Under openssh-3.2.3p1 and openssh-3.3p1, enabling UsePrivilegeSeparation results in only root being able to log in. Under Digital UNIX 4.0F, regular users see "connection closed". With 5.1, a regular user sees the additional message: cannot set login uid 1000: error Not owner. Connection to foo closed by remote host. Sadly, sshd -d -d -d yields no clues. Turning off priv separation 'cures' this problem.
Are you sure? I have 3.3p1 running on 4.0D and 5.1 and I can connect as non-root.
Are you using Enhanced Security? I think that privsep should work in Base Security (but I don't have a box running Base to test). I am working on getting privsep working in Enhanced.
I'm running with base security.
Yeah, I'm sure that UsePrivilegeSeparation yes is the spanner in the works. Attached is the output from ssh -d -d -d for your perusal. First case is with UsePrivilegeSeparation no, second is with yes. Same results occur with 4.0F, as described earlier. # ./sshd -d -d -d debug3: Seeding PRNG from /sys/inet/ssh/libexec/ssh-rand-helper debug1: sshd version OpenSSH_3.3 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /sys/inet/ssh/etc/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug3: Not a RSA1 key file /sys/inet/ssh/etc/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #2 type 1 RSA debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug1: Server will not fork when running in debugging mode. Connection from 172.20.32.65 port 24513 debug1: Client protocol version 2.0; client software version OpenSSH_3.3 debug1: match: OpenSSH_3.3 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.3 debug1: list_hostkey_types: ssh-dss,ssh-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-dss,ssh-rsa debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: dh_gen_key: priv key bits set: 124/256 debug1: bits set: 1013/2049 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: bits set: 1069/2049 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user ajs service ssh-connection method none debug1: attempt 0 failures 0 debug2: input_userauth_request: setting up authctxt for ajs debug2: input_userauth_request: try method none Failed none for ajs from 172.20.32.65 port 24513 ssh2 debug1: userauth-request for user ajs service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: trying public key file /u/ajs/.ssh/authorized_keys debug3: secure_filename: checking '/u/ajs/.ssh' debug3: secure_filename: checking '/u/ajs' debug3: secure_filename: terminating check at '/u/ajs' debug1: matching key found: file /u/ajs/.ssh/authorized_keys, line 2 Found matching RSA key: 50:e9:c4:a3:1d:21:6d:97:79:48:54:3d:9a:7e:43:29 debug1: restore_uid debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for ajs from 172.20.32.65 port 24513 ssh2 debug1: userauth-request for user ajs service ssh-connection method publickey debug1: attempt 2 failures 1 debug2: input_userauth_request: try method publickey debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: trying public key file /u/ajs/.ssh/authorized_keys debug3: secure_filename: checking '/u/ajs/.ssh' debug3: secure_filename: checking '/u/ajs' debug3: secure_filename: terminating check at '/u/ajs' debug1: matching key found: file /u/ajs/.ssh/authorized_keys, line 2 Found matching RSA key: 50:e9:c4:a3:1d:21:6d:97:79:48:54:3d:9a:7e:43:29 debug1: restore_uid debug1: ssh_rsa_verify: signature correct debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa Accepted publickey for ajs from 172.20.32.65 port 24513 ssh2 debug1: Entering interactive session for SSH2. debug1: fd 3 setting O_NONBLOCK debug1: fd 8 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_pty_req: session 0 alloc /dev/pts/2 debug3: tty_parse_modes: SSH2 n_bytes 266 debug3: tty_parse_modes: ospeed 19200 debug3: tty_parse_modes: ispeed 19200 debug3: tty_parse_modes: 1 3 debug3: tty_parse_modes: 2 28 debug3: tty_parse_modes: 3 8 debug3: tty_parse_modes: 4 21 debug3: tty_parse_modes: 5 4 debug3: tty_parse_modes: 6 0 debug3: tty_parse_modes: 7 0 debug3: tty_parse_modes: 8 17 debug3: tty_parse_modes: 9 19 debug3: tty_parse_modes: 10 26 debug3: tty_parse_modes: 11 0 debug3: tty_parse_modes: 12 18 debug3: tty_parse_modes: 13 23 debug3: tty_parse_modes: 14 22 debug1: Ignoring