: Host 'tickle.growse.com' is known and matches the RSA host key.
debug1: Found key in /home/hrn21/.ssh/known_hosts:1
debug1: bits set: 1041/2048
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home/hrn21/.ssh/identity
debug3: no such identity: /home/hrn21/.ssh/identity
debug1: try privkey: /home/hrn21/.ssh/id_rsa
debug3: no such identity: /home/hrn21/.ssh/id_rsa
debug1: try privkey: /home/hrn21/.ssh/id_dsa
debug3: no such identity: /home/hrn21/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 23 padlen 9 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: ssh-userauth2 successful: method keyboard-interactive
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug3: tty_make_modes: ospeed 38400
debug3: tty_make_modes: ispeed 38400
debug3: tty_make_modes: 1 3
debug3: tty_make_modes: 2 28
debug3: tty_make_modes: 3 127
debug3: tty_make_modes: 4 21
debug3: tty_make_modes: 5 4
debug3: tty_make_modes: 6 0
debug3: tty_make_modes: 7 0
debug3: tty_make_modes: 8 17
debug3: tty_make_modes: 9 19
debug3: tty_make_modes: 10 26
debug3: tty_make_modes: 12 18
debug3: tty_make_modes: 13 23
debug3: tty_make_modes: 14 22
debug3: tty_make_modes: 18 15
debug3: tty_make_modes: 30 0
debug3: tty_make_modes: 31 0
debug3: tty_make_modes: 32 0
debug3: tty_make_modes: 33 0
debug3: tty_make_modes: 34 0
debug3: tty_make_modes: 35 0
debug3: tty_make_modes: 36 1
debug3: tty_make_modes: 37 0
debug3: tty_make_modes: 38 1
debug3: tty_make_modes: 39 0
debug3: tty_make_modes: 40 0
debug3: tty_make_modes: 41 0
debug3: tty_make_modes: 50 1
debug3: tty_make_modes: 51 1
debug3: tty_make_modes: 52 0
debug3: tty_make_modes: 53 1
debug3: tty_make_modes: 54 1
debug3: tty_make_modes: 55 1
debug3: tty_make_modes: 56 0
debug3: tty_make_modes: 57 0
debug3: tty_make_modes: 58 0
debug3: tty_make_modes: 59 1
debug3: tty_make_modes: 60 1
debug3: tty_make_modes: 61 1
debug3: tty_make_modes: 62 0
debug3: tty_make_modes: 70 1
debug3: tty_make_modes: 71 0
debug3: tty_make_modes: 72 1
debug3: tty_make_modes: 73 0
debug3: tty_make_modes: 74 0
debug3: tty_make_modes: 75 0
debug3: tty_make_modes: 90 1
debug3: tty_make_modes: 91 1
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 32768


The sshd config file:

# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 1745
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server


Can anyone solve this?
 
Old 12-15-2004, 12:49 AM   #2
bastard23
Member
 
Registered: Mar 2003
Distribution: Debian
Posts: 275

Rep: Reputation: 30
Hmmm... Don't know.

Can you transfer files between your server and the remote client?
Try "netcat -l -p 1234" on the server and "dd if=/dev/zero bs=4k count=100|netcat <server> 1234"

Does the shell start running on the server?
What is in your pam files?
 
Old 12-15-2004, 02:03 AM   #3
aqoliveira
Member
 
Registered: Dec 2001
Location: Portugal
Distribution: /Red Hat/Fedora/Solaris
Posts: 622

Rep: Reputation: 30
Howzit

Well, after checking the logs, there are a few things that I saw that caught my attention, and it says that there are no such keys. Check under those directories if you have these keys generated; if not, then use the cmd key-gen to generate new keys if needed.

debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home/hrn21/.ssh/identity
debug3: no such identity: /home/hrn21/.ssh/identity
debug1: try privkey: /home/hrn21/.ssh/id_rsa
debug3: no such identity: /home/hrn21/.ssh/id_rsa
debug1: try privkey: /home/hrn21/.ssh/id_dsa
debug3: no such identity: /home/hrn21/.ssh/id_dsa
debug2: we did not send a packet, disable method

In your sshd conf file, choose the type of keys you want to use for the authentication by activating the following

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

Further down the sshd config file, place the following

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication yes
PermitEmptyPasswords no

Rather remark this statement
#UsePAM yes

After the sshd conf file is configured it should work OK

tony
 
Old 12-15-2004, 05:14 AM   #4
graw
LQ Newbie
 
Registered: Dec 2004
Distribution: Gentoo
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for the replies

My /etc/pam.d/sshd file says this:


auth required pam_stack.so service=system-auth
auth required pam_shells.so
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth


My server is running a webserver which works fine, ditto secure imap server, so I don't think it's a global problem.

I made those changes to my sshd_config, but it hangs at the same place.

I can't keygen on the client as I don't own the client. Surely a key is only needed there for public key authing, which I don't want/need?
 
Old 12-15-2004, 02:24 PM   #5
bastard23
Member
 
Registered: Mar 2003
Distribution: Debian
Posts: 275

Rep: Reputation: 30
OK,

I don't think that it is related to public key auth. You seem to be authenticating fine. I haven't seen this problem before, but here are some more things to look at:

What's in /etc/pam.d/system-auth (that's what the pam_stack module does)? Did you try it with UsePAM No in sshd_config?

What processes are started on the server?

Could you increase the debug level (-ddd) on sshd?

Can the client ssh to other places? Do you have a different host to ssh from?
 
Old 12-15-2004, 04:32 PM   #6
graw
LQ Newbie
 
Registered: Dec 2004
Distribution: Gentoo
Posts: 3

Original Poster
Rep: Reputation: 0
Problem is solved!!!!!!!!!!!

Turns out to be the fault of the modem. I came across this page: http://www.magwag.plus.com/jim/tips-300t.html which describes the same problem as me with the same modem. I just need to set the output tos to 0x0 and it's all fine. Tested it and everything.

Happy happy happy
 
Old 12-15-2004, 04:47 PM   #7
bastard23
Member
 
Registered: Mar 2003
Distribution: Debian
Posts: 275

Rep: Reputation: 30
Well that's an odd problem. Glad you found a fix.
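
Added example (not part of the original thread): OpenSSH of this era changes the IP TOS byte on its socket once a session becomes interactive (low delay, 0x10) or bulk (throughput, 0x08), which is why the hang only appears after authentication. This IPv4-only probe checks whether a path passes traffic once the TOS byte changes; the function names and the loopback echo server are constructed for the demo.

```python
import socket
import threading

IPTOS_LOWDELAY = 0x10    # requested by OpenSSH for interactive sessions
IPTOS_THROUGHPUT = 0x08  # requested by OpenSSH for bulk transfers

def start_echo_server(host="127.0.0.1"):
    """Throwaway TCP echo server for the demo; returns the port it bound."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    while data := conn.recv(4096):
                        conn.sendall(data)
                except OSError:
                    pass  # peer went away mid-echo; wait for the next one

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def probe(host, port, tos, payload=b"x" * 512, timeout=5.0):
    """True if an echo round trip succeeds once IP_TOS is set to `tos`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            # Like ssh, connect with the default marking and change it later,
            # so a failure here points at the TOS byte, not at reachability.
            s.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos)
            s.sendall(payload)
            got = b""
            while len(got) < len(payload):
                chunk = s.recv(4096)
                if not chunk:
                    break
                got += chunk
            return got == payload
    except OSError:  # includes timeouts and refused connections
        return False

def compare_tos(host, port, values=(0x00, IPTOS_LOWDELAY, IPTOS_THROUGHPUT)):
    """Probe the same endpoint once per TOS value; returns {tos: reachable}."""
    return {tos: probe(host, port, tos) for tos in values}

if __name__ == "__main__":
    port = start_echo_server()  # loopback demo; every value should pass
    for tos, ok in compare_tos("127.0.0.1", port).items():
        print(f"TOS 0x{tos:02x}: {'ok' if ok else 'STALLED'}")
```

To test a real path, run `compare_tos` from the host behind the modem against an echo service you control on the far side; a value that stalls while 0x00 passes matches the symptom described in this thread.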
 
  

