I cant sshd to work after upgrading to MDK10.1CE from MDK9.1

I recently performed the upgrade (upgrade? actually I reformatted and
did a clean install) on a two boxes, my personal notebook and my
internet gateway. After the upgrade, I started having a few problems,
which I have so far solved all but two. I will only mention one to
this group.

Sshd stopped working. This was actually the worst problem I had, and
it is the only one that can force me to return to mdk9.1 while I get a
different distro.

Anyway, this is the output of running ssh -vvv gw (my server's name)
on cpqpres1200 (my notebook's name):

-----(log on cpqpres1200 starts here)-----
OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to gw [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/victor/.ssh/identity type -1
debug1: identity file /home/victor/.ssh/id_rsa type 1
debug1: identity file /home/victor/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-(E-Mail Removed),aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-(E-Mail Removed),aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-(E-Mail Removed),hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-(E-Mail Removed),hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-(E-Mail Removed),aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-(E-Mail Removed),aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-(E-Mail Removed),hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-(E-Mail Removed),hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 127/256
debug2: bits set: 528/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/victor/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /home/victor/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'gw' is known and matches the RSA host key.
debug1: Found key in /home/victor/.ssh/known_hosts:2
debug2: bits set: 525/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/victor/.ssh/identity ((nil))
debug2: key: /home/victor/.ssh/id_rsa (0x808bc10)
debug2: key: /home/victor/.ssh/id_dsa ((nil))
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug3: start over, passed a different list
publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/victor/.ssh/identity
debug3: no such identity: /home/victor/.ssh/identity
debug1: Offering public key: /home/victor/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Trying private key: /home/victor/.ssh/id_dsa
debug3: no such identity: /home/victor/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: Authentication succeeded (keyboard-interactive).
debug2: fd 5 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t3 r-1 i0/0 o0/0 fd 4/5 cfd -1)

debug3: channel 0: close_fds r 4 w 5 e 6 c -1
debug1: fd 1 clearing O_NONBLOCK
debug3: fd 2 is not O_NONBLOCK
Read from remote host gw: Connection reset by peer
Connection to gw closed.
debug1: Transferred: stdin 0, stdout 0, stderr 78 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 2129.5
debug1: Exit status -1
-----(log on cpqpres1200 ends here)-----

This are the referent lines in the server's log:

-----(log on gw starts here)-----
Jan 22 11:11:49 vrrivaro sshd [11646] Accepted
keyboard-interactive/pam for victor from 192.168.1.5 port 32827 ssh2
Jan 22 11:11:49 vrrivaro sshd(pam_unix)[11654]: session opened for
user victor by (uid=0)
Jan 22 11:11:49 vrrivaro sshd[11654]: fatal: PAM: pam_setcred():
Critical error - immediate abort
Jan 22 11:11:49 vrrivaro sshd[11654]: session closed for user victor

-----(log on gw ends here)-----

I know its not a Mandrake to Mandrake problem, since I booted Windows
and tried with PuTTY, same results.

I executed this commands on gw just in case it was firewall provoked:

# for p in udp tcp;
> do
> iptables -I INPUT -p $p --dport 22 -i eth1 -j ACCEPT
> done
# for p in 6010 6011 6012 6013 6014 6015;
> do
> iptables -I INPUT -p tcp --dport $p -i eth1 -j ACCEPT
> done

Same results.

I then disconnected myself from the internet and completly shut down
the firewall, same results. Besides, I wouldn't see a thing in the
server's log if it where firewall related. Device eth1 is connected to
a crossover cable that ends up in my notebook, no HUB, eth0 is
connected to the internet. Same results.

Any help will be much appreciated.

Thanks.

Victor Rafael Rivarola

(E-Mail Removed) (Victor Rafael Rivarola) writes:

>I recently performed the upgrade (upgrade? actually I reformatted and
>did a clean install) on a two boxes, my personal notebook and my
>internet gateway. After the upgrade, I started having a few problems,
>which I have so far solved all but two. I will only mention one to
>this group.

>Sshd stopped working. This was actually the worst problem I had, and
>it is the only one that can force me to return to mdk9.1 while I get a
>different distro.

ssh works extremely well on 10.1. It is an order or magnitude faster in the
negotiation than it was before.



>Anyway, this is the output of running ssh -vvv gw (my server's name)
>on cpqpres1200 (my notebook's name):


It is fine that is not where the problem is.



