LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-10-2010, 04:17 AM   #1
freeindy
Member
 
Registered: Nov 2002
Posts: 207

Rep: Reputation: 32
sshd not working properly


Hi,

I have a problem with sshd daemon on a target linux system:

The system has only one user (root) without password.

The sshd_config looks like:
Code:
Port 22
Protocol 2

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

KeyRegenerationInterval 3600
ServerKeyBits 768

SyslogFacility AUTH
LogLevel DEBUG3

LoginGraceTime 30
PermitRootLogin yes

RSAAuthentication yes
PubkeyAuthentication yes

PermitEmptyPasswords yes
PasswordAuthentication no

X11Forwarding no
The debug output from client is:
Code:
ssh -vvv root@@172.24.30.167
OpenSSH_4.2p1, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 172.24.30.167 [172.24.30.167] port 22.
debug1: Connection established.
debug1: identity file /homes/insi/.ssh/identity type -1
debug3: Not a RSA1 key file /homes/insi/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /homes/insi/.ssh/id_rsa type 1
debug1: identity file /homes/insi/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5
debug1: match: OpenSSH_5.5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 131/256
debug2: bits set: 1031/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /homes/insi/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 7
debug1: Host '172.24.30.167' is known and matches the RSA host key.
debug1: Found key in /homes/insi/.ssh/known_hosts:7
debug2: bits set: 987/2048
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
It gets blocked here till the timeout.

And on the server side, the debug output is:
Code:
Mar 30 15:19:52 localhost sshd[1262]: debug3: fd 5 is not O_NONBLOCK
Mar 30 15:19:52 localhost sshd[1262]: debug1: Forked child 1270.
Mar 30 15:19:52 localhost sshd[1270]: debug3: oom_adjust_restore
Mar 30 15:19:52 localhost sshd[1262]: debug3: send_rexec_state: entering fd = 8 config len 331
Mar 30 15:19:52 localhost sshd[1262]: debug3: ssh_msg_send: type 0
Mar 30 15:19:52 localhost sshd[1270]: Set /proc/self/oom_adj to 0
Mar 30 15:19:52 localhost sshd[1262]: debug3: send_rexec_state: done
Mar 30 15:19:52 localhost sshd[1270]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Mar 30 15:19:52 localhost sshd[1270]: debug1: inetd sockets after dupping: 3, 3
Mar 30 15:19:52 localhost sshd[1270]: Connection from 172.21.3.22 port 50043
Mar 30 15:19:52 localhost sshd[1270]: debug1: Client protocol version 2.0; client software version OpenSSH_4.2
Mar 30 15:19:52 localhost sshd[1270]: debug1: match: OpenSSH_4.2 pat OpenSSH_4*
Mar 30 15:19:52 localhost sshd[1270]: debug1: Enabling compatibility mode for protocol 2.0
Mar 30 15:19:52 localhost sshd[1270]: debug1: Local version string SSH-2.0-OpenSSH_5.5
Mar 30 15:19:52 localhost sshd[1270]: debug2: fd 3 setting O_NONBLOCK
Mar 30 15:19:52 localhost sshd[1270]: debug2: Network child is on pid 1271
Mar 30 15:19:52 localhost sshd[1270]: debug3: preauth child monitor started
Mar 30 15:19:52 localhost sshd[1270]: debug3: mm_request_receive entering
Mar 30 15:19:52 localhost sshd[1270]: debug3: monitor_read: checking request 0
Mar 30 15:19:52 localhost sshd[1270]: debug3: mm_answer_moduli: got parameters: 1024 1024 8192
Mar 30 15:19:52 localhost sshd[1270]: WARNING: /usr/local/etc/moduli does not exist, using fixed modulus
Mar 30 15:19:52 localhost sshd[1270]: debug3: mm_request_send entering: type 1
Mar 30 15:19:52 localhost sshd[1270]: debug2: monitor_read: 0 used once, disabling now
Mar 30 15:19:52 localhost sshd[1270]: debug3: mm_request_receive entering
Mar 30 15:19:52 localhost sshd[1270]: debug3: monitor_read: checking request 4
Mar 30 15:19:52 localhost sshd[1270]: debug3: mm_answer_sign
Mar 30 15:19:52 localhost sshd[1270]: debug3: mm_answer_sign: signature 0x1001ce48(143)
Mar 30 15:19:52 localhost sshd[1270]: debug3: mm_request_send entering: type 5
Mar 30 15:19:52 localhost sshd[1270]: debug2: monitor_read: 4 used once, disabling now
Mar 30 15:19:52 localhost sshd[1270]: debug3: mm_request_receive entering
Does anyone know for what reason it hangs?

Thanks,
Indy
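The client log above ends with SSH2_MSG_SERVICE_REQUEST sent and no SERVICE_ACCEPT, so key exchange is already complete and user authentication has not begun. Added example, not code from the post: a Python checker that walks a client -v log through the OpenSSH protocol milestones and names the phase it stalled in; the milestone strings are OpenSSH debug1 messages, and the excerpt is a constructed copy of the milestone lines from the log above.

```python
# Constructed excerpt of the client "ssh -vvv" output quoted in the post
# (milestone lines only; the kex_parse_kexinit algorithm lists are omitted).
CLIENT_DEBUG = """\
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
"""

# Milestones of an OpenSSH protocol-2 login in the order the client prints them:
# (name, debug1 substring proving the client got that far, phase the login is in
# when this is the last milestone seen).
MILESTONES = [
    ("tcp_connected", "Connection established", "banner exchange"),
    ("banner_exchanged", "Remote protocol version", "key exchange"),
    ("kexinit_received", "SSH2_MSG_KEXINIT received", "key exchange"),
    ("host_key_verified", "ssh_rsa_verify: signature correct", "key exchange"),
    ("newkeys_received", "SSH2_MSG_NEWKEYS received", "service request"),
    ("service_request_sent", "SSH2_MSG_SERVICE_REQUEST sent",
     "service request (server never answered with SERVICE_ACCEPT)"),
    ("service_accepted", "SSH2_MSG_SERVICE_ACCEPT received", "user authentication"),
    ("userauth_started", "Authentications that can continue", "user authentication"),
    ("authenticated", "Authentication succeeded", "session established"),
]

def progress(log_text):
    """Return (last milestone reached, phase) for a client -v debug log."""
    last = ("none", "no connection")
    lines = log_text.splitlines()
    for name, marker, phase in MILESTONES:
        if any(marker in line for line in lines):
            last = (name, phase)
    return last

def auth_settings_in_play(log_text):
    """True once the server has accepted the ssh-userauth service; before that,
    PermitEmptyPasswords / PasswordAuthentication cannot be what blocks the login."""
    name = progress(log_text)[0]
    names = [m[0] for m in MILESTONES]
    return name in names and names.index(name) >= names.index("service_accepted")
```

For the posted log, progress() reports service_request_sent and auth_settings_in_play() is False, which is why changing the authentication options in sshd_config did not move the hang.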
 
Old 08-10-2010, 05:41 AM   #2
eco
Member
 
Registered: May 2006
Location: BE
Distribution: Debian/Gentoo
Posts: 412

Rep: Reputation: 48
This might not solve your problem, but you might want to configure your server with a proper root password and set your ssh to accept an rsa/dsa key. That way you (1) secure your server to a minimum, (2) still access it without a password if you wish, and (3) you never know, it might get rid of your problem.

Seriously though, a passwordless root account seems like you're asking for trouble.

my 2c
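Added example, not eco's own code: a Python audit of the sshd_config posted above against the two settings this advice targets (PermitEmptyPasswords, PermitRootLogin) plus Protocol. It parses the file the way sshd does (keywords case-insensitive, first occurrence wins, `Key value` or `Key=value`); the defaults assumed for absent keywords are those of OpenSSH 5.4 and later (the server in the thread is 5.5), and `without-password` is the PermitRootLogin value that keeps key-based root login while refusing password logins.

```python
# Constructed copy of the sshd_config posted in the thread (blank lines dropped).
POSTED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
PermitEmptyPasswords yes
PasswordAuthentication no
X11Forwarding no
"""

# Keyword -> (sshd default when absent, acceptable values, recommended value).
# Defaults are those of OpenSSH 5.4+, which disabled protocol 1 by default.
POLICY = {
    "PermitEmptyPasswords": ("no", {"no"}, "no"),
    "PermitRootLogin": ("yes", {"no", "without-password"}, "without-password"),
    "Protocol": ("2", {"2"}, "2"),
}

def parse_sshd_config(text):
    """Map lower-cased keyword -> value for the first occurrence of each keyword,
    which is the one sshd honours. Accepts 'Key value' and 'Key=value' forms."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    return settings

def audit(text):
    """Return [(keyword, effective value, recommended value)] for every POLICY
    keyword whose effective value (set in the file or defaulted) is not acceptable."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (default, acceptable, recommended) in POLICY.items():
        value = settings.get(key.lower(), default).lower()
        if value not in acceptable:
            findings.append((key, value, recommended))
    return findings

# The posted file with both findings corrected: root may still log in, but only
# with a key, and empty passwords are refused.
HARDENED_CONFIG = (POSTED_CONFIG
                   .replace("PermitRootLogin yes", "PermitRootLogin without-password")
                   .replace("PermitEmptyPasswords yes", "PermitEmptyPasswords no"))
```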
 
Old 08-10-2010, 06:50 AM   #3
freeindy
Member
 
Registered: Nov 2002
Posts: 207

Original Poster
Rep: Reputation: 32
Thanks for your response eco. As you suspected (so did I), I didn't solve the problem. It seems to me that I'm not getting to a point where the key exchange is being handled.

I can't change the password; it gives me some error I've never heard of (passwd: Critical error - immediate abort).

The system is an embedded kind of board. It has no busybox or anything compact like that, but it is fairly small to be working with. So no danger in root and password issues :-). I wouldn't have it on a user system, but thanks for your concern :-)

/indy
 
Old 08-10-2010, 07:01 AM   #4
jrosco
Member
 
Registered: Aug 2010
Location: Australia
Posts: 37

Rep: Reputation: 4
Looks as though you need to create a new rsa key. Detailed instructions can be found here: http://magicmonster.com/kb/net/ssh/auto_login.html

I agree with eco, you don't want access to a server without a password with root access. You should create a user account without root privilege, and if you need to have access to special files/dirs that only root can execute/write, you could use sudo or add the user via visudo.
 
Old 08-10-2010, 07:08 AM   #5
freeindy
Member
 
Registered: Nov 2002
Posts: 207

Original Poster
Rep: Reputation: 32
Thanks jrosco,

But I'm aware of the method in the link you sent. I have it set up on my local pc for different servers. The only problem with those instructions is that I cannot pass step one because I cannot login from the client. I.e. the password is not being asked for. Nothing. Please see the debug output above.

/Indy
 
Old 08-10-2010, 07:21 AM   #6
jrosco
Member
 
Registered: Aug 2010
Location: Australia
Posts: 37

Rep: Reputation: 4
Do you have root access to the server?

If so, change

Code:
PasswordAuthentication no
to

Code:
PasswordAuthentication yes
in the sshd_config file. And then fix the ssh key exchange issue.
 
Old 08-10-2010, 08:01 AM   #7
freeindy
Member
 
Registered: Nov 2002
Posts: 207

Original Poster
Rep: Reputation: 32
Ok,

I generated two new keys (rsa and dsa) with "ssh-keygen -t rsa" and "ssh-keygen -t dsa". Put them in the right location. I also changed PasswordAuthentication to yes. And restarted the sshd server.

Didn't make any difference :-( login hangs at exactly the same place....
 
Old 08-11-2010, 03:35 AM   #8
jrosco
Member
 
Registered: Aug 2010
Location: Australia
Posts: 37

Rep: Reputation: 4
Can you login locally on the server?

Code:
ssh 127.0.0.1
From what I understand about setting up ssh keys, you would create a key

Code:
ssh-keygen -t dsa
Put it in the default location, e.g. /root/.ssh/
Don't enter any pass-phrase

Code:
cat /root/.ssh/id_dsa.pub >> /root/.ssh/authorized_keys
Copy the dsa private key (id_dsa) over to the client.

Ensure the private keys have chmod 600.

Quote:
The system is a board of embedded kind. It has no busybox or anything compact like that but fairly small to be working with
What type of system is it (router/modem/firewall)?

Quote:
I can't change the password, it gives me some error I've unheard of (passwd: Critical error - immediate abort)
Weird that you can't change the root password.
 
Old 08-11-2010, 06:25 AM   #9
eco
Member
 
Registered: May 2006
Location: BE
Distribution: Debian/Gentoo
Posts: 412

Rep: Reputation: 48
Hi,

I had a quick look on the net and a lot of it seems to point to cracklib being the problem.

Have a look at these links:
link1

link2

link3

link4

If you did do this already and it didn't help, well, it'll just be the second time I can't help.
 
  