unsupported tty mode opcode 16 (0x10) debug3: tty_parse_modes: 18 15 debug3: tty_parse_modes: 30 1 debug3: tty_parse_modes: 31 0 debug3: tty_parse_modes: 32 0 debug3: tty_parse_modes: 33 1 debug3: tty_parse_modes: 34 0 debug3: tty_parse_modes: 35 0 debug3: tty_parse_modes: 36 1 debug3: tty_parse_modes: 37 0 debug3: tty_parse_modes: 38 1 debug3: tty_parse_modes: 39 1 debug3: tty_parse_modes: 40 0 debug3: tty_parse_modes: 41 0 debug3: tty_parse_modes: 50 1 debug3: tty_parse_modes: 51 1 debug3: tty_parse_modes: 52 0 debug3: tty_parse_modes: 53 1 debug3: tty_parse_modes: 54 1 debug3: tty_parse_modes: 55 1 debug3: tty_parse_modes: 56 0 debug3: tty_parse_modes: 57 0 debug3: tty_parse_modes: 58 0 debug3: tty_parse_modes: 59 1 debug3: tty_parse_modes: 60 1 debug3: tty_parse_modes: 61 1 debug3: tty_parse_modes: 62 0 debug3: tty_parse_modes: 70 1 debug3: tty_parse_modes: 71 0 debug3: tty_parse_modes: 72 1 debug3: tty_parse_modes: 73 0 debug3: tty_parse_modes: 74 0 debug3: tty_parse_modes: 75 0 debug3: tty_parse_modes: 90 1 debug3: tty_parse_modes: 91 1 debug3: tty_parse_modes: 92 0 debug3: tty_parse_modes: 93 0 debug1: server_input_channel_req: channel 0 request x11-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req x11-req debug1: bind port 6010: Can't assign requested address debug1: fd 11 setting O_NONBLOCK debug2: fd 11 is O_NONBLOCK debug1: channel 1: new [X11 inet listener] debug1: server_input_channel_req: channel 0 request auth-agent-req@openssh.com reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req auth-agent-req@openssh.com debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: restore_uid debug1: fd 12 setting O_NONBLOCK debug2: fd 12 is O_NONBLOCK debug1: channel 2: new [auth socket] debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: fd 5 setting TCP_NODELAY debug1: channel 0: rfd 10 isatty debug1: fd 10 setting O_NONBLOCK debug2: fd 9 is O_NONBLOCK debug1: Setting controlling tty using TIOCSCTTY. debug1: Received SIGCHLD. debug1: session_by_pid: pid 133618 debug1: session_exit_message: session 0 channel 0 pid 133618 debug1: channel request 0: exit-status debug1: session_exit_message: release channel 0 debug1: channel 0: write failed debug1: channel 0: close_write debug1: channel 0: output open -> closed debug1: session_close: session 0 pid 133618 debug1: session_pty_cleanup: session 0 release /dev/pts/2 debug2: notify_done: reading debug1: channel 0: read<=0 rfd 10 len -1 debug1: channel 0: read failed debug1: channel 0: close_read debug1: channel 0: input open -> drain debug1: channel 0: ibuf empty debug1: channel 0: send eof debug1: channel 0: input drain -> closed debug1: channel 0: send close debug3: channel 0: will not send data after close debug1: channel 0: rcvd close debug3: channel 0: will not send data after close debug1: channel 0: is dead debug1: channel 0: garbage collecting debug1: channel_free: channel 0: server-session, nchannels 3 debug3: channel_free: status: The following connections are open: #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1) debug3: channel_close_fds: channel 0: r -1 w -1 e -1 Connection closed by remote host. debug1: channel_free: channel 1: X11 inet listener, nchannels 2 debug3: channel_free: status: The following connections are open: debug3: channel_close_fds: channel 1: r 11 w 11 e -1 debug1: channel_free: channel 2: auth socket, nchannels 1 debug3: channel_free: status: The following connections are open: debug3: channel_close_fds: channel 2: r 12 w 12 e -1 debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: restore_uid Closing connection to 172.20.32.65 # ./sshd -d -d -d debug3: Seeding PRNG from /sys/inet/ssh/libexec/ssh-rand-helper debug1: sshd version OpenSSH_3.3 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /sys/inet/ssh/etc/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #1 type 2 DSA debug3: Not a RSA1 key file /sys/inet/ssh/etc/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #2 type 1 RSA debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug1: Server will not fork when running in debugging mode. Connection from 172.20.32.65 port 24578 debug1: Client protocol version 2.0; client software version OpenSSH_3.3 debug1: match: OpenSSH_3.3 