From: aheinecke at gnupg.org (Andre Heinecke)
Date: Wed, 05 Oct 2016 21:32:36 +0200
Subject: Socket forwarding with non existent remote directories
Message-ID: <2673044.fTjt0GCvxU@esus>

Hi openssh dev's,

I love and truly appreciate the Socket forwarding feature in OpenSSH 6.7.
I use it for forwarding the socket of GnuPG's agent (that handles the
secret stuff) to remote machines.

Usecase:
======

I am a remote worker and use gnupg agent forwarding to connect to our
company infrastructure that makes heavy use of PGP encryption while
keeping my key out of the hands of the company on a personal smartcard
that is connected to my local system.

Problem
=====

Now with GnuPG 2.1.13 the socket directory changed from ~/.gnupg to
/run/user//gnupg on systems where /run/user/ exists, to better
accommodate systemd.

I now have the problem that my config line:

RemoteForward /var/run/user/10118/gnupg/S.gpg-agent /home/aheinecke/.gnupg/S.gpg-agent.extra

Does not work if /var/run/user/10118/gnupg/ does not exist. OpenSSH does
not create the directory and fails to forward the socket.

That it does not exist is the usual case because systemd cleans up this
directory on logout if no processes exist that are still accessing it.

There are of course workarounds like creating that directory before the
agent forwarding connection but they are workarounds and I'd like to
have this working smoothly. The gpg-agent forwarding is an awesome
feature for us. (I documented it under https://wiki.gnupg.org/AgentForwarding)

In my opinion OpenSSH should create the parent directories of
RemoteForwarded files if possible. Maybe as a configuration option?
Do you agree? Or do you think that some other software component in this
setup is behaving wrongly?

Regards,
Andre

--
Andre Heinecke | ++49-541-335083-262 | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Wed, 05 Oct 2016 18:31:33 -0400
Subject: Socket forwarding with non existent remote directories
In-Reply-To: <2673044.fTjt0GCvxU@esus>
References: <2673044.fTjt0GCvxU@esus>
Message-ID: <87int65sxm.fsf@alice.fifthhorseman.net>

On Wed 2016-10-05 15:32:36 -0400, Andre Heinecke wrote:
> In my opinion OpenSSH should create the parent directories of
> RemoteForwarded files if possible. Maybe as a configuration option?
> Do you agree?

fwiw, i think this would be useful. I could probably help Andre
assemble a patch if there's no objection to the idea.

--dkg
From: jmknoble at pobox.com (Jim Knoble)
Date: Wed, 5 Oct 2016 22:50:04 -0700
Subject: Socket forwarding with non existent remote directories
In-Reply-To: <87int65sxm.fsf@alice.fifthhorseman.net>
References: <2673044.fTjt0GCvxU@esus> <87int65sxm.fsf@alice.fifthhorseman.net>
Message-ID:

I'm not familiar enough with the syntax of RemoteForward to know which is
the local socket and which the remote one, but if it's the remote end's
directory that doesn't exist, that can be harder. Edge cases like:

- The containing file system usually exists, but is not mounted at the
  time of login.
- There is an error in expansion of the value (for example, the user's
  home directory was inadvertently reset in /etc/passwd, or the service
  that backs it gave a bad answer).
- The directory exists, but cannot be stat()ed due to permissions (e.g.,
  /var/run/user is mode 0111).

Should sshd attempt to create the containing directory in those cases?

Perhaps a better approach would be to find a way to use PAM or login
scripts to create the needed directory where appropriate?

--
jim knoble

> On Oct 5, 2016, at 15:31, Daniel Kahn Gillmor wrote:
>
>> On Wed 2016-10-05 15:32:36 -0400, Andre Heinecke wrote:
>> In my opinion OpenSSH should create the parent directories of
>> RemoteForwarded files if possible. Maybe as a configuration option?
>> Do you agree?
>
> fwiw, i think this would be useful. I could probably help Andre
> assemble a patch if there's no objection to the idea.
>
> --dkg
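The parent-directory step this thread is weighing, as an added example that is neither from the thread nor from OpenSSH: it derives the containing directory with dirname() on a writable copy, creates it mode 0700 (one level only, the /run/user/<uid>/gnupg case), and then checks with lstat() what is actually there, so an ancestor that cannot be stat()ed, a symlink, or a directory owned by another user is reported instead of used. The function and result-code names and the scratch-tree demo helpers are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result codes (my names, not OpenSSH's). */
enum {
	PARENT_OK = 0,
	PARENT_ERR_MKDIR,   /* mkdir failed for a reason other than EEXIST */
	PARENT_ERR_STAT,    /* lstat failed, e.g. an unreadable mode-0111 ancestor */
	PARENT_ERR_NOTDIR,  /* a non-directory sits where the directory should be */
	PARENT_ERR_SYMLINK, /* a symlink sits there: refuse to follow it */
	PARENT_ERR_OWNER    /* the directory belongs to another uid */
};

/* Create (one level only) and vet the directory that will hold the
 * unix socket `path`; the thread's case is /run/user/<uid>/gnupg. */
int ensure_socket_parent(const char *path, char *err, size_t errlen)
{
	char *copy, *parent;
	struct stat st;
	int rc = PARENT_OK;
	/* dirname() may modify its argument, so hand it a writable copy. */
	if ((copy = strdup(path)) == NULL) {
		snprintf(err, errlen, "strdup: %s", strerror(errno));
		return PARENT_ERR_MKDIR;
	}
	parent = dirname(copy);
	/* 0700 like ~/.gnupg; whatever already exists is vetted below. */
	if (mkdir(parent, 0700) != 0 && errno != EEXIST) {
		snprintf(err, errlen, "mkdir(%s): %s", parent, strerror(errno));
		rc = PARENT_ERR_MKDIR;
	} else if (lstat(parent, &st) != 0) { /* lstat: never follow a link */
		snprintf(err, errlen, "lstat(%s): %s", parent, strerror(errno));
		rc = PARENT_ERR_STAT;
	} else if (S_ISLNK(st.st_mode)) {
		snprintf(err, errlen, "%s is a symlink", parent);
		rc = PARENT_ERR_SYMLINK;
	} else if (!S_ISDIR(st.st_mode)) {
		snprintf(err, errlen, "%s is not a directory", parent);
		rc = PARENT_ERR_NOTDIR;
	} else if (st.st_uid != getuid()) {
		snprintf(err, errlen, "%s is owned by uid %ld, not %ld",
		    parent, (long)st.st_uid, (long)getuid());
		rc = PARENT_ERR_OWNER;
	} else
		err[0] = '\0';
	free(copy);
	return rc;
}

/* Scratch tree under /tmp holding the socket path from the thread. */
static int make_scratch(char *base, char *sock, size_t socklen)
{
	strcpy(base, "/tmp/sockparentXXXXXX");
	if (mkdtemp(base) == NULL)
		return -1;
	snprintf(sock, socklen, "%s/gnupg/S.gpg-agent", base);
	return 0;
}

/* First call creates gnupg/ with mode 0700; the second just accepts it. */
int demo_create_then_reuse(void)
{
	char base[64], sock[128], dir[128], err[256];
	struct stat st;
	int rc1, rc2;
	if (make_scratch(base, sock, sizeof(sock)) != 0)
		return -1;
	rc1 = ensure_socket_parent(sock, err, sizeof(err));
	rc2 = ensure_socket_parent(sock, err, sizeof(err));
	snprintf(dir, sizeof(dir), "%s/gnupg", base);
	if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode) || (st.st_mode & 0777) != 0700)
		return -2;
	rmdir(dir);
	rmdir(base);
	return (rc1 == PARENT_OK && rc2 == PARENT_OK) ? 0 : -3;
}

/* A symlink planted where gnupg/ should be is reported, never followed. */
int demo_refuses_symlink(void)
{
	char base[64], sock[128], lnk[128], err[256];
	int rc;
	if (make_scratch(base, sock, sizeof(sock)) != 0)
		return -1;
	snprintf(lnk, sizeof(lnk), "%s/gnupg", base);
	if (symlink("/tmp", lnk) != 0)
		return -2;
	rc = ensure_socket_parent(sock, err, sizeof(err));
	unlink(lnk);
	rmdir(base);
	return rc;
}
```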
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Thu, 06 Oct 2016 14:56:51 -0400
Subject: Socket forwarding with non existent remote directories
In-Reply-To:
References: <2673044.fTjt0GCvxU@esus> <87int65sxm.fsf@alice.fifthhorseman.net>
Message-ID: <87y421487g.fsf@alice.fifthhorseman.net>

On Thu 2016-10-06 00:57:02 -0400, Jim Knoble wrote:
> I'm not familiar enough with the syntax of RemoteForward to know which is the local socket and which the remote one, but if it's the remote end's directory that doesn't exist, that can be harder. Edge cases like:
>
> - The containing file system usually exists, but is not mounted at the time of login.
> - There is an error in expansion of the value (for example, the user's home directory was inadvertently reset in /etc/passwd, or the service that backs it gave a bad answer).
> - The directory exists, but cannot be stat()ed due to permissions (e.g., /var/run/user is mode 0111).
>
> Should sshd attempt to create the containing directory in those cases?

Currently, i think sshd tries to create the socket (as the non-priv
user), and if that fails it gives up.

I think sshd could first try to create the containing directory (as the
non-priv user, of course), and ignore any failures. It would then
proceed as it currently does.

In Andre's case, systemd's PAM session hooks create /run/user/, but he
wants to forward a socket to /run/user//gnupg/S.gpg-agent.

Arguably, the most "correct" fix would be to recursively try to create
every directory component in the tree, but Andre's case would be handled
just by creating one level of directory.

For example, consider this simple (but untested) patch:

diff --git a/misc.c b/misc.c
index 9421b4d..a85caca 100644
--- a/misc.c
+++ b/misc.c
@@ -1153,6 +1153,7 @@ unix_listener(const char *path, int backlog, int unlink_first)
 {
 	struct sockaddr_un sunaddr;
 	int saved_errno, sock;
+	const char *parentdir;
 
 	memset(&sunaddr, 0, sizeof(sunaddr));
 	sunaddr.sun_family = AF_UNIX;
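Review bot: `parentdir` is declared `const char *` here, but the following hunk assigns it from `basename(path)`, which is the wrong function for the stated purpose (for `/run/user/10118/gnupg/S.gpg-agent` it returns `S.gpg-agent`, so the mkdir would create a directory named after the socket in the current working directory instead of `/run/user/10118/gnupg`), and both `basename()` and `dirname()` may modify their argument, which the `const char *path` is not writable for. Declare a writable copy instead, e.g. `char *tmp = xstrdup(path);`, pass it to `dirname()`, use the result for the mkdir, and `free(tmp)` afterwards; `<libgen.h>` also needs to be included.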
@@ -1174,6 +1175,9 @@ unix_listener(const char *path, int backlog, int unlink_first)
 		if (unlink(path) != 0 && errno != ENOENT)
 			error("unlink(%s): %.100s", path, strerror(errno));
 	}
+	parentdir = basename(path);
+	if (mkdir(parentdir, 0700) != 0 && errno != EEXIST)
+		error("mkdir(%s): %.100s", parentdir, strerror(errno));
 	if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
 		saved_errno = errno;
 		error("bind: %.100s", strerror(errno));

> Perhaps a better approach would be to find a way to use PAM or login
> scripts to create the needed directory where appropriate?

i don't think login scripts would do the trick; users might forward
sockets without initiating a login session, right? So it'd have to be
PAM if you take this route. But having to twiddle your pam stack for
each new sub-directory you want seems like not a great process.

--dkg

From: alukardd at alukardd.org (Alexey)
Date: Mon, 10 Oct 2016 15:56:35 +0300
Subject: Support Capabilities for ssh client port forwarding
Message-ID: <07c5e8aa3a8de890bd0b3668c829948e@alukardd.org>

Hello.

I think openssh-client should allow using port forwarding not only for
the root user. CAP_NET_BIND_SERVICE is enough to use privileged ports.

I did a patch for myself, but I think that you could improve it and apply
it to master.

--- openssh-7.3p1.orig/readconf.c
+++ openssh-7.3p1/readconf.c
@@ -15,6 +15,7 @@
 #include "includes.h"
 
 #include
+#include
 #include
 #include
 #include
@@ -327,7 +328,16 @@ add_local_forward(Options *options, cons
 	extern uid_t original_real_uid;
 	int i;
 
+	cap_flag_value_t cap_flag_value_e, cap_flag_value_p;
+	cap_t caps;
+
+	caps = cap_get_proc();
+	cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_EFFECTIVE, &cap_flag_value_e);
+	cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_PERMITTED, &cap_flag_value_p);
+
 	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
+	    (cap_flag_value_e != CAP_SET || cap_flag_value_p != CAP_SET) &&
 	    newfwd->listen_path == NULL)
 		fatal("Privileged ports can only be forwarded by root.");
 	/* Don't add duplicates */
--- openssh-7.3p1.orig/configure.ac
+++ openssh-7.3p1/configure.ac
@@ -775,6 +775,9 @@ main() { if (NSVersionOfRunTimeLibrary("
 	use_pie=auto
 	check_for_libcrypt_later=1
 	check_for_openpty_ctty_bug=1
+	# libcap
+	# use capabilities
+	LIBS="$LIBS -lcap"
 	AC_DEFINE([PAM_TTY_KLUDGE], [1],
 		[Work around problematic Linux PAM modules handling of PAM_TTY])
 	AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],

And specify one more build dependency: libcap-dev.

Regards,
Alexey Mochkin.
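Review bot: in the readconf.c hunk none of the libcap calls are checked: `cap_get_proc()` can return NULL, after which `cap_get_flag()` fails and `cap_flag_value_e`/`cap_flag_value_p` are compared while uninitialised, and the `cap_t` is never released with `cap_free()`, so every `add_local_forward()` call leaks it. Initialise both flags to `CAP_CLEAR`, treat a failing `cap_get_proc()` or `cap_get_flag()` as "capability absent", and free `caps` before the `if`. The block also needs a build-time guard (for example `#ifdef HAVE_LIBCAP`), because readconf.c is compiled on platforms that have no libcap header.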
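Review bot: the configure.ac hunk appends `-lcap` to `LIBS` unconditionally, so every build that passes through this case hard-requires libcap (the extra `libcap-dev` dependency named in the mail) even where the library is absent or the feature is unwanted. Probe for it instead, e.g. `AC_CHECK_HEADERS([sys/capability.h])` and `AC_CHECK_LIB([cap], [cap_get_proc])`, and make the readconf.c change depend on the resulting define.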
From: jjelen at redhat.com (Jakub Jelen)
Date: Tue, 11 Oct 2016 15:02:16 +0200
Subject: Wanted: smartcard with ECDSA support
In-Reply-To:
References:
Message-ID: <2418133b-3f20-5eac-24b0-bf6b3f943bef@redhat.com>

On 03/31/2015 11:23 AM, Thomas Calderon wrote:
> Hi list,
>
> I have no idea if Damien Miller had the time to work on that.
>
> I have an initial patch to authenticate using PKCS#11 and ECDSA keys.
> This requires OpenSSL 1.0.2, prior OpenSSL versions do not expose the
> required interfaces to override the signature function pointer for ECDSA.
> The only limitation is that the OpenSSL API misses some cleanup function
> (finish, for instance), hence I have yet to find a way to properly free the
> PKCS#11 resources.
>
> Is this a contribution you might be interested in?

Hello list,
sorry for pulling such an old thread up. But I recently moved into the
smartcard waters and I found the missing functionality of ECDSA keys
quite unfortunate.

I have access to the PIV Test cards by NIST [1] so I can work on this
functionality. As far as I remember, both of the patches hanging around
[2] [3] were working to some extent, but in other exposed some non-ideal
behavior and were not adhering to the best practices of PKCS#11 [4],
which I found quite useful when implementing some other tool
communicating over PKCS#11.

But before starting to invest time into these improvements, I would like
to see if there is some progress in upstream OpenSSH, a way to test (or
if the ECDSA cards donation request is still an actual blocker) and
willingness to accept this feature (and possibly other PKCS#11 related).

[1] http://csrc.nist.gov/groups/SNS/piv/testcards.html
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2474
[3] https://ambientworks.net/ecdsa-ssh.txt
[4] https://wiki.oasis-open.org/pkcs11/CommonBugs

Regards,
--
Jakub Jelen
Security Technologies
Red Hat
From: tnmy44 at gmail.com (Tanmay Tiwari)
Date: Fri, 14 Oct 2016 21:57:26 +0530
Subject: feature addition to openssh_client: Specification of source port
Message-ID:

Hello

*Feature*: Specification of local port when initiating a ssh connection
using ssh client (and optionally specification of local address/interface)

Many people approach me for patching their openssh installation to allow
specification of source port when using ssh client. Mostly the reason is
they are using a source port based firewall.

I think it would be good to have the feature in the main branch of openssh.
Specifying local port is a rather basic feature for a network related
application.

I am willing to work on the feature (It's a 50-line patch anyway).

What are the reasons it hasn't been added yet? And should it be added to
master?
From: djm at mindrot.org (Damien Miller)
Date: Mon, 17 Oct 2016 10:40:00 +1100 (AEDT)
Subject: feature addition to openssh_client: Specification of source port
In-Reply-To:
References:
Message-ID:

On Fri, 14 Oct 2016, Tanmay Tiwari wrote:

> Hello
>
> *Feature*: Specification of local port when initiating a ssh connection
> using ssh client (and optionally specification of local address/interface)
>
> Many people approach me for patching their openssh installation to allow
> specification of source port when using ssh client. Mostly the reason is
> they are using a source port based firewall.

Are these still a thing? Source port based filtering is pretty 1990s...

> I think it would be good to have the feature in the main branch of openssh.
> Specifying local port is a rather basic feature for a network related
> application.
>
> I am willing to work on the feature (It's a 50-line patch anyway).

I don't think this warrants a separate option, so you'd maximise your
chances of getting it in if it was implemented as adding an optional
port to BindAddress, e.g.

BindAddress *:2222
BindAddress [::]:2222
BindAddress 192.20.123.45:2222

> What are the reasons it hasn't been added yet? And should it be added to
> master?

AFAIK nobody has ever asked before. Basing your patch off master would
make it easiest to merge. Once you have something please file a bug and
attach a patch to https://bugzilla.mindrot.org/

-d
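The BindAddress syntax suggested above, parsed as an added example (not OpenSSH code): it accepts the three forms listed, keeps a plain address without a port working as today, and does not mistake an unbracketed IPv6 literal such as `::1` for address plus port. `parse_bind_address`, `bind_port_of` and `bind_addr_is` are names I chose.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/*
 * Split a BindAddress value ("*:2222", "[::]:2222", "192.20.123.45:2222",
 * or any of those without a port) into address and optional port.
 * Returns 1 on success (port is -1 when none was given), 0 if malformed.
 */
int parse_bind_address(const char *value, char *addr, size_t addrlen, int *port)
{
	const char *p, *colon, *end;
	char *ep;
	size_t len;
	long n;

	*port = -1;
	if (value[0] == '[') {              /* "[v6]" or "[v6]:port" */
		if ((end = strchr(value, ']')) == NULL)
			return 0;
		len = (size_t)(end - value) - 1;
		p = end + 1;
		value++;
	} else {
		colon = strchr(value, ':');
		/* Two or more colons without brackets: a bare IPv6 literal. */
		if (colon != NULL && strchr(colon + 1, ':') != NULL)
			len = strlen(value);
		else
			len = colon ? (size_t)(colon - value) : strlen(value);
		p = value + len;
	}
	if (len == 0 || len >= addrlen)
		return 0;
	memcpy(addr, value, len);
	addr[len] = '\0';
	if (*p == '\0')
		return 1;                       /* no port part */
	/* Port: ':' followed by decimal 1..65535 and nothing else. */
	if (*p != ':' || !isdigit((unsigned char)p[1]))
		return 0;
	n = strtol(p + 1, &ep, 10);
	if (*ep != '\0' || n < 1 || n > 65535)
		return 0;
	*port = (int)n;
	return 1;
}

/* Port of a value: -1 for "none", -2 for a malformed value. */
int bind_port_of(const char *value)
{
	char addr[64];
	int port;
	return parse_bind_address(value, addr, sizeof(addr), &port) ? port : -2;
}

/* 1 if `value` parses and its address part equals `expected`, else 0. */
int bind_addr_is(const char *value, const char *expected)
{
	char addr[64];
	int port;
	return parse_bind_address(value, addr, sizeof(addr), &port) &&
	    strcmp(addr, expected) == 0;
}
```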
From: djm at mindrot.org (Damien Miller)
Date: Mon, 17 Oct 2016 10:40:44 +1100 (AEDT)
Subject: Support Capabilities for ssh client port forwarding
In-Reply-To: <07c5e8aa3a8de890bd0b3668c829948e@alukardd.org>
References: <07c5e8aa3a8de890bd0b3668c829948e@alukardd.org>
Message-ID:

Hi,

Could you please file a bug at https://bugzilla.mindrot.org and attach
this? That will make sure it doesn't get lost.

-d

On Mon, 10 Oct 2016, Alexey wrote:

> Hello.
>
> I think openssh-client should allow using port forwarding not only for
> the root user.
> CAP_NET_BIND_SERVICE is enough to use privileged ports.
>
> I did a patch for myself, but I think that you could improve it and apply
> it to master.
>
> --- openssh-7.3p1.orig/readconf.c
> +++ openssh-7.3p1/readconf.c
> @@ -15,6 +15,7 @@
> #include "includes.h"
>
> #include
> +#include
> #include
> #include
> #include
> @@ -327,7 +328,16 @@ add_local_forward(Options *options, cons
> extern uid_t original_real_uid;
> int i;
>
> + cap_flag_value_t cap_flag_value_e, cap_flag_value_p;
> + cap_t caps;
> +
> + caps = cap_get_proc();
> + cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_EFFECTIVE,
> &cap_flag_value_e);
> + cap_get_flag(caps, CAP_NET_BIND_SERVICE, CAP_PERMITTED,
> &cap_flag_value_p);
> +
> if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
> + (cap_flag_value_e != CAP_SET || cap_flag_value_p !=
> CAP_SET) &&
> newfwd->listen_path == NULL)
> fatal("Privileged ports can only be forwarded by root.");
> /* Don't add duplicates */
> --- openssh-7.3p1.orig/configure.ac
> +++ openssh-7.3p1/configure.ac
> @@ -775,6 +775,9 @@ main() { if (NSVersionOfRunTimeLibrary("
> use_pie=auto
> check_for_libcrypt_later=1
> check_for_openpty_ctty_bug=1
> + # libcap
> + # use capabilities
> + LIBS="$LIBS -lcap"
> AC_DEFINE([PAM_TTY_KLUDGE], [1],
> [Work around problematic Linux PAM modules handling of
> PAM_TTY])
> AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"],
>
>
> And specify one more build dependency: libcap-dev.
>
> Regards,
> Alexey Mochkin.

From: lists at manon.de (Manon Goo)
Date: Mon, 17 Oct 2016 02:07:16 +0200
Subject: Keys stored on PKCS11 module and openssh-certificates
Message-ID: <7554388407A6D0BB30320D6B@cordula.local>

Hello,

Does ssh-add offer any possibility to add a pkcs11-token and a ssh
certificate from an additional file to the ssh-agent?

I have tried "ssh-add -s ~/lib/opensc-pkcs11.so ~/.ssh/mykey-cert.pub"
but this does not work, and the code after line 276
("276: /* Now try to add the certificate flavour too */") in ssh-add.c
seems to assume that the certificate is related to a private-key from a
file.

Is there any other way to use ssh-certificates together with pkcs11
tokens?

kind regards,
Manon
From: prk4man at gmail.com (Perry Gagne)
Date: Tue, 18 Oct 2016 10:06:02 -0400
Subject: Feature Request: Make ssh-keygen -R accepts Host aliases from .ssh/config
Message-ID:

Hello,

This is my first feature request, so I am a little unfamiliar with
OpenSSH dev. I have used OpenSSH for a number of years, and am familiar
with a few of its advanced features.

I make pretty good use of the ssh_config (normally ~/.ssh/config) file
for a few different reasons. This allows me to create entries like this:

Host myvm
    Hostname vm-5.testlab.example.com
    User root
    ForwardX11Trusted yes

Now "myvm" is an alias to vm-5.testlab.example.com and tells SSH to
login with root (and whatever other options you specify). So instead of
having to type:

ssh -Y root@vm-5.testlab.example.com

I can just type:

ssh myvm

This alias works with other tools like scp, sftp, etc.

One annoying thing I found when working with hosts that get reinstalled
regularly is I occasionally want to delete their known_host entries. I
have been using ssh-keygen -R to do this. However, the -R does not
accept these config file aliases. So I can't just type:

ssh-keygen -R myvm

I have to type:

ssh-keygen -R vm-5.testlab.example.com

Is there a technical reason for this? Is there a reason ssh-keygen can't
do a lookup in the config file for host alias to get the full hostname?

I wanted to send this email, before filing a feature request to get
some feedback.

Thanks,
--Perry
From: jjelen at redhat.com (Jakub Jelen)
Date: Tue, 18 Oct 2016 17:27:45 +0200
Subject: Feature Request: Make ssh-keygen -R accepts Host aliases from .ssh/config
In-Reply-To:
References:
Message-ID: <73d9fa95-ad8a-a83f-7160-8038b77dabf9@redhat.com>

On 10/18/2016 04:06 PM, Perry Gagne wrote:
> One annoying thing I found when working with hosts that get reinstalled
> regularly is I occasionally want to delete their known_host entries. I have
> been using ssh-keygen -R to do this. However, the -R does not accept these
> config file aliases. So I can't just type:
>
> ssh-keygen -R myvm
>
> I have to type:
>
> ssh-keygen -R vm-5.testlab.example.com
>
>
> Is there a technical reason for this? Is there a reason ssh-keygen can't do
> a lookup in the config file for host alias to get the full hostname?

ssh-keygen is not reading the client configuration (~/.ssh/config) and
therefore it does not have any idea what aliases are defined there. The
aliases are not stored in the known hosts file either, so we would not
be able to progress without the configuration file (which is not needed
for anything else).

In all other tools it works, because they internally use the ssh client
with its configuration. But ssh-keygen is a standalone tool which should
not depend on any configuration files, afaik.

Regards,
--
Jakub Jelen
Associate Software Engineer
Security Technologies
Red Hat
From: mindrot at hda3.com (Peter Moody)
Date: Tue, 18 Oct 2016 08:52:36 -0700
Subject: Feature Request: Make ssh-keygen -R accepts Host aliases from .ssh/config
In-Reply-To:
References:
Message-ID:

> One annoying thing I found when working with hosts that get reinstalled
> regularly is I occasionally want to delete their known_host entries. I have
> been using ssh-keygen -R to do this.

alternative solution: use host certificates rather than host keys.

* you distribute a single ca pubkey rather than a hostkey for every host.
* you'll _never_ see a "do you accept this host key" message if you're
  connecting to a host with a correct host cert.
From: lijin.abc at gmail.com (Jin Li)
Date: Tue, 18 Oct 2016 12:34:27 -0500
Subject: Why stdin is required to be overwritten in SSH?
Message-ID:

Hi SSH,

I have put the ssh command in `script.sh`, with the code:

~~~
#!/usr/bin/env bash
ssh -q server date
~~~

And I have one `main.sh` to call `script.sh` as below.

~~~
#!/usr/bin/env bash
# vim: set noexpandtab tabstop=2:

while read -r run
do
	./script.sh
done < <(seq 10)
~~~

The `script.sh` can be called only once, say

~~~
$ ./main.sh
Tue Oct 18 12:26:05 CDT 2016
~~~

But 10 runs are expected.

If I modify the stdin when calling, like `main1.sh` as below.

~~~
#!/usr/bin/env bash
# vim: set noexpandtab tabstop=2:

while read -r run
do
	./script.sh < /dev/null
done < <(seq 10)
~~~

It will return the right 10 calls.

~~~
$ ./main1.sh
Tue Oct 18 12:28:24 CDT 2016
Tue Oct 18 12:28:24 CDT 2016
Tue Oct 18 12:28:25 CDT 2016
Tue Oct 18 12:28:25 CDT 2016
Tue Oct 18 12:28:26 CDT 2016
Tue Oct 18 12:28:26 CDT 2016
Tue Oct 18 12:28:27 CDT 2016
Tue Oct 18 12:28:27 CDT 2016
Tue Oct 18 12:28:28 CDT 2016
Tue Oct 18 12:28:29 CDT 2016
~~~

Could you tell me why `stdin` needs to be overwritten in SSH? Thanks.

My machine info is as below.

~~~
$ bash --version
GNU bash, version 4.3.42(1)-release (x86_64-apple-darwin15.0.0)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

$ ssh -V
OpenSSH_6.9p1, LibreSSL 2.1.8
~~~

Best regards,
Jin
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 18 Oct 2016 12:04:11 -0700
Subject: Why stdin is required to be overwritten in SSH?
In-Reply-To:
References:
Message-ID:

On Tue, Oct 18, 2016 at 10:34 AM, Jin Li wrote:
> Could you tell me why `stdin` needs to be overwritten in SSH? Thanks.

Consider this (almost) equivalent simplified script:

while read -r run
do
  ssh localhost date
done < <(seq 10)

What's happening is that the remaining 9 lines are being read by ssh
and sent to the remote server where the "date" command ignores them
and they are discarded (but ssh doesn't know that the remote "date" is
going to do that). If you replace the "date" with "cat" you can see
this:

$ cat t
while read -r run
do
  cat
done < <(seq 10)

$ bash t
2
3
4
5
6
7
8
9
10

This doesn't happen with a local "date" command because it never reads
its stdin.

When you redirect ssh's stdin to /dev/null the ssh no longer consumes
the output from "seq". ssh also has a "-n" option that does this.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
From: lijin.abc at gmail.com (Jin Li)
Date: Tue, 18 Oct 2016 14:42:29 -0500
Subject: Why stdin is required to be overwritten in SSH?
In-Reply-To:
References:
Message-ID:

Hi Darren,

I got it. Many thanks for your excellent explanations.

Best regards,
Jin

On Tue, Oct 18, 2016 at 2:04 PM, Darren Tucker wrote:
> On Tue, Oct 18, 2016 at 10:34 AM, Jin Li wrote:
>> Could you tell me why `stdin` needs to be overwritten in SSH? Thanks.
>
> Consider this (almost) equivalent simplified script:
>
> while read -r run
> do
>   ssh localhost date
> done < <(seq 10)
>
> What's happening is that the remaining 9 lines are being read by ssh
> and sent to the remote server where the "date" command ignores them
> and they are discarded (but ssh doesn't know that the remote "date" is
> going to do that). If you replace the "date" with "cat" you can see
> this:
>
> $ cat t
> while read -r run
> do
>   cat
> done < <(seq 10)
>
> $ bash t
> 2
> 3
> 4
> 5
> 6
> 7
> 8
> 9
> 10
>
> This doesn't happen with a local "date" command because it never reads
> its stdin.
>
> When you redirect ssh's stdin to /dev/null the ssh no longer consumes
> the output from "seq". ssh also has a "-n" option that does this.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
From: dfv at eurotux.com (Diogo Vieira)
Date: Thu, 20 Oct 2016 20:19:16 +0100
Subject: Custom PAM module not working correctly
Message-ID: <1476991156.2407.0@webmail.eurotux.com>

Hello,

I've developed a custom PAM module which only allows a user to
authenticate to the server if another user of the same machine also
authenticates successfully. It's currently a simple module which also
works as a PAM aware application since it authenticates each user with
PAM itself.

Both the pamtester utility and su can use this module correctly.
However, when I try to use it with my openssh server the authentication
fails after the first prompt. To give you an example of a session I've
attached below both the logs server-side[0] and client-side[1]. A
correct authentication flow should be like this example from pamtester:

[root@035f4248e494 pam.d]# pamtester sshd root authenticate
Your username: dfv
Password:
Please ask for someone to grant you access.
Grantee's username: other
Password:
pamtester: successfully authenticated

I also attached my sshd_config[2] (maybe something's wrong with it).

Can someone help me understand the problem? I'm sorry if I'm missing
something obvious but I'm new to PAM modules and didn't find anything
relevant in the docs for openssh or the linux-pam project.

If it's relevant, the OS I'm using for development and testing is
CentOS 7 (with OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013).
Thank you very much, Diogo Vieira Logs: * [0]: [root at 035f4248e494 pam.d]# /usr/sbin/sshd -D -dd debug2: load_server_config: filename /etc/ssh/sshd_config debug2: load_server_config: done config len = 653 debug2: parse_server_config: config /etc/ssh/sshd_config len 653 debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: key_parse_private2: missing begin marker debug1: read PEM private key done: type RSA debug1: private host key: #0 type 1 RSA debug1: key_parse_private2: missing begin marker debug1: read PEM private key done: type ECDSA debug1: private host key: #1 type 3 ECDSA debug1: private host key: #2 type 4 ED25519 debug1: rexec_argv[0]='/usr/sbin/sshd' debug1: rexec_argv[1]='-D' debug1: rexec_argv[2]='-dd' Set /proc/self/oom_score_adj from 0 to -1000 debug2: fd 3 setting O_NONBLOCK debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. debug2: fd 4 setting O_NONBLOCK debug1: Bind to port 22 on ::. Server listening on :: port 22. debug1: Server will not fork when running in debugging mode. 
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8 debug1: inetd sockets after dupping: 3, 3 Connection from 172.17.0.1 port 35432 on 172.17.0.2 port 22 debug1: Client protocol version 2.0; client software version OpenSSH_7.2 debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.6.1 debug2: fd 3 setting O_NONBLOCK debug2: Network child is on pid 98 debug1: SELinux support disabled [preauth] debug1: permanently_set_uid: 74/74 [preauth] debug1: list_hostkey_types: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] debug1: SSH2_MSG_KEXINIT sent [preauth] debug1: SSH2_MSG_KEXINIT received [preauth] debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth] debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se [preauth] debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se [preauth] debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at 
openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib at openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib at openssh.com [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
debug2: kex_parse_kexinit: reserved 0 [preauth]
debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c [preauth]
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa [preauth]
debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc [preauth]
debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc [preauth]
debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 [preauth]
debug2: kex_parse_kexinit: zlib at openssh.com,zlib,none [preauth]
debug2: kex_parse_kexinit: zlib at openssh.com,zlib,none [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
debug2: kex_parse_kexinit: reserved 0 [preauth]
debug1: kex: client->server chacha20-poly1305 at openssh.com zlib at openssh.com [preauth]
debug1: kex: server->client chacha20-poly1305 at openssh.com zlib at openssh.com [preauth]
debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64 [preauth]
debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64 [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug2: monitor_read: 6 used once, disabling now
debug2: kex_derive_keys [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user root service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug2: parse_server_config: config reprocess config len 653
debug1: authentication methods list 0: keyboard-interactive
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for root [preauth]
debug1: authentication methods list 0: keyboard-interactive [preauth]
debug2: Unrecognized authentication method name: none [preauth]
debug1: PAM: initializing for "root"
debug1: PAM: setting PAM_RHOST to "gateway"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 100 used once, disabling now
debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method keyboard-interactive [preauth]
debug1: keyboard-interactive devs [preauth]
debug1: auth2_challenge: user=root devs= [preauth]
debug1: kbdint_alloc: devices 'pam' [preauth]
debug2: auth2_challenge_start: devices pam [preauth]
debug2: kbdint_next_device: devices [preauth]
debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
debug2: monitor_read: 4 used once, disabling now
debug2: monitor_read: 80 used once, disabling now
Postponed keyboard-interactive for root from 172.17.0.1 port 35432 ssh2 [preauth]
debug2: PAM: sshpam_respond entering, 1 responses
Password:
PAM: Authentication failure for root from gateway
debug2: auth2_challenge_start: devices [preauth]
debug2: monitor_read: 110 used once, disabling now
Failed keyboard-interactive/pam for root from 172.17.0.1 port 35432 ssh2
debug1: userauth-request for user root service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method keyboard-interactive [preauth]
debug1: keyboard-interactive devs [preauth]
debug1: auth2_challenge: user=root devs= [preauth]
debug1: kbdint_alloc: devices 'pam' [preauth]
debug2: auth2_challenge_start: devices pam [preauth]
debug2: kbdint_next_device: devices [preauth]
debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Postponed keyboard-interactive for root from 172.17.0.1 port 35432 ssh2 [preauth]

* [1]: ssh root at 172.17.0.2 -vv ?
OpenSSH_7.2p2, OpenSSL 1.0.2j-fips 26 Sep 2016
debug1: Reading configuration data /home/dfv/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug2: resolving "172.17.0.2" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 172.17.0.2 [172.17.0.2] port 22.
debug1: Connection established.
debug1: identity file /home/dfv/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/dfv/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/dfv/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/dfv/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/dfv/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/dfv/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/dfv/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/dfv/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 172.17.0.2:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: zlib at openssh.com,zlib,none
debug2: compression stoc: zlib at openssh.com,zlib,none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: MACs ctos: hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,zlib at openssh.com
debug2: compression stoc: none,zlib at openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256 at libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: compression: zlib at openssh.com
debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: compression: zlib at openssh.com
debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
debug1: kex: curve25519-sha256 at libssh.org need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Er0MNm+5rNC5ras2Lc04cAvtgYfkgTH85Eg8GMtznjg
debug1: Host '172.17.0.2' is known and matches the ECDSA host key.
debug1: Found key in /home/dfv/.ssh/known_hosts:90
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /home/dfv/.ssh/id_rsa (0x55bd50ecf980), agent
debug2: key: desafio-sei (0x55bd50ed4ae0), agent
debug2: key: /home/dfv/.ssh/id_dsa ((nil))
debug2: key: /home/dfv/.ssh/id_ecdsa ((nil))
debug2: key: /home/dfv/.ssh/id_ed25519 ((nil))
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Your username: dfv
debug1: Authentications that can continue: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Your username:

* [2]:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
UsePrivilegeSeparation sandbox # Default for new installations.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
PasswordAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials no
UsePAM yes
PermitRootLogin yes
AuthenticationMethods keyboard-interactive

From l__mart at hotmail.com Fri Oct 21 03:21:07 2016
From: l__mart at hotmail.com (L. Mart)
Date: Thu, 20 Oct 2016 16:21:07 +0000
Subject: user guide for openssh?
Message-ID:

Hello,

I have never used ssh, of any sort, before. Is there a manual or a web site that can help me accomplish the following?

1. Set up ssh on a laptop.
2. Set up ssh on an RPi.
3. Connect the laptop and RPi with an Ethernet cable.
4. Run the RPi using the laptop's keyboard and video.
5. How to troubleshoot when things go South.

After reading many articles on the Internet, I am confused and have more questions than answers. Can you help me?

Thanks.

From john.delisle at ceridian.com Fri Oct 21 07:36:51 2016
From: john.delisle at ceridian.com (Delisle, John)
Date: Thu, 20 Oct 2016 20:36:51 +0000
Subject: user guide for openssh?
In-Reply-To:
References:
Message-ID:

Sounds like you're in need of some beginners' help in general. A great resource would be any of the many Raspberry Pi forums, including Reddit: https://www.reddit.com/r/raspberry_pi

I'd suggest posting there and seeing if they can assist you.

From dtucker at zip.com.au Fri Oct 21 10:17:30 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 20 Oct 2016 16:17:30 -0700
Subject: Custom PAM module not working correctly
In-Reply-To: <1476991156.2407.0@webmail.eurotux.com>
References: <1476991156.2407.0@webmail.eurotux.com>
Message-ID:

On Thu, Oct 20, 2016 at 12:19 PM, Diogo Vieira wrote:
> Hello,
>
> I've developed a custom PAM module which only allows a user to authenticate
> to the server only if another user of the same machine also authenticates
> successfully. It's currently a simple module which also works as a PAM aware
> application since it authenticates each user with PAM itself. Both the
> pamtester utility and su can use this module correctly. However, when I try
> to use it with my openssh server the authentication fails after the first
> prompt.

My guess is that you're using pam_set_data/pam_get_data. Unfortunately this doesn't currently work with challenge-response authentication because the PAM calls are made in a subprocess that terminates, and thus the changes are lost. See:

https://bugzilla.mindrot.org/show_bug.cgi?id=688
https://bugzilla.mindrot.org/show_bug.cgi?id=2548

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

From dfv at eurotux.com Sat Oct 22 01:33:29 2016
From: dfv at eurotux.com (Diogo Vieira)
Date: Fri, 21 Oct 2016 15:33:29 +0100
Subject: Custom PAM module not working correctly
In-Reply-To:
References: <1476991156.2407.0@webmail.eurotux.com>
Message-ID: <1477060409.2407.0@webmail.eurotux.com>

I actually don't use pam_set_data/pam_get_data directly, but it's possible that they're used by the library itself, maybe? I use calls like pam_start, pam_end, pam_get_user and pam_authenticate, so I assume at least one of them actually uses those (I glanced at their source code but couldn't find anything).

Do you expect this to be fixed in an upcoming release? I saw the patch in the referenced bug report, so I would guess so.

I resolved the issue for now, since I just wanted to authenticate users with their UNIX password, by not using PAM to authenticate them and using getspnam/getpwnam directly, but it could be useful in the future to use other authentication methods.

Thank you for your help.

Best regards,
Diogo Vieira

From edgar.zaiser at ipcomm.de Sat Oct 22 04:25:36 2016
From: edgar.zaiser at ipcomm.de (Edgar Zaiser)
Date: Fri, 21 Oct 2016 19:25:36 +0200 (CEST)
Subject: PAM Radius login for locally unknown user
Message-ID: <000501d22bc0$22cc1140$686433c0$@ipcomm.de>

Dear Sirs,

I'm writing a pam module for Radius authentication, which should allow a remote login via ssh on a Linux machine with an openssh server. In particular, the user which is configured at the remote Radius server is not present on the local user database of the Linux machine.

Unfortunately, openssh will not allow to start a PAM user authentication if it cannot find the user login in the local user database. Do you have any idea how to solve this problem? I was wondering if it's not possible to perform the check for the locally defined user after the PAM authentication was performed?

I'm working with openssh-7.2p2. The check for the user is performed in file auth2.c, function input_userauth_request.

Thank you in advance for any help and response!

Mit freundlichen Grüßen / Best regards
------------------------
Dipl. Ing. Edgar Zaiser
IPCOMM GmbH
Walter-Bouhon-Straße 4
90427 Nürnberg
Germany
Tel.: +49 911 18 07 91-62
Fax: +49 911 18 07 91-10
http://www.ipcomm.de
Geschäftsführer / General Manager: Artur Votteler
Sitz der Gesellschaft / Headquarters: D-90427 Nürnberg, Germany
Amtsgericht / Local Court: Nürnberg - HR B 31759
WEEE-Reg.-Nr. / WEE-Reg.-No.: DE51203130
UST-IDNR.: DE813859506

Note: This e-mail and any attachments may contain trade or business secrets, information subject to attorney-client privilege, or other confidential information. If you have received this e-mail in error, you are now aware of the status of this e-mail. In that case, please notify us immediately by reply e-mail and delete this e-mail and any attachments from your system. Likewise, you may not copy this e-mail or its attachments or pass them on to third parties. Thank you.

From des at des.no Sun Oct 23 10:56:29 2016
From: des at des.no (Dag-Erling Smørgrav)
Date: Sun, 23 Oct 2016 01:56:29 +0200
Subject: PAM Radius login for locally unknown user
In-Reply-To: <000501d22bc0$22cc1140$686433c0$@ipcomm.de> (Edgar Zaiser's message of "Fri, 21 Oct 2016 19:25:36 +0200 (CEST)")
References: <000501d22bc0$22cc1140$686433c0$@ipcomm.de>
Message-ID: <861sz87xaq.fsf@desk.des.no>

Edgar Zaiser writes:
> In particular, the user which is configured at the remote Radius
> server is not present on the local user database of the Linux machine.

You need to look into nsswitch.

DES
--
Dag-Erling Smørgrav - des at des.no

From des at des.no Sun Oct 23 11:03:40 2016
From: des at des.no (Dag-Erling Smørgrav)
Date: Sun, 23 Oct 2016 02:03:40 +0200
Subject: Custom PAM module not working correctly
In-Reply-To: <1477060409.2407.0@webmail.eurotux.com> (Diogo Vieira's message of "Fri, 21 Oct 2016 15:33:29 +0100")
References: <1476991156.2407.0@webmail.eurotux.com> <1477060409.2407.0@webmail.eurotux.com>
Message-ID: <86twc46ieb.fsf@desk.des.no>

Diogo Vieira writes:
> I actually don't use pam_set_data/pam_get_data directly but it's
> possible that they're used by the library itself maybe? I use calls
> like pam_start, pam_end, pam_get_user and pam_authenticate so I assume
> at least one of them actually uses those (I glanced their source code
> but couldn't find anything).

No, they don't. There's really no way to figure this out without access to your source code.

DES
--
Dag-Erling Smørgrav - des at des.no

From edgar.zaiser at ipcomm.de Mon Oct 24 17:57:03 2016
From: edgar.zaiser at ipcomm.de (Edgar Zaiser)
Date: Mon, 24 Oct 2016 08:57:03 +0200 (CEST)
Subject: AW: PAM Radius login for locally unknown user
In-Reply-To: <861sz87xaq.fsf@desk.des.no>
References: <000501d22bc0$22cc1140$686433c0$@ipcomm.de> <861sz87xaq.fsf@desk.des.no>
Message-ID: <000301d22dc3$d2475ad0$76d61070$@ipcomm.de>

Hello,

NSS is not an option in my case.

In the meantime I've checked the behavior of the console login. There the user login is checked locally after the PAM authentication is performed. Is there any reason why in the case of openssh the user login is checked before PAM authentication?

Mit freundlichen Grüßen / Best regards
------------------------
Dipl. Ing. Edgar Zaiser
IPCOMM GmbH

From des at des.no Mon Oct 24 18:31:02 2016
From: des at des.no (Dag-Erling Smørgrav)
Date: Mon, 24 Oct 2016 09:31:02 +0200
Subject: AW: PAM Radius login for locally unknown user
In-Reply-To: <000301d22dc3$d2475ad0$76d61070$@ipcomm.de> (Edgar Zaiser's message of "Mon, 24 Oct 2016 08:57:03 +0200 (CEST)")
References: <000501d22bc0$22cc1140$686433c0$@ipcomm.de> <861sz87xaq.fsf@desk.des.no> <000301d22dc3$d2475ad0$76d61070$@ipcomm.de>
Message-ID: <86wpgy9pah.fsf@desk.des.no>

Edgar Zaiser writes:
> Is there any reason why in case of openssh the user login is checked before
> PAM authentication ?

https://blog.des.no/2015/08/openssh-pam-and-user-names/

DES
--
Dag-Erling Smørgrav - des at des.no

From lijin.abc at gmail.com Tue Oct 25 03:11:38 2016
From: lijin.abc at gmail.com (Jin Li)
Date: Mon, 24 Oct 2016 11:11:38 -0500
Subject: SSH fail to login due to hang over after authenticated.
Message-ID:

Hi OpenSSH,

I have encountered a problem where SSH hangs after I input the password. Could you help show me how to resolve this problem? Thanks for your help.

Please find the ssh debug info and my ssh version below.

$ ssh -vvv user1 at remote_host
OpenSSH_6.9p1, LibreSSL 2.1.8
debug1: Reading configuration data /Users/user1/.ssh/config
debug1: /Users/user1/.ssh/config line 36: Applying options for remote_host
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: /etc/ssh/ssh_config line 102: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to remote_host port 22.
debug1: Connection established.
debug1: identity file /Users/user1/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user1/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user1/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user1/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user1/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user1/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user1/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/user1/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to remote_host as 'user1'
debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/user1/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys from remote_host
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-ed25519,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: kex: server->client chacha20-poly1305 at openssh.com none
debug1: kex: client->server chacha20-poly1305 at openssh.com none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:EmPTWh360hkSprEQER26MTB5HcjJW6lGfmeFFMyRU2w
debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/user1/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys from remote_host
debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/user1/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys from 165.91.209.220
debug1: Host 'remote_host is known and matches the ECDSA host key.
debug1: Found key in /Users/user1/.ssh/known_hosts:3
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/user1/.ssh/id_rsa (0x7ff939e000c0),
debug2: key: /Users/user1/.ssh/id_dsa (0x0),
debug2: key: /Users/user1/.ssh/id_ecdsa (0x0),
debug2: key: /Users/user1/.ssh/id_ed25519 (0x0),
debug3: input_userauth_banner
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/user1/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply

$ ssh -V
OpenSSH_6.9p1, LibreSSL 2.1.8

Best regards,
Jin

From lijin.abc at gmail.com Tue Oct 25 03:25:26 2016
From: lijin.abc at gmail.com (Jin Li)
Date: Mon, 24 Oct 2016 11:25:26 -0500
Subject: SSH fail to login due to hang over after authenticated.
In-Reply-To:
References:
Message-ID:

Hi Tanmay,

The server is not responsive for different accounts, but the client can access different servers. Thus, I am sure something is wrong on the server side. Since we cannot log in to the server for now, we cannot check the error log on the server. Do you have any clues to debug this problem? Thanks for your help.

Best regards,
Jin

On Mon, Oct 24, 2016 at 11:22 AM, Tanmay Tiwari wrote:
> Can you confirm if the problem is specific to the ssh client, or the ssh
> server? (Try to ssh into the same server from different client, and to some
> different server from the same client)
>> debug1: identity file /Users/user1/.ssh/id_rsa type 1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /Users/user1/.ssh/id_rsa-cert type -1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /Users/user1/.ssh/id_dsa type -1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /Users/user1/.ssh/id_dsa-cert type -1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /Users/user1/.ssh/id_ecdsa type -1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /Users/user1/.ssh/id_ecdsa-cert type -1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /Users/user1/.ssh/id_ed25519 type -1 >> debug1: key_load_public: No such file or directory >> debug1: identity file /Users/user1/.ssh/id_ed25519-cert type -1 >> debug1: Enabling compatibility mode for protocol 2.0 >> debug1: Local version string SSH-2.0-OpenSSH_6.9 >> debug1: Remote protocol version 2.0, remote software version >> OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 >> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH_6.6.1* >> compat 0x04000000 >> debug2: fd 3 setting O_NONBLOCK >> debug1: Authenticating to remote_host as 'user1' >> debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts" >> debug3: record_hostkey: found key type ECDSA in file >> /Users/user1/.ssh/known_hosts:3 >> debug3: load_hostkeys: loaded 1 keys from remote_host >> debug3: order_hostkeyalgs: prefer hostkeyalgs: >> >> ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 >> debug1: SSH2_MSG_KEXINIT sent >> debug1: SSH2_MSG_KEXINIT received >> debug2: kex_parse_kexinit: >> >> curve25519-sha256 at 
libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 >> debug2: kex_parse_kexinit: >> >> ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-ed25519,ssh-rsa,ssh-dss >> debug2: kex_parse_kexinit: >> >> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se >> debug2: kex_parse_kexinit: >> >> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se >> debug2: kex_parse_kexinit: >> >> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 >> debug2: kex_parse_kexinit: >> >> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at openssh.com,hmac-ripemd160-etm at 
openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 >> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib >> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib >> debug2: kex_parse_kexinit: >> debug2: kex_parse_kexinit: >> debug2: kex_parse_kexinit: first_kex_follows 0 >> debug2: kex_parse_kexinit: reserved 0 >> debug2: kex_parse_kexinit: >> >> curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 >> debug2: kex_parse_kexinit: >> >> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se >> debug2: kex_parse_kexinit: >> >> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se >> debug2: kex_parse_kexinit: >> >> hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 >> debug2: kex_parse_kexinit: >> >> hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at 
openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 >> debug2: kex_parse_kexinit: none,zlib at openssh.com >> debug2: kex_parse_kexinit: none,zlib at openssh.com >> debug2: kex_parse_kexinit: >> debug2: kex_parse_kexinit: >> debug2: kex_parse_kexinit: first_kex_follows 0 >> debug2: kex_parse_kexinit: reserved 0 >> debug1: kex: server->client chacha20-poly1305 at openssh.com none >> debug1: kex: client->server chacha20-poly1305 at openssh.com none >> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY >> debug1: Server host key: ecdsa-sha2-nistp256 >> SHA256:EmPTWh360hkSprEQER26MTB5HcjJW6lGfmeFFMyRU2w >> debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts" >> debug3: record_hostkey: found key type ECDSA in file >> /Users/user1/.ssh/known_hosts:3 >> debug3: load_hostkeys: loaded 1 keys from remote_host >> debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts" >> debug3: record_hostkey: found key type ECDSA in file >> /Users/user1/.ssh/known_hosts:3 >> debug3: load_hostkeys: loaded 1 keys from 165.91.209.220 >> debug1: Host 'remote_host is known and matches the ECDSA host key. 
>> debug1: Found key in /Users/user1/.ssh/known_hosts:3 >> debug2: set_newkeys: mode 1 >> debug1: SSH2_MSG_NEWKEYS sent >> debug1: expecting SSH2_MSG_NEWKEYS >> debug2: set_newkeys: mode 0 >> debug1: SSH2_MSG_NEWKEYS received >> debug1: Roaming not allowed by server >> debug1: SSH2_MSG_SERVICE_REQUEST sent >> debug2: service_accept: ssh-userauth >> debug1: SSH2_MSG_SERVICE_ACCEPT received >> debug2: key: /Users/user1/.ssh/id_rsa (0x7ff939e000c0), >> debug2: key: /Users/user1/.ssh/id_dsa (0x0), >> debug2: key: /Users/user1/.ssh/id_ecdsa (0x0), >> debug2: key: /Users/user1/.ssh/id_ed25519 (0x0), >> debug3: input_userauth_banner >> debug1: Authentications that can continue: publickey,password >> debug3: start over, passed a different list publickey,password >> debug3: preferred publickey,keyboard-interactive,password >> debug3: authmethod_lookup publickey >> debug3: remaining preferred: keyboard-interactive,password >> debug3: authmethod_is_enabled publickey >> debug1: Next authentication method: publickey >> debug1: Offering RSA public key: /Users/user1/.ssh/id_rsa >> debug3: send_pubkey_test >> debug2: we sent a publickey packet, wait for reply >> >> $ ssh -V >> OpenSSH_6.9p1, LibreSSL 2.1.8 >> >> Best regards, >> Jin >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev at mindrot.org >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev > > From tnmy44 at gmail.com Tue Oct 25 03:22:13 2016 
From: tnmy44 at gmail.com (Tanmay Tiwari)
Date: Mon, 24 Oct 2016 21:52:13 +0530
Subject: SSH fail to login due to hang over after authenticated.

Can you confirm if the problem is specific to the ssh client, or the ssh server? (Try to ssh into the same server from a different client, and to some different server from the same client.)

On Mon, Oct 24, 2016 at 9:41 PM, Jin Li wrote:
> Hi OpenSSH,
>
> I encountered that SSH will hang after I input the password.
> Could you help show me how to resolve this problem? Thanks for your
> help.
>
> Please find the ssh debug info and my ssh version below.
>
> $ ssh -vvv user1@remote_host
> OpenSSH_6.9p1, LibreSSL 2.1.8
> debug1: Reading configuration data /Users/user1/.ssh/config
> debug1: /Users/user1/.ssh/config line 36: Applying options for remote_host
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 20: Applying options for *
> debug1: /etc/ssh/ssh_config line 102: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to remote_host port 22.
> debug1: Connection established.
> debug1: identity file /Users/user1/.ssh/id_rsa type 1
> debug1: key_load_public: No such file or directory
> debug1: identity file /Users/user1/.ssh/id_rsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /Users/user1/.ssh/id_dsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /Users/user1/.ssh/id_dsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /Users/user1/.ssh/id_ecdsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /Users/user1/.ssh/id_ecdsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /Users/user1/.ssh/id_ed25519 type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /Users/user1/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.9
> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH_6.6.1* compat 0x04000000
> debug2: fd 3 setting O_NONBLOCK
> debug1: Authenticating to remote_host as 'user1'
> debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts"
> debug3: record_hostkey: found key type ECDSA in file /Users/user1/.ssh/known_hosts:3
> debug3: load_hostkeys: loaded 1 keys from remote_host
> debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit: none,zlib@openssh.com
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug1: kex: server->client chacha20-poly1305@openssh.com none
> debug1: kex: client->server chacha20-poly1305@openssh.com none
> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> debug1: Server host key: ecdsa-sha2-nistp256 SHA256:EmPTWh360hkSprEQER26MTB5HcjJW6lGfmeFFMyRU2w
> debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts"
> debug3: record_hostkey: found key type ECDSA in file /Users/user1/.ssh/known_hosts:3
> debug3: load_hostkeys: loaded 1 keys from remote_host
> debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts"
> debug3: record_hostkey: found key type ECDSA in file /Users/user1/.ssh/known_hosts:3
> debug3: load_hostkeys: loaded 1 keys from 165.91.209.220
> debug1: Host 'remote_host' is known and matches the ECDSA host key.
> debug1: Found key in /Users/user1/.ssh/known_hosts:3
> debug2: set_newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug2: set_newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: Roaming not allowed by server
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug2: service_accept: ssh-userauth
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug2: key: /Users/user1/.ssh/id_rsa (0x7ff939e000c0),
> debug2: key: /Users/user1/.ssh/id_dsa (0x0),
> debug2: key: /Users/user1/.ssh/id_ecdsa (0x0),
> debug2: key: /Users/user1/.ssh/id_ed25519 (0x0),
> debug3: input_userauth_banner
> debug1: Authentications that can continue: publickey,password
> debug3: start over, passed a different list publickey,password
> debug3: preferred publickey,keyboard-interactive,password
> debug3: authmethod_lookup publickey
> debug3: remaining preferred: keyboard-interactive,password
> debug3: authmethod_is_enabled publickey
> debug1: Next authentication method: publickey
> debug1: Offering RSA public key: /Users/user1/.ssh/id_rsa
> debug3: send_pubkey_test
> debug2: we sent a publickey packet, wait for reply
>
> $ ssh -V
> OpenSSH_6.9p1, LibreSSL 2.1.8
>
> Best regards,
> Jin
>

From tnmy44 at gmail.com Tue Oct 25 04:04:31 2016
From: tnmy44 at gmail.com (Tanmay Tiwari)
Date: Mon, 24 Oct 2016 22:34:31 +0530
Subject: SSH fail to login due to hang over after authenticated.

I don't think it will be easy to identify the problem remotely. You can try logging in with a password (if not disabled), or sshing with some other key, or logging in as some other user. If you are able to get access to the machine, post the server's error log here.

On Mon, Oct 24, 2016 at 9:55 PM, Jin Li wrote:
> Hi Tanmay,
>
> The server is not responsive for different accounts. But the client
> can access different servers. Thus, I am sure something is wrong on the
> server side. Since we cannot log in to the server for now, we cannot
> check the error log on the server. Do you have some clues to debug this
> problem? Thanks for your help.
>
> Best regards,
> Jin
>
> On Mon, Oct 24, 2016 at 11:22 AM, Tanmay Tiwari wrote:
> > Can you confirm if the problem is specific to the ssh client, or the ssh
> > server? (Try to ssh into the same server from a different client, and to
> > some different server from the same client.)
> >
> > On Mon, Oct 24, 2016 at 9:41 PM, Jin Li wrote:
> >>
> >> Hi OpenSSH,
> >>
> >> I encountered that SSH will hang after I input the password.
> >> Could you help show me how to resolve this problem? Thanks for your
> >> help.
> >>
> >> Please find the ssh debug info and my ssh version below.
> >>
> >> $ ssh -vvv user1@remote_host
> >> OpenSSH_6.9p1, LibreSSL 2.1.8
> >> debug1: Reading configuration data /Users/user1/.ssh/config
> >> debug1: /Users/user1/.ssh/config line 36: Applying options for remote_host
> >> debug1: Reading configuration data /etc/ssh/ssh_config
> >> debug1: /etc/ssh/ssh_config line 20: Applying options for *
> >> debug1: /etc/ssh/ssh_config line 102: Applying options for *
> >> debug2: ssh_connect: needpriv 0
> >> debug1: Connecting to remote_host port 22.
> >> debug1: Connection established.
> >> debug1: identity file /Users/user1/.ssh/id_rsa type 1
> >> debug1: key_load_public: No such file or directory
> >> debug1: identity file /Users/user1/.ssh/id_rsa-cert type -1
> >> debug1: key_load_public: No such file or directory
> >> debug1: identity file /Users/user1/.ssh/id_dsa type -1
> >> debug1: key_load_public: No such file or directory
> >> debug1: identity file /Users/user1/.ssh/id_dsa-cert type -1
> >> debug1: key_load_public: No such file or directory
> >> debug1: identity file /Users/user1/.ssh/id_ecdsa type -1
> >> debug1: key_load_public: No such file or directory
> >> debug1: identity file /Users/user1/.ssh/id_ecdsa-cert type -1
> >> debug1: key_load_public: No such file or directory
> >> debug1: identity file /Users/user1/.ssh/id_ed25519 type -1
> >> debug1: key_load_public: No such file or directory
> >> debug1: identity file /Users/user1/.ssh/id_ed25519-cert type -1
> >> debug1: Enabling compatibility mode for protocol 2.0
> >> debug1: Local version string SSH-2.0-OpenSSH_6.9
> >> debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
> >> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH_6.6.1* compat 0x04000000
> >> debug2: fd 3 setting O_NONBLOCK
> >> debug1: Authenticating to remote_host as 'user1'
> >> debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts"
> >> debug3: record_hostkey: found key type ECDSA in file /Users/user1/.ssh/known_hosts:3
> >> debug3: load_hostkeys: loaded 1 keys from remote_host
> >> debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
> >> debug1: SSH2_MSG_KEXINIT sent
> >> debug1: SSH2_MSG_KEXINIT received
> >> debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> >> debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss
> >> debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> >> debug2: kex_parse_kexinit: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> >> debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> >> debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> >> debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
> >> debug2: kex_parse_kexinit:
> >> debug2: kex_parse_kexinit:
> >> debug2: kex_parse_kexinit: first_kex_follows 0
> >> debug2: kex_parse_kexinit: reserved 0
> >> debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
> >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> >> debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
> >> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> >> debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
> >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> >> debug2: kex_parse_kexinit: none,zlib@openssh.com
> >> debug2: kex_parse_kexinit:
> >> debug2: kex_parse_kexinit:
> >> debug2: kex_parse_kexinit: first_kex_follows 0
> >> debug2: kex_parse_kexinit: reserved 0
> >> debug1: kex: server->client chacha20-poly1305@openssh.com none
> >> debug1: kex: client->server chacha20-poly1305@openssh.com none
> >> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> >> debug1: Server host key: ecdsa-sha2-nistp256 SHA256:EmPTWh360hkSprEQER26MTB5HcjJW6lGfmeFFMyRU2w
> >> debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts"
> >> debug3: record_hostkey: found key type ECDSA in file /Users/user1/.ssh/known_hosts:3
> >> debug3: load_hostkeys: loaded 1 keys from remote_host
> >> debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts"
> >> debug3: record_hostkey: found key type ECDSA in file /Users/user1/.ssh/known_hosts:3
> >> debug3: load_hostkeys: loaded 1 keys from 165.91.209.220
> >> debug1: Host 'remote_host' is known and matches the ECDSA host key.
> >> debug1: Found key in /Users/user1/.ssh/known_hosts:3
> >> debug2: set_newkeys: mode 1
> >> debug1: SSH2_MSG_NEWKEYS sent
> >> debug1: expecting SSH2_MSG_NEWKEYS
> >> debug2: set_newkeys: mode 0
> >> debug1: SSH2_MSG_NEWKEYS received
> >> debug1: Roaming not allowed by server
> >> debug1: SSH2_MSG_SERVICE_REQUEST sent
> >> debug2: service_accept: ssh-userauth
> >> debug1: SSH2_MSG_SERVICE_ACCEPT received
> >> debug2: key: /Users/user1/.ssh/id_rsa (0x7ff939e000c0),
> >> debug2: key: /Users/user1/.ssh/id_dsa (0x0),
> >> debug2: key: /Users/user1/.ssh/id_ecdsa (0x0),
> >> debug2: key: /Users/user1/.ssh/id_ed25519 (0x0),
> >> debug3: input_userauth_banner
> >> debug1: Authentications that can continue: publickey,password
> >> debug3: start over, passed a different list publickey,password
> >> debug3: preferred publickey,keyboard-interactive,password
> >> debug3: authmethod_lookup publickey
> >> debug3: remaining preferred: keyboard-interactive,password
> >> debug3: authmethod_is_enabled publickey
> >> debug1: Next authentication method: publickey
> >> debug1: Offering RSA public key: /Users/user1/.ssh/id_rsa
> >> debug3: send_pubkey_test
> >> debug2: we sent a publickey packet, wait for reply
> >>
> >> $ ssh -V
> >> OpenSSH_6.9p1, LibreSSL 2.1.8
> >>
> >> Best regards,
> >> Jin
> >
> >
>

From lijin.abc at gmail.com Tue Oct 25 10:18:22 2016
From: lijin.abc at gmail.com (Jin Li)
Date: Mon, 24 Oct 2016 18:18:22 -0500
Subject: SSH fail to login due to hang over after authenticated.

Hi Tanmay,

After rebooting the machine, I am able to log in by SSH now. I want to resolve this problem, as it occurs regularly. Please find the attached syslog.

$ sudo cat /var/log/syslog
Oct 23 06:43:30 remote_host postfix/pickup[10007]: D63E79D1: uid=0 from=
Oct 23 06:43:30 remote_host postfix/cleanup[10819]: D63E79D1: message-id=<20161023114330.D63E79D1@remote_host>
Oct 23 06:43:30 remote_host postfix/qmgr[2899]: D63E79D1: from=, size=654, nrcpt=1 (queue active)
Oct 23 06:43:30 remote_host postfix/local[10821]: D63E79D1: to=, orig_to=, relay=local, delay=0.05, delays=0.04/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Oct 23 06:43:30 remote_host postfix/qmgr[2899]: D63E79D1: removed
Oct 23 06:45:01 remote_host CRON[10835]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 06:47:01 remote_host CRON[10853]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ))
Oct 23 06:47:54 remote_host postfix/pickup[10007]: 215CEA70: uid=0 from=
Oct 23 06:47:54 remote_host postfix/cleanup[10888]: 215CEA70: message-id=<20161023114754.215CEA70@remote_host>
Oct 23 06:47:54 remote_host postfix/qmgr[2899]: 215CEA70: from=, size=683, nrcpt=1 (queue active)
Oct 23 06:47:54 remote_host postfix/local[10890]: 215CEA70: to=, orig_to=, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Oct 23 06:47:54 remote_host postfix/qmgr[2899]: 215CEA70: removed
Oct 23 06:55:01 remote_host CRON[10942]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 07:05:01 remote_host CRON[11011]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 07:15:01 remote_host CRON[11084]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 07:17:01 remote_host CRON[11102]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Oct 23 07:25:01 remote_host CRON[11163]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 07:35:01 remote_host CRON[11243]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 07:45:01 remote_host CRON[11324]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 07:55:01 remote_host CRON[11406]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 08:05:01 remote_host CRON[11481]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 08:15:01 remote_host CRON[11551]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 08:17:01 remote_host CRON[11569]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Oct 23 08:25:01 remote_host CRON[11625]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 08:35:01 remote_host CRON[11696]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 08:45:01 remote_host CRON[11768]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 08:55:01 remote_host CRON[11847]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 09:05:01 remote_host CRON[11926]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 09:15:01 remote_host CRON[12000]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 09:17:01 remote_host CRON[12019]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Oct 23 09:21:04 remote_host kernel: [313912.323553] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 23 09:24:06 remote_host kernel: [314093.942478] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 23 09:25:01 remote_host CRON[12680]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 09:35:01 remote_host CRON[12760]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 09:45:01 remote_host CRON[12831]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 09:50:42 remote_host kernel: [315690.534126] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 23 09:54:21 remote_host kernel: [315909.000602] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 23 09:55:01 remote_host CRON[14144]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 09:59:28 remote_host kernel: [316215.875005] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 23 10:03:49 remote_host kernel: [316477.118160] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 23 10:05:01 remote_host CRON[14532]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 10:09:44 remote_host kernel: [316832.291530] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 23 10:12:42 remote_host kernel: [317010.114637] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 23 10:15:01 remote_host CRON[15222]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 10:17:01 remote_host CRON[15586]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Oct 23 10:23:52 remote_host kernel: [317679.809341] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 23 10:25:01 remote_host CRON[16258]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 10:35:01 remote_host CRON[16372]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 10:45:01 remote_host CRON[16444]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 10:49:01 remote_host kernel: [319189.320124] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 23 10:55:01 remote_host CRON[16596]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 11:03:00 remote_host kernel: [320028.430980] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 23 11:05:01 remote_host CRON[17469]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 11:15:01 remote_host CRON[31685]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 11:17:01 remote_host CRON[4819]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Oct 23 11:25:01 remote_host CRON[2313]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 11:31:55 remote_host kernel: [321763.354272] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 23 11:35:01 remote_host CRON[2689]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 11:45:01 remote_host CRON[2774]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)
Oct 23 11:51:02 remote_host kernel: [322910.504397] RPC: AUTH_GSS upcall failed. Please check user daemon is running.
Oct 23 11:55:01 remote_host CRON[4929]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 12:05:01 remote_host CRON[5054]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 12:15:01 remote_host CRON[5129]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 12:17:01 remote_host CRON[5146]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly) Oct 23 12:25:01 remote_host CRON[5204]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 12:35:01 remote_host CRON[5275]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 12:45:01 remote_host CRON[5345]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 12:55:01 remote_host CRON[5417]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 13:05:01 remote_host CRON[5489]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 13:15:01 remote_host CRON[5567]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 13:17:01 remote_host CRON[5586]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly) Oct 23 13:25:01 remote_host CRON[5643]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 13:35:02 remote_host CRON[5721]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 13:45:01 remote_host CRON[5795]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 13:55:01 remote_host CRON[5866]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 14:05:01 remote_host CRON[5938]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 14:15:01 remote_host CRON[6011]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 14:17:01 remote_host CRON[6028]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly) Oct 23 14:25:01 remote_host CRON[6088]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 14:35:01 
remote_host CRON[6161]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 14:39:29 remote_host kernel: [333017.245325] RPC: AUTH_GSS upcall failed. Please check user daemon is running. Oct 23 14:45:01 remote_host CRON[6378]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 14:55:01 remote_host CRON[6453]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 15:02:37 remote_host kernel: [334405.015954] RPC: AUTH_GSS upcall failed. Please check user daemon is running. Oct 23 15:04:51 remote_host kernel: [334539.603690] RPC: AUTH_GSS upcall failed. Please check user daemon is running. Oct 23 15:05:01 remote_host CRON[6914]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Oct 23 15:15:01 remote_host CRON[19128]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1) Please let me know if you want some addiional error log. Thanks for your help. Best regards, Jin On Mon, Oct 24, 2016 at 12:04 PM, Tanmay Tiwari wrote: > I don't think it will be easy to identify the problem remotely. You can > try logging in with password (if not disabled), or sshing with some other > key, or logging into some other user. If you are able to get access to the > machine, post the server's error log here. > > On Mon, Oct 24, 2016 at 9:55 PM, Jin Li wrote: > >> Hi Tanmay, >> >> The server is not responsive for different accounts. But the client >> can access different servers. Thus, I am sure it is something wrong in >> server side. Since we can not login server for now, thus, we can not >> check the error log in server. Do you have some clues to debug this >> problem? Thanks for your help. >> >> Best regards, >> Jin >> >> On Mon, Oct 24, 2016 at 11:22 AM, Tanmay Tiwari wrote: >> > Can you confirm if the problem is specific to the ssh client, or the ssh >> > server? 
(Try to ssh into the same server from different client, and to >> some >> > different server from the same client) >> > >> > On Mon, Oct 24, 2016 at 9:41 PM, Jin Li wrote: >> >> >> >> Hi OpenSSH, >> >> >> >> I encountered that SSH will hang over after I input the password. >> >> Could you help show me how to resolve this problem? Thanks for your >> >> help. >> >> >> >> Please find the ssh debug info and my ssh version as below. >> >> >> >> $ ssh -vvv user1 at remote_host >> >> OpenSSH_6.9p1, LibreSSL 2.1.8 >> >> debug1: Reading configuration data /Users/user1/.ssh/config >> >> debug1: /Users/user1/.ssh/config line 36: Applying options for >> remote_host >> >> debug1: Reading configuration data /etc/ssh/ssh_config >> >> debug1: /etc/ssh/ssh_config line 20: Applying options for * >> >> debug1: /etc/ssh/ssh_config line 102: Applying options for * >> >> debug2: ssh_connect: needpriv 0 >> >> debug1: Connecting to remote_host port 22. >> >> debug1: Connection established. >> >> debug1: identity file /Users/user1/.ssh/id_rsa type 1 >> >> debug1: key_load_public: No such file or directory >> >> debug1: identity file /Users/user1/.ssh/id_rsa-cert type -1 >> >> debug1: key_load_public: No such file or directory >> >> debug1: identity file /Users/user1/.ssh/id_dsa type -1 >> >> debug1: key_load_public: No such file or directory >> >> debug1: identity file /Users/user1/.ssh/id_dsa-cert type -1 >> >> debug1: key_load_public: No such file or directory >> >> debug1: identity file /Users/user1/.ssh/id_ecdsa type -1 >> >> debug1: key_load_public: No such file or directory >> >> debug1: identity file /Users/user1/.ssh/id_ecdsa-cert type -1 >> >> debug1: key_load_public: No such file or directory >> >> debug1: identity file /Users/user1/.ssh/id_ed25519 type -1 >> >> debug1: key_load_public: No such file or directory >> >> debug1: identity file /Users/user1/.ssh/id_ed25519-cert type -1 >> >> debug1: Enabling compatibility mode for protocol 2.0 >> >> debug1: Local version string 
SSH-2.0-OpenSSH_6.9 >> >> debug1: Remote protocol version 2.0, remote software version >> >> OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 >> >> debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH_6.6.1* >> >> compat 0x04000000 >> >> debug2: fd 3 setting O_NONBLOCK >> >> debug1: Authenticating to remote_host as 'user1' >> >> debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts" >> >> debug3: record_hostkey: found key type ECDSA in file >> >> /Users/user1/.ssh/known_hosts:3 >> >> debug3: load_hostkeys: loaded 1 keys from remote_host >> >> debug3: order_hostkeyalgs: prefer hostkeyalgs: >> >> >> >> ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384 >> -cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com >> ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 >> >> debug1: SSH2_MSG_KEXINIT sent >> >> debug1: SSH2_MSG_KEXINIT received >> >> debug2: kex_parse_kexinit: >> >> >> >> curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-ni >> stp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha2 >> 56,diffie-hellman-group-exchange-sha1,diffie-hellman-group14 >> -sha1,diffie-hellman-group1-sha1 >> >> debug2: kex_parse_kexinit: >> >> >> >> ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384 >> -cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com >> ,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519- >> cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-dss- >> cert-v01 at openssh.com,ssh-rsa-cert-v00 at openssh.com,ssh-dss- >> cert-v00 at openssh.com,ssh-ed25519,ssh-rsa,ssh-dss >> >> debug2: kex_parse_kexinit: >> >> >> >> chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr, >> aes128-gcm at openssh.com,aes256-gcm at openssh.com,arcfour256, >> arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, >> aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se >> >> debug2: kex_parse_kexinit: >> >> >> >> chacha20-poly1305 at 
openssh.com,aes128-ctr,aes192-ctr,aes256-ctr, >> aes128-gcm at openssh.com,aes256-gcm at openssh.com,arcfour256, >> arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc, >> aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se >> >> debug2: kex_parse_kexinit: >> >> >> >> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-2 >> 56-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-e >> tm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com, >> hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at openssh.com, >> hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com, >> hmac-md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160, >> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 >> >> debug2: kex_parse_kexinit: >> >> >> >> umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-2 >> 56-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-e >> tm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com, >> hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm at openssh.com, >> hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at openssh.com, >> hmac-md5-96-etm at openssh.com,hmac-md5,hmac-ripemd160, >> hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 >> >> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib >> >> debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib >> >> debug2: kex_parse_kexinit: >> >> debug2: kex_parse_kexinit: >> >> debug2: kex_parse_kexinit: first_kex_follows 0 >> >> debug2: kex_parse_kexinit: reserved 0 >> >> debug2: kex_parse_kexinit: >> >> >> >> curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-ni >> stp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha2 >> 56,diffie-hellman-group-exchange-sha1,diffie-hellman-group14 >> -sha1,diffie-hellman-group1-sha1 >> >> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 >> >> debug2: kex_parse_kexinit: >> >> >> >> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes12 >> 8-gcm 
at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com >> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes1 >> 92-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se >> >> debug2: kex_parse_kexinit: >> >> >> >> aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes12 >> 8-gcm at openssh.com,aes256-gcm at openssh.com,chacha20-poly1305 at openssh.com >> ,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes1 >> 92-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se >> >> debug2: kex_parse_kexinit: >> >> >> >> hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-e >> tm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com, >> hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com, >> hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com >> ,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com >> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com >> ,hmac-sha1-96,hmac-md5-96 >> >> debug2: kex_parse_kexinit: >> >> >> >> hmac-md5-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64-e >> tm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com, >> hmac-sha2-512-etm at openssh.com,hmac-ripemd160-etm at openssh.com, >> hmac-sha1-96-etm at openssh.com,hmac-md5-96-etm at openssh.com >> ,hmac-md5,hmac-sha1,umac-64 at openssh.com,umac-128 at openssh.com >> ,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com >> ,hmac-sha1-96,hmac-md5-96 >> >> debug2: kex_parse_kexinit: none,zlib at openssh.com >> >> debug2: kex_parse_kexinit: none,zlib at openssh.com >> >> debug2: kex_parse_kexinit: >> >> debug2: kex_parse_kexinit: >> >> debug2: kex_parse_kexinit: first_kex_follows 0 >> >> debug2: kex_parse_kexinit: reserved 0 >> >> debug1: kex: server->client chacha20-poly1305 at openssh.com >> none >> >> debug1: kex: client->server chacha20-poly1305 at openssh.com >> none >> >> debug1: expecting SSH2_MSG_KEX_ECDH_REPLY >> >> debug1: 
Server host key: ecdsa-sha2-nistp256 >> >> SHA256:EmPTWh360hkSprEQER26MTB5HcjJW6lGfmeFFMyRU2w >> >> debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts" >> >> debug3: record_hostkey: found key type ECDSA in file >> >> /Users/user1/.ssh/known_hosts:3 >> >> debug3: load_hostkeys: loaded 1 keys from remote_host >> >> debug3: hostkeys_foreach: reading file "/Users/user1/.ssh/known_hosts" >> >> debug3: record_hostkey: found key type ECDSA in file >> >> /Users/user1/.ssh/known_hosts:3 >> >> debug3: load_hostkeys: loaded 1 keys from 165.91.209.220 >> >> debug1: Host 'remote_host is known and matches the ECDSA host key. >> >> debug1: Found key in /Users/user1/.ssh/known_hosts:3 >> >> debug2: set_newkeys: mode 1 >> >> debug1: SSH2_MSG_NEWKEYS sent >> >> debug1: expecting SSH2_MSG_NEWKEYS >> >> debug2: set_newkeys: mode 0 >> >> debug1: SSH2_MSG_NEWKEYS received >> >> debug1: Roaming not allowed by server >> >> debug1: SSH2_MSG_SERVICE_REQUEST sent >> >> debug2: service_accept: ssh-userauth >> >> debug1: SSH2_MSG_SERVICE_ACCEPT received >> >> debug2: key: /Users/user1/.ssh/id_rsa (0x7ff939e000c0), >> >> debug2: key: /Users/user1/.ssh/id_dsa (0x0), >> >> debug2: key: /Users/user1/.ssh/id_ecdsa (0x0), >> >> debug2: key: /Users/user1/.ssh/id_ed25519 (0x0), >> >> debug3: input_userauth_banner >> >> debug1: Authentications that can continue: publickey,password >> >> debug3: start over, passed a different list publickey,password >> >> debug3: preferred publickey,keyboard-interactive,password >> >> debug3: authmethod_lookup publickey >> >> debug3: remaining preferred: keyboard-interactive,password >> >> debug3: authmethod_is_enabled publickey >> >> debug1: Next authentication method: publickey >> >> debug1: Offering RSA public key: /Users/user1/.ssh/id_rsa >> >> debug3: send_pubkey_test >> >> debug2: we sent a publickey packet, wait for reply >> >> >> >> $ ssh -V >> >> OpenSSH_6.9p1, LibreSSL 2.1.8 >> >> >> >> Best regards, >> >> Jin >> >> 
_______________________________________________ >> >> openssh-unix-dev mailing list >> >> openssh-unix-dev at mindrot.org >> >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >> > >> > >> > > From tnmy44 at gmail.com Tue Oct 25 10:33:25 2016 
From: tnmy44 at gmail.com (Tanmay Tiwari)
Date: Tue, 25 Oct 2016 05:03:25 +0530
Subject: SSH fail to login due to hang over after authenticated.
In-Reply-To:
References:
Message-ID:

Hi Jin,

The log given by you doesn't contain sshd's debug log. Run sshd on the server using the command `/usr/sbin/sshd -ddd -p 2200`. Then connect to the server from the client using `ssh -p 2200 user at host`. Repeat until you can reproduce the problem. Then send the log produced on the server side.

On Tue, Oct 25, 2016 at 4:48 AM, Jin Li wrote:
> Hi Tanmay,
>
> After rebooting the machine, I am able to log in by SSH now. I want to resolve this problem, as it occurs regularly. Please find the attached syslog.
>>> >> debug1: Found key in /Users/user1/.ssh/known_hosts:3
>>> >> debug2: set_newkeys: mode 1
>>> >> debug1: SSH2_MSG_NEWKEYS sent
>>> >> debug1: expecting SSH2_MSG_NEWKEYS
>>> >> debug2: set_newkeys: mode 0
>>> >> debug1: SSH2_MSG_NEWKEYS received
>>> >> debug1: Roaming not allowed by server
>>> >> debug1: SSH2_MSG_SERVICE_REQUEST sent
>>> >> debug2: service_accept: ssh-userauth
>>> >> debug1: SSH2_MSG_SERVICE_ACCEPT received
>>> >> debug2: key: /Users/user1/.ssh/id_rsa (0x7ff939e000c0),
>>> >> debug2: key: /Users/user1/.ssh/id_dsa (0x0),
>>> >> debug2: key: /Users/user1/.ssh/id_ecdsa (0x0),
>>> >> debug2: key: /Users/user1/.ssh/id_ed25519 (0x0),
>>> >> debug3: input_userauth_banner
>>> >> debug1: Authentications that can continue: publickey,password
>>> >> debug3: start over, passed a different list publickey,password
>>> >> debug3: preferred publickey,keyboard-interactive,password
>>> >> debug3: authmethod_lookup publickey
>>> >> debug3: remaining preferred: keyboard-interactive,password
>>> >> debug3: authmethod_is_enabled publickey
>>> >> debug1: Next authentication method: publickey
>>> >> debug1: Offering RSA public key: /Users/user1/.ssh/id_rsa
>>> >> debug3: send_pubkey_test
>>> >> debug2: we sent a publickey packet, wait for reply
>>> >>
>>> >> $ ssh -V
>>> >> OpenSSH_6.9p1, LibreSSL 2.1.8
>>> >>
>>> >> Best regards,
>>> >> Jin
>>> >> _______________________________________________
>>> >> openssh-unix-dev mailing list
>>> >> openssh-unix-dev at mindrot.org
>>> >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>> >
>>> >
>>> >> >> >

From dcb314 at hotmail.com Tue Oct 25 17:18:49 2016
From: dcb314 at hotmail.com (David Binderman)
Date: Tue, 25 Oct 2016 06:18:49 +0000
Subject: port-solaris.c:218: bad compare ?
Message-ID:

Hello there,

port-solaris.c:218]: (style) A pointer can not be negative so it is either pointless or an error to check if it is not.

Source code is

    if ((defaultproject = getdefaultproj(pw->pw_name, &tempproject, &buf,
        sizeof(buf))) > 0) {

Maybe better code

    if ((defaultproject = getdefaultproj(pw->pw_name, &tempproject, &buf,
        sizeof(buf))) != 0) {

Regards

David Binderman

From tnmy44 at gmail.com Tue Oct 25 19:57:24 2016
From: tnmy44 at gmail.com (Tanmay Tiwari)
Date: Tue, 25 Oct 2016 14:27:24 +0530
Subject: port-solaris.c:218: bad compare ?
In-Reply-To:
References:
Message-ID:

Hi David,

Yes, IMO it should be changed to `!= 0`.

> A pointer can not be negative so it is either pointless or an error to check if it is not.

That's not quite true, C standard doesn't force a valid pointer to be positive only. It is implementation dependent. All the more reason that the current code is fragile.

From uri at mit.edu Tue Oct 25 12:34:32 2016
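An added illustration of the bad-compare thread above (this is example code written for this page, not the port-solaris.c code or anything from OpenSSH): a stand-in lookup function named lookup_project() that returns NULL on failure, checked once the fragile way (the pointer treated as a signed integer, which is what an ordered "> 0" compare amounts to) and once with "!= NULL". The project table, the function names and the constructed high address are assumptions for the demo; nothing is dereferenced.

```c
/*
 * Added example (not from the thread or from OpenSSH): why testing a
 * pointer-returning call with "> 0" is fragile and "!= NULL" is the
 * correct check.  lookup_project() is a stand-in for getdefaultproj();
 * its name, table and behaviour are assumptions for this demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A tiny fake "project" table keyed by user name (constructed data). */
struct project { const char *user; const char *name; };
static const struct project projects[] = {
    { "alice", "default" },
    { "root",  "system"  },
};

/* Stand-in for getdefaultproj(): returns NULL when the user has no entry. */
static const struct project *lookup_project(const char *user)
{
    size_t i;
    for (i = 0; i < sizeof(projects) / sizeof(projects[0]); i++)
        if (strcmp(projects[i].user, user) == 0)
            return &projects[i];
    return NULL;
}

/*
 * The fragile check from the report, with the pointer converted the way
 * an ordered compare effectively treats it: as a signed integer.  On a
 * platform or process layout where valid addresses have the top bit set,
 * this reports a perfectly good pointer as "not found".
 */
static int fragile_found(const void *p)
{
    return (intptr_t)p > 0;
}

/* The fix David proposed (Darren applied it spelled as "!= NULL"). */
static int correct_found(const void *p)
{
    return p != NULL;
}

/* Lookup plus check in the shape of the port-solaris.c line, each way. */
static int have_project_fragile(const char *user)
{
    return fragile_found(lookup_project(user));
}

static int have_project_correct(const char *user)
{
    return correct_found(lookup_project(user));
}

/*
 * A constructed high address (top bits set) that a signed compare sees as
 * negative.  Integer-to-pointer conversion is implementation-defined, but
 * the value is only compared here, never dereferenced.
 */
static const void *high_address(void)
{
    return (const void *)((uintptr_t)-1 & ~(uintptr_t)0xfff);
}
```

The two checks agree on NULL and on "nobody", which is why the bug stays invisible in ordinary testing; they only disagree on addresses with the sign bit set, exactly the implementation-dependent case Tanmay points at.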
From: uri at mit.edu (Uri Blumenthal)
Date: Tue, 25 Oct 2016 01:34:32 +0000
Subject: Two problems with OpenSSH
Message-ID: <3CDCD751-CFA1-4023-9568-A2A1A7C31D1D@mit.edu>

My platform: macOS Sierra 10.12.1, Xcode-8.0.0, Macports-2.3.4, Macports-installed OpenSSH_7.3p1.

First problem: OpenSSH seems to ignore PKCS11Provider configuration variable in ~/.ssh/config file (and in the system/global config files as well). It acts as if it hasn't been set:

$ ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.2j 26 Sep 2016
$ ssh-keygen -D pkcs11 -e
dlopen pkcs11 failed: dlopen(pkcs11, 2): no suitable image found. Did find:
	/opt/local/lib/pkcs11: not a file
	/Library/OpenSC/lib/pkcs11: not a file
cannot read public key from pkcs11
$ ssh-keygen -D /Library/OpenSC/lib/opensc-pkcs11.so -e
ssh-rsa AAAAB3NzaC1yc2EA . . . . .
$ ssh -I pkcs11 github.com
dlopen pkcs11 failed: dlopen(pkcs11, 2): no suitable image found. Did find:
	/opt/local/lib/pkcs11: not a file
	/Library/OpenSC/lib/pkcs11: not a file
Permission denied (publickey).
$ ssh -I /Library/OpenSC/lib/opensc-pkcs11.so github.com
Enter PIN for 'PIV Card Holder pin (PIV_II)':
PTY allocation request failed on channel 0
Hi xxxxxx! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.
$ fgrep PKCS11 ~/.ssh/config
PKCS11Provider /Library/OpenSC/lib/opensc-pkcs11.dylib
$

I'd appreciate some guidance on use of PKCS11Provider config parameter (if I'm doing something wrong with it), or fixing the bug of ignoring it (if my attempts to use it were correct).

Second problem - the build seems to require at runtime not only exactly the same version, but exactly the same build of the OpenSSL. Which means that if I make any update or bug fix to OpenSSL that does not affect the interface at all - I still have to re-install OpenSSH. It would be great if OpenSSH could limit its OpenSSL runtime validation to at least the exact version (say, 1.0.2-stable).
It really is both inconvenient and unnecessary to have to rebuild OpenSSH every time.

Thank you!

Since I'm not a subscriber to this list (don't have to contribute much), so please copy the replies to my email.

Thanks again!
--
Uri Blumenthal
uri at mit.edu

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1534 bytes
Desc: not available
URL:

From dtucker at zip.com.au Wed Oct 26 08:48:51 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 26 Oct 2016 08:48:51 +1100
Subject: port-solaris.c:218: bad compare ?
In-Reply-To:
References:
Message-ID:

On Tue, Oct 25, 2016 at 5:18 PM, David Binderman wrote:
[...]
> Maybe better code
>
> if ((defaultproject = getdefaultproj(pw->pw_name, &tempproject, &buf,
> sizeof(buf))) != 0) {

Applied, thanks (although I used NULL rather than bare 0 since that's what the style guide says).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From dtucker at zip.com.au Wed Oct 26 11:30:53 2016
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 26 Oct 2016 11:30:53 +1100
Subject: use PT_DENY_ATTACH on Mac OS X
Message-ID: <20161026003053.GA6627@gate.dtucker.net>

Hi.

Mac OS X has a PT_DENY_ATTACH argument to ptrace(2) which does what it says on the tin:

     PT_DENY_ATTACH
             This request is the other operation used by the traced process; it allows a process that is not currently being traced to deny future traces by its parent. All other arguments are ignored. If the process is currently being traced, it will exit with the exit status of ENOTSUP; otherwise, it sets a flag that denies future traces. An attempt by the parent to trace a process which has set this flag will result in a segmentation violation in the parent

Any reason not to use it in platform_disable_tracing() ?
diff --git a/configure.ac b/configure.ac index f5e1378..88c4633 100644 --- a/configure.ac +++ b/configure.ac @@ -405,6 +405,7 @@ AC_CHECK_HEADERS([ \ sys/poll.h \ sys/prctl.h \ sys/pstat.h \ + sys/ptrace.h \ sys/select.h \ sys/stat.h \ sys/stream.h \ diff --git a/platform-tracing.c b/platform-tracing.c index 81020e7..4c80a28 100644 --- a/platform-tracing.c +++ b/platform-tracing.c @@ -20,6 +20,9 @@ #if defined(HAVE_SYS_PRCTL_H) #include /* For prctl() and PR_SET_DUMPABLE */ #endif +#ifdef HAVE_SYS_PTRACE_H +#include +#endif #ifdef HAVE_PRIV_H #include /* For setpflags() and __PROC_PROTECT */ #endif @@ -40,4 +43,9 @@ platform_disable_tracing(int strict) if (setpflags(__PROC_PROTECT, 1) != 0 && strict) fatal("unable to make the process untraceable"); #endif +#ifdef PT_DENY_ATTACH + /* Mac OS X */ + if (ptrace(PT_DENY_ATTACH, 0, 0, 0) == -1 && strict) + fatal("unable to set PT_DENY_ATTACH"); +#endif }

--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From fremeneric at gmail.com Thu Oct 27 15:36:41 2016
From: fremeneric at gmail.com (Eric Tremblay)
Date: Thu, 27 Oct 2016 00:36:41 -0400
Subject: OpenSSH FIPS question
Message-ID:

Hi there,

From the reading I've done so far OpenSSH doesn't support FIPS. But, there may be a patch that can enable it, am I right?

Thanks
Eric

From openssh at mb.sy.gs Fri Oct 28 19:28:07 2016
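Review bot: in the platform-tracing.c include hunk of the PT_DENY_ATTACH patch above, the new `#ifdef HAVE_SYS_PTRACE_H` include carries no trailing comment, while the neighbouring prctl and priv includes each document what they are for (`/* For prctl() and PR_SET_DUMPABLE */`, `/* For setpflags() and __PROC_PROTECT */`); add `/* For ptrace() and PT_DENY_ATTACH */` so the three blocks read alike.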
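Review bot: in the platform_disable_tracing() hunk of the same patch, the `strict` flag cannot soften the already-traced case: per the man page text quoted in the message, if the process is currently being traced, PT_DENY_ATTACH makes the process exit with ENOTSUP rather than return -1, so `if (ptrace(PT_DENY_ATTACH, 0, 0, 0) == -1 && strict)` only governs other failures, and a caller that passes strict = 0 still terminates when it is being debugged. The prctl and setpflags branches above it do not have that property, so the difference deserves a sentence next to the `/* Mac OS X */` comment, and every call site that passes strict = 0 should be checked against it.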
From: openssh at mb.sy.gs (openssh at mb.sy.gs)
Date: Fri, 28 Oct 2016 10:28:07 +0200
Subject: tunnel devices with OpenSSH > 7.1
Message-ID: <1233396a-32ba-d65b-32df-9e3d2be9c0be@mb.sy.gs>

Hello,

I have a strange situation using tunnel devices with OpenSSH. I've set up a new machine with OpenSSH 7.3p1. It works fine, but if I try to use a tunnel device with an OpenSSH client newer than 7.1 (tried with 7.2 and 7.3) the tunnel is not working. If I enable debug messages, configuring the devices is replied with the following error message

# ifconfig tun1 10.1.1.1 pointtopoint 10.1.1.2
debug2: channel 0: write failed
debug2: channel 0: close_write
debug2: channel 0: chan_shutdown_write: shutdown() failed for fd 5: Socket operation on non-socket
debug2: channel 0: output open -> closed

The OpenSSH server (7.3p1) can be used with older clients fine but the recent clients (7.2/7.3) can be used with tunneling devices against older OpenSSH servers, too. It seems to be that there is a strange problem with tunnel devices if client and server are 7.2/7.3.

I use packages from the Debian repositories (amd64).

It would be nice to get any hint to solve this issue.

Thanks in advance!
Micha

From alexandre at delvelabs.ca Sat Oct 29 01:25:53 2016
From: alexandre at delvelabs.ca (Alexandre Guédon)
Date: Fri, 28 Oct 2016 10:25:53 -0400
Subject: Feature: ControlPath connection uniqueness with JumpHost
Message-ID:

Hi,

Using Ansible, which takes advantage of ssh's ProxyCommand, I realized I couldn't make the ControlPath unique in every situation: If two hosts share the host-port-user in 2 different subnets, you end up with the same socket name, and there is no %(?) option to differentiate them.

For example, user at 10.0.0.2:22 via both machineA & machineB are different, but used sequentially quickly, there is no way for me to make the ControlPath argument unique while still reusing the connection for speed.

So this is more of a feature / idea: Could an argument like %C (hash) be introduced, but one that would hash other options outside of %l%h%p%r, so that connection changing options like ProxyCommand are taken into account and make the socket name unique?

That way ssh would have a way to create sockets that are unique per connection, including ProxyCommand, ProxyJump, etc, thus preventing wrong socket reuse.

Cheers!
Alex

From adam at continusec.com Mon Oct 31 14:55:54 2016
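An added illustration of the ControlPath collision described above (example code written for this page, not OpenSSH's implementation of %C): a socket-name token hashed over %l%h%p%r only, beside a variant that also folds in the ProxyCommand, run over the thread's scenario of the same user at 10.0.0.2:22 reached through machineA and through machineB. The struct, field names, the "~/.ssh/cm-" path shape and the two sample connections are assumptions; the hash is FNV-1a 64-bit, used only to keep the example dependency-free, and is not the digest ssh uses for %C.

```c
/*
 * Added example (not OpenSSH code): a %C-style token over %l%h%p%r, and a
 * variant that also covers connection-changing options such as
 * ProxyCommand/ProxyJump, as the thread proposes.  FNV-1a 64-bit is used
 * only so the demo has no dependencies; it is not what ssh uses.  Struct,
 * field names and the sample connections are assumptions for this demo.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct conn {
    const char *local_host;   /* %l */
    const char *remote_host;  /* %h */
    const char *port;         /* %p */
    const char *user;         /* %r */
    const char *proxy;        /* ProxyCommand / ProxyJump text, "" if none */
};

#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

/* Fold one field into the running hash, then a separator so that
 * ("ab","c") and ("a","bc") cannot hash alike. */
static uint64_t fnv1a_field(uint64_t h, const char *s)
{
    for (; *s != '\0'; s++) {
        h ^= (unsigned char)*s;
        h *= FNV_PRIME;
    }
    h ^= 0xff;
    h *= FNV_PRIME;
    return h;
}

/* Token over %l%h%p%r only: the set of inputs a %C-style hash covers. */
uint64_t token_lhpr(const struct conn *c)
{
    uint64_t h = FNV_OFFSET;
    h = fnv1a_field(h, c->local_host);
    h = fnv1a_field(h, c->remote_host);
    h = fnv1a_field(h, c->port);
    h = fnv1a_field(h, c->user);
    return h;
}

/* Token that additionally covers the proxy setting. */
uint64_t token_with_proxy(const struct conn *c)
{
    return fnv1a_field(token_lhpr(c), c->proxy);
}

/* Render a ControlPath in an assumed ~/.ssh/cm-<hash> shape. */
int control_path(char *out, size_t outlen, const struct conn *c, int include_proxy)
{
    uint64_t t = include_proxy ? token_with_proxy(c) : token_lhpr(c);
    return snprintf(out, outlen, "~/.ssh/cm-%016llx", (unsigned long long)t);
}

/* Constructed sample: the thread's user at 10.0.0.2:22 via two jump hosts.
 * Only the proxy differs, which is exactly the case %l%h%p%r cannot see. */
static const struct conn via_a = { "laptop", "10.0.0.2", "22", "user", "ssh -W %h:%p machineA" };
static const struct conn via_b = { "laptop", "10.0.0.2", "22", "user", "ssh -W %h:%p machineB" };

/* 1 if the two connections would reuse the same control socket. */
int sockets_collide(const struct conn *x, const struct conn *y, int include_proxy)
{
    char px[64], py[64];
    control_path(px, sizeof px, x, include_proxy);
    control_path(py, sizeof py, y, include_proxy);
    return strcmp(px, py) == 0;
}
```

With include_proxy off the two connections map to one socket, so the second session would silently ride the master opened through the other jump host; with the proxy folded in they get distinct paths. Any real implementation would want a cryptographic digest in place of FNV-1a, and would need to decide which options count as "connection changing" so that cosmetic differences in the option text do not needlessly defeat multiplexing.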
From: adam at continusec.com (Adam Eijdenberg)
Date: Mon, 31 Oct 2016 14:55:54 +1100
Subject: CertificateFile and related patches
Message-ID:

Hi OpenSSH,

We've started using openssh certificates for server access in our team and came across a regression (introduced in https://github.com/openssh/openssh-portable/commit/4e44a79a07d4b88b6a4e5e8c1bed5f58c841b1b8) whereby our local clients who were able to successfully connect using version 6.9, were not able to do so with the same configuration on version 7.2.

Our configs for clients look roughly like:

    IdentityFile /Users/aeijdenberg/.ssh/id_shortlived_rsa
    IdentitiesOnly yes

and in our .ssh directory we have:

    id_shortlived_rsa
    id_shortlived_rsa-cert.pub

but no "id_shortlived_rsa.pub".

The reason we don't have the "id_shortlived_rsa.pub" is that we didn't want our users accidentally adding that to any authorized_keys files or linking to their Git accounts, since it will rotate often.

I wrote some tests demonstrating the issue, and created a patch that I believe solves the problem.

While doing so I came across a few other issues related to specifying certificates. For example, while specifying an IdentityFile will automatically load a certificate with the same name (and common suffix), the reverse is not true, which would be convenient for our usage. Additionally, when a CertificateFile is explicitly listed, if no IdentityFiles are listed, then implicit paths such as ~/.ssh/id_rsa are used, even when IdentitiesOnly=yes is set. I created tests for each of these, and a series of commits that I think fixes each one.

I see there is a related bug here for our original issue, so it looks like we are not the only ones operating in this type of configuration: https://bugzilla.mindrot.org/show_bug.cgi?id=2617

Appreciate your consideration. I'm a first time openssh contributor, so apologies if I've missed any steps in the process.
I rolled this up into a pull request here: https://github.com/openssh/openssh-portable/pull/53

I suspect that isn't how you actually pull the changes in, but thought it would be a meaningful way to share a link to the patches.

Cheers,
Adam