Old 08-03-2011, 02:00 AM   #1
kirtikjr
Member
 
Registered: Apr 2007
Location: banglore
Distribution: RedHat EL v4
Posts: 35

Rep: Reputation: 15
issues with ssh login


I have a RHEL 3 machine.

I can log in to it through telnet.

The config files /etc/ssh/sshd_config and /etc/ssh/ssh_config have not been modified.
/etc/hosts.allow and /etc/hosts.deny have all lines commented out.

But the IP address of the system was changed. Could this be the issue?

It was earlier configured for passwordless login (dsa).

I tried moving the contents of the .ssh file to a bkp folder, still no help.



-bash-2.05b$ uname -a
Linux itanium2 2.4.21-9.EL #1 SMP Thu Jan 8 16:54:40 EST 2004 ia64 ia64 ia64 GNU/Linux



Posting the verbose ssh log:

------------------------------

bash-2.05b$ ssh -v qa_fnp@10.91.220.35
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to 10.91.220.35 [10.91.220.35] port 22.
debug1: Connection established.
debug1: identity file /home2/qa_fnp/.ssh/identity type -1
debug1: identity file /home2/qa_fnp/.ssh/id_rsa type -1
debug1: identity file /home2/qa_fnp/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.91.220.35' is known and matches the RSA host key.
debug1: Found key in /home2/qa_fnp/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home2/qa_fnp/.ssh/identity
debug1: Trying private key: /home2/qa_fnp/.ssh/id_rsa
debug1: Trying private key: /home2/qa_fnp/.ssh/id_dsa
debug1: Next authentication method: password
qa_fnp@10.91.220.35's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: channel 0: request pty-req
debug1: channel 0: request shell
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to 10.91.220.35 closed by remote host.
Connection to 10.91.220.35 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 87 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 4650.7
debug1: Exit status -1
-bash-2.05b$
 
Old 08-03-2011, 07:09 AM   #2
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,074

Rep: Reputation: 776
If your IP address has changed you need to regenerate your keys (and remove the existing keys from the remote machine(s) that connect to "this" server).

So, on your changed IP server, log in and cd .ssh. Remove the id_dsa and id_dsa.pub files then execute ssh-keygen with at least -t dsa plus any additional options you use. Hit the return key for the passphrase prompt (if you want).

Then on the remote machine(s), log in and cd .ssh. Edit the authorized_keys and known_hosts files deleting the "old" entries for the server that changed. Then connect:
Code:
ssh change_server
That ought to work.

It's convenient to copy the id_dsa.pub file from the changed server to your remote servers, putting the content into the authorized_keys file in ~/.ssh (and vice-versa depending on whether you want bi-directional connections).

It may be a good idea to edit /etc/hosts and add the IP address and name of the server that changed (so you can simply refer to it by name on your remote system) of the form
Code:
192.16.1.10     server.domain server
By so doing, you should, on the remote machine, be able to ping server (and, of course, simply ssh server as well).

Hope this helps some.

Last edited by tronayne; 08-03-2011 at 07:11 AM.
 
Old 08-03-2011, 07:37 AM   #3
kirtikjr
Member
 
Registered: Apr 2007
Location: banglore
Distribution: RedHat EL v4
Posts: 35

Original Poster
Rep: Reputation: 15
Well, my aim was not exactly a passwordless login, but just ssh; as our applications need ssh, getting a password prompt is OK. I even tried deleting the entire .ssh directory and recreated the keys again (with -t rsa). No help.
The verbose output of ssh was obtained when I tried to self-ssh as a user on the same server.

I checked the /var/log/secure file. The last lines are:

Aug 3 01:03:57 itanium2 sshd[9400]: Accepted password for qa_fnp from ::ffff:10.41.10.38 port 40590 ssh2
Aug 3 01:03:57 itanium2 sshd[9401]: Accepted password for qa_fnp from ::ffff:10.41.10.38 port 40590 ssh2
Aug 3 01:03:57 itanium2 sshd[9402]: fatal: PAM session setup failed[28]: Module is unknown

I guess something is wrong with the PAM settings.
-bash-2.05b$ sudo cat /etc/pam.d/sshd
#%PAM-1.0
#auth include system-auth
#account required pam_nologin.so
#account include system-auth
#password include system-auth
#session optional pam_keyinit.so force revoke
#session include system-auth
#session required pam_loginuid.so
#
auth required pam_stack.so service=system-auth
#auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
session required pam_loginuid.so
 
Old 08-03-2011, 08:46 AM   #4
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,074

Rep: Reputation: 776
It does look like it may be a PAM problem; however, PAM is not included with Slackware and I don't have any experience with it in any event so I'm afraid I can't really help you with PAM.

Something that itches back there in memory is that changing a system IP address can require regenerating keys. As in system keys and, possibly, keys for things like PAM? Not sure, could be way off base. The message about a missing module might be a hint -- either a module is completely missing or it's not selected in the setup (and, as I say, I'm not familiar with PAM).

Hopefully, somebody else can lend a hand.
 
Old 08-03-2011, 09:55 AM   #5
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by kirtikjr
Code:
Aug 3 01:03:57 itanium2 sshd[9402]: fatal: PAM session setup failed[28]: Module is unknown
Please post your /etc/pam.d/system-auth config (in code tags).
 
Old 08-04-2011, 12:35 AM   #6
kirtikjr
Member
 
Registered: Apr 2007
Location: banglore
Distribution: RedHat EL v4
Posts: 35

Original Poster
Rep: Reputation: 15
Actually the issue was with the PAM settings only. If you see the last line: session required pam_loginuid.so
I tried to look in the /lib/security directory. The pam_loginuid.so file was not there.
I commented out the last line in /etc/pam.d/sshd.
It worked.
Thanks to all
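
An added example (not part of the thread): a shell function that lists the modules a PAM service file references but that do not exist in the module directory, which is the condition behind "PAM session setup failed[28]: Module is unknown". The function name `pam_missing_modules`, the scratch directory and its files are constructed for the demo; on the host in the thread the arguments would be /etc/pam.d/sshd and /lib/security.

```shell
#!/bin/sh
# pam_missing_modules CONFIG MODULE_DIR
# Prints "type module" for every module CONFIG names that is absent on disk.
pam_missing_modules() {
    conf=$1 moddir=$2
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $2 == "include" || $2 == "substack" { next }   # names a service, not a module
        {
            type = $1; sub(/^-/, "", type)       # leading "-" marks a quiet optional entry
            i = 2
            if ($i ~ /^\[/)                      # bracketed control: [success=1 default=ignore]
                while (i <= NF && $i !~ /\]$/) i++
            print type, $(i + 1)                 # module follows the control field
        }' "$conf" |
    while read -r type mod; do
        case $mod in
            /*) path=$mod ;;                     # absolute module path
            *)  path=$moddir/$mod ;;             # bare name resolves in the module directory
        esac
        [ -e "$path" ] || echo "$type $mod"
    done
}

# Constructed demo: the active lines of the thread's /etc/pam.d/sshd, checked against
# a scratch module directory that lacks pam_loginuid.so, as /lib/security did.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir "$demo_dir/security"
touch "$demo_dir/security/pam_stack.so" "$demo_dir/security/pam_limits.so" \
      "$demo_dir/security/pam_console.so"
cat > "$demo_dir/sshd" <<'EOF'
#%PAM-1.0
#session include system-auth
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
session required pam_loginuid.so
EOF
pam_missing_modules "$demo_dir/sshd" "$demo_dir/security"
```

The function does not follow `pam_stack.so service=...` or `include` references, so the referenced service file (system-auth here) needs its own run.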
 
  

