Bug 837

Summary:

connection closed by remote host

Product:

Portable OpenSSH

Reporter:

godfrey.anderson

Component:

ssh

Assignee:

OpenSSH Bugzilla mailing list <openssh-bugs>

Status:

CLOSED FIXED

Severity:

normal

Priority:

Version:

-current

Hardware:

SPARC

OS:

Solaris

Attachments:

Description	Flags
output of sshd in debug mode & sshd_config file	none
Content of pam.conf file on problem server	none

Description godfrey.anderson 2004-04-08 04:41:07 AEST

Hi,

I am using OpenSSH_3.4p1 on Solaris 8 systems to implement password less logins 
between two servers.

I have created a public/private key from one account on server HostA., I have 
then copied the "id_rsa_pub" key to a user account on hostB.
in directory $HOME/.ssh, the permission of the authorized_keys file set 
with "chmod 600 authorized_keys", the .ssh directory is set to 700 by chmod,
the $HOME directory permisions is also set to 755.

When I try to connect using the command "ssh -l usernameA HostB" I receive the 
following messages:

Connection to unixs348 closed by remote host.
Connection to unixs348 closed.

The connection was NOT successful

I have taken the same "id_rsa.pub" file and tried it under a second account  on 
HostB,with exactly the same permissions setup as above, and the 
command  "ssh -l usernameB HostB"  from HostA completes SUCCESSFULLY.

I have created public/private keys for passwordless logins on many of our 
servers,  setup in exactly the same way, I have no idea why the 
ssh connection failes on one userid and is successful on the next, can anyone 
shed some light on this for me,

Thanks in advance for any help.....


Godfrey

Here is the debug output of the failed connection attempt using usernameA:

OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to unixs348 [10.66.71.25] port 22.
debug1: Connection established.
debug1: identity file /export/home/etl_ops/.ssh/identity type -1
debug3: Not a RSA1 key file /export/home/etl_ops/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file /export/home/etl_ops/.ssh/id_rsa type 1
debug1: identity file /export/home/etl_ops/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-
group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-
group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 1567/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /export/home/etl_ops/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /export/home/etl_ops/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'unixs348' is known and matches the RSA host key.
debug1: Found key in /export/home/etl_ops/.ssh/known_hosts:1
debug1: bits set: 1577/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug3: input_userauth_banner
debug1: authentications that can continue: publickey,password,keyboard-
interactive
debug3: start over, passed a different list publickey,password,keyboard-
interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: 
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /export/home/etl_ops/.ssh/identity
debug3: no such identity: /export/home/etl_ops/.ssh/identity
debug1: try pubkey: /export/home/etl_ops/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 110948 hint 1
debug2: input_userauth_pk_ok: fp 61:ff:c1:f1:05:24:73:8d:8b:63:e0:4b:db:68:3e:61
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug1: ssh-userauth2 successful: method publickey
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug1: channel_free: channel 0: client-session, nchannels 1
debug3: channel_free: status: The following connections are open:
  #0 client-session (t3 r-1 i0/0 o0/0 fd 5/6)

debug3: channel_close_fds: channel 0: r 5 w 6 e 7
Connection to unixs348 closed by remote host.
Connection to unixs348 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 79 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 1603.7
debug1: Exit status -1
etl_ops@unixs352:/export/home/etl_ops/.ssh$ 


Here is the result of the same command on the successful attempt using 
usernameB:

OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to unixs348 [10.66.71.25] port 22.
debug1: Connection established.
debug1: identity file /export/home/etl_ops/.ssh/identity type -1
debug3: Not a RSA1 key file /export/home/etl_ops/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file /export/home/etl_ops/.ssh/id_rsa type 1
debug1: identity file /export/home/etl_ops/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-
group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-
group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-
cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 127/256
debug1: bits set: 1577/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /export/home/etl_ops/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /export/home/etl_ops/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'unixs348' is known and matches the RSA host key.
debug1: Found key in /export/home/etl_ops/.ssh/known_hosts:1
debug1: bits set: 1564/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug3: input_userauth_banner
debug1: authentications that can continue: publickey,password,keyboard-
interactive
debug3: start over, passed a different list publickey,password,keyboard-
interactive
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred: 
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /export/home/etl_ops/.ssh/identity
debug3: no such identity: /export/home/etl_ops/.ssh/identity
debug1: try pubkey: /export/home/etl_ops/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 110948 hint 1
debug2: input_userauth_pk_ok: fp 61:ff:c1:f1:05:24:73:8d:8b:63:e0:4b:db:68:3e:61
debug3: sign_and_send_pubkey
debug1: read PEM private key done: type RSA
debug1: ssh-userauth2 successful: method publickey
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug3: tty_make_modes: ospeed 9600
debug3: tty_make_modes: ispeed 0
debug3: tty_make_modes: 1 3
debug3: tty_make_modes: 2 28
debug3: tty_make_modes: 3 8
debug3: tty_make_modes: 4 21
debug3: tty_make_modes: 5 4
debug3: tty_make_modes: 6 0
debug3: tty_make_modes: 7 0
debug3: tty_make_modes: 8 17
debug3: tty_make_modes: 9 19
debug3: tty_make_modes: 10 26
debug3: tty_make_modes: 11 25
debug3: tty_make_modes: 12 18
debug3: tty_make_modes: 13 23
debug3: tty_make_modes: 14 22
debug3: tty_make_modes: 16 0
debug3: tty_make_modes: 18 15
debug3: tty_make_modes: 30 0
debug3: tty_make_modes: 31 0
debug3: tty_make_modes: 32 0
debug3: tty_make_modes: 33 0
debug3: tty_make_modes: 34 0
debug3: tty_make_modes: 35 0
debug3: tty_make_modes: 36 1
debug3: tty_make_modes: 37 0
debug3: tty_make_modes: 38 1
debug3: tty_make_modes: 39 0
debug3: tty_make_modes: 40 0
debug3: tty_make_modes: 41 1
debug3: tty_make_modes: 50 1
debug3: tty_make_modes: 51 1
debug3: tty_make_modes: 52 0
debug3: tty_make_modes: 53 1
debug3: tty_make_modes: 54 1
debug3: tty_make_modes: 55 1
debug3: tty_make_modes: 56 0
debug3: tty_make_modes: 57 0
debug3: tty_make_modes: 58 0
debug3: tty_make_modes: 59 1
debug3: tty_make_modes: 60 1
debug3: tty_make_modes: 61 1
debug3: tty_make_modes: 62 0
debug3: tty_make_modes: 70 1
debug3: tty_make_modes: 71 0
debug3: tty_make_modes: 72 1
debug3: tty_make_modes: 73 0
debug3: tty_make_modes: 74 0
debug3: tty_make_modes: 75 0
debug3: tty_make_modes: 90 1
debug3: tty_make_modes: 91 1
debug3: tty_make_modes: 92 0
debug3: tty_make_modes: 93 0
debug1: channel request 0: shell
debug1: fd 4 setting TCP_NODELAY
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
Last login: Wed Apr  7 10:54:16 2004 from 10.1.40.123

Comment 1 Darren Tucker 2004-04-08 10:44:11 AEST

3.4p1 is quite old, and you reproduce with 3.8p1?

Either way, the information most likely to to show what's going on is will be in
the server-side debugging.  Try:
# /path/to/sshd -ddd -p 2222
then connect with
$ ssh -p 2022 yourhost

then attach (note: use "create new attachment", do not paste into the text
fields) the output of sshd on your failing host.

Comment 2 godfrey.anderson 2004-04-09 01:34:12 AEST

Created attachment 599 [details]
output of sshd in debug mode & sshd_config file

Here is the output from the sshd -ddd -p 2222 command.
Note, that I have disguised my IP addresses, as I should have done when I first
submitted the bug.

The content of my sshd_config file is also included.

Comment 3 Darren Tucker 2004-04-13 19:06:32 AEST

Comment on attachment 599 [details]
output of sshd in debug mode & sshd_config file

>debug1: PAM establishing creds
>setuid 231: Not owner

OK, it looks like it's blowing up inside pam_setcred().  I'm pretty sure that's
been fixed in 3.8p1, please try that (note that you'll need to put "UsePAM yes"
and "PasswordAuthentication no" into your sshd_config).

If that doesn't fix it, what modules do you have in your PAM sshd stack?

Comment 4 godfrey.anderson 2004-04-14 04:21:44 AEST

Created attachment 601 [details]
Content of pam.conf file on problem server

Please find attached the content of the pam.conf file on the problem server.
It is identical to other pam.conf file on servers with the same version of
openssh.

The sshd_config config file is already setup to use PAM with the parameter 
"PAMAuthenticationViaKbdInt"  set to "yes", I am told is equivalent to
using "UsePAM yes".

Unfortunately the server is question is a Production server in
a sensitive environment, so installing a new version of openssh
is not an option open to me at this time.

Comment 5 Darren Tucker 2004-04-14 12:13:41 AEST

PAMAuthenticationViaKbdInt isn't equivalent to UsePAM, but the difference
probably isn't going to matter in this case.

This is probably caused by the same thing as bug #789.  The patches in that bug
are quite simple, so you can probably apply those to 3.4p1 with minimal hassle
(you will need both attachments #537 and #547).

BTW I hope you have applied the buffer patch to your 3.4p1:
http://www.openssh.com/txt/buffer.adv

Comment 6 Darren Tucker 2004-05-07 10:32:41 AEST

Closing this bug: it's an old OpenSSH version, a patch is available and the
issue is believed fixed in 3.8.1p1.  Please reopen if you can reproduce the
problem on 3.8.1p1.