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.3 debug2: Network child is on pid 133718 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 903:903 debug1: list_hostkey_types: ssh-dss,ssh-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-dss,ssh-rsa debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 2048 8192 debug3: mm_request_send entering: type 1 debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: dh_gen_key: priv key bits set: 127/256 debug1: bits set: 1010/2049 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug1: bits set: 1057/2049 debug3: mm_key_sign entering debug3: mm_request_send entering: type 4 debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 5 debug3: mm_request_receive entering debug3: monitor_read: checking request 4 debug3: mm_answer_sign debug3: mm_answer_sign: signature 140053aa0(143) debug3: mm_request_send entering: type 5 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user ajs service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 6 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 7 debug3: mm_request_receive entering debug3: monitor_read: checking request 6 debug3: mm_answer_pwnamallow debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for ajs debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug2: input_userauth_request: try method none debug3: mm_auth2_read_banner entering debug3: mm_request_send entering: type 8 debug3: mm_request_receive_expect entering: type 9 debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 8 debug3: mm_request_send entering: type 9 debug2: monitor_read: 8 used once, disabling now debug3: mm_request_receive entering debug1: userauth_banner: sent debug3: mm_auth_password entering debug3: mm_request_send entering: type 10 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: monitor_read: checking request 10 debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 Failed none for ajs from 172.20.32.65 port 24578 ssh2 debug3: mm_request_receive entering debug3: mm_auth_password: user not authenticated Failed none for ajs from 172.20.32.65 port 24578 ssh2 debug1: userauth-request for user ajs service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: mm_key_allowed entering debug3: mm_request_send entering: type 20 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 21 debug3: mm_request_receive entering debug3: monitor_read: checking request 20 debug3: mm_answer_keyallowed entering debug3: mm_answer_keyallowed: key_from_blob: 14005c080 debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: trying public key file /u/ajs/.ssh/authorized_keys debug3: secure_filename: checking '/u/ajs/.ssh' debug3: secure_filename: checking '/u/ajs' debug3: secure_filename: terminating check at '/u/ajs' debug1: matching key found: file /u/ajs/.ssh/authorized_keys, line 2 Found matching RSA key: 50:e9:c4:a3:1d:21:6d:97:79:48:54:3d:9a:7e:43:29 debug1: restore_uid debug3: mm_answer_keyallowed: key 14005c080 is allowed debug3: mm_request_send entering: type 21 debug3: mm_request_receive entering debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Postponed publickey for ajs from 172.20.32.65 port 24578 ssh2 debug1: userauth-request for user ajs service ssh-connection method publickey debug1: attempt 2 failures 1 debug2: input_userauth_request: try method publickey debug3: mm_key_allowed entering debug3: mm_request_send entering: type 20 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 21 debug3: mm_request_receive entering debug3: monitor_read: checking request 20 debug3: mm_answer_keyallowed entering debug3: mm_answer_keyallowed: key_from_blob: 14005c1e0 debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: trying public key file /u/ajs/.ssh/authorized_keys debug3: secure_filename: checking '/u/ajs/.ssh' debug3: secure_filename: checking '/u/ajs' debug3: secure_filename: terminating check at '/u/ajs' debug1: matching key found: file /u/ajs/.ssh/authorized_keys, line 2 Found matching RSA key: 50:e9:c4:a3:1d:21:6d:97:79:48:54:3d:9a:7e:43:29 debug1: restore_uid debug3: mm_answer_keyallowed: key 14005c1e0 is allowed debug3: mm_request_send entering: type 21 debug3: mm_request_receive entering debug3: mm_key_verify entering debug3: mm_request_send entering: type 