ssh -vvv

Darren Tucker dtucker at zip.com.au
Sun Apr 13 10:03:43 EST 2003


"Lumpkin, Buddy" wrote:
> I just had an interesting experience tracking down a bug on Solaris
> 8, and ssh -vvv was of no help 
[snip]

The server doesn't tell the client why an authentication failed because
that information would be very useful to an attacker.  In general, you
want to "leak" as little information as possible before the user is
authenticated.  This makes the attacker's job harder, and legitimate
admins have other ways of getting the info (server-side debugging, see
below).

> Is there a debug option to sshd that might have found this?

Yes, you want the *server* side debug options.  You can run sshd on
another port to get them without disrupting your production daemon:

/path/to/sshd -ddd -p 2022

then on the client:

ssh -vvv -p 2022 yourhost

This is very helpful for debugging authentication issues, although it's
not always possible; some firewall configs only allow port 22.  In those
cases and if all else fails you can kill off the production daemon and
run the debugging daemon on port 22 (pick a quiet time and keep a few
spare sessions or have alternate access to the box.)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
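
Added example, not part of the original message and not OpenSSH project code: a small sh wrapper around the debug-daemon procedure described above that saves the server-side log and extracts the lines stating why authentication was refused. The function names, the pattern list (a non-exhaustive set of common OpenSSH wordings) and the sample log are assumptions; the sample log is constructed and is not the problem from this thread.

```shell
#!/bin/sh
# Added example: run a second sshd in debug mode on a spare port and
# pull the failure reasons out of its log. All names here are hypothetical.

# Start the debug daemon. -ddd keeps sshd in the foreground for a single
# connection, -e sends its log to stderr, which is saved to "$3".
# $1 = absolute path to sshd, $2 = spare port, $3 = log file.
run_debug_sshd() {
    sshd_bin=$1 port=$2 log=$3
    "$sshd_bin" -t || return 1      # config test first; stop if it is broken
    "$sshd_bin" -ddd -e -p "$port" 2>"$log"
}

# Print the lines of a saved debug log that say why a login was refused.
# Assumption: this pattern list covers common wordings, not every one.
auth_failure_reasons() {
    grep -E 'Authentication refused|bad ownership or modes|Could not open authorized keys|not allowed because|Failed (password|publickey|none)' "$1"
}

# Constructed sample of server-side debug output (not captured from a host).
write_sample_log() {
    cat >"$1" <<'EOF'
debug1: Bind to port 2022 on 0.0.0.0.
Server listening on 0.0.0.0 port 2022.
debug1: userauth-request for user alice service ssh-connection method publickey
debug1: trying public key file /home/alice/.ssh/authorized_keys
Authentication refused: bad ownership or modes for directory /home/alice
debug1: userauth-request for user alice service ssh-connection method password
Failed password for alice from 192.0.2.10 port 40112 ssh2
EOF
}

# Demo on the constructed log; on a real host, call run_debug_sshd first,
# connect once with "ssh -vvv -p 2022 yourhost", then filter the saved log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
auth_failure_reasons "$demo_log"
rm -f "$demo_log"
```

The client in this exchange only sees that each method failed; the two lines the filter prints exist only in the server's log.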



