-   Linux - Server (
-   -   issues with ssh login (

kirtikjr 08-03-2011 02:00 AM

issues with ssh login
I have a Rhel 3 machine.

I can login to it through telnet.

The config files /etc/ssh/sshd_config and /etc/ssh/ssh_config has not been modified.
/etc/hosts.allow and /etc/hosts.deny have all commented lines.

But the IP address of the system was changed. Could this be issue?

It was earlier configured for passwordless login(dsa).

I tried moving the contents for .ssh file to bkp folder, still no help.

-bash-2.05b$ uname -a
Linux itanium2 2.4.21-9.EL #1 SMP Thu Jan 8 16:54:40 EST 2004 ia64 ia64 ia64 GNU/Linux

posting the verbose ssh log


bash-2.05b$ ssh -v qa_fnp@
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to [] port 22.
debug1: Connection established.
debug1: identity file /home2/qa_fnp/.ssh/identity type -1
debug1: identity file /home2/qa_fnp/.ssh/id_rsa type -1
debug1: identity file /home2/qa_fnp/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
debug1: match: OpenSSH_3.6.1p2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '' is known and matches the RSA host key.
debug1: Found key in /home2/qa_fnp/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home2/qa_fnp/.ssh/identity
debug1: Trying private key: /home2/qa_fnp/.ssh/id_rsa
debug1: Trying private key: /home2/qa_fnp/.ssh/id_dsa
debug1: Next authentication method: password
qa_fnp@'s password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: channel 0: request pty-req
debug1: channel 0: request shell
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to closed by remote host.
Connection to closed.
debug1: Transferred: stdin 0, stdout 0, stderr 87 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 4650.7
debug1: Exit status -1

tronayne 08-03-2011 07:09 AM

If your IP address has changed you need to regenerate your keys (and remove the existing keys from the remote machine(s) that connect to "this" server).

So, on your changed IP server, log in and cd .ssh. Remove the id_dsa and files then execute ssh-keygen with at least -t dsa plus any additional options you use. Hit the return key for the passphrase prompt (if you want).

Then on the remote machine(s), log in and cd .ssh. Edit the authorized_keys and known_hosts files deleting the "old" entries for the server that changed. Then connect:

ssh change_server
That ought to work.

It's convenient to copy the file from the changed server to your remote servers, putting the content into the authorized_keys file in ~/.ssh (and vice-versa depending on whether you want bi-directional connections).

It may be a good idea to edit /etc/hosts and add the IP address and name of the server that changed (so you can simply refer to it by name on your remote system) of the form
Code:    server.domain server
By so doing, you should, on the remote machine, be able to ping server (and, of course, simply ssh server as well).

Hope this helps some.

kirtikjr 08-03-2011 07:37 AM

Well my aim was not exactly a passwordless login, but just an ssh, as our applications need ssh, getting a passsword prompt is ok. Even I tried to delete the entire .ssh directory and recreated the keys again (with -t rsa). No help.
The verbose output of ssh was obtained when I tried to self ssh an user in the same server.

I checked the /var/log/secure file. The last lines are:

Aug 3 01:03:57 itanium2 sshd[9400]: Accepted password for qa_fnp from ::ffff: port 40590 ssh2
Aug 3 01:03:57 itanium2 sshd[9401]: Accepted password for qa_fnp from ::ffff: port 40590 ssh2
Aug 3 01:03:57 itanium2 sshd[9402]: fatal: PAM session setup failed[28]: Module is unknown

I guess something is wrong with PAM settings
-bash-2.05b$ sudo cat /etc/pam.d/sshd
#auth include system-auth
#account required
#account include system-auth
#password include system-auth
#session optional force revoke
#session include system-auth
#session required
auth required service=system-auth
#auth required
account required service=system-auth
password required service=system-auth
session required service=system-auth
session required
session optional
session required

tronayne 08-03-2011 08:46 AM

It does look like it may be a PAM problem; however, PAM is not included with Slackware and I don't have any experience with it in any event so I'm afraid I can't really help you with PAM.

Something that itches back there in memory is that changing a system IP address can require regenerating keys. As in system keys and, possibly, keys for things like PAM? Not sure, could be way off base. The message about a missing module might be a hint -- either a module is completely missing or it's not selected in the set up (and, as I say, I'm not familiar with PAM)

Hopefully, somebody else can lend a hand.

anomie 08-03-2011 09:55 AM


Originally Posted by kirtikjr

Aug 3 01:03:57 itanium2 sshd[9402]: fatal: PAM session setup failed[28]: Module is unknown

Please post your /etc/pam.d/system-auth config (in code tags).

kirtikjr 08-04-2011 12:35 AM

Actually the issues were with PAM settings only. If u see the last line: session required
I tried to look in the /lib/security directory. file was not there.
I commented the last line in /etc/pam.d/sshd.
It worked.
Thanks to all

All times are GMT -5. The time now is 10:07 PM.