22 debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY debug3: mm_request_receive_expect entering: type 23 debug3: mm_request_receive entering debug3: monitor_read: checking request 22 debug1: ssh_rsa_verify: signature correct debug3: mm_answer_keyverify: key 14004eee0 signature verified debug3: mm_request_send entering: type 23 Accepted hostbased for ajs from 172.20.32.65 port 24578 ssh2 debug1: monitor_child_preauth: ajs has been authenticated by privileged process debug3: mm_get_keystate: Waiting for new keys debug3: mm_request_receive_expect entering: type 24 debug3: mm_request_receive entering debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa Accepted publickey for ajs from 172.20.32.65 port 24578 ssh2 debug3: mm_send_keystate: Sending new keys: 14004ed80 14004ec80 debug3: mm_newkeys_to_blob: converting 14004ed80 debug3: mm_newkeys_to_blob: converting 14004ec80 debug3: mm_send_keystate: New keys have been sent debug3: mm_send_keystate: Sending compression state debug3: mm_request_send entering: type 24 debug3: mm_send_keystate: Finished sending state debug3: mm_newkeys_from_blob: 140054220(122) debug2: mac_init: found hmac-md5 debug3: mm_get_keystate: Waiting for second key debug3: mm_newkeys_from_blob: 140054040(122) debug2: mac_init: found hmac-md5 debug3: mm_get_keystate: Getting compression state debug3: mm_get_keystate: Getting Network I/O buffers debug3: mm_share_sync: Share sync debug3: mm_share_sync: Share sync end debug2: User child is on pid 133720 debug3: mm_request_receive entering debug1: newkeys: mode 0 debug1: newkeys: mode 1 debug1: Entering interactive session for SSH2. debug1: fd 8 setting O_NONBLOCK debug1: fd 9 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug3: mm_request_send entering: type 25 debug3: monitor_read: checking request 25 debug3: mm_answer_pty entering debug1: session_new: init debug1: session_new: session 0 debug3: mm_request_send entering: type 26 debug3: Trying to reverse map address 172.20.32.65. debug3: mm_pty_allocate: waiting for MONITOR_ANS_PTY debug3: mm_request_receive_expect entering: type 26 debug3: mm_request_receive entering debug1: session_pty_req: session 0 alloc /dev/pts/2 debug3: tty_parse_modes: SSH2 n_bytes 266 debug3: tty_parse_modes: ospeed 19200 debug3: tty_parse_modes: ispeed 19200 debug3: tty_parse_modes: 1 3 debug3: tty_parse_modes: 2 28 debug3: tty_parse_modes: 3 8 debug3: tty_parse_modes: 4 21 debug3: tty_parse_modes: 5 4 debug3: tty_parse_modes: 6 0 debug3: tty_parse_modes: 7 0 debug3: tty_parse_modes: 8 17 debug3: tty_parse_modes: 9 19 debug3: tty_parse_modes: 10 26 debug3: tty_parse_modes: 11 0 debug3: tty_parse_modes: 12 18 debug3: tty_parse_modes: 13 23 debug3: tty_parse_modes: 14 22 debug1: Ignoring unsupported tty mode opcode 16 (0x10) debug3: tty_parse_modes: 18 15 debug3: tty_parse_modes: 30 1 debug3: tty_parse_modes: 31 0 debug3: tty_parse_modes: 32 0 debug3: tty_parse_modes: 33 1 debug3: tty_parse_modes: 34 0 debug3: tty_parse_modes: 35 0 debug3: tty_parse_modes: 36 1 debug3: tty_parse_modes: 37 0 debug3: tty_parse_modes: 38 1 debug3: tty_parse_modes: 39 1 debug3: tty_parse_modes: 40 0 debug3: tty_parse_modes: 41 0 debug3: tty_parse_modes: 50 1 debug3: tty_parse_modes: 51 1 debug3: tty_parse_modes: 52 0 debug3: tty_parse_modes: 53 1 debug3: tty_parse_modes: 54 1 debug3: tty_parse_modes: 55 1 debug3: tty_parse_modes: 56 0 debug3: tty_parse_modes: 57 0 debug3: tty_parse_modes: 58 0 debug3: tty_parse_modes: 59 1 debug3: tty_parse_modes: 60 1 debug3: mm_answer_pty: tty /dev/pts/2 ptyfd 3 debug3: mm_request_receive entering debug3: tty_parse_modes: 61 1 debug3: tty_parse_modes: 62 0 debug3: tty_parse_modes: 70 1 debug3: tty_parse_modes: 71 0 debug3: tty_parse_modes: 72 1 debug3: tty_parse_modes: 73 0 debug3: tty_parse_modes: 74 0 debug3: tty_parse_modes: 75 0 debug3: tty_parse_modes: 90 1 debug3: tty_parse_modes: 91 1 debug3: tty_parse_modes: 92 0 debug3: tty_parse_modes: 93 0 debug1: server_input_channel_req: channel 0 request x11-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req x11-req debug1: bind port 6010: Can't assign requested address debug1: fd 12 setting O_NONBLOCK debug2: fd 12 is O_NONBLOCK debug1: channel 1: new [X11 inet listener] debug1: