Solaris 8 x86 rsa pubkey auth problem

Mikhail Manuylov mikhail.manuilov at gmail.com
Thu May 4 03:16:58 EST 2006


Hi there,

Actually I've solved my "bug" last Friday, but I'm not sure it was a
bug in openssh behaviour.

But I really think (in my cryptography knowledge) is somewhat wrong.
1) ssh.c: 768: 'load_public_identity_files' function is called
eventually calling
2) ssh.c: 1208: 'key_load_public' function with my -i key supplied
filename as parameter and returns pointer to 'Key' structure
3) Here is source code for that function:
I'll insert my own comments starting with '#':

/* load public key from ssh v1 private or any pubkey file */
Key *
key_load_public(const char *filename, char **commentp)
{
    Key *pub;
    char file[MAXPATHLEN];

    /* try rsa1 private key */
    pub = key_load_public_type(KEY_RSA1, filename, commentp);
    # fails here with RSA private key
    if (pub != NULL)
        return pub;

    /* try rsa1 public key */
    pub = key_new(KEY_RSA1);
    if (key_try_load_public(pub, filename, commentp) == 1)
    # fails here obviously
        return pub;
    key_free(pub);

    /* try ssh2 public key */
    pub = key_new(KEY_UNSPEC);
    if (key_try_load_public(pub, filename, commentp) == 1)
    # fails here too
        return pub;

    if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
        (strlcat(file, ".pub", sizeof file) < sizeof(file)) &&
        (key_try_load_public(pub, file, commentp) == 1))
>>>   # Here it actually finds "auditor_id_rsa.pub" file (I've left old ssh-dss public key here)
         # And then it's used to authenticate to remote sshd, authentication with public key????
         # And sshd at auth2-pubkey.c:77 receives ssh-dss (not ssh-rsa it finds in authorized_keys) and fails
         # In debug output it was never mentioned that ssh used "auditor_id_rsa.pub" only "auditor_id_rsa" without "pub"
         # extension, so have been digging not so obvious sources of openssh for about a week =(
        return pub;
    key_free(pub);
    return NULL;
}

What is the reason of trying to find public key and offering it to
authenticate? This is somewhat ridiculous, I suppose...
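
An added example, not part of the original post and not OpenSSH code: a Python check that follows the lookup order in the quoted `key_load_public` (the identity file itself, then the same name with `.pub`) and reports which file supplies the offered public key and whether its type matches the private key's PEM header. All function names and the sample files are constructed for illustration; it assumes traditional `BEGIN RSA/DSA PRIVATE KEY` PEM identity files.

```python
import base64
import binascii
import os
import struct
import tempfile

# Traditional PEM headers -> SSH key type (assumption: pre-"OPENSSH PRIVATE KEY" files).
PEM_TYPES = {
    "-----BEGIN RSA PRIVATE KEY-----": "ssh-rsa",
    "-----BEGIN DSA PRIVATE KEY-----": "ssh-dss",
}


def blob_key_type(b64):
    """Return the key type named inside a base64 public key blob, or None."""
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        return None
    return blob[4:4 + n].decode("ascii", "replace")


def public_key_type(path):
    """Type of the first valid 'type base64 [comment]' line in path, else None."""
    try:
        with open(path, "r", errors="replace") as fh:
            for line in fh:
                fields = line.split()
                if len(fields) < 2 or fields[0].startswith("#"):
                    continue
                # The declared type must agree with the type inside the blob.
                if blob_key_type(fields[1]) == fields[0]:
                    return fields[0]
    except OSError:
        return None
    return None


def private_key_type(path):
    """Key type implied by the PEM header of a private key file, else None."""
    try:
        with open(path, "r", errors="replace") as fh:
            first = fh.readline().strip()
    except OSError:
        return None
    return PEM_TYPES.get(first)


def resolve_offered_key(identity):
    """Follow the quoted lookup order: the file itself, then file + '.pub'."""
    private_type = private_key_type(identity)
    source, offered = None, None
    for candidate in (identity, identity + ".pub"):
        offered = public_key_type(candidate)
        if offered is not None:
            source = candidate
            break
    return {
        "source": source,
        "offered_type": offered,
        "private_type": private_type,
        "mismatch": bool(offered and private_type and offered != private_type),
    }


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def make_public_line(key_type, comment):
    # Constructed blob: a correct type field plus one dummy field, not a usable key.
    blob = _ssh_string(key_type.encode()) + _ssh_string(b"\x01\x00\x01")
    return "%s %s %s\n" % (key_type, base64.b64encode(blob).decode(), comment)


def demo():
    """Rebuild the situation from the post with constructed files."""
    with tempfile.TemporaryDirectory() as d:
        identity = os.path.join(d, "auditor_id_rsa")
        with open(identity, "w") as fh:  # constructed PEM shell, no real key material
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                     "-----END RSA PRIVATE KEY-----\n")
        with open(identity + ".pub", "w") as fh:  # stale DSA public key left behind
            fh.write(make_public_line("ssh-dss", "constructed-stale-key"))
        stale = resolve_offered_key(identity)
        with open(identity + ".pub", "w") as fh:  # regenerated, matching type
            fh.write(make_public_line("ssh-rsa", "constructed-matching-key"))
        fixed = resolve_offered_key(identity)
        for result in (stale, fixed):
            result["source"] = os.path.basename(result["source"])
        return stale, fixed


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The check compares key types only; a stale `.pub` of the same type needs a comparison against the public key derived from the private key, for example with `ssh-keygen -y -f`.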


On 4/21/06, Mikhail Manuylov <mikhail.manuilov at gmail.com> wrote:
> Hello,
>
> I got some weird problem with public key authentication using rsa key pair.
>
> Let me first of all explain my setup.
>
> 1) I got two Solaris 8 x86 boxes
> uname -a
> SunOS 5.8 Generic_117351-24 i86pc i386 i86pc
>
> <kdc: 192.168.10.11> <---> <module: 192.168.10.10>
>
> 2) They're running absolutely identical openssh installations
> I'm using pkgsrc, so I've built all necessary packages from two days
> old pkgsrc sources
> on one of the boxes and installed the same binaries on second
> OpenSSH_4.3p1, OpenSSL 0.9.7i 14 Oct 2005
>
> 3) The only difference in their setup is that 'kdc' is an Intel P4 box
> and module is P3 box.
>
> I've generated rsa key pair via ssh-keygen, and placed public part of
> it into /home/root/.ssh/authorized_keys
> on both computers.
>
> The problem:
>
> I can't log into any (not only to module) computer running the same
> version of sshd (and of course user holding the same public key)
> using 'kdc', pubkey authentication fails and ssh pops password prompt
> up. Pubkey authentication with that key works flawlessly with any
> other direction even when 'module' connecting to 'kdc'.
>
> How I can help debugging this problem:
>
> I've supplied debug output of both ssh and sshd from two cases:
> 1) 'module' authenticating on 'kdc' ( works ok )
> 2) 'kdc' authenticating on  'module' ( pubkey failed )
>
> I've already compiled gdb and openssh with debug info. I've also
> started two debug sshd yesterday, but due to my not so cool knowledge
> of openssh sources and maybe schema of forking and privilege separation I
> still can't reach user_key_allowed function.
>
> Thank you for your great work. And thanks for help beforehand.
>
> Here's debug output:
>
> 1) kdc# ssh -vvv -i ~/.ssh/auditor_rsa_id root at 192.168.10.10
> OpenSSH_4.3p1, OpenSSL 0.9.7i 14 Oct 2005
> debug1: Reading configuration data /usr/pkg/etc/ssh/ssh_config
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 192.168.10.10 [ 192.168.10.10] port 22.
> debug1: Connection established.
> debug1: permanently_set_uid: 0/1
> debug3: Not a RSA1 key file auditor_id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file auditor_id_rsa type 2
> debug1: Remote protocol version 2.0 , remote software version OpenSSH_4.3
> debug1: match: OpenSSH_4.3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none, zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
> ,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
> ,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit: none, zlib at openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 115/256
> debug2: bits set: 513/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/root/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 4
> debug1: Host '192.168.10.10' is known and matches the RSA host key.
> debug1: Found key in /home/root/.ssh/known_hosts:4
> debug2: bits set: 516/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: auditor_id_rsa (80b2d48)
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug3: start over, passed a different list
> publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering public key: auditor_id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup keyboard-interactive
> debug3: remaining preferred: password
> debug3: authmethod_is_enabled keyboard-interactive
> debug1: Next authentication method: keyboard-interactive
> debug2: userauth_kbdint
> debug2: we sent a keyboard-interactive packet, wait for reply
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug3: userauth_kbdint: disable: no info_req_seen
> debug2: we did not send a packet, disable method
> debug3: authmethod_lookup password
> debug3: remaining preferred:
> debug3: authmethod_is_enabled password
> debug1: Next authentication method: password
>
> 2) module# /usr/pkg/sbin/sshd -D -d -d -d -e
> debug2: load_server_config: filename /usr/pkg/etc/ssh/sshd_config
> debug2: load_server_config: done config len = 226
> debug2: parse_server_config: config /usr/pkg/etc/ssh/sshd_config len 226
> debug1: sshd version OpenSSH_4.3p1
> debug3: Not a RSA1 key file /usr/pkg/etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug3: Not a RSA1 key file /usr/pkg/etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: rexec_argv[0]='/usr/pkg/sbin/sshd'
> debug1: rexec_argv[1]='-D'
> debug1: rexec_argv[2]='-d'
> debug1: rexec_argv[3]='-d'
> debug1: rexec_argv[4]='-d'
> debug1: rexec_argv[5]='-e'
> debug2: fd 3 setting O_NONBLOCK
> debug1: Bind to port 22 on 192.168.132.15.
> Server listening on 192.168.132.15 port 22.
> debug2: fd 4 setting O_NONBLOCK
> debug1: Bind to port 22 on 192.168.10.10.
> Server listening on 192.168.10.10 port 22.
> debug1: fd 5 clearing O_NONBLOCK
> debug1: Server will not fork when running in debugging mode.
> debug3: send_rexec_state: entering fd = 10 config len 226
> debug3: ssh_msg_send: type 0
> debug3: send_rexec_state: done
> debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 10
> debug3: recv_rexec_state: entering fd = 5
> debug3: ssh_msg_recv entering
> debug3: recv_rexec_state: done
> debug2: parse_server_config: config rexec len 226
> debug1: sshd version OpenSSH_4.3p1
> debug3: Not a RSA1 key file /usr/pkg/etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug3: Not a RSA1 key file /usr/pkg/etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: inetd sockets after dupping: 3, 3
> Connection from 192.168.10.11 port 8759
> debug1: Client protocol version 2.0; client software version OpenSSH_4.3
> debug1: match: OpenSSH_4.3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3
> debug2: fd 3 setting O_NONBLOCK
> debug3: privsep user:group 100:100
> debug1: permanently_set_uid: 100/100
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,
> rijndael-cbc at lysator.liu.se,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,
> rijndael-cbc at lysator.liu.se,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none, zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug3: mm_request_send entering: type 0
> debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
> debug3: mm_request_receive_expect entering: type 1
> debug3: mm_request_receive entering
> debug2: Network child is on pid 3358
> debug3: preauth child monitor started
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 0
> debug3: mm_answer_moduli: got parameters: 1024 1024 8192
> debug3: mm_request_send entering: type 1
> debug3: mm_choose_dh: remaining 0
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug2: dh_gen_key: priv key bits set: 129/256
> debug2: bits set: 524/1024
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug2: bits set: 495/1024
> debug3: mm_key_sign entering
> debug3: mm_request_send entering: type 4
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
> debug3: mm_request_receive_expect entering: type 5
> debug3: mm_request_receive entering
> debug2: monitor_read: 0 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 4
> debug3: mm_answer_sign
> debug3: mm_answer_sign: signature 80c7850(271)
> debug3: mm_request_send entering: type 5
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug2: monitor_read: 4 used once, disabling now
> debug3: mm_request_receive entering
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user root service ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 6
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> debug3: mm_request_receive_expect entering: type 7
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 6
> debug3: mm_answer_pwnamallow
> debug3: auth_shadow_acctexpired: today 13256 sp_expire -1 days left -13257
> debug3: account expiration disabled
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> debug3: mm_request_send entering: type 7
> debug2: monitor_read: 6 used once, disabling now
> debug3: mm_request_receive entering
> debug2: input_userauth_request: setting up authctxt for root
> debug3: mm_inform_authserv entering
> debug3: mm_request_send entering: type 3
> debug2: input_userauth_request: try method none
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 10
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 3
> debug3: mm_answer_authserv: service=ssh-connection, style=
> debug2: monitor_read: 3 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 10
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 11
> Failed none for root from 192.168.10.11 port 8759 ssh2
> debug3: mm_request_receive entering
> debug3: mm_auth_password: user not authenticated
> Failed none for root from 192.168.10.11 port 8759 ssh2
> debug1: userauth-request for user root service ssh-connection method publickey
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method publickey
> debug1: test whether pkalg/pkblob are acceptable
> debug3: mm_key_allowed entering
> debug3: mm_request_send entering: type 20
> debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
> debug3: mm_request_receive_expect entering: type 21
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 20
> debug3: mm_answer_keyallowed entering
> debug3: mm_answer_keyallowed: key_from_blob: 80c04e8
> debug1: temporarily_use_uid: 0/1 (e=0/1)
> debug1: trying public key file /home/root/.ssh/authorized_keys
> debug3: secure_filename: checking '/usr/home/root/.ssh'
> debug3: secure_filename: checking '/usr/home/root'
> debug3: secure_filename: terminating check at '/usr/home/root'
> debug3: key_read: type mismatch
> debug2: user_key_allowed: check options: 'ssh-rsa
> AAAAB3NzaC1yc2EAAAABIwAAAQEA5SXtHW7fmMWxkvjUKkB3pEygK6MkzOUejT8DCucnLJ2NT/lDdsWUR1Bz+nFmzFrcHEnP1H0+zlTEEEr
> T1StBaiWmMO1mqD/AXh7XjVylsV+7E9qcQ6OHjfYaNjSffk1hAzLokrXti0qeBbZpz8yAy4LsscxNdX97aDtDB2S9AJYoWSNVsnJJKDGYlQpHL1sK+rfezYOHfeCyBh/Ui07sF2RbPz3k59QFok5VY1EUwvM0
> LMjXOAuTl0m7PyouuU3JSr7NRu52nsyNxPLwFvK1wvqX+5dJCIJ8Z9J1peWj4o51ERvKvx7rQSG7N/q10J41IU9koPsi/sr0usLmx3ROsw==
> root at kgc
> '
> debug2: key_type_from_name: unknown key type
> 'AAAAB3NzaC1yc2EAAAABIwAAAQEA5SXtHW7fmMWxkvjUKkB3pEygK6MkzOUejT8DCucnLJ2NT/lDdsWUR1Bz+nFmzFrcHEnP1H0+zlTEEErT1St
> BaiWmMO1mqD/AXh7XjVylsV+7E9qcQ6OHjfYaNjSffk1hAzLokrXti0qeBbZpz8yAy4LsscxNdX97aDtDB2S9AJYoWSNVsnJJKDGYlQpHL1sK+rfezYOHfeCyBh/Ui07sF2RbPz3k59QFok5VY1EUwvM0LMjX
> OAuTl0m7PyouuU3JSr7NRu52nsyNxPLwFvK1wvqX+5dJCIJ8Z9J1peWj4o51ERvKvx7rQSG7N/q10J41IU9koPsi/sr0usLmx3ROsw=='
> debug3: key_read: missing keytype
> debug2: user_key_allowed: advance:
> 'AAAAB3NzaC1yc2EAAAABIwAAAQEA5SXtHW7fmMWxkvjUKkB3pEygK6MkzOUejT8DCucnLJ2NT/lDdsWUR1Bz+nFmzFrcHEnP1H0+zlTEEErT1StBaiWmMO1mq
> D/AXh7XjVylsV+7E9qcQ6OHjfYaNjSffk1hAzLokrXti0qeBbZpz8yAy4LsscxNdX97aDtDB2S9AJYoWSNVsnJJKDGYlQpHL1sK+rfezYOHfeCyBh/Ui07sF2RbPz3k59QFok5VY1EUwvM0LMjXOAuTl0m7Py
> ouuU3JSr7NRu52nsyNxPLwFvK1wvqX+5dJCIJ8Z9J1peWj4o51ERvKvx7rQSG7N/q10J41IU9koPsi/sr0usLmx3ROsw==
> root at kgc
> '
> debug1: restore_uid: 0/1
> debug2: key not found
> debug1: temporarily_use_uid: 0/1 (e=0/1)
> debug1: trying public key file /home/root/.ssh/authorized_keys2
> debug1: restore_uid: 0/1
> debug3: mm_answer_keyallowed: key 80c04e8 is disallowed
> debug3: mm_request_send entering: type 21
> debug3: mm_request_receive entering
> debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
> Failed publickey for root from 192.168.10.11 port 8759 ssh2
> debug1: userauth-request for user root service ssh-connection method
> keyboard-interactive
> debug1: attempt 2 failures 2
> debug2: input_userauth_request: try method keyboard-interactive
> debug1: keyboard-interactive devs
> debug1: auth2_challenge: user=root devs=
> debug1: kbdint_alloc: devices 'skey'
> debug2: auth2_challenge_start: devices skey
> debug2: kbdint_next_device: devices <empty>
> debug1: auth2_challenge_start: trying authentication method 'skey'
> debug3: mm_skey_query: entering
> debug3: mm_request_send entering: type 16
> debug3: mm_request_receive_expect entering: type 17
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 16
> debug3: mm_answer_skeyquery: sending challenge success: 0
> debug3: mm_request_send entering: type 17
> debug3: mm_request_receive entering
> debug3: mm_skey_query: no challenge
> Failed keyboard-interactive for root from 192.168.10.11 port 8759 ssh2
> Connection closed by 192.168.10.11
> debug1: do_cleanup
> debug1: do_cleanup
>
> 3) module# ssh -vvv -i ~/.ssh/auditor_rsa_id root at 192.168.10.11
> OpenSSH_4.3p1, OpenSSL 0.9.7i 14 Oct 2005
> debug1: Reading configuration data /usr/pkg/etc/ssh/ssh_config
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 192.168.10.11 [192.168.10.11] port 22.
> debug1: Connection established.
> debug1: permanently_set_uid: 0/1
> debug3: Not a RSA1 key file auditor_id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file auditor_id_rsa type -1
> debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
> debug1: match: OpenSSH_4.3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
> ,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
> ,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none, zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
> ,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
> ,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit: none, zlib at openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug2: dh_gen_key: priv key bits set: 143/256
> debug2: bits set: 522/1024
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug3: check_host_in_hostfile: filename /home/root/.ssh/known_hosts
> debug3: check_host_in_hostfile: match line 15
> debug1: Host '192.168.10.11' is known and matches the RSA host key.
> debug1: Found key in /home/root/.ssh/known_hosts:15
> debug2: bits set: 483/1024
> debug1: ssh_rsa_verify: signature correct
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: auditor_id_rsa (0)
> debug1: Authentications that can continue:
> publickey,password,keyboard-interactive
> debug3: start over, passed a different list
> publickey,password,keyboard-interactive
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Trying private key: auditor_id_rsa
> debug1: read PEM private key done: type RSA
> debug3: sign_and_send_pubkey
> debug2: we sent a publickey packet, wait for reply
> debug1: Authentication succeeded (publickey).
> debug2: fd 5 setting O_NONBLOCK
> debug3: fd 6 is O_NONBLOCK
> debug1: channel 0: new [client-session]
> debug3: ssh_session2_open: channel_new: 0
> debug2: channel 0: send open
> debug1: Entering interactive session.
> debug2: callback start
> debug2: client_session2_setup: id 0
> debug2: channel 0: request pty-req confirm 0
> debug3: tty_make_modes: ospeed 38400
> debug3: tty_make_modes: ispeed 38400
> debug3: tty_make_modes: 1 3
> debug3: tty_make_modes: 2 28
> debug3: tty_make_modes: 3 127
> debug3: tty_make_modes: 4 21
> debug3: tty_make_modes: 5 4
> debug3: tty_make_modes: 6 0
> debug3: tty_make_modes: 7 0
> debug3: tty_make_modes: 8 17
> debug3: tty_make_modes: 9 19
> debug3: tty_make_modes: 10 26
> debug3: tty_make_modes: 11 25
> debug3: tty_make_modes: 12 18
> debug3: tty_make_modes: 13 23
> debug3: tty_make_modes: 14 22
> debug3: tty_make_modes: 16 0
> debug3: tty_make_modes: 18 15
> debug3: tty_make_modes: 30 1
> debug3: tty_make_modes: 31 0
> debug3: tty_make_modes: 32 0
> debug3: tty_make_modes: 33 0
> debug3: tty_make_modes: 34 0
> debug3: tty_make_modes: 35 0
> debug3: tty_make_modes: 36 1
> debug3: tty_make_modes: 37 0
> debug3: tty_make_modes: 38 1
> debug3: tty_make_modes: 39 0
> debug3: tty_make_modes: 40 0
> debug3: tty_make_modes: 41 1
> debug3: tty_make_modes: 50 1
> debug3: tty_make_modes: 51 1
> debug3: tty_make_modes: 52 0
> debug3: tty_make_modes: 53 1
> debug3: tty_make_modes: 54 1
> debug3: tty_make_modes: 55 1
> debug3: tty_make_modes: 56 0
> debug3: tty_make_modes: 57 0
> debug3: tty_make_modes: 58 0
> debug3: tty_make_modes: 59 1
> debug3: tty_make_modes: 60 1
> debug3: tty_make_modes: 61 1
> debug3: tty_make_modes: 62 0
> debug3: tty_make_modes: 70 1
> debug3: tty_make_modes: 71 0
> debug3: tty_make_modes: 72 1
> debug3: tty_make_modes: 73 0
> debug3: tty_make_modes: 74 0
> debug3: tty_make_modes: 75 0
> debug3: tty_make_modes: 90 1
> debug3: tty_make_modes: 91 1
> debug3: tty_make_modes: 92 0
> debug3: tty_make_modes: 93 0
> debug2: channel 0: request shell confirm 0
> debug2: fd 3 setting TCP_NODELAY
> debug2: callback done
> debug2: channel 0: open confirm rwindow 0 rmax 32768
> debug2: channel 0: rcvd adjust 131072
> Last login: Tue Apr 18 17:44:32 2006 from 192.168.10.10
>
> 4) kdc# /usr/pkg/sbin/sshd -D -d -d -d -e
> debug2: load_server_config: filename /usr/pkg/etc/ssh/sshd_config
> debug2: load_server_config: done config len = 247
> debug2: parse_server_config: config /usr/pkg/etc/ssh/sshd_config len 247
> debug1: sshd version OpenSSH_4.3p1
> debug3: Not a RSA1 key file /usr/pkg/etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug3: Not a RSA1 key file /usr/pkg/etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: rexec_argv[0]='/usr/pkg/sbin/sshd'
> debug1: rexec_argv[1]='-D'
> debug1: rexec_argv[2]='-d'
> debug1: rexec_argv[3]='-d'
> debug1: rexec_argv[4]='-d'
> debug1: rexec_argv[5]='-e'
> debug2: fd 3 setting O_NONBLOCK
> debug1: Bind to port 22 on 172.16.2.11.
> Server listening on 172.16.2.11 port 22.
> debug2: fd 4 setting O_NONBLOCK
> debug1: Bind to port 22 on 10.1.1.11.
> Server listening on 10.1.1.11 port 22.
> debug2: fd 5 setting O_NONBLOCK
> debug1: Bind to port 22 on 192.168.10.11.
> Server listening on 192.168.10.11 port 22.
> debug1: fd 6 clearing O_NONBLOCK
> debug1: Server will not fork when running in debugging mode.
> debug3: send_rexec_state: entering fd = 11 config len 247
> debug3: ssh_msg_send: type 0
> debug3: send_rexec_state: done
> debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 11
> debug3: recv_rexec_state: entering fd = 5
> debug3: ssh_msg_recv entering
> debug3: recv_rexec_state: done
> debug2: parse_server_config: config rexec len 247
> debug1: sshd version OpenSSH_4.3p1
> debug3: Not a RSA1 key file /usr/pkg/etc/ssh/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug3: Not a RSA1 key file /usr/pkg/etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: inetd sockets after dupping: 3, 3
> Connection from 192.168.10.10 port 8302
> debug1: Client protocol version 2.0; client software version OpenSSH_4.3
> debug1: match: OpenSSH_4.3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3
> debug2: fd 3 setting O_NONBLOCK
> debug3: privsep user:group 22:22
> debug1: permanently_set_uid: 22/22
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,
> rijndael-cbc at lysator.liu.se,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,
> rijndael-cbc at lysator.liu.se,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit: none,zlib at openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none, zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug2: Network child is on pid 16691
> debug3: preauth child monitor started
> debug3: mm_request_receive entering
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug3: mm_request_send entering: type 0
> debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
> debug3: mm_request_receive_expect entering: type 1
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 0
> debug3: mm_answer_moduli: got parameters: 1024 1024 8192
> debug3: mm_request_send entering: type 1
> debug3: mm_choose_dh: remaining 0
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug2: dh_gen_key: priv key bits set: 135/256
> debug2: bits set: 518/1024
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug2: monitor_read: 0 used once, disabling now
> debug3: mm_request_receive entering
> debug2: bits set: 547/1024
> debug3: mm_key_sign entering
> debug3: mm_request_send entering: type 4
> debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
> debug3: mm_request_receive_expect entering: type 5
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 4
> debug3: mm_answer_sign
> debug3: mm_answer_sign: signature 80c7860(271)
> debug3: mm_request_send entering: type 5
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug2: kex_derive_keys
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: monitor_read: 4 used once, disabling now
> debug3: mm_request_receive entering
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user root service ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 6
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
> debug3: mm_request_receive_expect entering: type 7
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 6
> debug3: mm_answer_pwnamallow
> debug3: auth_shadow_acctexpired: today 13256 sp_expire -1 days left -13257
> debug3: account expiration disabled
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
> debug3: mm_request_send entering: type 7
> debug2: input_userauth_request: setting up authctxt for root
> debug3: mm_inform_authserv entering
> debug3: mm_request_send entering: type 3
> debug2: input_userauth_request: try method none
> debug3: mm_auth_password entering
> debug3: mm_request_send entering: type 10
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_receive entering
> debug2: monitor_read: 6 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 3
> debug3: mm_answer_authserv: service=ssh-connection, style=
> debug2: monitor_read: 3 used once, disabling now
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 10
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_send entering: type 11
> debug3: mm_auth_password: user not authenticated
> Failed none for root from 192.168.10.10 port 8302 ssh2
> Failed none for root from 192.168.10.10 port 8302 ssh2
> debug3: mm_request_receive entering
> debug1: userauth-request for user root service ssh-connection method publickey
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method publickey
> debug3: mm_key_allowed entering
> debug3: mm_request_send entering: type 20
> debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
> debug3: mm_request_receive_expect entering: type 21
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 20
> debug3: mm_answer_keyallowed entering
> debug3: mm_answer_keyallowed: key_from_blob: 80c0510
> debug1: temporarily_use_uid: 0/1 (e=0/1)
> debug1: trying public key file /home/root/.ssh/authorized_keys
> debug3: secure_filename: checking '/home/root/.ssh'
> debug3: secure_filename: checking '/home/root'
> debug3: secure_filename: terminating check at '/home/root'
> debug1: matching key found: file /home/root/.ssh/authorized_keys, line 1
> Found matching RSA key: 36:55:cf:41:48:e0:d5:71:f4:34:95:b9:da:72:65:a6
> debug1: restore_uid: 0/1
> debug3: mm_answer_keyallowed: key 80c0510 is allowed
> debug3: mm_request_send entering: type 21
> debug3: mm_key_verify entering
> debug3: mm_request_send entering: type 22
> debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY
> debug3: mm_request_receive_expect entering: type 23
> debug3: mm_request_receive entering
> debug3: mm_request_receive entering
> debug3: monitor_read: checking request 22
> debug1: ssh_rsa_verify: signature correct
> debug3: mm_answer_keyverify: key 80c04b0 signature verified
> debug3: mm_request_send entering: type 23
> debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa
> Accepted publickey for root from 192.168.10.10 port 8302 ssh2
> debug3: mm_send_keystate: Sending new keys: 80be778 80c7a88
> debug3: mm_newkeys_to_blob: converting 80be778
> debug3: mm_newkeys_to_blob: converting 80c7a88
> debug3: mm_send_keystate: New keys have been sent
> debug3: mm_send_keystate: Sending compression state
> debug3: mm_request_send entering: type 24
> debug3: mm_send_keystate: Finished sending state
> Accepted publickey for root from 192.168.10.10 port 8302 ssh2
> debug1: monitor_child_preauth: root has been authenticated by privileged process
> debug3: mm_get_keystate: Waiting for new keys
> debug3: mm_request_receive_expect entering: type 24
> debug3: mm_request_receive entering
> debug3: mm_newkeys_from_blob: 80c7860(118)
> debug2: mac_init: found hmac-md5
> debug3: mm_get_keystate: Waiting for second key
> debug3: mm_newkeys_from_blob: 80c7860(118)
> debug2: mac_init: found hmac-md5
> debug3: mm_get_keystate: Getting compression state
> debug3: mm_get_keystate: Getting Network I/O buffers
> debug3: mm_share_sync: Share sync
> debug3: mm_share_sync: Share sync end
> debug2: set_newkeys: mode 0
> debug2: set_newkeys: mode 1
> debug1: Entering interactive session for SSH2.
> debug2: fd 4 setting O_NONBLOCK
> debug2: fd 5 setting O_NONBLOCK
> debug1: server_init_dispatch_20
> debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
> debug1: input_session_request
> debug1: channel 0: new [server-session]
> debug1: session_new: init
> debug1: session_new: session 0
> debug1: session_open: channel 0
> debug1: session_open: session 0: link with channel 0
> debug1: server_input_channel_open: confirm session
> debug1: server_input_channel_req: channel 0 request pty-req reply 0
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req pty-req
> debug1: Allocating pty.
> debug1: session_pty_req: session 0 alloc /dev/pts/1
> debug3: tty_parse_modes: SSH2 n_bytes 266
> debug3: tty_parse_modes: ospeed 38400
> debug3: tty_parse_modes: ispeed 38400
> debug3: tty_parse_modes: 1 3
> debug3: tty_parse_modes: 2 28
> debug3: tty_parse_modes: 3 127
> debug3: tty_parse_modes: 4 21
> debug3: tty_parse_modes: 5 4
> debug3: tty_parse_modes: 6 0
> debug3: tty_parse_modes: 7 0
> debug3: tty_parse_modes: 8 17
> debug3: tty_parse_modes: 9 19
> debug3: tty_parse_modes: 10 26
> debug3: tty_parse_modes: 11 25
> debug3: tty_parse_modes: 12 18
> debug3: tty_parse_modes: 13 23
> debug3: tty_parse_modes: 14 22
> debug3: tty_parse_modes: 16 0
> debug3: tty_parse_modes: 18 15
> debug3: tty_parse_modes: 30 1
> debug3: tty_parse_modes: 31 0
> debug3: tty_parse_modes: 32 0
> debug3: tty_parse_modes: 33 0
> debug3: tty_parse_modes: 34 0
> debug3: tty_parse_modes: 35 0
> debug3: tty_parse_modes: 36 1
> debug3: tty_parse_modes: 37 0
> debug3: tty_parse_modes: 38 1
> debug3: tty_parse_modes: 39 0
> debug3: tty_parse_modes: 40 0
> debug3: tty_parse_modes: 41 1
> debug3: tty_parse_modes: 50 1
> debug3: tty_parse_modes: 51 1
> debug3: tty_parse_modes: 52 0
> debug3: tty_parse_modes: 53 1
> debug3: tty_parse_modes: 54 1
> debug3: tty_parse_modes: 55 1
> debug3: tty_parse_modes: 56 0
> debug3: tty_parse_modes: 57 0
> debug3: tty_parse_modes: 58 0
> debug3: tty_parse_modes: 59 1
> debug3: tty_parse_modes: 60 1
> debug3: tty_parse_modes: 61 1
> debug3: tty_parse_modes: 62 0
> debug3: tty_parse_modes: 70 1
> debug3: tty_parse_modes: 71 0
> debug3: tty_parse_modes: 72 1
> debug3: tty_parse_modes: 73 0
> debug3: tty_parse_modes: 74 0
> debug3: tty_parse_modes: 75 0
> debug3: tty_parse_modes: 90 1
> debug3: tty_parse_modes: 91 1
> debug3: tty_parse_modes: 92 0
> debug3: tty_parse_modes: 93 0
> debug1: server_input_channel_req: channel 0 request shell reply 0
> debug1: session_by_channel: session 0 channel 0
> debug1: session_input_channel_req: session 0 req shell
> debug2: fd 3 setting TCP_NODELAY
> debug2: fd 7 setting O_NONBLOCK
> debug3: fd 6 is O_NONBLOCK
> debug1: Received SIGCHLD.
> debug1: session_by_pid: pid 16693
> debug1: session_exit_message: session 0 channel 0 pid 16693
> debug2: channel 0: request exit-status confirm 0
> debug1: session_exit_message: release channel 0
> debug2: channel 0: write failed
> debug2: channel 0: close_write
> debug2: channel 0: output open -> closed
> debug1: session_pty_cleanup: session 0 release /dev/pts/1
> debug2: notify_done: reading
> debug2: channel 0: read<=0 rfd 7 len 0
> debug2: channel 0: read failed
> debug2: channel 0: close_read
> debug2: channel 0: input open -> drain
> debug2: channel 0: ibuf empty
> debug2: channel 0: send eof
> debug2: channel 0: input drain -> closed
> debug2: channel 0: send close
> debug3: channel 0: will not send data after close
> debug2: channel 0: rcvd close
> debug3: channel 0: will not send data after close
> debug2: channel 0: is dead
> debug2: channel 0: gc: notify user
> debug1: session_by_channel: session 0 channel 0
> debug1: session_close_by_channel: channel 0 child 0
> debug1: session_close: session 0 pid 0
> debug2: channel 0: gc: user detached
> debug2: channel 0: is dead
> debug2: channel 0: garbage collecting
> debug1: channel 0: free: server-session, nchannels 1
> debug3: channel 0: status: The following connections are open:
>   #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)
>
> debug3: channel 0: close_fds r -1 w -1 e -1 c -1
> Connection closed by 192.168.10.10
> debug1: do_cleanup
> Closing connection to 192.168.10.10
>
>
> --
> Truly yours, Mikhail Manuilov
>
> Mail Delivery System <MAILER-DAEMON at mindrot.org>:
> This is the Postfix program at host mail.mindrot.org.
>
> I'm sorry to have to inform you that your message could not
> be delivered to one or more recipients. It's attached below.
>
> For further assistance, please send mail to <postmaster>
>
> If you do so, please include this problem report. You can
> delete your own text from the attached returned message.
>
>                        The Postfix program
>
> <openssh-unix-dev-tmda at mindrot.org> (expanded from <openssh-unix-dev-tmda>):
>    permission denied. Command output:  The message that you sent to
>    openssh-unix-dev looks like HTML. HTML mail to openssh-unix-dev is not
>    permitted. Please resend your message as plain text.  procmail: Error while
>    writing to "/etc/postfix/htmltrap.sh"
>
>
> Final-Recipient: rfc822; openssh-unix-dev-tmda at mindrot.org
> Original-Recipient: rfc822; openssh-unix-dev-tmda
> Action: failed
> Status: 5.0.0
> Diagnostic-Code: X-Postfix; permission denied. Command output:  The message
>    that you sent to openssh-unix-dev looks like HTML. HTML mail to
>    openssh-unix-dev is not permitted. Please resend your message as plain
>    text.  procmail: Error while writing to "/etc/postfix/htmltrap.sh"
>
>
>
> ---------- Forwarded message ----------
> From: "Mikhail Manuylov" <mikhail.manuilov at gmail.com>
> To: openssh-unix-dev at mindrot.org
> Date: Fri, 21 Apr 2006 13:55:34 +0400
> Subject: Solaris 8 x86 rsa pubkey auth problem
> Hello,
>
> I got some weird problem with public key authentication using rsa key pair.
>
> Let me first of all explain my setup.
>
> 1) I got two Solaris 8 x86 boxes
> uname -a
> SunOS 5.8 Generic_117351-24 i86pc i386 i86pc
>
> <kdc: 192.168.10.11> <---> <module: 192.168.10.10>
>
> 2) They're running absolutely identical openssh installations
> I'm using pkgsrc, so I've built all necessary packages from two days
> old pkgsrc sources
> on one of the boxes and installed the same binaries on second
> OpenSSH_4.3p1, OpenSSL 0.9.7i 14 Oct 2005
>
> 3) The only difference in their setup is that 'kdc' is an Intel P4 box,
> and module is a P3 box.
>
> I've generated rsa key pair via ssh-keygen, and placed public part of
> it into /home/root/.ssh/authorized_keys
> on both computers.
>
> The problem:
>
> I can't log into any (not only to module) computer running the same
> version of sshd (and of course user holding the same public key)
> using 'kdc', pubkey authentication fails and ssh pops password prompt
> up. Pubkey authentication with that key works flawlessly with any
> other direction even when  'module' connecting to 'kdc'.
>
> How I can help debugging this problem:
>
> I've supplied debug output of both ssh and sshd from two cases:
> 1) 'module' authenticating on 'kdc' ( works ok )
> 2) 'kdc' authenticating on  'module' ( pubkey failed )
>
> I've already compiled gdb and openssh with debug info. I've also
> started two debug sshd yesterday, but due to my not so cool knowledge of
> openssh sources and maybe schema of forking and privilege separation I
> still can't reach user_key_allowed function.
>
> Thank you for your great work. And thanks for help beforehand.
>
> Here's debug output:
>
> 1) kdc# ssh -vvv -i ~/.ssh/auditor_rsa_id root at 192.168.10.10
> OpenSSH_4.3p1, OpenSSL 0.9.7i 14 Oct 2005
> debug1: Reading configuration data /usr/pkg/etc/ssh/ssh_config
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 192.168.10.10 [ 192.168.10.10] port 22.
> debug1: Connection established.
> debug1: permanently_set_uid: 0/1
> debug3: Not a RSA1 key file auditor_id_rsa.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug3: key_read: missing keytype
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug3: key_read: missing whitespace
> debug2: key_type_from_name: unknown key type '-----END'
> debug3: key_read: missing keytype
> debug1: identity file auditor_id_rsa type 2
> debug1: Remote protocol version 2.0 , remote software version OpenSSH_4.3
> debug1: match: OpenSSH_4.3 pat OpenSSH*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_4.3
> debug2: fd 3 setting O_NONBLOCK
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,
> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
> debug2: kex_parse_kexinit: none, zlib at openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit:
> diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
> ,aes12
> 8-ctr,aes192-ctr,aes256-ctr
> debug2: kex_parse_kexinit:
> aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes
>
> --
> Truly yours, Mikhail Manuilov
>


--
Truly yours, Mikhail Manuilov
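
A check for the condition this message describes, where the client silently picks up a stale `.pub` file sitting next to the private key given with `-i`. This is an added example, not OpenSSH code and not part of the original post. The function names, the PEM-header mapping and the sample key lines are assumptions constructed for illustration; the numeric type mapping is taken from the sshd debug lines quoted above.

```python
import base64
import re
import struct

# Legacy PEM header -> SSH algorithm name (assumed mapping for this example).
PEM_TYPES = {
    "-----BEGIN RSA PRIVATE KEY-----": "ssh-rsa",
    "-----BEGIN DSA PRIVATE KEY-----": "ssh-dss",
}
# Numeric key types as printed in the debug output quoted in this thread
# ("private host key: #0 type 1 RSA", "#1 type 2 DSA").
DEBUG_TYPES = {1: "ssh-rsa", 2: "ssh-dss"}


def private_key_type(pem_text):
    """Algorithm implied by the first non-blank line of a PEM private key."""
    for line in pem_text.splitlines():
        if line.strip():
            return PEM_TYPES.get(line.strip())
    return None


def public_key_type(pub_line):
    """Return the algorithm name embedded in a 'type base64 [comment]' line."""
    fields = pub_line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if length > len(blob) - 4:
        raise ValueError("type length exceeds blob")
    embedded = blob[4:4 + length].decode("ascii")
    if embedded != fields[0]:
        raise ValueError("declared type %r != embedded %r" % (fields[0], embedded))
    return embedded


def identity_types_from_log(log_text):
    """Map identity file name -> algorithm from 'ssh -v' output lines."""
    found = {}
    for m in re.finditer(r"identity file (\S+) type (-?\d+)", log_text):
        found[m.group(1)] = DEBUG_TYPES.get(int(m.group(2)))
    return found


def sidecar_mismatch(pem_text, pub_line):
    """True when the .pub file advertises a different algorithm than the private key."""
    priv = private_key_type(pem_text)
    return priv is not None and priv != public_key_type(pub_line)


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


# Constructed samples (not real key material).
SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_STALE_PUB = "ssh-dss " + base64.b64encode(
    _ssh_string(b"ssh-dss") + _ssh_string(b"\x01")).decode() + " constructed"
SAMPLE_GOOD_PUB = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")).decode() + " constructed"
# Line taken from the client debug output quoted above.
SAMPLE_LOG = "debug1: identity file auditor_id_rsa type 2\n"

if __name__ == "__main__":
    print(sidecar_mismatch(SAMPLE_PEM, SAMPLE_STALE_PUB))
    print(identity_types_from_log(SAMPLE_LOG))
```

Comparing the type reported on the client's "identity file" line with the private key's PEM header is enough to spot the mismatch that the debug output otherwise never names.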



