Hi David, Telnet to chi-vm-4.isi.edu at port 22 shows:
$ telnet chi-vm-4.isi.edu 22 Trying 128.9.136.106... Connected to chi-vm-4.isi.edu (128.9.136.106). Escape character is '^]'. SSH-2.0-OpenSSH_4.3 It would mean that you don't use GSISSH server otherwise you would get something like: SSH-2.0-OpenSSH_5.0p1-hpn13v1 NCSA_GSSAPI_GPT_4.3 GSI Regards, Lukasz On Mar 24, 2010, at 6:17 PM, David Smith wrote: > Hi Jim, > > I checked for the different issues in the error messages in the server log > when debugging, and I didn't see any of them mentioned for my user's login. > > I'm wondering if this message is indicating the failure of the client to > present an authentication method? > > debug2: input_userauth_request: try method none > > Here's the grid-proxy-init output: > > [r...@chi-vm-4 ~]# grid-proxy-init -debug -verify -cert > /etc/grid-security/hostcert.pem -key /etc/grid-security/hostkey.pem > > User Cert File: /etc/grid-security/hostcert.pem > User Key File: /etc/grid-security/hostkey.pem > > Trusted CA Cert Dir: /etc/grid-security/certificates > > Output File: /tmp/x509up_u0 > Your identity: /C=US/O=Biomedical Informatics Research Network > (BIRN)/CN=host/chi-vm-4.isi.edu > Creating proxy .........++++++++++++ > .......++++++++++++ > Done > Proxy Verify OK > Your proxy is valid until: Thu Mar 25 03:43:54 2010 > > Server debug output: > > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: Client protocol version 2.0; > client software version OpenSSH_5.2p1-hpn13v6 GLOBUS_GSSAPI_GPT_4.7 GSI > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: match: OpenSSH_5.2p1-hpn13v6 > GLOBUS_GSSAPI_GPT_4.7 GSI pat OpenSSH* > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: Enabling compatibility mode for > protocol 2.0 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: Local version string > SSH-2.0-OpenSSH_4.3 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: fd 3 setting O_NONBLOCK > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: list_hostkey_types: > ssh-rsa,ssh-dss > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: SSH2_MSG_KEXINIT sent > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: SSH2_MSG_KEXINIT received > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > ssh-rsa,ssh-dss > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > none,[email protected] > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > none,[email protected] > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > first_kex_follows 0 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: reserved 0 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > ssh-rsa,ssh-dss,null > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > none,[email protected],zlib > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > none,[email protected],zlib > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: > first_kex_follows 0 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_parse_kexinit: reserved 0 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: mac_init: found hmac-md5 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: kex: client->server aes128-ctr > hmac-md5 none > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: mac_init: found hmac-md5 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: kex: server->client aes128-ctr > hmac-md5 none > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: SSH2_MSG_KEX_DH_GEX_REQUEST > received > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: dh_gen_key: priv key bits set: > 129/256 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: bits set: 516/1024 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: expecting > SSH2_MSG_KEX_DH_GEX_INIT > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: bits set: 495/1024 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: kex_derive_keys > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: set_newkeys: mode 1 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: SSH2_MSG_NEWKEYS sent > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: expecting SSH2_MSG_NEWKEYS > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: set_newkeys: mode 0 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: SSH2_MSG_NEWKEYS received > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: KEX done > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: userauth-request for user > smithd service ssh-connection method none > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: attempt 0 failures 0 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: input_userauth_request: setting > up authctxt for smithd > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: PAM: initializing for "smithd" > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug3: Normalising mapped IPv4 in IPv6 > address > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug3: Trying to reverse map address > 128.9.136.191. > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: PAM: setting PAM_RHOST to > "chi-vm-26.isi.edu" > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: PAM: setting PAM_TTY to "ssh" > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: input_userauth_request: try > method none > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug3: Normalising mapped IPv4 in IPv6 > address > Mar 24 16:01:56 chi-vm-4 sshd[12130]: Failed none for smithd from > 128.9.136.191 port 32828 ssh2 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: userauth-request for user > smithd service ssh-connection method gssapi-with-mic > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: attempt 1 failures 1 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug2: input_userauth_request: try > method gssapi-with-mic > Mar 24 16:01:56 chi-vm-4 sshd[12130]: Failed gssapi-with-mic for smithd from > 128.9.136.191 port 32828 ssh2 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: Connection closed by 128.9.136.191 > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: do_cleanup > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug1: PAM: cleanup > Mar 24 16:01:56 chi-vm-4 sshd[12130]: debug3: PAM: sshpam_thread_cleanup > entering > > > Jim Basney wrote: >> Hi David, >> >> It appears the server is rejecting the authentication. >> What is the server-side output? >> http://grid.ncsa.illinois.edu/ssh/ts_server.html >> >> -Jim >> >> On 3/24/10 4:55 PM, David Smith wrote: >> >>> Greetings, >>> >>> I am having an issue connecting between one of my Globus clients and my >>> GridFTP server using gsissh. Both are GT v5.0.0 - the client is running >>> Debian 5.0.3 and the server is running CentOS 5.2, both 64-bit. >>> >>> I've attached the verbose output of the command at the bottom of the >>> message. What is peculiar about this failure is that: >>> >>> 1) I have a valid myproxy certificate in /tmp >>> 2) I can successfully transfer files from the client to the server using >>> globus-url-copy >>> 3) I can connect from the client to the server over ssh using publickey >>> authentication >>> 4) A globus client on another machine can connect to the same server >>> using gsissh >>> 5) The client's ssh_config has GSSAPIAuthentication and >>> GSSAPIDelegateCredentials set to yes >>> >>> The failing client was compiled from source using the following commands: >>> >>> # ./configure --prefix=/usr/local/globus-5.0.0 >>> --with-gsi-opensshargs="--with-pam --with-md5-passwords >>> --with-tcp-wrappers --with-mic" >>> # make gsi-myproxy gsi-openssh globus-data-management-client >>> # make install >>> >>> There seems to be something misconfigured on the failing client, since >>> the server is working properly with another client. Can anyone tell >>> from the verbose message why the gsissh authentication is denied, or >>> suggest anything else I should take a look at to further investigate the >>> problem? >>> >>> Thank you for your help! >>> >>> OpenSSH_5.2p1-hpn13v6 GLOBUS_GSSAPI_GPT_4.7 GSI, OpenSSL 0.9.8g 19 Oct 2007 >>> debug1: Reading configuration data >>> /usr/local/globus-5.0.0/etc/ssh/ssh_config >>> debug2: ssh_connect: needpriv 0 >>> debug1: Connecting to chi-vm-4 [128.9.136.106] port 22. >>> debug1: Connection established. >>> debug1: identity file /home/smithd/.ssh/id_rsa type -1 >>> debug3: Not a RSA1 key file /home/smithd/.ssh/id_dsa. >>> debug2: key_type_from_name: unknown key type '-----BEGIN' >>> debug3: key_read: missing keytype >>> debug2: key_type_from_name: unknown key type 'Proc-Type:' >>> debug3: key_read: missing keytype >>> debug2: key_type_from_name: unknown key type 'DEK-Info:' >>> debug3: key_read: missing keytype >>> debug3: key_read: missing whitespace >>> debug3: key_read: missing whitespace >>> debug3: key_read: missing whitespace >>> debug3: key_read: missing whitespace >>> debug3: key_read: missing whitespace >>> debug3: key_read: missing whitespace >>> debug3: key_read: missing whitespace >>> debug3: key_read: missing whitespace >>> debug3: key_read: missing whitespace >>> debug3: key_read: missing whitespace >>> debug2: key_type_from_name: unknown key type '-----END' >>> debug3: key_read: missing keytype >>> debug1: identity