server_input_channel_req: channel 0 request auth-agent-req@openssh.com reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req auth-agent-req@openssh.com debug1: temporarily_use_uid: 1000/1000 (e=1000) debug1: restore_uid debug1: fd 13 setting O_NONBLOCK debug2: fd 13 is O_NONBLOCK debug1: channel 2: new [auth socket] debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: fd 5 setting TCP_NODELAY debug1: channel 0: rfd 11 isatty debug1: fd 11 setting O_NONBLOCK debug2: fd 10 is O_NONBLOCK debug1: Setting controlling tty using TIOCSCTTY. debug3: monitor_read: checking request 27 debug3: mm_answer_pty_cleanup entering debug1: session_by_tty: session 0 tty /dev/pts/2 debug3: mm_session_close: session 0 pid 133720 debug3: mm_session_close: tty /dev/pts/2 ptyfd 3 debug1: session_pty_cleanup: session 0 release /dev/pts/2 debug3: mm_request_receive entering Connection closed by remote host. debug1: channel_free: channel 0: server-session, nchannels 3 debug3: channel_free: status: The following connections are open: #0 server-session (t4 r0 i0/1037 o0/0 fd 11/10) debug3: channel_close_fds: channel 0: r 11 w 10 e -1 debug1: channel_free: channel 1: X11 inet listener, nchannels 2 debug3: channel_free: status: The following connections are open: debug3: channel_close_fds: channel 1: r 12 w 12 e -1 debug1: channel_free: channel 2: auth socket, nchannels 1 debug3: channel_free: status: The following connections are open: debug3: channel_close_fds: channel 2: r 13 w 13 e -1 debug1: session_close: session 0 pid 133721 debug3: mm_request_send entering: type 27 debug3: monitor_read: checking request 27 debug3: mm_answer_pty_cleanup entering debug1: session_by_tty: unknown tty /dev/pts/2 debug1: dump: used 0 session 0 140040488 channel -1 pid 133720 debug1: dump: used 0 session 0 140040650 channel 0 pid 0 debug1: dump: used 0 session 0 140040818 channel 0 pid 0 debug1: dump: used 0 session 0 1400409e0 channel 0 pid 0 debug1: dump: used 0 session 0 140040ba8 channel 0 pid 0 debug1: dump: used 0 session 0 140040d70 channel 0 pid 0 debug1: dump: used 0 session 0 140040f38 channel 0 pid 0 debug1: dump: used 0 session 0 140041100 channel 0 pid 0 debug1: dump: used 0 session 0 1400412c8 channel 0 pid 0 debug1: dump: used 0 session 0 140041490 channel 0 pid 0 debug3: mm_request_receive entering debug1: Received SIGCHLD. debug1: temporarily_use_uid: 1000/1000 (e=1000) debug1: restore_uid Closing connection to 172.20.32.65 debug3: mm_request_send entering: type 38 debug3: monitor_read: checking request 38 debug3: mm_answer_term: tearing down sessions
I get this too with 4.0F and SSH1. I can log into the server as root (as long as root logins are allowed), but with privsep on I can't log in as other users. The connection just gets closed. Debug ssh client: OpenSSH_3.3, SSH protocols 1.5/2.0, OpenSSL 0x0090602f debug1: Reading configuration data /home/jss/.ssh/config debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to xalph2 [131.111.68.136] port 22. debug1: Connection established. debug1: identity file /home/jss/.ssh/identity type 0 debug1: identity file /home/jss/.ssh/id_rsa type -1 debug1: identity file /home/jss/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.3 debug1: match: OpenSSH_3.3 pat OpenSSH* debug1: Local version string SSH-1.5-OpenSSH_3.3 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). debug1: Host 'xalph2' is known and matches the RSA1 host key. debug1: Found key in /etc/ssh/ssh_known_hosts:150 debug1: Encryption type: blowfish debug1: Sent encrypted session key. debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. debug1: Trying RSA authentication with key '/home/jss/.ssh/identity' debug1: Received RSA challenge from server. debug1: Sending response to host key RSA challenge. debug1: Remote: RSA authentication accepted. debug1: RSA authentication accepted by server. debug1: Requesting pty. debug1: Requesting X11 forwarding with authentication spoofing. debug1: fd 3 setting TCP_NODELAY debug1: Requesting shell. debug1: Entering interactive session. Connection to xalph2 closed by remote host. Connection to xalph2 closed. debug1: Transferred: stdin 0, stdout 0, stderr 75 bytes in 0.0 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 15191.4 