>This are the referent lines in the server's log:

>-----(log on gw starts here)-----
>Jan 22 11:11:49 vrrivaro sshd [11646] Accepted
>keyboard-interactive/pam for victor from 192.168.1.5 port 32827 ssh2
>Jan 22 11:11:49 vrrivaro sshd(pam_unix)[11654]: session opened for
>user victor by (uid=0)
>Jan 22 11:11:49 vrrivaro sshd[11654]: fatal: PAM: pam_setcred():
>Critical error - immediate abort

Did you see the above lines. Pam is rejecting the user/password.

It sounds like it is unable to authenticate that partiticular user.



>Jan 22 11:11:49 vrrivaro sshd[11654]: session closed for user victor

>-----(log on gw ends here)-----

>I know its not a Mandrake to Mandrake problem, since I booted Windows
>and tried with PuTTY, same results.

It is occuring on the server side.

You might run sshd in debug mode.


>I executed this commands on gw just in case it was firewall provoked:

Thanks for your reply. Google changed their web groups interface, so I
might mess up. If it happens, sorry.

No, I didn't notice the PAM related lines. However, I did some
experimenting on that and the results are even more confusing in view
of that fact. I tried to connect once more, but this time I typed junk
instead of the password. The client prompted me for the password again,
so I typed the right passwor this time, and it quit as usual. I
repeated a few times, varying the number on times I gave it junk (not
to more than two, though). The server seems to be validating the
password and, if and only if it is correct, it will quit.

Here is the log of a debugging server:

-----(server)-----
Script iniciado (lun 24 ene 2005 09:38:46 PYST)

root@vrrivaro:~
# /usr/sbin/sshd -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 383
debug2: parse_server_config: config /etc/ssh/sshd_config len 383
debug1: sshd version OpenSSH_3.9p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 192.168.1.1.
Server listening on 192.168.1.1 port 22.
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 383
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7

root@vrrivaro:~
#
Script terminado (lun 24 ene 2005 09:40:25 PYST)
-----(server)-----

Here is the output on the client:

-----(client)-----
Script iniciado (lun 24 ene 2005 09:38:03 CET)

victor@cpqpres1200:~
$ ssh -vvv gw
OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to gw [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/victor/.ssh/identity type -1
debug1: identity file /home/victor/.ssh/id_rsa type 1
debug1: identity file /home/victor/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.9p1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-(E-Mail Removed),aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-(E-Mail Removed),aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-(E-Mail Removed),hmac-sha1-96,hmac-md5-96debug2:
kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-(E-Mail Removed),hmac-sha1-96,hmac-md5-96debug2:
kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-(E-Mail Removed),aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-(E-Mail Removed),aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-(E-Mail Removed),hmac-sha1-96,hmac-md5-96debug2:
kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-(E-Mail Removed),hmac-sha1-96,hmac-md5-96debug2:
kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 124/256
debug2: bits set: 518/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/victor/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /home/victor/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host 'gw' is known and matches the RSA host key.
debug1: Found key in /home/victor/.ssh/known_hosts:2
debug2: bits set: 510/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/victor/.ssh/identity ((nil))
debug2: key: /home/victor/.ssh/id_rsa (0x808bc10)
debug2: key: /home/victor/.ssh/id_dsa ((nil))
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug3: start over, passed a different list
publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/victor/.ssh/identity
debug3: no such identity: /home/victor/.ssh/identity
debug1: Offering public key: /home/victor/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Trying private key: /home/victor/.ssh/id_dsa
debug3: no such identity: /home/victor/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password: ***garbage***
debug3: packet_send2: adding 32 (len 24 padlen 8 extra_pad 64)
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password: ***password***
debug3: packet_send2: adding 32 (len 22 padlen 10 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t3 r-1 i0/0 o0/0 fd 4/5 cfd -1)
debug3: channel 0: close_fds r 4 w 5 e 6 c -1
Read from remote host gw: Connection reset by peer
Connection to gw closed.
debug1: Transferred: stdin 0, stdout 0, stderr 78 bytes in 0.2 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 342.3
debug1: Exit status -1

victor@cpqpres1200:~
$
Script terminado (lun 24 ene 2005 09:38:40 CET)
-----(client)-----

Once again, thank you.

Victor Rivarola