file /home/smithd/.ssh/id_dsa type 2 >>> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3 >>> debug1: match: OpenSSH_4.3 pat OpenSSH_4* >>> debug1: Remote is NON-HPN aware >>> debug1: Enabling compatibility mode for protocol 2.0 >>> debug1: Local version string SSH-2.0-OpenSSH_5.2p1-hpn13v6 >>> GLOBUS_GSSAPI_GPT_4.7 GSI >>> debug2: fd 3 setting O_NONBLOCK >>> debug3: Trying to reverse map address 128.9.136.106. >>> debug1: Offering GSSAPI proposal: >>> gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw== >>> >>> debug1: SSH2_MSG_KEXINIT sent >>> debug1: SSH2_MSG_KEXINIT received >>> debug1: AUTH STATE IS 0 >>> debug2: kex_parse_kexinit: >>> gss-gex-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group1-sha1-dZuIebMjgUqaxvbF7hDbAw==,gss-group14-sha1-dZuIebMjgUqaxvbF7hDbAw==,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 >>> >>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,null >>> debug2: kex_parse_kexinit: >>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] >>> >>> debug2: kex_parse_kexinit: >>> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] >>> >>> debug2: kex_parse_kexinit: >>> hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 >>> >>> debug2: kex_parse_kexinit: >>> hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 >>> >>> debug2: kex_parse_kexinit: none,[email protected],zlib >>> debug2: kex_parse_kexinit: none,[email protected],zlib >>> debug2: kex_parse_kexinit: >>> debug2: kex_parse_kexinit: >>> debug2: kex_parse_kexinit: first_kex_follows 0 >>> debug2: kex_parse_kexinit: reserved 0 >>> debug2: kex_parse_kexinit: >>> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 >>> >>> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss >>> debug2: kex_parse_kexinit: >>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr >>> >>> debug2: kex_parse_kexinit: >>> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr >>> >>> debug2: kex_parse_kexinit: >>> hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 >>> >>> debug2: kex_parse_kexinit: >>> hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 >>> >>> debug2: kex_parse_kexinit: none,[email protected] >>> debug2: kex_parse_kexinit: none,[email protected] >>> debug2: kex_parse_kexinit: >>> debug2: kex_parse_kexinit: >>> debug2: kex_parse_kexinit: first_kex_follows 0 >>> debug2: kex_parse_kexinit: reserved 0 >>> debug2: mac_setup: found hmac-md5 >>> debug1: REQUESTED ENC.NAME is 'aes128-ctr' >>> debug1: kex: server->client aes128-ctr hmac-md5 none >>> debug2: mac_setup: found hmac-md5 >>> debug1: REQUESTED ENC.NAME is 'aes128-ctr' >>> debug1: kex: client->server aes128-ctr hmac-md5 none >>> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent >>> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP >>> debug2: dh_gen_key: priv key bits set: 137/256 >>> debug2: bits set: 493/1024 >>> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent >>> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY >>> debug3: check_host_in_hostfile: filename /home/smithd/.ssh/known_hosts >>> debug3: check_host_in_hostfile: match line 1 >>> debug3: check_host_in_hostfile: filename /home/smithd/.ssh/known_hosts >>> debug3: check_host_in_hostfile: match line 2 >>> debug1: Host 'chi-vm-4' is known and matches the RSA host key. >>> debug1: Found key in /home/smithd/.ssh/known_hosts:1 >>> debug2: bits set: 510/1024 >>> debug1: ssh_rsa_verify: signature correct >>> debug2: kex_derive_keys >>> debug2: set_newkeys: mode 1 >>> debug1: SSH2_MSG_NEWKEYS sent >>> debug1: expecting SSH2_MSG_NEWKEYS >>> debug2: set_newkeys: mode 0 >>> debug1: SSH2_MSG_NEWKEYS received >>> debug1: SSH2_MSG_SERVICE_REQUEST sent >>> debug2: service_accept: ssh-userauth >>> debug1: SSH2_MSG_SERVICE_ACCEPT received >>> debug2: key: /home/smithd/.ssh/id_rsa ((nil)) >>> debug2: key: /home/smithd/.ssh/id_dsa (0x760860) >>> debug1: Authentications that can continue: publickey,gssapi-with-mic >>> debug3: start over, passed a different list publickey,gssapi-with-mic >>> debug3: preferred gssapi-keyex,external-keyx,gssapi-with-mic,gssapi >>> debug3: authmethod_lookup gssapi-with-mic >>> debug3: remaining preferred: gssapi >>> debug3: authmethod_is_enabled gssapi-with-mic >>> debug1: Next authentication method: gssapi-with-mic >>> debug2: we sent a gssapi-with-mic packet, wait for reply >>> debug1: Authentications that can continue: publickey,gssapi-with-mic >>> debug2: we did not send a packet, disable method >>> debug1: No more authentication methods to try. >>> Permission denied (publickey,gssapi-with-mic). >>> >
