Ssh bug in 10.5.5

For some of my ssh sessions, I get:
ssh host.corporate.com
xmalloc: zero size
This looks the same as https://bugzilla.mindrot.org/show_bug.cgi?id=1496
Jonathan
Message was edited by: jlemon

For what it is worth, MacFixIt _http://www.macfixit.com_ reported on this today--
*SSH not working, fix* Some users have discovered that remote logins using SSH no longer function after updating to Mac OS X 10.5.5.
The fix, per MacFixIt reader TJ: Launch the Terminal (located in /Applications/Utilities) and enter the command:
sudo chown root /private/var/empty
This changes the ownership of /private/var/empty from NOBODY to ROOT, as it should be.

Similar Messages

  • WiSM rebooting randomly

    I have 3 WiSMs: two of them (WiSM-a and WiSM-b) are seated on the CORE1 switch (6509) and the WiSM-c is seated on CORE2, also a 6509.
    One of the controllers from WiSM-a/b keeps rebooting, let's call it Con-1a, and Con-2b reboots but usually more than the other one. The controllers (WiSM located on CORE2) never reboot.
    Both COREs have the same software code. The WiSM have been online for about a year with 4.2.99.0 version and they never rebooted until 3 months from now so a Cisco Tech suggested upgrading to 4.2.176.0 but it keeps doing it.
    "IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF9, REL"
    Thank you
    Vic

    It took Cisco's TAC people months of studying several crash files and reproducing our configuration in their labs, and only the fifth (or so) patch at last worked. And speaking of security, we noticed many many ssh connections from the wired Internet to this controller port which apparently slipped through the firewall - you might call it a continuous DoS attack that every few weeks succeeds. So, a hole in our firewall revealed an obscure ssh bug in the controllers. Ssh connections from the WLAN did not seem to have any impact.

  • OpenSSH v4 vulnerabilities in 4400 WLC (WiSM)

    Hi,
    I recently did a vulnerability scan of a 4400 (4404) series wireless LAN controller running 7.0.116.0 and it showed SSH running on port 22 of the management interface. The problem I have is that the vulnerability scanner (Nessus) showed the version to be OpenSSH 4.0 according to the SSH banner. Based on this version it has highlighted a large number of potential vulnerabilities including denial of service and privilege escalation issues. I've researched each of these vulnerabilities and they do indeed affect this version of OpenSSH and some of them are quite serious. However, I can find absolutely no reference on the web to this device (or indeed any Cisco device) being vulnerable to these OpenSSH bugs. I can find references to other SSH bugs but these are not the same ones that appear to affect OpenSSH 4.0 and the version of software on the device is not vulnerable to those other ones. I would have imagined with both the popularity of the device and of the vulnerability scanner that someone would have encountered this before. I'm starting to think now that this is a false positive on the scanner's part or else that Cisco fixes these bugs individually without upgrading the version of OpenSSH in the banner and so it is not affected - but I would have thought there would still be reference to these somewhere online. I'd appreciate any thoughts anyone would have on this.
    Some of the vulnerabilities that the scanner is showing against this version of OpenSSH are as follows:
    X11 trusted cookie forwarding issue -> (CVE-2007-4752)
    Potential denial of service by crashing ssh service-> (CVE-2006-4925)
    Privilege escalation via weak verification of authentication -> (CVE-2006-5794)
    DoS by forcing keys to be recreated -> (CVE-2007-0726)
    Uncover 32 bits of plain text from arbitrary block of ciphertext -> (CVE-2008-1483)
    Hijack X11 session due to binding TCP ports to IPv6 interface instead of IPv4 when IPv4 is in use - CVE-2008-1483
    Execute arbitrary commands if a user copies a malicious crafted file via scp -CVE-2008-1483
    Execution of commands using weakness in the ForceCommand directive - CVE-2008-1657
    Thanks.

    Please have a look at CSCsx46691
    Symptom:
    Several security scanners mistakenly identify Cisco Wireless LAN Controllers as
    being affected by multiple OpenSSH related vulnerabilities.
    Conditions:
    A security scanner that identifies vulnerable software by the banner that is
    returned when a connection is made to a services listening port may misidentify
    the Cisco Wireless LAN Controller as being vulnerable.  This occurs because the
    WLC returns a banner of OpenSSH v4.0.
    Workaround:
    Ignore the warnings from the scanner software.
    Further Problem Description:
    The OpenSSH codebase is patched and maintained by Cisco Engineering to address
    known security vulnerabilities in OpenSSH version 4.0.  Because the banner
    returned by the WLC does not reflect this, security scanners may mistakenly
    flag the devices as being vulnerable.
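
One way to triage banner-only findings like the ones in this thread, as an added example (not Cisco's or the scanner's code): it parses the SSH identification string and separates findings inferred from the version banner from findings backed by an active check, consulting a table of vendor statements such as CSCsx46691. The banner strings, the `Finding` record, the device-family names and the `VENDOR_STATEMENTS` layout are constructed for illustration.

```python
import re
from dataclasses import dataclass

# SSH identification string, RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments
IDENT_RE = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
OPENSSH_RE = re.compile(r"^OpenSSH_(?P<version>\d+(?:\.\d+)+)(?P<patch>p\d+)?")

# Vendor statements saying the banner does not reflect backported fixes.
# The key layout is an assumption of this example; the bug ID and the
# "OpenSSH v4.0" banner are the ones quoted in the thread.
VENDOR_STATEMENTS = {
    ("cisco-wlc", "OpenSSH", "4.0"): "CSCsx46691",
}


@dataclass(frozen=True)
class Finding:
    ident: str     # CVE or scanner plugin identifier
    evidence: str  # "banner" = inferred from version string, "active" = behaviour was tested


def parse_banner(line):
    """Return (protocol, product, version) from an SSH identification line, or None."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    sw = OPENSSH_RE.match(m.group("software"))
    if sw is None:
        return (m.group("proto"), m.group("software"), None)
    return (m.group("proto"), "OpenSSH", sw.group("version"))


def triage(banner_line, device_family, findings):
    """Map each finding to 'confirmed', 'vendor-statement:<id>' or 'unverified'."""
    parsed = parse_banner(banner_line)
    product, version = (parsed[1], parsed[2]) if parsed else (None, None)
    statement = VENDOR_STATEMENTS.get((device_family, product, version))
    result = {}
    for f in findings:
        if f.evidence != "banner":
            result[f.ident] = "confirmed"            # tested behaviour, not a version guess
        elif statement:
            result[f.ident] = "vendor-statement:" + statement
        else:
            result[f.ident] = "unverified"           # needs a patch-level check on the host
    return result


# Constructed sample input.
WLC_BANNER = "SSH-2.0-OpenSSH_4.0\r\n"
FINDINGS = [
    Finding("CVE-2006-5794", "banner"),
    Finding("CVE-2008-1657", "banner"),
    Finding("EXAMPLE-ACTIVE-CHECK", "active"),       # placeholder identifier
]

if __name__ == "__main__":
    for family in ("cisco-wlc", "generic-linux"):
        print(family, triage(WLC_BANNER, family, FINDINGS))
```

The same banner on a host with no vendor statement stays "unverified" rather than being dismissed, which keeps the suppression scoped to the device family the advisory covers.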

  • Problem using Time Capsule as Router

    I just purchased an Airport Time.Capsule.802.11AC 2TB router for my home, which for the last year worked happily with an inexpensive router. My home system is reasonably complex, with a guest house with an Airport Express used as a wireless access point, and an Airport used in another part of the house. Both the Express and Airport extend the network (and have done so in the past).
    Since installing the Time Capsule 2 days ago, I have had no end of problems, first with getting devices to connect wirelessly; I seem to have (generally) solved this problem by deleting the old wireless details and entering the new wireless access details (even though the access point name and password remains the same).
    Still, problems plague me. The Airport seems to intermittently report that it cannot extend the network; internet access speeds are sometimes slow or non-existent (last night, download speed was 2MB/S, upload speeds non-existent). I suspect this must be because of some conflict within my system: I use a cable modem, and right now all wireless clients gain access via DHCP.
    I've attached my 'settings' for the router.
    Is there a setting which is obviously out of place, or some other idea as to how to debug?  I wonder if the router is using a new wireless protocol that older iPads/laptops/etc cannot speak to as quickly, but dismissed that as somewhat illogical.

    How can I determine if it is a firmware fault?
    Because you test precisely for where the fault is..
    To do that you measure local lan speeds, connectivity and reliability using ethernet and wireless.
    And then do the same with WAN.. you will discover where the problem exists.. if it is wan speed or drop out then you can be very sure it is WAN bugs.
    This is as I stated an issue with the AC model.. and all the firmware seem to be affected but you should be on 7.7.3 as the earlier ones are not secure.
    Why would Apple ever release such a device with a known fault? 
    The following is pure speculation .. and might get deleted.. !!
    Why did apple release a bad update for iphone 6?? Lack of testing.
    http://bgr.com/2014/09/25/iphone-6-and-iphone-6-plus-ios-8-0-2-release/
    Why do they produce phones that bend? Lack of testing.
    http://www.macrumors.com/2014/09/25/apple-responds-to-bending-issues/
    This is more typical apple response .. ie in normal usage they are fine. ie it is end users that are at fault. Should not wear tight pants.
    In networking there are huge numbers of products in the marketplace. To get reasonable products to market you need to test vigorously and update continually until you find all the bugs.. Since Apple released the AC model there has been two firmware updates.. one on the day of release.. and one recently with the ssh bug.. (one other was withdrawn after a few days.. as typical it caused more problems than it fixed.. which is lack of testing). For a new leading edge product this is totally inadequate. But I am sure it worked fine on the two different cable modems they tested it on.. and 3 different dsl modems and 2 different fibre setups.. unfortunately there are thousands upon thousands of modems and routers out there. A large beta program is required.. but Apple could not do that as it would be releasing hardware without marketing fanfare.
    I personally have these issues with the Airport Extreme and Time Capsule on my ADSL.. it simply does not work reliably. No other router I have tested fails.  I have tested lots.. but the Apple cannot maintain a pppoe connection to ISP equipment. All other routers can. For some it works perfectly.. for some it doesn't work at all.. for me it drops out at 2min intervals. It is simply unsuited to the task. Find another way to use it .. or return it. Clearly they don't get enough returns to believe the issue is that big.
    In the forum we deal with it every day.. eg today.
    ISP Speed issue after installing TC
    Just do a search for SB6121 or SB6141 which seem particularly prone to the problem.

  • Ciscoworks lms3.1 -- netconfig job problems

    Hi,
    LMS 3.1, when I do a netconfig job for more than >5 devices, in the job tab the status is always showing as running. But when I do it for 2 or 3 devices as a batch it comes as successful. Nevertheless the configurations are updated when more than 5 devices selected. We tried to reboot the server also. All the services are running in the common services>server>admin>processes tab.
    Pls find enclosed the netconfigclient & jrm log files. We started the jobs around Tue Nov 17 07:00:03 hrs

    Are you using SSH to connect to your devices?  If so, then you are most likely seeing a known bug where SSH sessions can lock up either deploying a config, or fetching a config.  All of the known SSH bugs are fixed in LMS 3.2, but patches for RME 4.2 are available from TAC.  The bugs are CSCsv95235, CSCsx24218, and CSCsw88378.

  • SSH/PAM login issue with fresh install: edit wiki or raise bug?

    I recently encountered an issue while setting up Arch on a headless server, and was wondering if I did something stupid, the documentation should be improved or I found a bug.
    The problem was that after adding a new non-root user, I couldn't SSH into that user account. I could still login to root via SSH fine. After some research and playing around I found I was able to login by setting UsePAM to no in /etc/ssh/sshd_config. I later realised that this was because I set the login shell for this account to /usr/bin/bash, and not /bin/bash. The problem is that currently /usr/bin/bash is not in /etc/shells, and the default /etc/ssh/sshd_config sets UsePAM to yes.
    As this is a new default install, and I followed the wiki during the install, I feel that this should have been documented somewhere. I don't mind changing the wiki or reporting this as a bug, just I'm not sure which is the correct course of action:
    1. Should I have known to use /bin/bash and not /usr/bin/bash, i.e. the login shell needs to be in /etc/shells? => edit the wiki [1]
    2. Should /usr/bin/bash be in /etc/shells? => raise a bug against filesystem [2]
    Related:
    [1] https://wiki.archlinux.org/index.php/Gr … management
    [2] https://projects.archlinux.org/svntogit … unk/shells
    [3] https://bugs.archlinux.org/task/35724
    [4] https://bbs.archlinux.org/viewtopic.php?id=166464
    Last edited by quigybo (2013-11-02 17:34:42)

    The wiki should be changed. /bin/bash is the correct entry in the list of shells.
    I cannot, however, remember off hand in which context this came up. I just remember this was the developers' response. So I can't point you to evidence to confirm even though I do know that is the correct answer.
    EDIT: https://bugs.archlinux.org/task/33677
    https://bugs.archlinux.org/task/33694
    Last edited by cfr (2013-11-03 03:56:49)
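
A check for the condition described in this thread, as an added example (not from the Arch wiki or the posters): it reads passwd, /etc/shells and sshd_config content and lists the accounts whose login shell is missing from /etc/shells while UsePAM is enabled. The file contents and account names below are constructed samples, and the set of "disabled" shells is an assumption of this example.

```python
# Shells that mark an account as locked on purpose (assumption of this example).
DISABLED_SHELLS = {"/usr/bin/nologin", "/sbin/nologin", "/bin/false"}


def parse_shells(text):
    """Return the set of login shells listed in /etc/shells content."""
    shells = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            shells.add(line)
    return shells


def use_pam(sshd_config_text):
    """Effective UsePAM: the first value read wins; OpenSSH's built-in default is no."""
    for line in sshd_config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if len(parts) >= 2 and parts[0].lower() == "usepam":
            return parts[1].lower() == "yes"
    return False


def accounts_with_unlisted_shell(passwd_text, shells_text):
    """Return (user, shell) pairs whose login shell is not in /etc/shells."""
    allowed = parse_shells(shells_text)
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        user, shell = fields[0], fields[6] or "/bin/sh"  # empty field means /bin/sh
        if shell not in allowed and shell not in DISABLED_SHELLS:
            hits.append((user, shell))
    return hits


def affected_accounts(passwd_text, shells_text, sshd_config_text):
    """Accounts matching the failure in the post: unlisted shell and UsePAM yes."""
    if not use_pam(sshd_config_text):
        return []
    return accounts_with_unlisted_shell(passwd_text, shells_text)


# Constructed sample input.
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000::/home/alice:/usr/bin/bash\n"
    "bob:x:1001:1001::/home/bob:/bin/bash\n"
    "git:x:997:997::/srv/git:/usr/bin/nologin\n"
)
SHELLS = "# /etc/shells\n/bin/sh\n/bin/bash\n"
SSHD_CONFIG = "#UsePAM no\nUsePAM yes\n"

if __name__ == "__main__":
    for user, shell in affected_accounts(PASSWD, SHELLS, SSHD_CONFIG):
        print(f"{user}: login shell {shell} is not listed in /etc/shells")
```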

  • Bug between JRockit and X11 forwarding via ssh

    I have encountered what appears to be a bug in the interaction of JRockit with X11 ssh forwarding.
    When running any Java GUI application on a remote machine using X11 forwarding via ssh, a variety of problems occur. For example:
    --- cut here ---
    % mitrion-ide
    The program '' received an X Window System error.
    This probably reflects a bug in the program.
    The error was 'BadAtom (invalid Atom parameter)'.
      (Details: serial 189 error_code 5 request_code 20 minor_code 0)
      (Note to programmers: normally, X errors are reported asynchronously;
       that is, you will receive the error a while after causing it.
       To debug your program, run it with the --sync command line
       option to change this behavior. You can then get a meaningful
       backtrace from your debugger if you break on the gdk_x_error() function.)
    --- cut here ---
    That's the good case. When running the rmmlite application (available at https://rmml.dev.java.net/servlets/ProjectDocumentList?folderID=437&expandFolder=437&folderID=438 ), I experience what appears to be a near-lockup of my local workstation.
    Neither of these problems occur if I set my DISPLAY to not use ssh X11 forwarding. Likewise, non-Java applications work just fine with ssh X11 forwarding. Therefore the problem seems to be limited to the Java + ssh X11 forwarding combination.
    I have a suitable workaround (i.e. setting the DISPLAY variable to avoid ssh X11 forwarding), but I thought this was worth bringing to BEA's attention. I'd also be curious to know if others have run into similar difficulties.
    Here are the configuration details:
    Remote X11 client (where applications are hosted)
    =================================================
    % java -version
    java version "1.4.2_12"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_12-b03)
    BEA JRockit(R) (build R27.1.0-109-73164-1.4.2_12-20061129-1418-linux-ia32, compiled mode)
    % uname -a
    Linux earthling 2.6.9-34.ELsmp #1 SMP Fri Feb 24 16:54:53 EST 2006 i686 athlon i386 GNU/Linux
    % rpm -qa | grep openssh-server
    openssh-server-3.9p1-8.RHEL4.12
    This is a vanilla RedHat Linux RHEL 4 Update 3 system, with all other versions of Java removed.
    Local workstation (i.e. X11 server)
    ===================================
    % uname -a
    FreeBSD somewhere.sgi.com 6.2-RELEASE FreeBSD 6.2-RELEASE #5: Mon Jan 15 08:41:01 CST 2007 [email protected]:/usr/obj/usr/src/sys/somewhere i386
    % ssh -v
    OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.7e-p1 25 Oct 2004
    % pkg_info -Ix xorg-server
    xorg-server-6.9.0_3 X.Org X server and related programs
    Thank you,
    Brent Casavant

    Brent,
    it would be nice to know if this problem is specific to the JRockit JDK or
    if you also can reproduce it using the corresponding Sun JDK 1.4.2. Please
    do also try with a later version such as latest JRockit JDK 5.0.
    Thanks
    /Robert

  • Ssh client bug for Kerberos

    Hello,
    There is a bug in ssh client that is almost 9 years old and a patch has been included in various distributions, but not (yet?) in Arch Linux. This is the link: https://bugzilla.mindrot.org/show_bug.cgi?id=1008
    As I'm in an environment using Round-Robin hosts ('srv' generic host name may actually be 'srv-0001', 'srv-0002'...) and we use Kerberos, I cannot connect without giving a password.
    Would it be possible to include the patch in the ssh client package? Thank you in advance for your reply.

    Hello.  It is unlikely -- Arch tends to use vanilla sources wherever possible.  You might create a PKGBUILD to build it with your desired patches, or you can make a request that someone do it in the "AUR Issues, Discussion, and PKGBUILD Request" sub-forum.  The best way to make a request that the patch be included in the main line is to contact the developers using the mail lists.  You are far more likely to attract the right set of eyeballs there.

  • [SOLVED] BUG tech preview 2, missing ssh option for CVS

    Jdev 11g preview 2 is missing ssh option for CVS.
    Message was edited by:
    user598691
    Jdev was using External Executable option.

    Sorry, turns out, jdev started out trying to use an external executable.

  • PuTTY / SSH in Solaris 10

    When someone tries to login to a SOLARIS 10 server via SSH in PuTTY the details are limited to the following:
    login as: testacct
    Using keyboard-interactive authentication.
    Password:
    Using keyboard-interactive authentication.
    New Password:
    Using keyboard-interactive authentication.
    Re-enter new Password:
    Access denied
    Using keyboard-interactive authentication.
    Password:
    Using keyboard-interactive authentication.
    New Password:
    Using keyboard-interactive authentication.
    Re-enter new Password:
    I don't know if this is a feature of PuTTY or Solaris 10 that is disabled but what I would expect to see above are messages such as:
    Warning: Your password has expired, please change it now.
    or
    The first 8 characters of the password must contain at least 1 numeric or special character(s).
    (depending on your /etc/default/passwd)
    Where is this information being suppressed? I am looking to enable that extra information so when, for example, "Access Denied" appears, the user has some clue as to why and can take corrective action to properly login.
    Thanks.
    PS- I ran ssh -vvv user@host and saw that the "extra info" above was being generated, but it's not making it over to the PuTTY client side.
    Edited by: dubitancy on Dec 12, 2008 9:37 AM

    janp2 wrote:
    I hit this issue right now so I'm pasting a part of my reply to another list.
    It might help other people:
    ==
    The "Warning: Your password has expired, please change it now." comes in a
    separate SSH_MSG_USERAUTH_INFO_REQUEST packet. This packet in general has an
    "instructions" field, and some "prompt" fields. SunSSH server sends the warning
    in a separate info-request packet, with 0 prompts, and with the warning message
    in the instruction field. That's fine according to the spec (rfc 4256):
    The num-prompts field may be `0', in which case there will be no
    prompt/echo fields in the message, but the client SHOULD still
    display the name and instruction fields (as described below).
    however, when the number of prompts is 0, putty ignores the instruction field.
    SunSSH client does the right thing, OpenSSH client as well. In theory, we could
    put the warning message in the next info-request packet together with the "New
    Password" prompt but that decision was intentional, we would be really "fixing"
    stuff to workaround problems somewhere else.
    so, my conclusion is that they should file a bug against those SSH clients they
    use. It's not a problem in the SunSSH server at all.
    ==
    BTW, the putty's file is ssh.c, the instruction field is set on line 7474:
    s->cur_prompt->instruction = ...
    but add_prompt() function that prints the stuff out is called inside of the
    following loop:
    for (i = 0; i < s->num_prompts; i++)
    so, as we can see, if the number of prompts is 0, we get no instruction
    field printed.
    Jan.
    Thank you very much, Jan. That was very helpful - at least now I have confirmation.
    Update: I contacted the dev team for PuTTY and they let me know that this bug has been fixed in the latest Development version of PuTTY but there isn't a firm release date planned. Anyway, it'll be fixed in the next release of PuTTY.
    Edited by: dubitancy on Jan 7, 2010 6:33 AM
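
The packet layout discussed in this thread, as an added example (not PuTTY's or SunSSH's code): a parser for SSH_MSG_USERAUTH_INFO_REQUEST as defined in RFC 4256, with one renderer that only produces output inside the per-prompt loop (a model of the behaviour described above) and one that shows the name and instruction fields even when num-prompts is 0. The packets are constructed from the message texts quoted in the thread; the function names are this example's own.

```python
import struct

SSH_MSG_USERAUTH_INFO_REQUEST = 60  # message number assigned in RFC 4256


def ssh_string(data):
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_info_request(name, instruction, prompts):
    """Encode an info request (used here only to construct sample packets)."""
    out = bytes([SSH_MSG_USERAUTH_INFO_REQUEST])
    out += ssh_string(name.encode()) + ssh_string(instruction.encode())
    out += ssh_string(b"")                    # language tag
    out += struct.pack(">I", len(prompts))    # num-prompts
    for text, echo in prompts:
        out += ssh_string(text.encode()) + bytes([1 if echo else 0])
    return out


def parse_info_request(payload):
    """Decode name, instruction and (prompt, echo) pairs; raise ValueError on bad input."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(payload):
            raise ValueError("truncated packet")
        chunk = payload[pos:pos + n]
        pos += n
        return chunk

    def take_u32():
        return struct.unpack(">I", take(4))[0]

    def take_text():
        return take(take_u32()).decode("utf-8", errors="replace")

    if take(1)[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_INFO_REQUEST")
    name, instruction, _lang = take_text(), take_text(), take_text()
    num_prompts = take_u32()
    # Each prompt needs at least 5 bytes (length + echo flag); reject absurd counts early.
    if num_prompts * 5 > len(payload) - pos:
        raise ValueError("num-prompts exceeds packet size")
    prompts = []
    for _ in range(num_prompts):
        text = take_text()
        prompts.append((text, take(1)[0] != 0))
    if pos != len(payload):
        raise ValueError("trailing bytes")
    return {"name": name, "instruction": instruction, "prompts": prompts}


def printable(text):
    """Drop control characters: these strings come from the server and go to a terminal."""
    return "".join(c for c in text if c.isprintable() or c == "\n")


def render_prompt_loop_only(req):
    """Model of the behaviour described in the thread: output happens only per prompt."""
    lines = []
    for i, (text, _echo) in enumerate(req["prompts"]):
        if i == 0 and req["instruction"]:
            lines.append(printable(req["instruction"]))
        lines.append(printable(text))
    return lines


def render_rfc4256(req):
    """Show name and instruction regardless of num-prompts, then the prompts."""
    lines = [printable(s) for s in (req["name"], req["instruction"]) if s]
    lines += [printable(text) for text, _echo in req["prompts"]]
    return lines


# Constructed packets using the texts quoted in the thread.
WARNING = "Warning: Your password has expired, please change it now."
WARNING_PACKET = build_info_request("", WARNING, [])
PROMPT_PACKET = build_info_request("", "", [("New Password: ", False)])

if __name__ == "__main__":
    for pkt in (WARNING_PACKET, PROMPT_PACKET):
        req = parse_info_request(pkt)
        print("loop-only:", render_prompt_loop_only(req), "| rfc4256:", render_rfc4256(req))
```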

  • SG300 ssh strange error: "A client is already connected"

    Hi,
    I've got a few SG300-52 switches running software version 1.3.0.62 which I configured for ssh management access with public key authentication via:
    ip ssh server
    ip ssh pubkey-auth auto-login
    username mgmt password ... privilege 15
    crypto key pubkey-chain ssh
    user-key mgmt rsa
    key-string ...
    This is working fine if I connect interactively from my management system with:
    ssh -i mgmt_id_rsa mgmt@switch
    where mgmt_id_rsa is the name of a file containing the private key.
    I get a privileged command prompt as intended, without being asked for a password.
    However if I try to pass a command on the ssh command line like this:
    ssh -i mgmt_id_rsa mgmt@switch show version
    the command just hangs until I hit the Enter key a second time, and then emits the strange message:
    Received disconnect from 10.11.12.13: 2:
    A client is already connected
    (Exactly like that, including the line break after the "2:" and the blank before "A client".)
    The same happens if I pipe the command I want to send into ssh like this:
    echo show version | ssh -i mgmt_id_rsa mgmt@switch
    except the error message appears immediately and I don't have to hit Enter a second time.
    This is unfortunate as the objective of the whole exercise is to send commands to the switch from a script.
    Can anyone shed some light on why this is so? What is that strange message "a client is already connected" trying to tell me? Is that another bug in Cisco's ssh implementation? Ideas for a workaround, anyone?
    Thanks,
    Tilman
    PS: I already asked that question over in the "big business" support community before noticing there's a separate small business section, but got no answer there.
    PPS: The real objective of the exercise is to make scripted backups and updates of the switches' configurations, ie. what would be naturally expressed as
    scp -i mgmt_id_rsa mgmt@switch:running-config /var/backup/switch.config
    and
    scp -i mgmt_id_rsa /var/conf/switch.configchange mgmt@switch:running-config
    except it doesn't work that way because the SG300's ssh server lacks scp support. Trying to replace that by
    ssh -i mgmt_id_rsa mgmt@switch copy running-config scp://server/var/backup/switch.config
    and
    ssh -i mgmt_id_rsa mgmt@switch copy scp://server/var/conf/switch.configchange running-config
    led me straight to the problem above. Just in case someone feels inclined to ask the standard forum question: "Why do you want that anyway?" :-)

    Hi all,
    I've improved my expect script a bit to:
    allow specifying the SSH user and keyfile on the command line
    allow sending configuration mode commands
    correctly handle very long commands (line wrap) and commands producing no output
    Extended usage:
    ciscosb-exec confuser@myswitch -i ~/.ssh/confuser_id_rsa -c "ip ssh-client username memyself"
    ciscosb-exec confuser@myswitch -i ~/.ssh/confuser_id_rsa "copy scp://myserver/workdir/myswitch.configchange running-config"
    The "new and improved" script:
    #!/usr/bin/expect
    # Script to run an IOS command on a Cisco Small Business Switch via ssh
    # Prerequisites:
    # - Cisco Sx300 series switch with software version 1.3 or later
    # - public key authentication with auto-logon configured
    # Usage:
    #   ciscosb-exec [] [@]
    # Args:
    #         username on switch
    #         name or IP address of switch
    #      command string to execute
    # Options:
    #   -c          execute in configuration mode
    #   -i use SSH private key from
    #   -d          activate debugging output
    # Result:
    #   Switch response will appear on stdout
    # debug switches
    log_user 0
    exp_internal 0
    # configurable values
    set sshcmd "/usr/bin/ssh -c aes192-cbc"
    # end of configurable values
    # below matches prompts such as "switch#", "switch>", "switch$"
    set prompt "\[>#$\]\ *$"
    # getopt implementation snarfed from http://www2.tcl.tk/17342
    proc getopt {_argv name {_var ""} {default ""}} {
        upvar 1 $_argv argv $_var var
        set pos [lsearch -regexp $argv ^$name]
        if {$pos>=0} {
            set to $pos
            if {$_var ne ""} {
                set var [lindex $argv [incr to]]
            }
            set argv [lreplace $argv $pos $to]
            return 1
        } else {
            if {[llength [info level 0]] == 5} {set var $default}
            return 0
        }
    }
    # parse command line
    set configmode [getopt argv -c]
    getopt argv -i idfile
    if {[getopt argv -d]} {
      log_user 1
      exp_internal 1
    }
    if {[llength $argv] != 2} {
      send_user "Usage: ciscosb-exec \[\] \[@\] \"\"\n"
      send_user "Arguments:\n"
      send_user "        target username (default: current user)\n"
      send_user "          target host name or IP address\n"
      send_user "         command string to execute\n"
      send_user "Options:\n"
      send_user "    -c            execute in configuration mode\n"
      send_user "    -i    use SSH private key from \n"
      send_user "    -d            activate debugging output\n"
      exit 1
    }
    set target [split [lindex $argv 0] @]
    if {[llength $target] == 1} {
      set device [lindex $target 0]
      set userid "$env(USER)"
    } elseif {[llength $target] == 2} {
      set userid [lindex $target 0]
      set device [lindex $target 1]
    } else {
      send_user "bad target: [lindex $argv 0]\n"
      exit 1
    }
    set command [lindex $argv 1]
    if {[info exists idfile]} {
      set sshcmd "$sshcmd -i $idfile"
    }
    # list-quote user and host so each reaches ssh as a single argument
    # and is not re-evaluated as Tcl
    eval spawn $sshcmd [list -l $userid $device]
    match_max [expr 32 * 1024]
    # handle initial noise
    set timeout 20
    while { 1 } {
      expect {
        # command prompt
        -nocase -re "$prompt"     {break}
        # confirmations (unknown fingerprint etc.)
        -nocase -re "\\(yes/no\\)"  {send "yes\r"}
        # username prompt
        -nocase -re "name:|^login:" {send "$userid\r"}
        # password prompt
        -nocase -re "word:" {send_user "Public key authentication failed\n"; exit}
        # errors
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connect failed: $expect_out(buffer)\n"; exit}
      }
    }
    # disable terminal formatting junk
    send "terminal datadump\r"
    expect {
        -nocase -re "$prompt"     {}
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connection lost: $expect_out(buffer)\n"; exit}
    }
    send "terminal width 0\r"
    expect {
        -nocase -re "$prompt"     {}
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connection lost: $expect_out(buffer)\n"; exit}
    }
    # switch to desired mode
    if {$configmode} {
      send "configure terminal\r"
      expect {
        -nocase -re "$prompt"     {}
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connection lost: $expect_out(buffer)\n"; exit}
      }
    }
    # actual command may take a long time
    set timeout 180
    send "$command\r"
    expect {
        # skip command echo
        -re "$command\[\r\n\]*"   {exp_continue}
        # answer confirmation request
        -nocase -re " \\(Y/N\\).*\? *$" {
            # send confirmation, skip echo
            send "Y"
            expect -re "Y\[\r\n\]*"
            exp_continue
        }
        # collect response, excluding next prompt
        -re "\r\n"                {send_user "$expect_out(buffer)"; exp_continue}
        -nocase -re "$prompt"     {send "exit\r"}
        timeout     {send_user "Timeout waiting for command prompt\n"; exit}
        eof         {send_user "Connection lost: $expect_out(buffer)\n"; exit}
    }
    set timeout 20
    expect {
        # second exit needed for logging out from configuration mode
        -nocase -re "$prompt"     {send "exit\r"}
        timeout     {send_user "Timeout waiting for hangup\n"; exit}
        eof         {exit}
    }
    expect {
        -nocase -re "$prompt"     {puts "Failed to log out, disconnecting"; exit}
        timeout                   {puts "Timeout waiting for hangup"; exit}
        eof                       {exit}
    }
    HTH
    Tilman

  • Not able to HTTP to SUB and SSH is not allowing any command to execute

    Hi All,
    I came across an issue, where CUCM SUB is not accessible by HTTP/S and SSH is giving following output while trying to re-start or executing any command :
    admin:utils service list
    /usr/java/jdk1.6.0_24/jre/lib/rt.jar: error reading zip file
    Exception in thread "main" java.lang.NoClassDefFoundError: java/net/ConnectException
            at com.cisco.iptplatform.cli.CliClassLauncher.<init>(CliClassLauncher.java:86)
            at sdMain.main(sdMain.java:1824)
    Caused by: java.lang.ClassNotFoundException: java.net.ConnectException
            at java.net.URLClassLoader$1.run(URLClassLoader.java:199)
            at java.security.AccessController.doPrivileged(Native Method)
            at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
            at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
            ... 2 more
    Caused by: java.util.zip.ZipException: error reading zip file
            at java.util.zip.ZipFile.read(Native Method)
            at java.util.zip.ZipFile.access$1200(ZipFile.java:31)
            at java.util.zip.ZipFile$ZipFileInputStream.read(ZipFile.java:460)
            at sun.misc.Resource.getBytes(Resource.java:108)
            at java.net.URLClassLoader.defineClass(URLClassLoader.java:257)
            at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
            at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
            ... 7 more
    Any input, please? Waiting for a hard reboot of the device, but not sure if that would resolve the issue. Also, when I first logged into the SUB using SSH, I got the following:
    Command Line Interface is starting up, please wait ...
    java.io.FileNotFoundException: /var/log/active/platform/log/cli.bin (Read-only file system)
            at java.io.RandomAccessFile.open(Native Method)
            at java.io.RandomAccessFile.<init>(RandomAccessFile.java:212)
            at com.cisco.iptplatform.fappend.ciscoRollingFileAppender.restoreIndex(ciscoRollingFileAppender.java:100)
            at com.cisco.iptplatform.fappend.ciscoRollingFileAppender.setFile(ciscoRollingFileAppender.java:43)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at org.apache.log4j.config.PropertySetter.setProperty(PropertySetter.java:196)
            at org.apache.log4j.config.PropertySetter.setProperty(PropertySetter.java:155)
            at org.apache.log4j.xml.DOMConfigurator.setParameter(DOMConfigurator.java:530)
            at org.apache.log4j.xml.DOMConfigurator.parseAppender(DOMConfigurator.java:182)
            at org.apache.log4j.xml.DOMConfigurator.findAppenderByName(DOMConfigurator.java:140)
            at org.apache.log4j.xml.DOMConfigurator.findAppenderByReference(DOMConfigurator.java:153)
            at org.apache.log4j.xml.DOMConfigurator.parseChildrenOfLoggerElement(DOMConfigurator.java:415)
            at org.apache.log4j.xml.DOMConfigurator.parseRoot(DOMConfigurator.java:384)
            at org.apache.log4j.xml.DOMConfigurator.parse(DOMConfigurator.java:783)
            at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:666)
            at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:616)
            at org.apache.log4j.xml.DOMConfigurator.doConfigure(DOMConfigurator.java:584)
            at org.apache.log4j.xml.DOMConfigurator.configure(DOMConfigurator.java:687)
            at sdMain.initialize(sdMain.java:479)
            at sdMain.main(sdMain.java:646)
    java.lang.NullPointerException
            at com.cisco.iptplatform.fappend.ciscoRollingFileAppender.updateIndex(ciscoRollingFileAppender.java:117)
            at com.cisco.iptplatform.fappend.ciscoRollingFileAppender.nextFileName(ciscoRollingFileAppender.java:92)
            at com.cisco.iptplatform.fappend.ciscoRollingFileAppender.append(ciscoRollingFileAppender.java:74)
            at org.apache.log4j.AppenderSkeleton.doAppend(AppenderSkeleton.java:221)
            at org.apache.log4j.helpers.AppenderAttachableImpl.appendLoopOnAppenders(AppenderAttachableImpl.java:57)
            at org.apache.log4j.Category.callAppenders(Category.java:187)
            at org.apache.log4j.Category.forcedLog(Category.java:372)
            at org.apache.log4j.Category.debug(Category.java:241)
            at com.cisco.iptplatform.cli.CliSettings.getInstance(CliSettings.java:106)
            at sdMain.initialize(sdMain.java:491)
            at sdMain.main(sdMain.java:646)
    log4j:ERROR No output stream or file set for the appender named [CLI_LOG].
    /usr/java/jdk1.6.0_24/jre/lib/rt.jar: error reading zip file
    Exception in thread "Thread-9" java.lang.NoClassDefFoundError: java/net/URI$Parser
            at java.net.URI.<init>(URI.java:578)
            at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:350)
            at java.net.Socket.connect(Socket.java:529)
            at java.net.Socket.connect(Socket.java:478)
            at java.net.Socket.<init>(Socket.java:375)
            at java.net.Socket.<init>(Socket.java:189)
            at com.cisco.ccm.util.ncs.NcsClient.connect(NcsClient.java:342)
            at com.cisco.ccm.util.ncs.NcsClient$ReceiveThread.run(NcsClient.java:447)
       Welcome to the Platform Command Line Interface
        WARNING:
            The /common file system is mounted read only.
            Please use Recovery Disk to check the file system using fsck.
    Cheers
    Anjali

    Check this Bug: CSCti52867 - https://supportforums.cisco.com/docs/DOC-12955
    I have a customer with this same problem. We used to use the CallManager Recovery DVD, as Amine said, to recover the HD. But sometimes resetting the server resolved the problem.
    Mártin

  • Problem with ssh and bash-completion

    A co-worker and I are having a weird problem with ssh and bash-completion. We have a local config in .ssh/config with hosts we connect to every day. An example:
    host foo
    hostname foo.org
    user foobar
    host foobar
    hostname foobar.org
    user foobar
    When we try to type
    ssh foo<tab><tab>b<tab>
    the console just freezes and we can't type anything; everything we type is ignored, but after about 30 seconds the host is completed.
    This worked some time ago, so some upgrade made this happen. Can anyone reproduce this?

    quigybo wrote:
    Actually thinking about it, rather than using the semi-dodgy fix posted on the bug tracker, we can just test if the daemon is running since we are not on MacOS X. It is cleaner and 250 ms quicker.
    --- bash_completion.orig 2010-09-14 05:33:22.000000000 +0930
    +++ bash_completion 2010-09-14 05:45:04.000000000 +0930
    @@ -1316,10 +1316,12 @@
    # contains ";", it may mistify the result. But on Gentoo (at least),
    # -k isn't available (even if mentioned in the manpage), so...
    if type avahi-browse >&/dev/null; then
    - COMPREPLY=( "${COMPREPLY[@]}" $( \
    - compgen -P "$prefix$user" -S "$suffix" -W \
    - "$( avahi-browse -cpr _workstation._tcp 2>/dev/null | \
    - awk -F';' '/^=/ { print $7 }' | sort -u )" -- "$cur" ) )
    + if [ -n "$(pidof avahi-daemon)" ]; then
    + COMPREPLY=( "${COMPREPLY[@]}" $( \
    + compgen -P "$prefix$user" -S "$suffix" -W \
    + "$( avahi-browse -cpr _workstation._tcp 2>/dev/null | \
    + awk -F';' '/^=/ { print $7 }' | sort -u )" -- "$cur" ) )
    + fi
    fi
    # Add results of normal hostname completion, unless
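    Review bot: the added guard, if [ -n "$(pidof avahi-daemon)" ]; then, calls pidof without checking that it exists, although the context line just above probes avahi-browse with type for exactly that reason. On a system without pidof the substitution is empty, so Avahi hosts silently drop out of completion, and because stderr is not redirected the shell's error message lands on the user's command line in the middle of a completion. Suggest testing the exit status with output discarded, for example if pidof avahi-daemon >/dev/null 2>&1; then, and adding a one-line comment saying why the daemon check is there, since the surrounding comments explain the other workaround (the Gentoo -k note) but not this one.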
    This is the same test as was used in bash-completion 1.1.
    Thanks quigybo, I used your patch and the issue is gone.
    Why do so many packages depend on Avahi? Maybe making it an optdepends would be enough?
    my laptop $ pacman -Qi avahi
    Required By : gnome-disk-utility gnome-vfs libcups mpd sane

  • Terminal.app resize bug?

    I use the Terminal.app to log into a Linux machine. I usually open up multiple tabs per window, and I run emacs in some of the terminal windows. The problem is that when I resize the windows, often the window cannot remember what size it's supposed to be, and sometimes switching from one tab to another triggers the window to resize to previous dimensions. It's particularly annoying when I start emacs in a tab that's confused in this way, because the window width that emacs thinks it has is incorrect, so emacs cannot format the display properly. If I manually resize the window with emacs running, it snaps into place, but then the other tab gets confused.
    I didn't have this problem, or it wasn't as noticeable on OSX 10.6.
    Is there something I can do about this? This problem is really annoying, and Apple hasn't fixed the other Terminal.app bug I reported to them yet.

    You could try iterm or iterm2
    <http://iterm.sourceforge.net/>
    <http://www.iterm2.com/>
    You can always ssh -Y (or ssh -X) into your Linux system and export xterm's back to your Mac (although I'm not personally a fan of xterm, some people like it).
    And of course there is always the gui version of emacs and have it export its X11 windows back to your Mac.
    NOTE:  I am not an emacs user, so anything I say about emacs is based on things I read on the intertubes :-)
    You could VNC to your Linux box (although that generally speaking requires a rather fast network connection to be anywhere usable for an editing session). Also, the built-in Mac OS X VNC client (Screen Sharing) does not always play nice outside the Mac family, so you should consider alternative VNC clients, such as Chicken (formerly Chicken of the VNC), JollysFastVNC, tightvnc (via MacPorts.org), to name a few.
    Finally, if you feel there is a real bug in Terminal that needs to be addressed, please file a bug report with Apple so they will have a chance to see and maybe fix it.
    BugReporter
    <http://bugreporter.apple.com>
    Free ADC (Apple Developer Connection) account needed for BugReporter.
    Anyone can get a free account at:
    <http://developer.apple.com/programs/register/>

  • Unable to authenticate ssh via krb5 / PAM

    Anyone able to help with a PAM / krb5 issue? I've got it to the point where it will generate a ticket with kinit and my principal and password (shown with klist). When I try to ssh to my test box, though, ssh authentication fails. Looking through the logs (with debugging on), it looks like it's getting past the password check and then failing on something else? In other words, everything from the PAM-KRB5 module is indicating a success in the logs (PAM-KRB5 (auth): end: Success), but immediately after that, I get the following coming from sshd: Keyboard-interactive (PAM) userauth failed[7] while authorizing: Permission denied. Is it authenticating against more than one stack maybe?
    Relevant stack lines from pam.conf (as far as I know) are:
    sshd-kbdint auth required pam_unix_cred.so.1 debug
    sshd-kbdint auth binding pam_krb5.so.1 debug
    sshd-kbdint auth required pam_unix_auth.so.1 debug
    Note* I've tried using both binding and sufficient for pam_krb5.so.1, keytab check is turned off via krb5.conf (verify_ap_req_nofail = false). I've been digging through man pages, manuals, mailing list archives and whatnot for a day or two, I figure there's just something simple that I'm missing.
    Test host box is Solaris 10 update 3
    Test client box is Solaris 10 update 3
    kinit <principal> on the host prompts me for my password and when I enter it, it generates a ticket successfully (verified with klist)
    client-machine$ ssh <kerberosprincipal>@<host>
    returns the prompt:
    Enter Kerberos password for <principal>
    The original Kerberos configuration on my test host was done with a sys-unconfig and then plugging in the appropriate Kerberos info when prompted. I edited the krb5.conf as mentioned earlier to disable the keytab file requirement.
    Any and all advice on what to check on this would be appreciated. In the meantime, I'm going to go back to the Sys Admin Docs Security Services guide and read the PAM section cover to cover again in case I missed something.
    Thanks!
    Below is my full pam.conf and a cut and paste of a full log transaction from the time an ssh request goes in until the login fails.
    ____begin /etc/pam.conf______
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth required pam_unix_auth.so.1
    # Kerberized rlogin service
    krlogin auth required pam_unix_cred.so.1
    krlogin auth binding pam_krb5.so.1
    krlogin auth required pam_unix_auth.so.1
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    # Kerberized rsh service
    krsh auth required pam_unix_cred.so.1
    krsh auth binding pam_krb5.so.1
    krsh auth required pam_unix_auth.so.1
    # Kerberized telnet service
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth binding pam_krb5.so.1
    ktelnet auth required pam_unix_auth.so.1
    ##### - NOTE- This is the section I added
    # Kerberized ssh service
    sshd-kbdint auth required pam_unix_cred.so.1 debug
    sshd-kbdint auth binding pam_krb5.so.1 debug
    sshd-kbdint auth required pam_unix_auth.so.1 deb
    ##### - NOTE - End of the section I added.
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth required pam_unix_auth.so.1
    # passwd command (explicit because of a different authentication module)
    passwd auth required pam_passwd_auth.so.1
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1
    other account required pam_unix_account.so.1
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    # Support for Kerberos V5 authentication and example configurations can
    # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
    ______end pam.conf__________
    The ssh debug log entries for the entire transaction look like this:
    * Sanitized - test host replaced with my.test.host, username replaced with the word principal, ssh client ip replaced with clientip
    ----- Begin ssh log-----
    Feb 22 21:22:46 my.test.host sshd[398]: [ID 800047 auth.debug] debug1: Forked child 1127.
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.info] Connection from clientip port 46175
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.info] Connection from clientip port 46175
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Client protocol version 2.0; client software version Sun_SSH_1.1
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: no match: Sun_SSH_1.1
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Local version string SSH-2.0-Sun_SSH_1.1
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: list_hostkey_types: ssh-rsa,ssh-dss
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
    Feb 22 21:22:47 my.test.host Unknown code 0
    Feb 22 21:22:47 my.test.host )
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT received
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: kex: client->server aes128-ctr hmac-md5 none
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: kex: server->client aes128-ctr hmac-md5 none
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Peer sent proposed langtags, ctos: i-default
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Peer sent proposed langtags, stoc: i-default
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: We proposed langtags, ctos: ar-EG,ar-SA,bg-BG,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-MT,en-NZ,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,he-IL,hi-IN,hr-HR,hu-HU,is-IS,it,it-IT,ja-JP,ko,ko-KR,lt-LT,lv-LV,mk-MK,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,th-TH,tr-TR,zh,zh-CN,zh-HK
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: We proposed langtags, stoc: ar-EG,ar-SA,bg-BG,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-MT,en-NZ,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,he-IL,hi-IN,hr-HR,hu-HU,is-IS,it,it-IT,ja-JP,ko,ko-KR,lt-LT,lv-LV,mk-MK,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,th-TH,tr-TR,zh,zh-CN,zh-HK
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Negotiated main locale: C
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Negotiated messages locale: C
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: dh_gen_key: priv key bits set: 131/256
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: bits set: 1617/3191
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: bits set: 1617/3191
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: newkeys: mode 1
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: newkeys: mode 0
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: KEX done
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: userauth-request for user principal service ssh-connection method none
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: attempt 0 initial attempt 0 failures 0 initial failures 0
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.info] Failed none for principal from clientip port 46175 ssh2
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.info] Failed none for principal from clientip port 46175 ssh2
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: userauth-request for user principal service ssh-connection method keyboard-interactive
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: keyboard-interactive devs
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='principal'
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 704353 auth.debug] PAM-KRB5 (auth): Forwardable tickets requested
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 912857 auth.debug] PAM-KRB5 (auth): Renewable tickets requested
    Feb 22 21:22:58 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: got 1 responses
    Feb 22 21:22:58 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: PAM conv function returns PAM_SUCCESS
    Feb 22 21:22:58 my.test.host sshd[1127]: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 833335 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 0
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =0, env ='KRB5CCNAME=FILE:/tmp/krb5cc_100', age = 0, status = 0
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: Success
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[7] while authorizing: Permission denied
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[7] while authorizing: Permission denied
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Failed keyboard-interactive for principal from clientip port 46175 ssh2
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Failed keyboard-interactive for principal from clientip port 46175 ssh2
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: userauth-request for user principal service ssh-connection method keyboard-interactive
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: attempt 2 initial attempt 1 failures 2 initial failures 1
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: keyboard-interactive devs
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 490997 auth.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 0
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='principal'
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 704353 auth.debug] PAM-KRB5 (auth): Forwardable tickets requested
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 912857 auth.debug] PAM-KRB5 (auth): Renewable tickets requested
    ------ end ssh log -------
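An added example, not part of the original post: one way to read the pam.conf and sshd log above together, pairing each keyboard-interactive failure with the stage sshd names and listing the pam.conf stack that serves that stage, using the fallback to `other` that the pam.conf comments describe. The function names and the mapping of sshd's "authorizing" wording to the `account` module type are assumptions; the sample data is trimmed from the post.

```python
import re
from collections import defaultdict

# Constructed samples, trimmed from the pam.conf and sshd log quoted in the post.
PAM_CONF = """\
sshd-kbdint auth required pam_unix_cred.so.1 debug
sshd-kbdint auth binding pam_krb5.so.1 debug
sshd-kbdint auth required pam_unix_auth.so.1 debug
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_auth.so.1
cron account required pam_unix_account.so.1
# Default definition for Account management
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
"""
LOG = """\
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: Success
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[7] while authorizing: Permission denied
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[7] while authorizing: Permission denied
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Failed keyboard-interactive for principal from clientip port 46175 ssh2
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ sshd\[(?P<pid>\d+)\]: \[ID \d+ \S+\] (?P<msg>.*)$")
KRB5_END = re.compile(r"^PAM-KRB5 \((?P<mtype>\w+)\): end: (?P<result>.+)$")
SSHD_FAIL = re.compile(r"^Keyboard-interactive \(PAM\) userauth failed\[(?P<code>\d+)\] "
                       r"while (?P<stage>\w+): (?P<reason>.+)$")
# Assumption: sshd's stage wording corresponds to these pam.conf module types.
STAGE_TO_MTYPE = {"authenticating": "auth", "authorizing": "account"}


def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module, options), ...]}."""
    stacks = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only or malformed entry
        service, mtype, flag, module, *opts = fields
        stacks[(service, mtype)].append((flag, module, opts))
    return stacks


def effective_stack(stacks, service, mtype):
    """Stack used for service/mtype; 'other' applies when the service has no entry."""
    if (service, mtype) in stacks:
        return service, stacks[(service, mtype)]
    return "other", stacks.get(("other", mtype), [])


def failed_stages(log_text):
    """Pair each sshd kbd-int failure with the last pam_krb5 result for that PID."""
    last_krb5, findings, prev = {}, [], None
    for line in log_text.splitlines():
        if line == prev:
            continue  # the quoted log repeats auth.info lines; count them once
        prev = line
        m = SYSLOG.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (end := KRB5_END.match(msg)):
            last_krb5[pid] = (end["mtype"], end["result"])
        elif (fail := SSHD_FAIL.match(msg)):
            findings.append({"pid": pid, "code": int(fail["code"]),
                             "stage": fail["stage"], "reason": fail["reason"],
                             "krb5": last_krb5.get(pid)})
    return findings


def diagnose(conf_text, log_text, service="sshd-kbdint"):
    """For every failure, name the pam.conf stack that handled the failing stage."""
    stacks = parse_pam_conf(conf_text)
    report = []
    for f in failed_stages(log_text):
        mtype = STAGE_TO_MTYPE.get(f["stage"])
        source, stack = effective_stack(stacks, service, mtype) if mtype else (None, [])
        report.append({**f, "module_type": mtype, "stack_from": source,
                       "modules": [module for _, module, _ in stack]})
    return report


if __name__ == "__main__":
    for item in diagnose(PAM_CONF, LOG):
        print(item)
```
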

    Downgrade openssh to 5.5p1.
    There is another post and a bug report about it.
