Hi all,
On one machine, I am running Gentoo 2007, Linux server_1 2.6.23-hardened-r4 #1 SMP.
From the above server, I ssh to my second server, running FreeBSD 7, FreeBSD server_2 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3
My ssh output, from server_1, looks as follows:
$ ssh -v user@server_2
OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to server_2 [server_2] port 22.
debug1: Connection established.
debug1: identity file /var/user/home/.ssh/identity type -1
debug1: identity file /var/user/home/.ssh/id_rsa type -1
debug1: identity file /var/user/home/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version 3.2.9.1 SSH Secure Shell (non-commercial)
debug1: no match: 3.2.9.1 SSH Secure Shell (non-commercial)
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'server_2' is known and matches the DSA host key.
debug1: Found key in /var/nagios/home/.ssh/known_hosts:25
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /var/nagios/home/.ssh/identity
debug1: Trying private key: /var/nagios/home/.ssh/id_rsa
debug1: Offering public key: /var/nagios/home/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
user@server_2's password:
Authenticated with partial success.
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
I installed sshd2 on my FreeBSD server, as I am running VSFTP on it and chrooting the ftp users to their directories, and enabled compatibility mode on it for ssh from my Gentoo server.
These are my config files for sshd and sshd2 on my FreeBSD server:
# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.47 2006/11/10 16:52:41 des Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.
#VersionAddendum FreeBSD-20061110
#Port 22
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys2
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable PAM authentication
ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
And the config file for sshd2:
# cat /usr/local/etc/ssh2/sshd2_config
## SSH CONFIGURATION FILE FORMAT VERSION 1.1
## REGEX-SYNTAX egrep
## end of metaconfig
## (leave above lines intact!)
## sshd2_config
## SSH 3.2 Server Configuration File
##
## General
# HostKeyFile hostkey
# PublicHostKeyFile hostkey.pub
# RandomSeedFile random_seed
# BannerMessageFile /usr/local/etc/ssh2/ssh_banner_message
# BannerMessageFile /etc/issue.net
#
# VerboseMode no
# QuietMode no
# SyslogFacility AUTH
# SyslogFacility LOCAL7
# SftpSyslogFacility LOCAL7
## Network
# Port is commented out as it is specified by the startup script.
# Port 22
# ListenAddress any
# ResolveClientHostName yes
# RequireReverseMapping no
# MaxBroadcastsPerSecond 0
# MaxBroadcastsPerSecond 1
# NoDelay no
# KeepAlive yes
# MaxConnections 50
# MaxConnections 0
# 0 == number of connections not limited
## Crypto
# Ciphers AnyCipher
# Ciphers AnyStdCipher
# Ciphers 3des
# Following includes "none" 'cipher':
# Ciphers AnyStd
#
# MACs AnyMAC
# MACs AnyStdMAC
# Following includes "none" 'mac':
# MACs AnyStd
#
# RekeyIntervalSeconds 3600
## User
# PrintMotd yes
# CheckMail yes
# StrictModes yes
# Specifies 1 hour (you can also use 'w' for week, 'd' for day, 'm' for
# minute, 's' for seconds)
# IdleTimeOut 1h
# without specifier, the default number is in seconds
# IdleTimeOut 3600
#
# UserConfigDirectory "%D/.ssh2"
# UserConfigDirectory "/usr/local/etc/ssh2/auth/%U"
# AuthorizationFile authorization
# This variable is set here, because by default it's empty, and so no
# variables can be set. Because of that, we set a few common ones here.
SettableEnvironmentVars LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ
## Tunneling
# AllowX11Forwarding yes
# AllowTcpForwarding yes
# AllowTcpForwardingForUsers sjl,cowboyneal@slashdot\.org
# DenyTcpForwardingForUsers 2[[:digit:]]*4,peelo
# AllowTcpForwardingForGroups privileged_tcp_forwarders
# DenyTcpForwardingForGroups coming_from_outside
#
# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed (if
# it can be resolved from the DNS).
#
# ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
#
# Local port forwardings requested exactly to host proxy.company.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group id 10:
#
# ForwardACL allow local s.*%10 proxy\.company\.com%8080
#
# Remote port forwarding is denied for all users to all hosts:
# ForwardACL deny remote .* .*
## Authentication
## publickey and password allowed by default
# AllowedAuthentications publickey,password
# AllowedAuthentications hostbased,publickey,password
# AllowedAuthentications hostbased,publickey,keyboard-interactive
RequiredAuthentications publickey,password
# LoginGraceTime 600
# AuthInteractiveFailureTimeout 2
#
# HostbasedAuthForceClientHostnameDNSMatch no
# UserKnownHosts yes
#
# AuthPublicKey.MaxSize 0
# AuthPublicKey.MinSize 0
# AllowAgentForwarding yes
#
# AuthKbdInt.NumOptional 0
# AuthKbdInt.Optional pam,password
# AuthKbdInt.Required password
# AuthKbdInt.Retries 3
#
# PermitEmptyPasswords no
# PasswordGuesses 3
## Host restrictions
# AllowHosts localhost, foobar.com, friendly.org
#
## Next one matches with, for example, taulu.foobar.com, tuoli.com, but
## not tuoli1.com. Note that you have to input string "\." when you want it
## to match only a literal dot. You also have to escape "," when you
## want to use it in the pattern, because otherwise it is considered a list
## separator.
##
## AllowHosts t..l.\..*
##
## The following matches any numerical IP-address (yes, it is cumbersome)
##
## AllowHosts ([[:digit:]]{1\,3}\.){3}[[:digit:]]{1\,3}
##
## Same thing is achieved with using the special prefix "\i" in a
## pattern. This means that the pattern is only used to match
## IP-addresses.
##
## Using the above example:
##
## AllowHosts \i.*
##
## You can probably see the difference between the two.
##
## Also, you can use subnet masks, by using prefix "\m"
##
## AllowHosts \m127.0/8
## and
## AllowHosts \m127.0.0.0/24
##
## would match localhost ("127.0.0.1").
##
# DenyHosts evil\.org, aol\.com
# AllowSHosts trusted\.host\.org
# DenySHosts not\.quite\.trusted\.org
# IgnoreRhosts no
# IgnoreRootRHosts no
# (the above, if not set, is defaulted to the value of IgnoreRHosts)
## User restrictions
# AllowUsers sj.*,s[[:digit:]]*,s(jl|amza)
# DenyUsers skuuppa,warezdude,31373
# DenyUsers don@untrusted\.org
# AllowGroups staff,users
# DenyGroups guest,anonymous
# PermitRootLogin yes
# PermitRootLogin nopwd
## Chrooted environment
# ChRootUsers anonymous,ftp,guest
# ChRootGroups sftp,guest
## SSH1 compatibility
Ssh1Compatibility yes
Sshd1Path /usr/local/sbin/sshd
#
# This is given as argument to sshd1 with "-f" if sshd2 is invoked
# with "-f", otherwise the default configuration for sshd1 is used.
Sshd1ConfigFile /etc/ssh/sshd_config
## subsystem definitions
# Subsystems don't have defaults, so this is needed here (uncommented).
# subsystem-sftp sftp-server
# Also internal sftp-server subsystem can be used.
subsystem-sftp internal://sftp-server
## Subconfiguration
# There are no default subconfiguration files. When specified the last
# obtained keyword value will prevail. Note that the host specific files
# are read before the user specific files.
# Following matches (from) any host
#
# HostSpecificConfig .* /usr/local/etc/ssh2/subconfig/host_ext.example
#
# Following matches to subnet mask:
#
# HostSpecificConfig \m192.168.0.0/16 /usr/local/etc/ssh2/subconfig/host_int.example
#
# Following matches to users from ssh.com that have two character long
# username or is sjl and belong to group wheel or wheel[0-9]
#
# UserSpecificConfig (..|sjl)%wheel[[:digit:]]?@ssh\.com /usr/local/etc/ssh2/subconfig/user.example
#
# Following matches to the user anonymous from any host
#
# UserSpecificConfig anonymous@.* /usr/local/etc/ssh2/subconfig/anonymous.example
I have tried various options in the config files, but it keeps on asking me for a password to authenticate.
I am not too sure what I am missing here.
Any help would be greatly appreciated.
How would I be able to see what version of ssh is running on my Gentoo server?
Thank you kindly
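Added example, not part of the original post: a small Python parser that replays the SSH2 userauth exchange from the `ssh -v` output above and compares it with the sshd2 `RequiredAuthentications` line, on the reading that every method listed there must succeed before login is granted. The log excerpt and config line are constructed from the post; the function names (`parse_userauth`, `required_methods`, `diagnose`) are mine.

```python
import re

# Constructed excerpt of the `ssh -v` transcript in the question.
SSH_V_LOG = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /var/nagios/home/.ssh/id_dsa
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
Authenticated with partial success.
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
"""
# The one uncommented authentication line from the posted sshd2_config.
SSHD2_CONFIG = "RequiredAuthentications publickey,password\n"


def parse_userauth(log):
    """Replay the SSH2 userauth exchange from client debug output."""
    st = {"attempted": [], "partial_success": [], "remaining": [], "denied": []}
    current = None
    for line in log.splitlines():
        if m := re.search(r"Next authentication method: (\S+)", line):
            current = m.group(1)
            st["attempted"].append(current)
        elif m := re.search(r"Authentications that can continue: (\S+)", line):
            # Server's current list: a method drops out only once it succeeded.
            st["remaining"] = m.group(1).split(",")
        elif "Authenticated with partial success" in line:
            # Server accepted `current` but still requires further methods.
            st["partial_success"].append(current)
        elif m := re.search(r"Permission denied \((\S+)\)", line):
            st["denied"] = m.group(1).split(",")
    return st


def required_methods(sshd2_config):
    """sshd2's RequiredAuthentications: every listed method must succeed."""
    for line in sshd2_config.splitlines():
        if line.strip().startswith("RequiredAuthentications"):
            return line.split(None, 1)[1].strip().split(",")
    return []


def diagnose(log, sshd2_config):
    """Required methods the server never reported as succeeded."""
    st = parse_userauth(log)
    return [m for m in required_methods(sshd2_config) if m not in st["partial_success"]]
```

Run against the posted transcript, `diagnose` returns `['publickey']`: the password step was accepted (the "partial success" line), and the offered `id_dsa` key is the required method the sshd2 side never accepted.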