>>besides the Permission Denied entry, ssh with the verbose option reports a lot more,
>>plus the authentication logs on the server
>
>
>OK, here it is:
>
>OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090703f
>debug1: Reading configuration data /etc/ssh/ssh_config
>debug1: Applying options for *
>debug1: Rhosts Authentication disabled, originating port will not be trusted.
>debug1: Connecting to xxxxx.xxxxxxxx.xx [XXX.X.X.XXX] port 22.
>debug1: Connection established.
>debug1: identity file /home/scsi/.ssh/identity type -1
>debug1: identity file /home/scsi/.ssh/id_rsa type -1
>debug1: identity file /home/scsi/.ssh/id_dsa type -1
>debug1: Remote protocol version 2.0, remote software version OpenSSH_3.9p1
>debug1: match: OpenSSH_3.9p1 pat OpenSSH*
>debug1: Enabling compatibility mode for protocol 2.0
>debug1: Local version string SSH-2.0-OpenSSH_3.6.1p2
>debug1: SSH2_MSG_KEXINIT sent
>debug1: SSH2_MSG_KEXINIT received
>debug1: kex: server->client aes128-cbc hmac-md5 none
>debug1: kex: client->server aes128-cbc hmac-md5 none
>debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
>debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
>debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
>debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
>debug1: Host 'xxxxx.xxxxxxxx.xx' is known and matches the RSA host key.
>debug1: Found key in /home/scsi/.ssh/known_hosts:1
>debug1: ssh_rsa_verify: signature correct
>debug1: SSH2_MSG_NEWKEYS sent
>debug1: expecting SSH2_MSG_NEWKEYS
>debug1: SSH2_MSG_NEWKEYS received
>debug1: SSH2_MSG_SERVICE_REQUEST sent
>debug1: SSH2_MSG_SERVICE_ACCEPT received
>debug1: Authentications that can continue: publickey,password,keyboard-interactive
>debug1: Next authentication method: publickey
>debug1: Trying private key: /home/scsi/.ssh/identity
>debug1: Trying private key: /home/scsi/.ssh/id_rsa
>debug1: Trying private key: /home/scsi/.ssh/id_dsa
>debug1: Next authentication method: keyboard-interactive
>debug1: Authentications that can continue: publickey,password,keyboard-interactive
>debug1: Next authentication method: password
>scsi@xxxxx.xxxxxxxx.xx's password:
>debug1: Authentications that can continue: publickey,password,keyboard-interactive
>Permission denied, please try again.
>scsi@xxxxx.xxxxxxxx.xx's password:
The authentication proceeds strangely - see the order above, and I have the feeling
that something is missing from the log :(
>And in the logs on the server it says Failed password for scsi from
>... port ... ssh2
Initial data: openssh-portable-3.9p1 built without Kerberos
[alone]~ > ps -axuww | grep sshd
root 501 0,0 0,3 3028 696 ?? Is 23сен04 0:02,22 /usr/sbin/sshd
root 70995 0,0 0,8 2936 2132 ?? Is 16:18 0:00,09 /usr/local/sbin/sshd
lavr 71040 0,0 0,2 1412 616 p1 R+ 16:25 0:00,00 grep sshd
[alone]~ > telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.6.1p1 FreeBSD-20030924
quit
Protocol mismatch.
Connection closed by foreign host.
[alone]~ > telnet localhost 3022
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.9p1
quit
Protocol mismatch.
Connection closed by foreign host.
[alone]~ >
OpenSSH 3.9p1, the one we are interested in, is listening on port 3022.
-------------------------- sshd_config -------------------------------
#Port 22
#--lavr for test openssh3.9
Port 3022
Protocol 2,1
#--lavr, by default sshd bind to all intefaces & ip
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /usr/local/etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /usr/local/etc/ssh/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 2m
#--lavr for enable root-login via ssh
PermitRootLogin yes
#PermitRootLogin no
StrictModes yes
#MaxAuthTries 6
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#--lavr DONT use RHOST-auth for SSH-1 & SSH-2
# For this to work you will also need host keys in #/usr/local/etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but
#set
# ChallengeResponseAuthentication=no
#--lavr, if you have troubles for login try -> UsePAM no
#UsePAM no
UsePAM yes
#AllowTcpForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
#PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#--lavr, for disable reverse-check -> UseDNS no
#UseDNS yes
#--lavr change pid for use 2-sshd daemons
PidFile /var/run/sshd39.pid
#MaxStartups 10
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/local/libexec/sftp-server
------------------------------------------------------------------------
1) start the client with the options -2 (use only protocol 2 with its
permitted authentication methods), -4 (use IPv4), -p 3022 (the port the new sshd daemon is listening on)
[unix1]~ > ssh -2 -4 -p 3022 -v alone.dubna.ru
OpenSSH_3.5p1 FreeBSD-20030924, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /home/lavr/.ssh/config
debug1: Applying options for alone.dubna.ru
debug1: Applying options for *
debug1: /home/lavr/.ssh/config line 46: Deprecated option "FallBackToRsh"
debug1: /home/lavr/.ssh/config line 47: Deprecated option "UseRsh"
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to alone.dubna.ru [62.84.100.160] port 3022.
debug1: Connection established.
debug1: identity file /home/lavr/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.5p1 FreeBSD-20030924
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 133/256
debug1: bits set: 1034/2048
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'alone.dubna.ru' is known and matches the DSA host key.
debug1: Found key in /home/lavr/.ssh/known_hosts:1
debug1: bits set: 996/2048
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
Authentication order: first the SSH protocol 2 public keys,
RSA and DSA; if that authentication fails, then password; the rest I DO NOT WANT
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/lavr/.ssh/id_rsa
debug1: authentications that can continue: publickey,password
debug1: userauth_pubkey_agent: testing agent key /home/lavr/.ssh/id_dsa
debug1: authentications that can continue: publickey,password
If the authentication had succeeded, we would have been let into the system; as it is, we are asked for the password
debug1: next auth method to try is password
lavr@alone.dubna.ru's password:
debug1: ssh-userauth2 successful: method password
Let in by password - all OK.
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: x11-req
debug1: Requesting authentication agent forwarding.
debug1: channel request 0: auth-agent-req@openssh.com
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
Last login: Thu Oct 7 16:23:21 2004 from unix1.jinr.ru
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.2.1-RELEASE-p9 (ALONE) #1: Fri Jul 23 13:45:31 MSD 2004
Welcome to FreeBSD!
No new messages.
[alone]~ >
On the client you can put in .ssh/config:
...
ChallengeResponseAuthentication no
...
PreferredAuthentications ``publickey,password''
in case of problems with PAM.
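A small audit script, added here as an example (it is not code from this thread or from OpenSSH), that reads an sshd_config the way sshd does, first uncommented value per keyword wins and later duplicates are ignored, and flags the settings in the posted config that a defender would tighten (Protocol 2,1, PermitRootLogin yes, PasswordAuthentication yes, X11Forwarding yes). It also checks the UsePAM / ChallengeResponseAuthentication combination that the stock config comment warns about, and writes a hardened copy with the original lines kept as comments for diffing. The sample config is a constructed excerpt of the one above; the HARDENED baseline and all function names are my own assumptions, and Match blocks are not handled.

```python
"""Audit an sshd_config using sshd's own first-match rule: for each keyword
the first uncommented value is the effective one, later duplicates are ignored.
Added example, not code from the thread or from OpenSSH."""
import re

# Constructed sample: an excerpt modelled on the sshd_config posted above.
# The commented-out alternatives are kept to exercise the first-match rule.
SAMPLE_SSHD_CONFIG = """\
#Port 22
Port 3022
Protocol 2,1
#--lavr for enable root-login via ssh
PermitRootLogin yes
#PermitRootLogin no
StrictModes yes
PasswordAuthentication yes
PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
#UsePAM no
UsePAM yes
AllowTcpForwarding yes
X11Forwarding yes
PidFile /var/run/sshd39.pid
Subsystem sftp /usr/local/libexec/sftp-server
"""

# Values a defender would expect (assumed hardening baseline, my choice).
HARDENED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

# sshd accepts both "Keyword value" and "Keyword=value"; keywords are
# case-insensitive.  Match blocks are not handled (the posted config has none).
KEY_RE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+)$")


def parse_sshd_config(text):
    """Return {keyword_lower: (value, line_no)} with the first occurrence winning."""
    effective = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m is None:
            continue
        effective.setdefault(m.group(1).lower(), (m.group(2).strip(), n))
    return effective


def audit(effective):
    """Return [(keyword, effective_value, expected)] for every weak setting."""
    findings = []
    for key, want in HARDENED.items():
        got, _ = effective.get(key, (None, None))
        if got is None:
            findings.append((key, "unset (compiled-in default)", want))
        elif key == "protocol":
            # "2,1" still offers SSH-1 to clients that ask for it
            if "1" in [p.strip() for p in got.split(",")]:
                findings.append((key, got, want))
        elif got.lower() != want:
            findings.append((key, got, want))
    # The stock config comment warns that with UsePAM yes, PAM authentication
    # runs through ChallengeResponseAuthentication and may bypass
    # PasswordAuthentication / PermitRootLogin.  Flag the yes/yes combination.
    usepam = effective.get("usepam", ("no", 0))[0].lower()
    cra = effective.get("challengeresponseauthentication", ("yes", 0))[0].lower()
    if usepam == "yes" and cra == "yes":
        findings.append(("usepam+challengeresponseauthentication", "yes/yes",
                         "PAM may bypass the password/root-login settings"))
    return findings


def hardened_copy(text, findings):
    """Return the config text with each flagged keyword set to its hardened
    value; the original line is kept as a comment so the change can be diffed."""
    todo = {key: want for key, _, want in findings if key in HARDENED}
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line) if line and not line.startswith("#") else None
        key = m.group(1).lower() if m else None
        if key in todo:
            out.append("#" + raw + "   # replaced by audit")
            out.append("%s %s" % (m.group(1), todo.pop(key)))
        else:
            out.append(raw)
    for key, want in todo.items():  # keywords that were absent altogether
        out.append("%s %s" % (key, want))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    eff = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for key, got, want in audit(eff):
        print("%-40s effective=%-28s expected=%s" % (key, got, want))
    print(hardened_copy(SAMPLE_SSHD_CONFIG, audit(eff)))
```

Run against the sample it reports the four weak settings; run against the hardened copy it reports nothing. The first-match rule is the point worth remembering when reading a config like the one above: a "PermitRootLogin no" that follows "PermitRootLogin yes" does nothing, whether it is commented out or not.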