debug1: Exit status -1 On the server: [root@xalph2 /var]# /usr/sbin/sshd -d debug1: sshd version OpenSSH_3.3 debug1: private host key: #0 type 0 RSA1 debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 131.111.68.219 port 33065 debug1: Client protocol version 1.5; client software version OpenSSH_3.3 debug1: match: OpenSSH_3.3 pat OpenSSH* debug1: Local version string SSH-1.99-OpenSSH_3.3 debug1: Rhosts Authentication disabled, originating port 33065 not trusted. debug1: Sent 768 bit server key and 1024 bit host key. debug1: Encryption type: blowfish debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug1: Attempting authentication for jss. Failed none for jss from 131.111.68.219 port 33065 debug1: temporarily_use_uid: 914/15 (e=0) debug1: trying public RSA key file /home/jss/.ssh/authorized_keys debug1: restore_uid Accepted rsa for jss from 131.111.68.219 port 33065 debug1: : jss has been authenticated by privileged process Found matching RSA1 key: d3:a3:b2:69:3e:e8:db:21:9a:8d:d0:83:ea:d4:e4:b4 Accepted rsa for jss from 131.111.68.219 port 33065 debug1: session_new: init debug1: session_new: session 0 debug1: Installing crc compensation attack detector. debug1: Allocating pty. debug1: session_new: init debug1: session_new: session 0 debug1: session_pty_req: session 0 alloc /dev/ttyp3 debug1: bind port 6010: Address already in use debug1: bind port 6011: Address already in use debug1: bind port 6012: Address already in use debug1: fd 10 setting O_NONBLOCK debug1: channel 0: new [X11 inet listener] debug1: fd 4 setting TCP_NODELAY debug1: Entering interactive session. debug1: fd 7 setting O_NONBLOCK debug1: fd 12 setting O_NONBLOCK debug1: fd 13 setting O_NONBLOCK debug1: server_init_dispatch_13 debug1: server_init_dispatch_15 debug1: Setting controlling tty using TIOCSCTTY. debug1: session_by_tty: session 0 tty /dev/ttyp3 debug1: session_pty_cleanup: session 0 release /dev/ttyp3 Connection closed by remote host. debug1: Calling cleanup 0x120064bcc(0x0) debug1: channel_free: channel 0: X11 inet listener, nchannels 1 debug1: Calling cleanup 0x12004fab0(0x140030ce8) debug1: Calling cleanup 0x120056f50(0x0) : unpermitted request 27 debug1: Calling cleanup 0x120056f50(0x0) In /var/adm/syslogs.dated/current: Jun 25 17:46:41 xalph2 sshd[13114]: Accepted rsa for jss from 131.111.68.219 port 33087 Jun 25 17:46:42 xalph2 sshd[13120]: audgen(LOGIN): Permission denied Jun 25 17:46:42 xalph2 sshd[13120]: fatal: Couldn't establish session for jss from xpc1.ast.cam.ac.uk Jun 25 17:46:43 xalph2 sshd[13109]: fatal: : unpermitted request 27 Jun 25 17:46:52 xalph2 sshd[13114]: fatal: : unpermitted request 27
Same thing here. Tru64 4.0F. Same syslog messages, UsePrivilegeSeparation no fixes the problem. openssh-3.3p1
Same problem with 3.4p1.
The platform was not tagged to set 'BROKEN_FD_PASSING' after ./configure go into config.h and grep for it and set it. It is a temporary work around. Something that was regretfully missed. A full solution needs to be forth coming from the OSF/1 user/developers. Summary of issue: The issue is by time do_child() is ran when PrivSep is enabled it has lost root access and therefor can not set the SIA security information. For this to be correctly fixed one has to pre-allocate the TTY *BEFORE* root privs are dropped. This is a massive hack. And needs someone willing to look at the problem to solve.
*** Bug 319 has been marked as a duplicate of this bug. ***
*** Bug 353 has been marked as a duplicate of this bug. ***
Current test patch is at: http://www.eviladmin.org/~mouring/sia-privsep If there are still problems please ensure they get posted to the OpenSSH-unix- dev@ list. I'm looking at a commit time of a week and half from today.
*** Bug 429 has been marked as a duplicate of this bug. ***
Can this bug be closed? The ChangeLog seems to indicate that it's been addressed. 20030320 [snip] - (bal) Disable Privsep for Tru64 after pre-authentication due to issues with SIA. Also, clean up of tru64 support patch by Chris Adams <cmadams@hiwaay.net>
I would not claim this is a 'fix'. It is hack because the Tru64 SIA implement expects too much. =( But since no one can get a correct solution to work. Then I guess it will end up being the solution...