Re: [SOLVED] Help please: how to enable SSH password authentication under FreeBSD 6.2? Solved - but not in an expected way

2007-02-14 Thread Olaf Greve

Hi again,

Well as mentioned yesterday, I couldn't let this one go by without at 
least trying to figure out the real reason, so I experimented somewhat 
further.



The issue of ssh1 vs. ssh2 appears to already be clarified, so I won't
go into it again.


Yes, indeed. I myself yesterday came to realise that I had incorrectly 
used the term SSH1 for password authentication, whereas it's basically 
just a different handshake and encryption protocol. My bad. :p


Then:


It shouldn't.  That's odd, as there's no reason to use SSH1 with FreeBSD
5.4 -- SSH2 worked just fine in 5.X.  I'd investigate your puTTY installation/
config, as it sounds to be corrupt.


Well, I did indeed run the daemon in debug mode, and from the traces I 
gather that the handshaking doesn't work properly. Towards the end of 
the traces, we find:


debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client-server 3des-cbc hmac-sha1 none
debug1: kex: server-client 3des-cbc hmac-sha1 none
debug1: expecting SSH2_MSG_KEXDH_INIT
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
Connection closed by 192.168.1.103
debug1: do_cleanup
debug1: do_cleanup

And it never (or well, hardly ever) seems to get past that point.

I then checked if perhaps I could configure anything in PuTTY regarding 
the handshaking or so, and found very few options there (all yielding no 
better luck in connecting).


Then, I checked the PuTTY version, and found that it was release-0.50, 
whereas I read you used versions 0.58 and 0.59. D/L-ed version 0.59 and 
that works fine!


Sooo, indeed the PuTTY installation I had was flaky. For some reason it 
did work fine with my FreeBSD 5.4 installation, dunno why ?!?


Good, glad this one is solved and that it turned out to be such a 
trivial thing!


Tnx for your help, and cheers!
Olafo
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
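
Added example, not part of the original post: a small parser for `sshd -d` output that reports the last SSH2 handshake milestone a connection reached, which shows that the trace above ends during key exchange, before any authentication method is tried. The stage names and the two later markers (`SSH2_MSG_NEWKEYS received`, `userauth-request`) do not appear in the thread; the embedded trace is the one posted above with the two cleanup lines omitted.

```python
import re

# Milestones sshd -d logs for one SSH2 connection, in protocol order. The last
# two markers are what OpenSSH logs on a connection that gets past key exchange.
STAGES = [
    ("kexinit_sent", "SSH2_MSG_KEXINIT sent"),
    ("kexinit_received", "SSH2_MSG_KEXINIT received"),
    ("algorithms_agreed", "kex: "),
    ("newkeys_sent", "SSH2_MSG_NEWKEYS sent"),
    ("newkeys_received", "SSH2_MSG_NEWKEYS received"),
    ("userauth_started", "userauth-request"),
]
# Matches "client->server" and the archive's ">"-stripped "client-server".
KEX_RE = re.compile(r"kex: (client|server)->?(?:server|client) (\S+) (\S+) (\S+)")
CLOSED_RE = re.compile(r"Connection closed by (\S+)")

def analyze(trace):
    """Report how far one connection got and which algorithms were agreed."""
    reached, algorithms, closed_by = -1, {}, None
    for line in trace.splitlines():
        for index, (_, marker) in enumerate(STAGES):
            if marker in line:
                reached = max(reached, index)
        kex = KEX_RE.search(line)
        if kex:
            direction = "c2s" if kex.group(1) == "client" else "s2c"
            algorithms[direction] = dict(zip(("cipher", "mac", "compression"), kex.groups()[1:]))
        closed = CLOSED_RE.match(line.strip())
        if closed:
            closed_by = closed.group(1)
    return {
        "last_stage": STAGES[reached][0] if reached >= 0 else None,
        "algorithms": algorithms,
        "closed_by": closed_by,
        "closed_before_auth": closed_by is not None and reached < len(STAGES) - 1,
    }

# Server-side trace from the message above (do_cleanup lines omitted).
PAGE_TRACE = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client-server 3des-cbc hmac-sha1 none
debug1: kex: server-client 3des-cbc hmac-sha1 none
debug1: expecting SSH2_MSG_KEXDH_INIT
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
Connection closed by 192.168.1.103
"""
```

`analyze(PAGE_TRACE)` returns `last_stage` as `newkeys_sent` with `closed_before_auth` set: the client dropped the connection while the server was still waiting for its NEWKEYS message.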


Re: [SOLVED] Help please: how to enable SSH password authentication under FreeBSD 6.2? Solved - but not in an expected way

2007-02-13 Thread Olaf Greve

Hi all,

To cut to the chase, I 'solved' the issue, or rather, the mystery around 
it at least, but the 'solution' was not quite as expected.


I tried both suggestions given.

Firstly:


It rather looks like putty is checking the server key with the older one
(you mentioned you reinstalled the box).


Well... Yes and no.
Yes: the box was 'reinstalled', but completely cleanly, with a newer 
FreeBSD version (i.e. 6.2 vs. 5.3), and using a completely different IP 
address. Given those parameters, it's better to call it a clean install. :P


Also, PuTTY never got to the stage where it informed me that a new host 
was found and if I wanted to store the fingerprint. Instead, it directly 
bailed out with a message like 'Host key not found' (or something like 
that).



try to delete the know_host entry in the register database (look for the
entry start-run-regedit then look for the SshHostKeys entry and delete
the old key).

This should fix your pb ;)


I did so anyway and it didn't seem to make a difference. I kept getting 
the same error.


Then I tried the other suggestion:

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no

I did that (trying setting it to 'yes' as well as 'no') and this too, 
did not seem to make a difference.


No, normally PuTTY gives me the 'host key' error some 3 times or so 
before properly finding any host, so I'm used to that. On the new box, I 
tried it easily 15 times in a row before posing the question yesterday.


Today I gave it a longer pounding, and lo and behold: all of a sudden 
after some 30 attempts it worked! Then, I tried switching the 
ChallengeResponseAuthentication to the opposite value it was set at, 
gave it again a pounding of around 20 attempts, and again 1 succeeded. I 
tried reproducing my 'luck', but some 40 further attempts all yielded no 
score.


It then dawned on me that it might be simply PuTTY that is causing the 
errors, and indeed, I tried Tunnelier and it works a charm (with and 
without PAM), and during all attempts I made, it directly logged in 
without any issues.


Conclusion (or assumption, if you will): there seem to be some major 
incompatibility issues between PuTTY and FreeBSD 6.2's bundled SSH version.


Of course it is easy enough to use a different client at home, it's just 
that when abroad and wanting to check the machine, it is handy to 
quickly download PuTTY.exe and have a quick check without having to 
install a complete program...


Oh well, at least it works now, and I know the box was (and still is) 
configured correctly, and I have found a good work-around (i.e. using a 
better SSH client than PuTTY).


Cheers, and thanks for bearing with me,
Olafo


Re: [SOLVED] Help please: how to enable SSH password authentication under FreeBSD 6.2? Solved - but not in an expected way

2007-02-13 Thread Bill Moran
In response to Olaf Greve [EMAIL PROTECTED]:
 
 To cut to the chase, I 'solved' the issue, or rather, the mystery around 
 it at least, but the 'solution' was not quite as expected.
 
 I tried both suggestions given.
 
 Firstly:
 
  It rather looks like putty is checking the server key with the older one
  (you mentioned you reinstalled the box).
 
 Well... Yes and no.
 Yes: the box was 'reinstalled', but completely cleanly, with a newer 
 FreeBSD version (i.e. 6.2 vs. 5.3), and using a completely different IP 
 address. Given those parameters, it's better to call it a clean install. :P
 
 Also, PuTTY never got to the stage where it informed me that a new host 
 was found and if I wanted to store the fingerprint. Instead, it directly 
 bailed out with a message like 'Host key not found' (or something like 
 that).
 
  try to delete the know_host entry in the register database (look for the
  entry start-run-regedit then look for the SshHostKeys entry and delete
  the old key).
  
  This should fix your pb ;)
 
 I did so anyway and it didn't seem to make a difference. I kept getting 
 the same error.
 
 Then I tried the other suggestion:
 
  # Change to no to disable PAM authentication
  ChallengeResponseAuthentication no
 
 I did that (trying setting it to 'yes' as well as 'no') and this too, 
 did not seem to make a difference.
 
 No, normally PuTTY gives me the 'host key' error some 3 times or so 
 before properly finding any host, so I'm used to that. On the new box, I 
 tried it easily 15 times in a row before posing the question yesterday.
 
 Today I gave it a longer pounding, and lo and behold: all of a sudden 
 after some 30 attempts it worked! Then, I tried switching the 
 ChallengeResponseAuthentication to the opposite value it was set at, 
 gave it again a pounding of around 20 attempts, and again 1 succeeded. I 
 tried reproducing my 'luck', but some 40 further attempts all yielded no 
 score.
 
 It then dawned on me that it might be simply PuTTY that is causing the 
 errors, and indeed, I tried Tunnelier and it works a charm (with and 
 without PAM), and during all attempts I made, it directly logged in 
 without any issues.
 
 Conclusion (or assumption, if you will): there seem to be some major 
 incompatibility issues between PuTTY and FreeBSD 6.2's bundled SSH version.

I'm not seeing this.  I tried this with PuTTY 0.58 on a fresh FreeBSD 6.2p1
system and had no problems.  So I grabbed the latest PuTTY 0.59, and that
worked fine as well.

This is a brand new FreeBSD server I just started setting up yesterday, I
haven't touched /etc/ssh/sshd_config at all yet.  I just finished the
upgrade to p1 this morning and tried it out.

I haven't been following this thread, so I don't have any ideas on what
your problem might be, but it's certainly not FreeBSD or puTTY's fault
or I'd be seeing the same problem.

Have you tried running sshd with the -d option, and puTTY with logging
enabled to see exactly what's going on?  Be sure you understand how -d
works on the server if you don't have physical access to it.

-- 
Bill Moran
Collaborative Fusion Inc.


Re: [SOLVED] Help please: how to enable SSH password authentication under FreeBSD 6.2? Solved - but not in an expected way

2007-02-13 Thread Olaf Greve

Hi Bill,


I'm not seeing this.  I tried this with PuTTY 0.58 on a fresh FreeBSD 6.2p1
system and had no problems.  So I grabbed the latest PuTTY 0.59, and that
worked fine as well.


[...]


I haven't been following this thread, so I don't have any ideas on what
your problem might be, but it's certainly not FreeBSD or puTTY's fault
or I'd be seeing the same problem.


The issue is that PuTTY does not fall back from its SSH2 attempt to SSH1 
(with password authentication), as is what I specified in my 
/etc/ssh/sshd_config


Is this what you tried too, or did you use SSH2 (i.e. key 
authentication, instead of password authentication)?


In my case, SSHD is running in debug mode and the debug log clearly 
indicates that PuTTY only tries SSH2 and does not fall back to SSH1, 
whereas on my live box (FreeBSD 5.4 release AMD64, custom kernel), PuTTY 
does fall back to SSH1.


The 'lines' to the new server are about as short as they can be, as I'm 
currently setting the machine up over our local network, so the only 
thing in between the client and server is our router, which does not 
mess with the SSH traffic...


In short: I see no reason why the PuTTY / FreeBSD 6.2 SSH combination 
would _not_ be at fault (especially as other SSH clients do work fine on 
this box, and as PuTTY also works when connecting to other boxes). :P
Contrary to what I was thinking yesterday, I don't think my 
configuration is at fault...


In case in such a situation the password authentication does work fine 
for you, I'd be curious to find out the reason why it doesn't work for 
me (perhaps you could then also post me your sshd_config settings).


As mentioned, there is an easy work around by using a different SSH 
client, but PuTTY is handy for quick d/l-ing when abroad, and not having 
administrator's rights to the machine you're on at that time.


Cheers!
Olafo


Re: [SOLVED] Help please: how to enable SSH password authentication under FreeBSD 6.2? Solved - but not in an expected way

2007-02-13 Thread Olaf Greve

Hi again,

I must amend a technically incorrect thing that I wrote previously:

Is this what you tried too, or did you use SSH2 (i.e. key 
authentication, instead of password authentication)?


Both SSH1 and SSH2 can use password authentication, so I incorrectly 
wrote that PuTTY does not fall back to SSH1 password authentication.


This is an obfuscating statement. The issue in fact, seems to reside in 
some issues between PuTTY and FreeBSD 6.2's SSH when it comes down to 
the key negotiation (using SSH2), and it simply does not get beyond that 
point, and hence almost never presents me with the login prompt.


Perhaps I'll give the SSHD a go with the -d option, and perhaps I'll 
also check if I can find PuTTY debug logs; even if it were just for the 
heck of not wanting to give in on this. :D


Cheers,
Olafo


Re: [SOLVED] Help please: how to enable SSH password authentication under FreeBSD 6.2? Solved - but not in an expected way

2007-02-13 Thread Alex Zbyslaw

Olaf Greve wrote:



The issue is that PuTTY does not fall back from its SSH2 attempt to 
SSH1 (with password authentication), as is what I specified in my 
/etc/ssh/sshd_config


Is this what you tried too, or did you use SSH2 (i.e. key 
authentication, instead of password authentication)?


Unless I misunderstand, then you have a serious misapprehension.  SSH1 
versus SSH2 is *nothing* to do with keys versus passwords.  Both SSH1 
and SSH2 support password or key based authentication.  The difference 
is that SSH1 is an older protocol and is *insecure* and no-one should still 
be using it unless they have some legacy app which really cannot be updated.


I strongly suggest that at the very least you enable SSH2 as the first 
protocol in sshd_config with a line like


Protocol 2,1

though from what I can see, SSH2 only has been the default for a while, 
and rightly so.


--Alex
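
Added example, not part of the message above: a check that reads an sshd_config and reports whether an active `Protocol` line still offers SSH1, skipping commented-out lines and stopping at the first `Match` block. The function names and the sample configuration are constructed for illustration; the sample reuses the two directives quoted in this thread.

```python
import re

TRACKED = ("protocol", "passwordauthentication", "challengeresponseauthentication")

def effective_settings(config_text):
    """Return the value sshd would use for each tracked keyword, or None if unset.

    Keywords are case-insensitive, '#' lines are comments, and for each keyword
    the first value in the file wins. Parsing stops at the first Match block,
    because settings after it apply only to matching connections.
    """
    settings = dict.fromkeys(TRACKED)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword in settings and settings[keyword] is None and len(parts) == 2:
            settings[keyword] = parts[1].strip()
    return settings

def offers_ssh1(settings):
    """True if an explicit Protocol line lists version 1; None if Protocol is unset."""
    value = settings["protocol"]
    if value is None:
        return None  # no active line in the file: the built-in default applies
    return "1" in [v.strip() for v in value.split(",")]

# Constructed sample: a commented-out default, the directives quoted in the
# thread, and a later duplicate that sshd ignores because the first value wins.
SAMPLE = """\
#Protocol 2
Protocol 2,1
PasswordAuthentication yes
# Change to no to disable PAM authentication
ChallengeResponseAuthentication no
protocol 2
"""

if __name__ == "__main__":
    found = effective_settings(SAMPLE)
    print(found, "SSH1 offered:", offers_ssh1(found))
```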




Re: [SOLVED] Help please: how to enable SSH password authentication under FreeBSD 6.2?

2007-02-12 Thread Irsla



Olaf Greve wrote:
 
 Hi guys,
 
 The question:
 I recall having had this issue before, and I *think* the resolution was
 to enable PAM authentication or so outside of /etc/ssh/sshd_config. I
 thought to recall that I either did this in rc.conf (or the defaults for
 that), or in the custom kernel configuration. However, I couldn't find
 any hints to that anymore on the live box...:(
 Does anyone know how to get this going properly, and what it is that I'm
 overlooking?
 
 

It rather looks like putty is checking the server key with the older one
(you mentioned you reinstalled the box).

try to delete the know_host entry in the register database (look for the
entry start-run-regedit then look for the SshHostKeys entry and delete
the old key).

This should fix your pb ;)

