
lilmike 08-16-2011 06:08 PM

ssh no longer works after upgrade from ubuntu 10.10 server to 11.04
 
Hi,
I upgraded to ubuntu server 11.04 a while back, and ever since then the ssh does not work. For example, if I try to log in it seems to take my credentials but immediately kicks me off. Further looking in the log shows pam_open_session() module is unknown. I do remember it asking to upgrade some /etc/security/something.conf file, so maybe that has something to do with it. I have no clue how to fix this, and for now I'm stuck using my host's out of band access (and no sftp or scp either). Any help is appreciated.
Thanks,
-Michael.

jschiwal 08-16-2011 06:14 PM

Moved: This thread is more suitable in Ubuntu and has been moved accordingly to help your question get the exposure it deserves.

jschiwal 08-16-2011 06:22 PM

From the pam_open_session manpage:
Quote:

The pam_open_session function sets up a user session for a previously successful authenticated user.

I don't think you have the full picture. Could you provide more information on how you are logging in? Are you trying to log into your regular user account? Do you use public key authentication?

Try logging in using the -vv option to provide better debugging messages on the client side. It will show messages from both the client and the server.

lilmike 08-17-2011 11:35 AM

Hi,
To answer your questions:
I am using simply user/password authentication, and I am logging into a user account I could access since I created the server (until this upgrade).
I will try using the option you mention (if I can figure out how to get it working :)) and let you know what happens.
Thanks,
-Michael.

lilmike 08-18-2011 10:29 PM

Hi,
As requested, here is the output from ssh -vv (with output censored to protect my server :)).
Quote:

OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to mydomain.com [w.x.y.z] port 22.
debug1: Connection established.
debug1: identity file /home/somebody/.ssh/id_rsa type -1
debug1: identity file /home/somebody/.ssh/id_rsa-cert type -1
debug1: identity file /home/somebody/.ssh/id_dsa type -1
debug1: identity file /home/somebody/.ssh/id_dsa-cert type -1
debug1: identity file /home/somebody/.ssh/id_ecdsa type -1
debug1: identity file /home/somebody/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p1 Debian-1ubuntu3
debug1: match: OpenSSH_5.8p1 Debian-1ubuntu3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa...00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA c9:e2:87:53:b1:1b:8b:39:d1:3b:5f:eb:15:82:26:e0
debug1: Host 'mydomain.com' is known and matches the RSA host key.
debug1: Found key in /home/somebody/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/somebody/.ssh/id_rsa ((nil))
debug2: key: /home/somebody/.ssh/id_dsa ((nil))
debug2: key: /home/somebody/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/somebody/.ssh/id_rsa
debug1: Trying private key: /home/somebody/.ssh/id_dsa
debug1: Trying private key: /home/somebody/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to mydomain.com ([w.x.y.z]:22).
debug2: fd 5 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: fd 3 setting TCP_NODELAY
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.39.1-linode34 i686)

* Documentation: https://help.ubuntu.com/
You have new mail.
Last login: Thu Aug 18 22:17:15 2011 from li59-247.members.linode.com debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug1: fd 1 clearing O_NONBLOCK
Connection to mydomain.com closed.
Transferred: sent 2008, received 2056 bytes, in 0.1 seconds
Bytes per second: sent 23840.9, received 24410.8
debug1: Exit status 254

Hope someone can help.
-Michael.

jschiwal 08-24-2011 03:40 AM

The SSH connection is being established. You are even getting the 'issue' message. Could you check the kernel messages at the same time on the server? A failure with PAM may post a message there. Also look in /etc/security/ and the PAM config files for files with .new at the end which sometimes indicate recommended changes after a package is updated, but the old one may contain lines you need to retain.

I had a problem with SSH after installing a new version of openSuSE. I needed to precede a path in sshd_config with %h/, which I hadn't needed before.

Entering a portion of your error message exactly, inside double quotes, in a Google search may return results useful in finding a solution.

lilmike 08-29-2011 09:02 PM

Hi,
I looked in many places, including /var/log/syslog, /var/log/kern.log, /var/log/auth.log, and a couple of others. I found nothing more noticeable than I found before, namely that pam says "pam_open_session(), module is unknown".
Thanks,
-Michael.

jschiwal 09-03-2011 07:00 AM

I looked in the manpage for "pam_open_session". It is a function and not a module. You might want to check your pam configuration and make sure you have all your files. Could you post your common-session and sshd files in /etc/pam.d/?

Start with the sshd file. Make sure you have the .so files mentioned in /etc/security.
For example:
Code:

#%PAM-1.0
auth    requisite      pam_nologin.so
auth    include        common-auth
account  requisite      pam_nologin.so
account  include        common-account
password include        common-password
session  required      pam_loginuid.so
session  include        common-session
session  optional      pam_lastlog.so  silent noupdate showfailed

In this example, the pam modules pam_nologin.so, pam_loginuid.so and pam_lastlog.so are used. The common-auth, common-account, common-password and common-session files are pam config files in /etc/pam.d/ that may also use different pam modules.
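
One way to run the check described in the post above: walk a service file such as /etc/pam.d/sshd together with the files it includes, and report every module whose .so file is absent from the module directories. This is an added example, not code from the thread; the function names and the directory arguments (including /lib/*/security for multiarch layouts) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report PAM modules that a service file
# references but that exist in none of the given module directories.

# pam_modules FILE PAMDIR: print the module named on every rule in FILE,
# following "include"/"substack" controls and Debian-style "@include" lines.
pam_modules() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    while read -r type control rest || [ -n "$type" ]; do
        case $type in ''|'#'*) continue ;; esac      # blank line or comment
        if [ "$type" = "@include" ]; then
            pam_modules "$2/$control" "$2"; continue
        fi
        case $control in
            include|substack)
                pam_modules "$2/${rest%%[[:space:]]*}" "$2"; continue ;;
            \[*\]) ;;                        # one-word [value=action] control
            \[*) rest=${rest#*\]}            # multi-word control: skip past "]"
                 rest=${rest#"${rest%%[![:space:]]*}"} ;;
        esac
        echo "${rest%%[[:space:]]*}"         # first word left is the module
    done < "$1"
}

# missing_pam_modules SERVICE_FILE PAMDIR MODDIR...: print "MISSING <module>"
# for each referenced module found in no MODDIR; return 1 if any is missing.
missing_pam_modules() {
    svc=$1 pamdir=$2; shift 2
    missing=0
    for m in $(pam_modules "$svc" "$pamdir" | sort -u); do
        found=no
        case $m in
            /*) [ -e "$m" ] && found=yes ;;  # rule gives an absolute path
            *)  for d in "$@"; do [ -e "$d/$m" ] && found=yes; done ;;
        esac
        [ "$found" = yes ] || { echo "MISSING $m"; missing=1; }
    done
    return $missing
}

# Example invocation on the server (the directory list is an assumption):
#   sh check.sh /etc/pam.d/sshd /etc/pam.d /lib/security /lib64/security /lib/*/security
if [ "$#" -ge 3 ]; then
    missing_pam_modules "$@"
fi
```

Any line printed as MISSING names a module that a session, auth, account or password rule will fail to load, which is the condition PAM logs as "module is unknown".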

lilmike 09-04-2011 02:43 PM

Hi,
If you mean that the *.so files mentioned in /etc/pam.d/sshd should be in the directory /etc/security/, there are absolutely no *.so files there. I also looked in /lib/security, and there was only pam_mysql.so in there.
Thanks,
-Michael.

jschiwal 09-07-2011 01:28 AM

The pam .so libraries are in /lib/security or /lib64/security.

lilmike 09-08-2011 05:40 PM

Hi,
I looked in /lib/security and all that is there with a .so extension is pam-mysql.so. I don't see anything listed in sshd there. As for lib64/security, it doesn't even exist (I am running a 32 version of ubuntu, however).
Hth,
-Michael.

jschiwal 09-08-2011 08:33 PM

Check your package manager to see what files should be supplied with the base PAM packages. The pam_unix2 module should be supplied. It's one that is always used to log in as far as I know.

