Any insight would be very welcome.

Client: Solaris 9 SPARC with both OpenSSH 4.3p2 and OEM ssh
        client binaries.

Server: Solaris 10 SPARC with OEM sshd.  OpenAFS 1.4.3
        pam_afs.so.1

Problem: OpenSSH 4.3p2 client fails against Solaris 10 sshd.
         Note below that it completely skips over 'password'
         authentication method and goes to keyboard-interactive
         (which should work as well, but does not).

Solution?: Set 'PAMAuthenticationViaKBDInt no' and it forces
           'password' auth to not be skipped.  Why kbdint
           won't work, I don't know.

           Note that PAMAuthenticationViaKBDInt is not an
           option listed in the sshd_config man page under
           Solaris 10 yet it is defined in the stock Solaris
           10 /etc/ssh/sshd_config file!

#-----------------------------------------------------------------
# OpenSSH 4.3p2 client fails against Solaris 10 sshd
#-----------------------------------------------------------------
~:noodle> ssh -v [EMAIL PROTECTED]
OpenSSH_4.3p2, OpenSSL 0.9.7g 11 Apr 2005
debug1: Reading configuration data /usr/rcf/etc/ssh_config
debug1: Connecting to bertha [129.83.11.117] port 22.
debug1: Connection established.
debug1: identity file /afs/rcf/user/jblaine/.ssh/identity type -1
debug1: identity file /afs/rcf/user/jblaine/.ssh/id_rsa type -1
debug1: identity file /afs/rcf/user/jblaine/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1
debug1: no match: Sun_SSH_1.1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'bertha' is known and matches the RSA host key.
debug1: Found key in /afs/rcf/user/jblaine/.ssh/known_hosts:278
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
# Next auth method should be 'password' if this fails
debug1: Trying private key: /afs/rcf/user/jblaine/.ssh/identity
debug1: Trying private key: /afs/rcf/user/jblaine/.ssh/id_rsa
debug1: Trying private key: /afs/rcf/user/jblaine/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
# WHAT HAPPENED TO 'password' !?
Password:
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
Password:
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).
~:noodle>

#-----------------------------------------------------------------
# Solaris 9's SSH client works fine with Solaris 10 sshd
#-----------------------------------------------------------------
~:noodle> /usr/bin/ssh -v [EMAIL PROTECTED]
SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 26560 geteuid 26560 anon 1
debug1: Connecting to bertha [129.83.11.117] port 22.
debug1: Connection established.
debug1: identity file /afs/rcf/user/jblaine/.ssh/identity type 3
debug1: identity file /afs/rcf/user/jblaine/.ssh/id_rsa type 3
debug1: identity file /afs/rcf/user/jblaine/.ssh/id_dsa type 3
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1
debug1: no match: Sun_SSH_1.1
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.0
debug1: sent kexinit: diffie-hellman-group1-sha1
debug1: sent kexinit: ssh-rsa,ssh-dss
debug1: sent kexinit: aes128-cbc,blowfish-cbc,3des-cbc,rijndael128-cbc
debug1: sent kexinit: aes128-cbc,blowfish-cbc,3des-cbc,rijndael128-cbc
debug1: sent kexinit: hmac-sha1,hmac-md5
debug1: sent kexinit: hmac-sha1,hmac-md5
debug1: sent kexinit: none
debug1: sent kexinit: none
debug1: sent kexinit:
debug1: sent kexinit:
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-rsa,ssh-dss
debug1: got kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug1: got kexinit: aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit: en_CA.UTF-8,en_US.UTF-8,es_MX.UTF-8,en_CA,en_CA.ISO8859-1,en_US,en_US.ISO8859-1,en_US.ISO8859-15,[EMAIL PROTECTED],es,es_MX,es_MX.ISO8859-1,fr,fr_CA,fr_CA.ISO8859-1,C,POSIX,fr_CA.UTF-8
debug1: got kexinit: en_CA.UTF-8,en_US.UTF-8,es_MX.UTF-8,en_CA,en_CA.ISO8859-1,en_US,en_US.ISO8859-1,en_US.ISO8859-15,[EMAIL PROTECTED],es,es_MX,es_MX.ISO8859-1,fr,fr_CA,fr_CA.ISO8859-1,C,POSIX,fr_CA.UTF-8
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug1: kex: server->client unable to decide common locale
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug1: kex: client->server unable to decide common locale
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug1: Sending SSH2_MSG_KEXDH_INIT.
debug1: bits set: 519/1024
debug1: Wait SSH2_MSG_KEXDH_REPLY.
debug1: Got SSH2_MSG_KEXDH_REPLY.
debug1: Host 'bertha' is known and matches the RSA host key.
debug1: Found key in /afs/rcf/user/jblaine/.ssh/known_hosts:278
debug1: bits set: 493/1024
debug1: ssh_rsa_verify: signature correct
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: key does not exist: /afs/rcf/user/jblaine/.ssh/identity
debug1: key does not exist: /afs/rcf/user/jblaine/.ssh/id_rsa
debug1: key does not exist: /afs/rcf/user/jblaine/.ssh/id_dsa
debug1: next auth method to try is password
[EMAIL PROTECTED]'s password:
debug1: ssh-userauth2 successfull: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: client_init id 0 arg 0
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 32768

#-----------------------------------------------------------------
# The /etc/ssh/sshd_config on the Solaris 10 box (bertha)
#-----------------------------------------------------------------
Protocol 2
Port 22
ListenAddress ::
AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd no
KeepAlive yes
SyslogFacility auth
LogLevel debug
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
KeyRegenerationInterval 3600
StrictModes no
LoginGraceTime 600
MaxAuthTries    8
MaxAuthTriesLog 3
PermitEmptyPasswords no
PasswordAuthentication yes
PAMAuthenticationViaKBDInt yes
PermitRootLogin yes
Subsystem       sftp    /usr/lib/ssh/sftp-server
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes

#-----------------------------------------------------------------
# /etc/pam.conf entries on bertha
#-----------------------------------------------------------------
sshd    auth requisite      pam_authtok_get.so.1
sshd    auth required       pam_dhkeys.so.1
sshd    auth sufficient     pam_afs.so.1 try_first_pass  ignore_root setenv_password_expires
sshd    auth required       pam_unix_auth.so.1
###
sshd-kbdint auth requisite      pam_authtok_get.so.1
sshd-kbdint auth required       pam_dhkeys.so.1
sshd-kbdint auth sufficient     pam_afs.so.1 try_first_pass  ignore_root setenv_password_expires debug
sshd-kbdint auth required       pam_unix_auth.so.1 debug

#-----------------------------------------------------------------
# Failed attempt (OpenSSH 4.3 client) syslog info from
# Solaris 10 sshd and PAM modules
#-----------------------------------------------------------------
 Connection from 129.83.10.14 port 45710
 debug1: Client protocol version 2.0; client software version OpenSSH_4.3
 debug1: match: OpenSSH_4.3 pat OpenSSH*
 debug1: Enabling compatibility mode for protocol 2.0
 debug1: Local version string SSH-2.0-Sun_SSH_1.1
 debug1: Forked child 724.
 debug1: list_hostkey_types: ssh-rsa,ssh-dss
 debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible Unknown code 0)
 debug1: SSH2_MSG_KEXINIT sent
 debug1: SSH2_MSG_KEXINIT received
 debug1: kex: client->server aes128-cbc hmac-md5 none
 debug1: kex: server->client aes128-cbc hmac-md5 none
 debug1: Peer sent proposed langtags, ctos:
 debug1: Peer sent proposed langtags, stoc:
 debug1: We proposed langtags, ctos: en-CA,en-US,es-MX,es,fr,fr-CA,i-default
 debug1: We proposed langtags, stoc: en-CA,en-US,es-MX,es,fr,fr-CA,i-default
 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
 debug1: dh_gen_key: priv key bits set: 127/256
 debug1: bits set: 517/1024
 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
 debug1: bits set: 520/1024
 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
 debug1: newkeys: mode 1
 debug1: SSH2_MSG_NEWKEYS sent
 debug1: expecting SSH2_MSG_NEWKEYS
 debug1: newkeys: mode 0
 debug1: SSH2_MSG_NEWKEYS received
 debug1: KEX done
 debug1: userauth-request for user root service ssh-connection method none
 debug1: attempt 0 initial attempt 0 failures 0 initial failures 0
 Failed none for root from 129.83.10.14 port 45710 ssh2
 debug1: userauth-request for user root service ssh-connection method keyboard-interactive
 debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
 debug1: keyboard-interactive devs
 debug1: got 1 responses
 debug1: PAM conv function returns PAM_SUCCESS
 AFS Options: nowarn=0, use_first_pass=0, try_first_pass=1, ignore_uid = 1, ignore_uid_id = 0, refresh_token=0, set_token=0, dont_fork=0, use_klog=0
 AFS Username = `root'
 AFS Ignoring superuser root
 pam_unix_auth: entering pam_sm_authenticate()
 AFS Options: nowarn=0, use_first_pass=1, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 0, refresh_token=8, set_token=8, dont_fork=8, use_klog=8
 AFS Ignoring superuser root
 while authorizing: Authentication failed
 Failed keyboard-interactive for root from 129.83.10.14 port 45710 ssh2
 debug1: userauth-request for user root service ssh-connection method keyboard-interactive
 debug1: attempt 2 initial attempt 1 failures 2 initial failures 1
 debug1: keyboard-interactive devs
 debug1: got 1 responses
 debug1: PAM conv function returns PAM_SUCCESS
 AFS Options: nowarn=0, use_first_pass=0, try_first_pass=1, ignore_uid = 1, ignore_uid_id = 0, refresh_token=0, set_token=0, dont_fork=0, use_klog=0
 AFS Username = `root'
 AFS Ignoring superuser root
 pam_unix_auth: entering pam_sm_authenticate()
 AFS Options: nowarn=0, use_first_pass=1, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 0, refresh_token=8, set_token=8, dont_fork=8, use_klog=8
 AFS Ignoring superuser root
 while authorizing: Authentication failed
 Failed keyboard-interactive for root from 129.83.10.14 port 45710 ssh2
 debug1: userauth-request for user root service ssh-connection method keyboard-interactive
 debug1: attempt 3 initial attempt 2 failures 3 initial failures 2
 debug1: keyboard-interactive devs
 debug1: got 1 responses
 debug1: PAM conv function returns PAM_SUCCESS
 AFS Options: nowarn=0, use_first_pass=0, try_first_pass=1, ignore_uid = 1, ignore_uid_id = 0, refresh_token=0, set_token=0, dont_fork=0, use_klog=0
 AFS Username = `root'
 AFS Ignoring superuser root
 pam_unix_auth: entering pam_sm_authenticate()
 AFS Options: nowarn=0, use_first_pass=1, try_first_pass=0, ignore_uid = 1, ignore_uid_id = 0, refresh_token=8, set_token=8, dont_fork=8, use_klog=8
 AFS Ignoring superuser root
 while authorizing: Authentication failed
 Failed keyboard-interactive for root from 129.83.10.14 port 45710 ssh2
 Connection closed by 129.83.10.14
 debug1: Calling cleanup 0x260f4(0x8a538)
 debug1: Calling cleanup 0x1f7d4(0x893f8)
 debug1: Calling cleanup 0x45854(0x0)
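
Added example (not part of the original post): a small Python parser for `ssh -v` client output that lists the methods the server advertised in each round, the methods the client actually tried, and any method the server withdrew before the client got to it. The sample is an excerpt of the failing transcript above; `analyze` and the result keys are names made up for this example.

```python
import re

# Excerpt of the failing OpenSSH 4.3p2 client transcript from the post above.
SAMPLE = """\
debug1: Authentications that can continue:
gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /afs/rcf/user/jblaine/.ssh/id_rsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentications that can continue:
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentications that can continue:
gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive
debug1: No more authentication methods to try.
"""
# Both the OpenSSH and the Sun_SSH client wordings are accepted.
OFFER = re.compile(r"authentications that can continue:\s*(.*)$", re.I)
TRIED = re.compile(r"next auth(?:entication)? method(?: to try is|:)\s*(\S+)", re.I)


def analyze(log):
    """Return offered lists per round, methods tried, and derived findings."""
    offers, tried = [], []
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = OFFER.search(line)
        if m:
            # Mail wrapping may push the method list onto the following line.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            names = m.group(1) or ("" if nxt.startswith("debug") else nxt)
            offers.append([n for n in names.strip().split(",") if n])
            continue
        m = TRIED.search(line)
        if m:
            tried.append(m.group(1))
    first = offers[0] if offers else []
    last = offers[-1] if offers else []
    return {
        "offers": offers,
        "tried": tried,
        # Advertised in the first round but never attempted by the client.
        "never_tried": [m for m in first if m not in tried],
        # Dropped from the server's list before the client reached them.
        "withdrawn": [m for m in first if m not in last],
    }
```

On the failing transcript this reports `password` as both never tried and withdrawn: the client attempted keyboard-interactive first, and the server's next list no longer contained `password`. The order in which the OpenSSH client tries methods is set by its `PreferredAuthentications` option.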

