Version of SSH
How can I determine what version of SSH my OS v10.3.9 server is running?
I don't know the "official" way, but attempting to run 'sshd' with an invalid argument seems to spit out the version number among the usage notes (at least in 10.4)... E.g.:
/usr/sbin/sshd -x
Similar Messages
-
I get the following output when I type in ssh -V on the console... I am using Solaris 9.
SSH Version Sun_SSH_1.0, protocol versions 1.5/2.0.
Does this mean that the ssh version is ssh protocol v 2?
It means that your SSH version is "Sun's SSH 1.0". However, Sun's SSH is just a certain version of OpenSSH (can't remember which one) with a new name.
The SSH in question supports the SSH protocols 1.5 and 2.0.
Currently there are three SSH protocols that I know of: the first one was 1 (highly insecure), followed by 1.5 (not too secure either) and lastly 2.0 (fairly secure unless you got one with a security bug in :-)
//Magnus
-
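The protocol-version reading described in the answer above can be automated. The following Python is an added example, not part of the original thread: it pulls the SSH identification string (or the equivalent OpenSSH debug line) out of a log line and reports whether the peer accepts SSH-1. Treating protoversion 1.99 as "SSH-1 and SSH-2 both offered" follows RFC 4253 section 5.1; the function names are hypothetical, and the sample lines are copied from debug output quoted elsewhere on this page except where marked as constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Ident(NamedTuple):
    proto: str      # protoversion field, e.g. "1.5", "1.99", "2.0"
    software: str   # softwareversion field, e.g. "OpenSSH_4.7"
    verdict: str    # "ssh1-only", "ssh1-and-ssh2", "ssh2-only", "unknown"


# Raw identification string: SSH-protoversion-softwareversion [SP comments].
# Real devices put '-' inside softwareversion (e.g. "Cisco-1.25"), so the
# pattern accepts any run of non-space characters there.
_BANNER = re.compile(r"SSH-(\d+\.\d+)-(\S+)")

# OpenSSH-style debug lines that report the peer's version without the
# "SSH-" prefix (client side says "Remote ...", server side "Client ...").
_DEBUG = re.compile(
    r"(?:Remote|Client) protocol version (\d+\.\d+)[,;] "
    r"(?:remote|client) software version (\S+)"
)


def classify(proto: str) -> str:
    """Map a protoversion field to what the peer is willing to speak."""
    if proto == "2.0":
        return "ssh2-only"
    if proto == "1.99":
        # RFC 4253 5.1: a server supporting both 1.x and 2.0 sends "1.99".
        return "ssh1-and-ssh2"
    if proto.startswith("1."):
        return "ssh1-only"
    return "unknown"


def parse_ident(line: str) -> Optional[Ident]:
    """Return the SSH version information found in a banner or log line."""
    m = _BANNER.search(line) or _DEBUG.search(line)
    if m is None:
        return None
    proto, software = m.groups()
    return Ident(proto, software, classify(proto))


def ssh1_exposures(lines: List[str]) -> List[Tuple[int, Ident]]:
    """Return (line number, Ident) for every line showing SSH-1 accepted."""
    hits = []
    for number, line in enumerate(lines, 1):
        ident = parse_ident(line)
        if ident and ident.verdict in ("ssh1-only", "ssh1-and-ssh2"):
            hits.append((number, ident))
    return hits


# Sample input. Lines 1-4 are taken from logs quoted on this page;
# line 5 is constructed to show the 1.99 case; line 6 has no version info.
SAMPLE_LINES = [
    "Sep 1 13:25:10.165: SSH1: sent protocol version id SSH-1.5-Cisco-1.25",
    "debug1: Remote protocol version 2.0, remote software version "
    "OpenSSH_4.5p1 FreeBSD-20061110",
    "debug1: Local version string SSH-2.0-OpenSSH_4.7",
    "debug1: Client protocol version 2.0; client software version Sun_SSH_1.1",
    "SSH-1.99-ExampleSSHD_0.1",  # constructed
    "debug1: Connection established.",
]


if __name__ == "__main__":
    for number, ident in ssh1_exposures(SAMPLE_LINES):
        print(f"line {number}: {ident.software} speaks {ident.proto} "
              f"({ident.verdict})")
```

The same function works on a banner captured directly from port 22, since the server sends its identification string before any key exchange takes place.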
PCI Audit - SSH version 3 & above
Hi,
Suggest which version of ASA IOS version supports SSH ver. 3.0 & above. I'm currently having IOS 8.2 (5) version.
Regards
Alexander M
Hi Alex,
ASA currently support only version 1 & 2.
Thanks,
Varun Rao
Security Team,
Cisco TAC -
Difference ssh version 1 and version 2
Hi, can anyone say what is the difference ssh version 1 and version 2

| SSH protocol, version 2 | SSH protocol, version 1 |
| --- | --- |
| Separate transport, authentication, and connection protocols | One monolithic protocol |
| Strong cryptographic integrity check | Weak CRC-32 integrity check; admits an insertion attack in conjunction with some bulk ciphers. |
| Supports password changing | N/A |
| Any number of session channels per connection (including none) | Exactly one session channel per connection (requires issuing a remote command even when you don't want one) |
| Full negotiation of modular cryptographic and compression algorithms, including bulk encryption, MAC, and public-key | Negotiates only the bulk cipher; all others are fixed |
| Encryption, MAC, and compression are negotiated separately for each direction, with independent keys | The same algorithms and keys are used in both directions (although RC4 uses separate keys, since the algorithm's design demands that keys not be reused) |
| Extensible algorithm/protocol naming scheme allows local extensions while preserving interoperability | Fixed encoding precludes interoperable additions |
| User authentication methods: publickey (DSA, RSA*, OpenPGP); hostbased; password (Rhosts dropped due to insecurity) | Supports a wider variety: public-key (RSA only); RhostsRSA; password; Rhosts (rsh-style); TIS; Kerberos |
| Use of Diffie-Hellman key agreement removes the need for a server key | Server key used for forward secrecy on the session key |
| Supports public-key certificates | N/A |
| User authentication exchange is more flexible, and allows requiring multiple forms of authentication for access. | Allows for exactly one form of authentication per session. |
| hostbased authentication is in principle independent of client network address, and so can work with proxying, mobile clients, etc. (though this is not currently implemented). | RhostsRSA authentication is effectively tied to the client host address, limiting its usefulness. |
| periodic replacement of session keys | N/A |

-
SSH Version Supported by Access Points
Hi,
I'm hoping this is an easy question...so apologies if it appears facile, but I can't find a definitive answer in any Cisco docs I've looked through.
When access points are used with a WLC, it's possible to allow the access points to accept SSH connections (Under the advanced tab of the AP config).
My question is this: which version of SSH will be used when SSH sessions are created to the AP? (SSH v2?)
All of the data sheets etc. talk about SSH support, but give no version details.
Thanks in advance.
Nigel.
Hi Nigel,
Scott is right (as usual)
Just to confirm, I accessed a CAPWAP AP and looked at the #sh derived-config and this was the only SSH output shown, with SSH enabled on the AP:
ip ssh version 2
So, it looks like only SSH2 is allowed. Just to let you know the code ver was 7.0.116.0
Rocky -
Not able to login to router using ssh when TACACS server is down
When TACACS server is not reachable router is not allowing the local password to login using ssh. Router's SSH debug says authentication is successful but ssh client gets % Authorization failed message and disconnects.
Kindly see below debug output and config
SSH server end:
Sep 1 13:25:10.161: SSH1: starting SSH control process
Sep 1 13:25:10.165: SSH1: sent protocol version id SSH-1.5-Cisco-1.25
Sep 1 13:25:10.241: SSH1: protocol version id is - SSH-1.5-Cisco-1.25
Sep 1 13:25:10.241: SSH1: SSH_SMSG_PUBLIC_KEY msg
Sep 1 13:25:10.397: SSH1: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
Sep 1 13:25:10.397: SSH: RSA decrypt started
Sep 1 13:25:10.925: SSH: RSA decrypt finished
Sep 1 13:25:10.925: SSH: RSA decrypt started
Sep 1 13:25:11.165: SSH: RSA decrypt finished
Sep 1 13:25:11.197: SSH1: sending encryption confirmation
Sep 1 13:25:11.197: SSH1: keys exchanged and encryption on
Sep 1 13:25:11.269: SSH1: SSH_CMSG_USER message received
Sep 1 13:25:11.269: SSH1: authentication request for userid rao
Sep 1 13:25:16.297: SSH1: SSH_SMSG_FAILURE message sent
Sep 1 13:25:17.313: SSH1: SSH_CMSG_AUTH_PASSWORD message received
Sep 1 13:25:17.317: SSH1: authentication successful for rao
Sep 1 13:25:17.413: SSH1: requesting TTY
Sep 1 13:25:17.413: SSH1: setting TTY - requested: length 25, width 80; set: length 25, width 80
Sep 1 13:25:17.525: SSH1: SSH_CMSG_EXEC_SHELL message received
Sep 1 13:25:17.525: SSH1: starting shell for vty
Sep 1 13:25:25.033: SSH1: Session terminated normally
SSH Client end Log:
% Authorization failed.
[Connection to 10.255.15.2 closed by foreign host]
Config:
aaa authentication login default group tacacs+ line local
aaa authentication login NO_AUTH line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization configuration default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
ip domain-name cbi.co.in
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
password xxxx
transport input telnet ssh
Kindly reply your views
I believe that the key to understanding your problem is to recognize the subtle difference between authentication and authorization. The authentication process appears that it does succeed but the authorization process has failed according to your error message:
% Authorization failed.
I see that most of your authorization commands include the parameter if-authenticated. But this command does not:
aaa authorization config-commands
I would suggest that you add the if-authenticated parameter to this command and see if it does not fix your problem.
HTH
Rick -
Cisco ASA 5505 - problem with ssh, icmp on OUTSIDE interface
Hi all,
I have a very strange problem with OUTSIDE interface and remote ssh. Well, I have followed documentation and configured remote access for ssh like this [1.]. If I want to connect from internet to OUTSIDE interface [2.] I get no response and in log I can see this message [3.]. I really do not understand why is ssh connection dropped by OUTSIDE access-list [4.]? If I understand documentation correctly there is no impact for remote management/access like icmp, ssh, http(s) by interface access-list. So, why?
When I try ssh connection from internal network to INSIDE interface everything works fine and I can log in to ASA. If I try to allow ssh in OUTSIDE access-list, still no success and I get this message [5.]. It is strange, isn't it?
The same problem with icmp: if I want to "ping" OUTSIDE interface from internet I get this message in log [6.] and configuration for ICMP is like this [7.].
Full ASA config is in attachment.
Can anybody help how to fix it and explain what is exactly wrong. Thanks.
Regards,
Karel
[1.]
ssh stricthostkeycheck
ssh 10.0.0.0 255.255.255.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
ASA-FW01# show ssh
Timeout: 60 minutes
Version allowed: 2
10.0.0.0 255.255.255.0 INSIDE
0.0.0.0 0.0.0.0 OUTSIDE
[2.]
ASA-FW01# show nameif
Interface Name Security
Vlan10 INSIDE 100
Vlan20 EXT-VLAN20 0
Vlan30 EXT-WIFI-VLAN30 10
Vlan100 OUTSIDE 0
ASA-FW01# show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan10 INSIDE 10.0.0.1 255.255.255.0 CONFIG
Vlan20 EXT-VLAN20 10.0.1.1 255.255.255.0 CONFIG
Vlan30 EXT-WIFI-VLAN30 10.0.2.1 255.255.255.0 CONFIG
Vlan100 OUTSIDE 85.71.188.158 255.255.255.255 CONFIG
ASA-FW01# show interface OUTSIDE detail
Interface Vlan100 "OUTSIDE", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
Description: >>VLAN pro pripojeni do internetu<<
MAC address f44e.05d0.6c17, MTU 1480
IP address 85.71.188.158, subnet mask 255.255.255.255
Traffic Statistics for "OUTSIDE":
90008 packets input, 10328084 bytes
60609 packets output, 13240078 bytes
1213 packets dropped
1 minute input rate 15 pkts/sec, 994 bytes/sec
[3.]
Jan 13 2015 06:45:30 ASA-FW01 : %ASA-6-106100: access-list OUTSIDE denied tcp OUTSIDE/193.86.236.70(46085) -> OUTSIDE/85.71.188.158(22) hit-cnt 1 first hit [0xb74026ad, 0x0]
[4.]
access-list OUTSIDE remark =======================================================================================
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended deny ip any any log
access-group OUTSIDE in interface OUTSIDE
[5.]
Jan 12 2015 23:00:46 ASA-FW01 : %ASA-2-106016: Deny IP spoof from (193.86.236.70) to 85.71.188.158 on interface OUTSIDE
[6.]
Jan 13 2015 06:51:16 ASA-FW01 : %ASA-4-400014: IDS:2004 ICMP echo request from 193.86.236.70 to 85.71.188.158 on interface OUTSIDE
[7.]
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.0.0.0 255.0.0.0 INSIDE
icmp permit 10.0.0.0 255.0.0.0 EXT-WIFI-VLAN30
icmp permit any OUTSIDE
You're right that the ACL should not affect otherwise allowed communications to the interface address.
Try disabling the ip audit feature on your outside interface.
no ip audit interface OUTSIDE AP_OUTSIDE_INFO
no ip audit interface OUTSIDE AP_OUTSIDE_ATTACK -
SSH - Failure to connect, does not prompt for password,
I have been using SSH on this iMac with 10.5.4 for over a year, upgraded to Leopard when it came out, never a problem with SSH, but now for no apparent reason, SSH fails when trying to connect through VPN into work.
I can still connect to other systems on the internet that are not through the VPN.
I don't suspect this to be a VPN issue because no other employees are having this problem with the VPN, using Mac, Windows or Linux. I can connect via PuTTY on my Windows from the same network... Below is my config.
Here is what I'm getting:
I connect as- ssh me@hostname and it returns "Permission denied (publickey)." It makes no attempt to prompt me for a password. I do not use a key on this system so it should prompt me for a password. I changed nothing on the system to cause ssh to break, but it's possible that an Apple security update caused something to break.
I have added the following to my ~/.ssh/config file
PasswordAuthentication yes
My /etc/ssh_config file is as follows:
cat /etc/ssh_config
# $OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# GSSAPIKeyExchange no
# GSSAPITrustDNS no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
PermitLocalCommand yes
My /etc/sshd_config is:
cat /etc/sshd_config
# $OpenBSD: sshd_config,v 1.72 2005/07/25 11:59:40 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# SACL options
#SACLSupport yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange yes
# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
Also I forgot to mention, I have nulled out the known_hosts file to eliminate any conflicts there, I have verified .ssh is 700 and files config and known_hosts are 600
output using ssh -v
debug1: Reading configuration data /Users/<me>/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to pshx4105a [216.255.177.213] port 22.
debug1: Connection established.
debug1: identity file /Users/<me>/.ssh/identity type -1
debug1: identity file /Users/<me>/.ssh/id_rsa type -1
debug1: identity file /Users/<me>/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.5p1 FreeBSD-20061110
debug1: match: OpenSSH_4.5p1 FreeBSD-20061110 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'pshx4105a' is known and matches the DSA host key.
debug1: Found key in /Users/<me>/.ssh/known_hosts:3
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/<me>/.ssh/identity
debug1: Trying private key: /Users/<me>/.ssh/id_rsa
debug1: Trying private key: /Users/<me>/.ssh/id_dsa
debug1: No more authentication methods to try. -
Unable to authenticate ssh via krb5 / PAM
Anyone able to help with a PAM / krb5 issue? I've got it to the point where it will generate a ticket with kinit and my principal and password (shown with klist). When I try to ssh to my test box though, ssh authentication fails. Looking through the logs (with debugging on), it looks like it's getting past the password check and then failing on something else? In other words, everything from the PAM-KRB5 module is indicating a success in the logs (PAM-KRB5 (auth): end: Success), but immediately after that, I get the following coming from sshd: Keyboard-interactive (PAM) userauth failed[7] while authorizing: Permission denied. Is it authenticating against more than one stack maybe?
Relevant stack lines from pam.conf (as far as I know) are:
sshd-kbdint auth required pam_unix_cred.so.1 debug
sshd-kbdint auth binding pam_krb5.so.1 debug
sshd-kbdint auth required pam_unix_auth.so.1 debug
Note* I've tried using both binding and sufficient for pam_krb5.so.1, keytab check is turned off via krb5.conf (verify_ap_req_nofail = false). I've been digging through man pages, manuals, mailing list archives and whatnot for a day or two, I figure there's just something simple that I'm missing.
Test host box is Solaris 10 update 3
Test client box is Solaris 10 update 3
kinit <principal> on the host prompts me for my password and when I enter it, it generates a ticket successfully (verified with klist)
client-machine$ ssh <kerberosprincipal>@<host>
returns the prompt:
Enter Kerberos password for <principal>
The original Kerberos configuration on my test host was done with a sys-unconfig and then plugging in the appropriate Kerberos info when prompted. I edited the krb5.conf as mentioned earlier to disable the keytab file requirement.
Any and all advice on what to check on this would be appreciated. In the meantime, I'm going to go back to the Sys Admin Docs Security Services guide and read the PAM section cover to cover again in case I missed something.
Thanks!
Below is my full pam.conf and a cut and paste of a full log transaction from the time an ssh request goes in until the login fails.
____begin /etc/pam.conf______
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
# Kerberized rlogin service
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
# Kerberized rsh service
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
# Kerberized telnet service
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
##### - NOTE- This is the section I added
# Kerberized ssh service
sshd-kbdint auth required pam_unix_cred.so.1 debug
sshd-kbdint auth binding pam_krb5.so.1 debug
sshd-kbdint auth required pam_unix_auth.so.1 deb
##### - NOTE - End of the section I added.
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
# passwd command (explicit because of a different authentication module)
passwd auth required pam_passwd_auth.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
______end pam.conf__________
The ssh debug log entries for the entire transaction look like this:
* Sanitized - test host replaced with my.test.host, username replaced with the word principal, ssh client ip replaced with clientip
----- Begin ssh log-----
Feb 22 21:22:46 my.test.host sshd[398]: [ID 800047 auth.debug] debug1: Forked child 1127.
Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.info] Connection from clientip port 46175
Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.info] Connection from clientip port 46175
Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Client protocol version 2.0; client software version Sun_SSH_1.1
Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: no match: Sun_SSH_1.1
Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Local version string SSH-2.0-Sun_SSH_1.1
Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: list_hostkey_types: ssh-rsa,ssh-dss
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
Feb 22 21:22:47 my.test.host Unknown code 0
Feb 22 21:22:47 my.test.host )
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT received
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: kex: client->server aes128-ctr hmac-md5 none
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: kex: server->client aes128-ctr hmac-md5 none
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Peer sent proposed langtags, ctos: i-default
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Peer sent proposed langtags, stoc: i-default
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: We proposed langtags, ctos: ar-EG,ar-SA,bg-BG,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-MT,en-NZ,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,he-IL,hi-IN,hr-HR,hu-HU,is-IS,it,it-IT,ja-JP,ko,ko-KR,lt-LT,lv-LV,mk-MK,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,th-TH,tr-TR,zh,zh-CN,zh-HK
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: We proposed langtags, stoc: ar-EG,ar-SA,bg-BG,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-MT,en-NZ,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,he-IL,hi-IN,hr-HR,hu-HU,is-IS,it,it-IT,ja-JP,ko,ko-KR,lt-LT,lv-LV,mk-MK,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,th-TH,tr-TR,zh,zh-CN,zh-HK
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Negotiated main locale: C
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Negotiated messages locale: C
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: dh_gen_key: priv key bits set: 131/256
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: bits set: 1617/3191
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: bits set: 1617/3191
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: newkeys: mode 1
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: newkeys: mode 0
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: KEX done
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: userauth-request for user principal service ssh-connection method none
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: attempt 0 initial attempt 0 failures 0 initial failures 0
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.info] Failed none for principal from clientip port 46175 ssh2
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.info] Failed none for principal from clientip port 46175 ssh2
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: userauth-request for user principal service ssh-connection method keyboard-interactive
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: keyboard-interactive devs
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='principal'
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 704353 auth.debug] PAM-KRB5 (auth): Forwardable tickets requested
Feb 22 21:22:47 my.test.host sshd[1127]: [ID 912857 auth.debug] PAM-KRB5 (auth): Renewable tickets requested
Feb 22 21:22:58 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: got 1 responses
Feb 22 21:22:58 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: PAM conv function returns PAM_SUCCESS
Feb 22 21:22:58 my.test.host sshd[1127]: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 833335 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 0
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =0, env ='KRB5CCNAME=FILE:/tmp/krb5cc_100', age = 0, status = 0
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: Success
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[7] while authorizing: Permission denied
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[7] while authorizing: Permission denied
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Failed keyboard-interactive for principal from clientip port 46175 ssh2
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Failed keyboard-interactive for principal from clientip port 46175 ssh2
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: userauth-request for user principal service ssh-connection method keyboard-interactive
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: attempt 2 initial attempt 1 failures 2 initial failures 1
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: keyboard-interactive devs
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 490997 auth.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 0
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='principal'
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 704353 auth.debug] PAM-KRB5 (auth): Forwardable tickets requested
Feb 22 21:22:59 my.test.host sshd[1127]: [ID 912857 auth.debug] PAM-KRB5 (auth): Renewable tickets requested
------ end ssh log -------
Downgrade openssh to 5.5p1.
There is another post and a bug report about it. -
Can't use ssh publickey, but only for a single host
I've been using publickeys for a long time to connect my laptop to my server, but lately I can't connect when I'm in this place only.
It is the same key and it works perfectly, except when I'm in this specific network. And it doesn't seem to be a firewall issue, because the remote server actually logs the attempt.
I'm all out of ideas. Nothing I try has any effect.
ssh -vvv
OpenSSH_6.1p1, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/<user>/.ssh/config
debug1: /home/<user>/.ssh/config line 14: Applying options for <host>
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to <host> port 443.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/<user/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/<user>/.ssh/id_rsa type 1
debug1: identity file /home/<user>/.ssh/id_rsa-cert type -1
debug1: identity file /home/<user>/.ssh/id_dsa type -1
debug1: identity file /home/<user>/.ssh/id_dsa-cert type -1
debug1: identity file /home/<user>/.ssh/id_ecdsa type -1
debug1: identity file /home/<user>/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: <host>:443
debug3: load_hostkeys: loading entries for host "<host>:443" from file "/home/<user>/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/<user>/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],zlib,none
debug2: kex_parse_kexinit: [email protected],zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 [email protected]
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 [email protected]
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: <host key>
debug3: put_host_port: <host>:443
debug3: put_host_port: <host>:443
debug3: load_hostkeys: loading entries for host "<host>:443" from file "/home/<user>/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/<user>/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "<host>:443" from file "/home/<user>/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/<user>/.ssh/known_hosts:11
debug3: load_hostkeys: loaded 1 keys
debug1: Host '<host>:443' is known and matches the RSA host key.
debug1: Found key in /home/<user>/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/<user>/.ssh/id_rsa (0x1d61230)
debug2: key: /home/<user>/.ssh/id_dsa ((nil))
debug2: key: /home/<user>/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/<user>/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
and this is the log from journalctl
Mar 27 09:38:29 xen sudo[29258]: pam_unix(sudo:session): session closed for user root
Mar 27 09:38:32 xen sshd[29196]: debug1: Forked child 590.
Mar 27 09:38:32 xen sshd[590]: Set /proc/self/oom_score_adj to 0
Mar 27 09:38:32 xen sshd[590]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Mar 27 09:38:32 xen sshd[590]: debug1: inetd sockets after dupping: 3, 3
Mar 27 09:38:32 xen sshd[590]: Connection from <host> port 54330
Mar 27 09:38:32 xen sshd[590]: debug1: Client protocol version 2.0; client software version OpenSSH_6.1
Mar 27 09:38:32 xen sshd[590]: debug1: match: OpenSSH_6.1 pat OpenSSH*
Mar 27 09:38:32 xen sshd[590]: debug1: Enabling compatibility mode for protocol 2.0
Mar 27 09:38:32 xen sshd[590]: debug1: Local version string SSH-2.0-OpenSSH_6.1
Mar 27 09:38:32 xen sshd[590]: debug1: permanently_set_uid: 99/99 [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: SSH2_MSG_KEXINIT sent [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: SSH2_MSG_KEXINIT received [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: kex: client->server aes128-ctr hmac-md5 [email protected] [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: kex: server->client aes128-ctr hmac-md5 [email protected] [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: SSH2_MSG_NEWKEYS received [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: KEX done [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: userauth-request for user <user> service ssh-connection method none [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: attempt 0 failures 0 [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: PAM: initializing for "<user>"
Mar 27 09:38:32 xen sshd[590]: debug1: PAM: setting PAM_RHOST to "<host>"
Mar 27 09:38:32 xen sshd[590]: debug1: PAM: setting PAM_TTY to "ssh"
Mar 27 09:38:32 xen sshd[590]: debug1: userauth-request for user <user> service ssh-connection method publickey [prea
Mar 27 09:38:32 xen sshd[590]: debug1: attempt 1 failures 0 [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: test whether pkalg/pkblob are acceptable [preauth]
Mar 27 09:38:32 xen sshd[590]: debug1: temporarily_use_uid: 1000/100 (e=0/0)
Mar 27 09:38:32 xen sshd[590]: debug1: trying public key file /home/<user>/.ssh/authorized_keys
Mar 27 09:38:32 xen sshd[590]: debug1: fd 4 clearing O_NONBLOCK
Mar 27 09:38:32 xen sshd[590]: debug1: matching key found: file /home/<user>/.ssh/authorized_keys, line 1
Mar 27 09:38:32 xen sshd[590]: Found matching RSA key: <key>
Mar 27 09:38:32 xen sshd[590]: debug1: restore_uid: 0/0
Mar 27 09:38:32 xen sshd[590]: Postponed publickey for <user> from <host> port 54330 ssh2 [preauth]
And it just hangs there forever.
If I try to use the same key to log in to other servers (one debian and an openWRT router) it works just fine from this location. This key also works to log in to the archlinux server if I'm on other networks, such as my college's or my other workplace.
Any help is much appreciated. As it stands, I have to log in to my debian server and from there I have to log in to my archlinux server. I wish I could just log in directly as I've done many times in the past.
Hi,
I don't know whether you've solved the issue in the meantime (your issue was three months ago), but I thought I'd post this reply just to let other people who run into this problem know what happened to me and how I solved it.
I had exactly the same problem as you had. The logging in stopped at exactly the same point in the debugging trace. I too was experiencing the problem from a single network (multiple hosts on the network could not log onto a remote server). Logging into the remote server from other locations (even with the same laptop) worked fine.
The problem turned out to be an MTU problem in my case. I was running an OpenVPN connection to the remote server, and I was logging into it over the VPN. No problems, usually, except for the fact that the network that I was logging in from is a glass fiber network using PPPoE. The MTU on that link is 1460 bytes, not the 1500 bytes that is more common. I had to reconfigure the OpenVPN interfaces (using the OpenVPN configuration options "mssfix 1360", "fragment 1360" and "tun-mtu 1400" on both sides of the connection) to use a smaller MTU on the OpenVPN tunX interface, and everything started working normally again.
Obviously, the MTU was wrong for every connection going over the VPN, but the OpenVPN tunnel was somewhat resistant to this mistake because I turned on LZO compression, which made most packets that were transmitted over the OpenVPN interface (tunX) that were using an MTU of 1500 bytes smaller than the maximum allowed on the actual link. Anyway, the lesson is: set up your MTUs on your links correctly. And turn on "mssfix" so that if you're routing remote hosts' traffic over the OpenVPN tunnel, their TCP stacks will be made aware of the actual MTU of the link.
Hope this helps somebody,
Sven -
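A triage helper for the symptom in this thread, added here as an example (it is not code from either poster): it reads an `ssh -v` client trace, reports the last protocol milestone reached, and separates a silent stall, where the peer never answers as with the MTU black hole described in the reply, from an active disconnect. The function name, verdict labels and the `suspect_path_mtu` heuristic are assumptions of this example, and the two sample traces are constructed by shortening the ones quoted on this page.

```python
import re

# Client-side milestones in protocol order. Each pattern is a message seen in
# the traces on this page, written without underscores because every line is
# normalised the same way before matching (forum markup sometimes eats them).
MILESTONES = [
    ("tcp-connected", re.compile(r"Connection established")),
    ("version-exchange", re.compile(r"Remote protocol version")),
    ("kexinit", re.compile(r"SSH2MSGKEXINIT received")),
    ("host-key-checked", re.compile(r"is known and matches the \w+ host key")),
    ("newkeys", re.compile(r"SSH2MSGNEWKEYS received")),
    ("userauth-open", re.compile(r"SSH2MSGSERVICEACCEPT received")),
    ("auth-attempt", re.compile(r"Next authentication method: \S+")),
    ("authenticated", re.compile(r"Authentication succeeded")),
]
DEBUG = re.compile(r"^debug[1-3]: (.*)$")
WAITING = re.compile(r"wait for reply|^expecting SSH2MSG")
DROPPED = re.compile(r"Write failed|Broken pipe|Connection (closed|reset|timed out)")


def diagnose(trace):
    """Classify where an OpenSSH client debug trace stopped."""
    reached, last_msg, drop_line = -1, None, None
    for raw in trace.splitlines():
        line = raw.strip()
        m = DEBUG.match(line)
        if m is None:
            # Non-debug lines carry the client's fatal error, if any.
            if DROPPED.search(line):
                drop_line = line
            continue
        last_msg = m.group(1)
        norm = last_msg.replace("_", "")
        for idx, (_, pattern) in enumerate(MILESTONES):
            if idx > reached and pattern.search(norm):
                reached = idx
    phase = MILESTONES[reached][0] if reached >= 0 else None
    waiting = bool(last_msg) and bool(WAITING.search(last_msg.replace("_", "")))
    if phase == "authenticated":
        verdict = "ok"
    elif drop_line:
        verdict = "dropped"      # peer or network tore the connection down
    elif waiting:
        verdict = "stalled"      # client is waiting for a packet that never came
    else:
        verdict = "incomplete"
    return {
        "phase": phase,
        "verdict": verdict,
        "waiting_on": last_msg if verdict == "stalled" else None,
        "error": drop_line,
        # Heuristic (assumption of this example): small packets got through
        # (TCP handshake, version banners) and then the peer went silent.
        "suspect_path_mtu": verdict == "stalled" and reached >= 1,
    }


# Constructed sample: shortened from the public-key trace in this thread.
HANG_TRACE = """\
debug1: Connecting to <host> port 443.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: Host '<host>:443' is known and matches the RSA host key.
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/<user>/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
"""

# Constructed sample: shortened from a trace on this page that ends in an error.
DROPPED_TRACE = """\
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Write failed: Broken pipe
"""

if __name__ == "__main__":
    for name, trace in (("hang", HANG_TRACE), ("dropped", DROPPED_TRACE)):
        print(name, diagnose(trace))
```

A `stalled` verdict is a reason to check the path MTU between the two hosts, not proof of it; a `dropped` verdict points at something that actively closed the connection instead.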
Local net ssh failure Tiger (PHP MYSQL Apache Dreamweaver)
I can't be sure, but I think this problem started with the latest security update. I'm 80% done with my first web application using PHP and Mysql in dreamweaver when I began getting an unknown error from dreamweaver when attempting to connect to my DB on my testing server. After 2 days of debugging and re-installing apps I finally wiped the testing server (G4 400 Cube memory topped out 120GB HD, down to the metal), reinstalled Tiger, fully patched, and edited the httpd.conf file to enable php 4.4.1. I installed Mysql 4.1 (which was the last general distribution with a packaged install) and the server works fine, so I created myself as a user in mysql @localhost & @localmachinename to replicate root user. Navicat was up and running in no time, so I re-populated my server from my backup.
Then I jumped over to my design workstation (G5 2Ghz Dual, 2GB Ram, 250GB HD) only to find navicat can't login to the mysql server because ssh won't connect to the G4. After much testing I discovered ALL of my macs will attach only to external addresses. My linux box, external linux boxes, even windows boxes emulating ssh will attach internally or externally; the macs won't talk to anything in the local network 10.0.x. What the ****! My project is now past due and I'm stuck because I can no longer ssh from any macs to internal machines, mac or otherwise.
PLEASE HELP!!! Is there an SSH package so I can re-install? I couldn't find a mac ssh package on apple or ssh.org. Will that even make a difference? Can I uninstall the security update? Can anyone suggest a workaround?
My network
*10.0.1.2 Ganymede (Mandriva 10 server and Gateway)
*10.0.1.6 Artemis (G5 10.4.7) Web/Video
*10.0.1.10 Miletus (G4 10.4.7) Web Testing
*10.0.1.5 Venus (G4 10.4.7) Photo editing
*10.0.1.4 Hero (G3 ibook 10.4.7) office work
*10.0.1.7 Hermes (iMac 10.4.7) iLife
*10.0.1.3 Apollo (Wintendo XP) Web Testing/The Sims
Here are several ssh logs.
mac to mac (FAIL)
Artemis:~ phil$ ssh -vv 10.0.1.10
OpenSSH_4.2p1, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.0.1.10 [10.0.1.10] port 22.
debug1: Connection established.
debug1: identity file /Users/phil/.ssh/identity type -1
debug1: identity file /Users/phil/.ssh/id_rsa type -1
debug1: identity file /Users/phil/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.2
debug1: match: OpenSSH_4.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug2: fd 3 setting O_NONBLOCK
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
A parameter was malformed
Validation error
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
A parameter was malformed
Validation error
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Write failed: Broken pipe
Artemis:~ phil$
Mac to linux internal (FAIL)
Artemis:~ phil$ ssh -vv 10.0.1.2
OpenSSH_4.2p1, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.0.1.2 [10.0.1.2] port 22.
debug1: Connection established.
debug1: identity file /Users/phil/.ssh/identity type -1
debug1: identity file /Users/phil/.ssh/id_rsa type -1
debug1: identity file /Users/phil/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug2: fd 3 setting O_NONBLOCK
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
A parameter was malformed
Validation error
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
A parameter was malformed
Validation error
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Write failed: Broken pipe
mac to linux external (Success)
Artemis:~ phil$ ssh -vv 69.253.x.x
OpenSSH_4.2p1, OpenSSL 0.9.7i 14 Oct 2005
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 69.253.x.x [69.253.x.x] port 22.
debug1: Connection established.
debug1: identity file /Users/phil/.ssh/identity type -1
debug1: identity file /Users/phil/.ssh/id_rsa type -1
debug1: identity file /Users/phil/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug2: fd 3 setting O_NONBLOCK
debug1: Miscellaneous failure
No credentials cache found
debug1: Miscellaneous failure
No credentials cache found
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 514/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '69.253.239.85' is known and matches the RSA host key.
debug1: Found key in /Users/phil/.ssh/known_hosts:3
debug2: bits set: 516/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/phil/.ssh/identity (0x0)
debug2: key: /Users/phil/.ssh/id_rsa (0x0)
debug2: key: /Users/phil/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/phil/.ssh/identity
debug1: Trying private key: /Users/phil/.ssh/id_rsa
debug1: Trying private key: /Users/phil/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
[email protected]'s password:
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 0
debug2: channel 0: request shell confirm 0
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
Last login: Tue Aug 15 12:56:42 2006 from artemis.ganymedia.net
[phil@ganymede ~]$
G5 Dual 2G Mac OS X (10.4.7)
Mac comes with a fully functioning Apache web server with all the scripting languages (except VB). You need to enable them in the configuration file.
You need some lightweight UNIX administration skills to do this. Use the system restore disk to set the password for the root account.
Open a terminal screen from the Utilities folder in Applications. Type "su", press return, then enter the root password you set using the system restore disk.
Make a backup copy of the Apache configuration file with the following command (type this in with no mistakes and press the return key).
cp /etc/httpd/httpd.conf /etc/httpd/httpd.conf.copy
Enter the following to open the Apache configuration (type this in with no mistakes and hit the return key).
/Applications/TextEdit.app/Contents/MacOS/TextEdit /etc/httpd/httpd.conf &
Locate and remove the # comment symbol from the following lines and save the file in /etc/httpd/httpd.conf.
#LoadModule php4_module libexec/httpd/libphp4.so
#AddModule mod_php4.c
Exit the TextEdit application and quit out of the terminal application.
Put the following web page into a file named greetings.php inside the folder Library/WebServer/Documents.
<html>
<head>
<title>Experiment</title>
</head>
<body>
<?php
// Prints the text that the browser test further down expects to see.
echo "Greetings";
?>
</body>
</html>
Once you have made these changes, you can reboot to activate the changes.
Put the following into your browser to test the configuration.
http://localhost/greetings.php
You should see "Greetings" on a web page titled "Experiment".
MySQL is a separate server that you need to download and configure to complete your web server.
I hope this helps.
Best regards - Greg -
Ssh X11 forwarding takes too long to start any app. remotely
Hi,
I have a bizarre problem with %subject% for some time already.
Affected are all my Arch linux installations (all with: systemd, openbox (without Display Manager), and latest updates):
1. home desktop (core 2 duo, 2.4GHz, 3GB RAM).
2. one testing desktop in virtualbox on the desktop from prev. point.
3. work laptop (Intel Core i5, 4GB RAM).
All of these are connected via cable to the same home network 100MB router (using openwrt on asus wl-500g).
Normal ssh transmissions, like entering commands, or transfer of data via scp (even large amount of data for testing purposes because of this) works quick like expected.
The problem is that if I try to start an app remotely via ssh X forwarding from or to any of these (it is affected in both directions), it always takes approx. 2 minutes to start the app.
Afterwards, it works fast and fine.
Doesn't change anything, whether the X server is running on the server's side or not.
Have been testing it with some lightweight apps too, but makes no difference if it's e.g. mousepad, gedit, thunderbird, always the same 2 min. delay at their start.
Also, some time ago, I had an older (more than 10 years) laptop, also with Arch installed, using LXDE, and connected via wifi to this same router, which worked perfectly without any delay. Also the same time ago, I was yet running Ubuntu on the home desktop, when I installed Arch to the virtualbox mentioned in point 2, and the problem was already present on the virtual pc, but not on the Ubuntu or the older laptop with Arch I had before.
Later, when I switched home desktop to Arch (or I got new laptop in the work), the issue appeared instantly on the new Arch installations.
The sshd configuration is the basic from the package, with X forwarding enabled of course, thus no strange changes of mine.
I monitored the ssh communications with tcpdump, not to read the encrypted data itself, but to see whether the data is flowing, and there are flow outages (absolute quiet except for the exceptions mentioned below) during the mentioned 2 minutes until app startup:
- after ssh authentication, there is about 1 minute silence, when after this 1st minute some few data is flowing
- next, there is another 1 minute silence, after which the app. finally starts
I've also gathered ssh debugging information from both server (where I'm connecting and trying to start the app remotely) and client, with a description of when waiting was detected.
server:
/usr/sbin/sshd -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 501
debug2: parse_server_config: config /etc/ssh/sshd_config len 501
debug3: /etc/ssh/sshd_config:15 setting ListenAddress 0.0.0.0
debug3: /etc/ssh/sshd_config:16 setting ListenAddress ::
debug3: /etc/ssh/sshd_config:35 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:42 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:52 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:68 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:71 setting ChallengeResponseAuthentication no
debug3: /etc/ssh/sshd_config:92 setting UsePAM yes
debug3: /etc/ssh/sshd_config:94 setting AllowAgentForwarding yes
debug3: /etc/ssh/sshd_config:95 setting AllowTcpForwarding yes
debug3: /etc/ssh/sshd_config:97 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:98 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:99 setting X11UseLocalhost yes
debug3: /etc/ssh/sshd_config:104 setting UsePrivilegeSeparation sandbox
debug3: /etc/ssh/sshd_config:106 setting Compression delayed
debug3: /etc/ssh/sshd_config:109 setting UseDNS no
debug3: /etc/ssh/sshd_config:120 setting Subsystem sftp /usr/lib/ssh/sftp-server
debug1: sshd version OpenSSH_6.1p1
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug3: oom_adjust_setup
Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 3 IPV6_V6ONLY
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 501
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from CLIENT_IP port 43333
debug1: Client protocol version 2.0; client software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing seccomp filter sandbox
debug2: Network child is on pid 6379
debug3: preauth child monitor started
debug3: privsep user:group 99:99 [preauth]
debug1: permanently_set_uid: 99/99 [preauth]
debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth]
debug3: ssh_sandbox_child: attaching seccomp filter program [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,[email protected] [preauth]
debug2: kex_parse_kexinit: none,[email protected] [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
debug2: kex_parse_kexinit: reserved 0 [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected] [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,[email protected],zlib [preauth]
debug2: kex_parse_kexinit: none,[email protected],zlib [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
debug2: kex_parse_kexinit: reserved 0 [preauth]
debug2: mac_setup: found hmac-md5 [preauth]
debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
debug2: mac_setup: found hmac-md5 [preauth]
debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 5 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x13e3f80(100)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug2: kex_derive_keys [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user USERNAME service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug2: parse_server_config: config reprocess config len 501
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug2: input_userauth_request: setting up authctxt for USERNAME [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send entering: type 45 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 45
debug1: PAM: initializing for "USERNAME"
debug1: PAM: setting PAM_RHOST to "CLIENT_IP"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 45 used once, disabling now
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 3 [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug1: userauth-request for user USERNAME service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 20 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 21 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x13e1e20
debug1: temporarily_use_uid: 1000/100 (e=0/0)
debug1: trying public key file /home/USERNAME/.ssh/authorized_keys
debug1: Could not open authorized keys '/home/USERNAME/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for USERNAME from CLIENT_IP port 43333 ssh2
debug3: mm_answer_keyallowed: key 0x13e1e20 is not allowed
debug3: mm_request_send entering: type 21
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss [preauth]
debug1: userauth-request for user USERNAME service ssh-connection method password [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method password [preauth]
debug3: mm_auth_password entering [preauth]
debug3: mm_request_send entering: type 10 [preauth]
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD [preauth]
debug3: mm_request_receive_expect entering: type 11 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for USERNAME
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 11
debug3: mm_request_receive_expect entering: type 46
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
debug3: mm_request_send entering: type 47
Accepted password for USERNAME from CLIENT_IP port 43333 ssh2
debug3: mm_auth_password: user authenticated [preauth]
debug3: mm_do_pam_account entering [preauth]
debug3: mm_request_send entering: type 46 [preauth]
debug3: mm_request_receive_expect entering: type 47 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_do_pam_account returning 1 [preauth]
debug3: mm_send_keystate: Sending new keys: 0x13e1c40 0x13e34c0 [preauth]
debug3: mm_newkeys_to_blob: converting 0x13e1c40 [preauth]
debug3: mm_newkeys_to_blob: converting 0x13e34c0 [preauth]
debug3: mm_send_keystate: New keys have been sent [preauth]
debug3: mm_send_keystate: Sending compression state [preauth]
debug3: mm_request_send entering: type 24 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug1: monitor_read_log: child log fd closed
debug1: monitor_child_preauth: USERNAME has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 24
debug3: mm_request_receive entering
debug3: mm_newkeys_from_blob: 0x13f3b20(122)
debug2: mac_setup: found hmac-md5
debug3: mm_get_keystate: Waiting for second key
debug3: mm_newkeys_from_blob: 0x13f3b20(122)
debug2: mac_setup: found hmac-md5
debug3: mm_get_keystate: Getting compression state
debug3: mm_get_keystate: Getting Network I/O buffers
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
debug3: ssh_sandbox_parent_finish: finished
debug1: PAM: establishing credentials
debug3: PAM: opening session
User child is on pid 6387
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 1000/100
debug2: set_newkeys: mode 0
debug2: set_newkeys: mode 1
debug1: Entering interactive session for SSH2.
debug2: fd 7 setting O_NONBLOCK
debug2: fd 9 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 2097152 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype [email protected] want_reply 0
debug1: server_input_channel_req: channel 0 request x11-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req x11-req
debug3: sock_set_v6only: set socket 10 IPV6_V6ONLY
debug2: fd 10 setting O_NONBLOCK
debug3: fd 10 is O_NONBLOCK
debug1: channel 1: new [X11 inet listener]
debug2: fd 11 setting O_NONBLOCK
debug3: fd 11 is O_NONBLOCK
debug1: channel 2: new [X11 inet listener]
debug1: server_input_channel_req: channel 0 request exec reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req exec
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: fd 14 setting O_NONBLOCK
debug2: fd 13 setting O_NONBLOCK
debug2: fd 16 setting O_NONBLOCK
debug2: channel 0: read 210 from efd 16
debug2: channel 0: rwin 2097152 elen 210 euse 1
debug2: channel 0: sent ext data 210
debug2: channel 0: read 380 from efd 16
debug2: channel 0: rwin 2096942 elen 380 euse 1
debug2: channel 0: sent ext data 380
debug2: channel 0: read 121 from efd 16
debug2: channel 0: rwin 2096562 elen 121 euse 1
debug2: channel 0: sent ext data 121
### Here started the waiting on the server's side, and continued later till the start of app.:
debug1: X11 connection requested.
debug2: fd 12 setting TCP_NODELAY
debug2: fd 12 setting O_NONBLOCK
debug3: fd 12 is O_NONBLOCK
debug1: channel 3: new [X11 connection from 127.0.0.1 port 46968]
debug2: channel 3: open confirm rwindow 2097152 rmax 16384
debug2: channel 0: read 62 from efd 16
debug2: channel 0: rwin 2096441 elen 62 euse 1
debug2: channel 0: sent ext data 62
debug1: X11 connection requested.
debug2: fd 15 setting TCP_NODELAY
debug2: fd 15 setting O_NONBLOCK
debug3: fd 15 is O_NONBLOCK
debug1: channel 4: new [X11 connection from 127.0.0.1 port 46972]
debug2: channel 4: open confirm rwindow 2097152 rmax 16384
debug2: channel 3: rcvd adjust 51268
debug2: channel 3: rcvd adjust 65536
debug2: channel 3: rcvd adjust 65536
debug2: channel 3: rcvd adjust 65536
debug2: channel 3: rcvd adjust 65536
debug2: channel 3: rcvd adjust 32768
debug2: channel 3: rcvd adjust 147456
debug2: channel 3: rcvd adjust 55788
debug2: channel 3: window 32740 sent adjust 32796
client:
ssh -Xvvv USERNAME@SERVER_IP mousepad
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to SERVER_IP [SERVER_IP] port 22.
debug1: Connection established.
debug1: identity file /home/USERNAME/.ssh/id_rsa type -1
debug1: identity file /home/USERNAME/.ssh/id_rsa-cert type -1
debug1: identity file /home/USERNAME/.ssh/id_dsa type 2
debug1: identity file /home/USERNAME/.ssh/id_dsa-cert type -1
debug1: identity file /home/USERNAME/.ssh/id_ecdsa type -1
debug1: identity file /home/USERNAME/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "SERVER_IP" from file "/home/USERNAME/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/USERNAME/.ssh/known_hosts:4
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA ABC123...
debug3: load_hostkeys: loading entries for host "SERVER_IP" from file "/home/USERNAME/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/USERNAME/.ssh/known_hosts:4
debug3: load_hostkeys: loaded 1 keys
debug1: Host 'SERVER_IP' is known and matches the ECDSA host key.
debug1: Found key in /home/USERNAME/.ssh/known_hosts:4
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/USERNAME/.ssh/id_rsa ((nil))
debug2: key: /home/USERNAME/.ssh/id_dsa (0x)
debug2: key: /home/USERNAME/.ssh/id_ecdsa ((nil))
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/USERNAME/.ssh/id_rsa
debug3: no such identity: /home/USERNAME/.ssh/id_rsa
debug1: Offering DSA public key: /home/USERNAME/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/USERNAME/.ssh/id_ecdsa
debug3: no such identity: /home/USERNAME/.ssh/id_ecdsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
USERNAME@SERVER_IP's password:
debug3: packet_send2: adding 48 (len 68 padlen 12 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
Authenticated to SERVER_IP ([SERVER_IP]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/bin/xauth -f /tmp/ssh-mHE6faU7YJF2/xauthfile generate :0 MIT-MAGIC-COOKIE-1 untrusted timeout 1200 2>/dev/null
debug2: x11_get_proto: /usr/bin/xauth -f /tmp/ssh-mHE6faU7YJF2/xauthfile list :0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 1
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug1: Sending command: mousepad
debug2: channel 0: request exec confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: X11 forwarding request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
### After successful authentication, here above started the first waiting, where after first 1 min. continued with:
debug2: channel 0: rcvd ext data 210
debug2: channel 0: rcvd ext data 380
debug2: channel 0: rcvd ext data 121
debug3: Copy environment: XDG_SESSION_COOKIE=0d937ee20c7e42bdbf828421a30eaa2f-1357144247.348263-1841400888
debug3: Copy environment: XDG_SESSION_ID=5
debug3: Copy environment: XDG_RUNTIME_DIR=/run/user/1000
debug2: channel 0: written 711 to efd 6
### After another 1 min. continued with + started the app.
debug1: client_input_channel_open: ctype x11 rchan 3 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 46968
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [x11]
debug1: confirm x11
debug2: channel 0: rcvd ext data 62
Xlib: extension "RANDR" missing on display "localhost:10.0".
debug2: channel 0: written 62 to efd 6
debug1: client_input_channel_open: ctype x11 rchan 4 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 46972
debug2: fd 8 setting O_NONBLOCK
debug3: fd 8 is O_NONBLOCK
debug1: channel 2: new [x11]
debug1: confirm x11
debug2: channel 1: window 2045884 sent adjust 51268
debug2: channel 1: window 2031616 sent adjust 65536
debug2: channel 1: window 2031616 sent adjust 65536
debug2: channel 1: window 2031616 sent adjust 65536
debug2: channel 1: window 2031616 sent adjust 65536
debug2: channel 1: window 2031616 sent adjust 32768
debug2: channel 1: window 1949696 sent adjust 147456
debug2: channel 1: window 2041364 sent adjust 55788
debug2: channel 1: rcvd adjust 32796
debug1: client_input_channel_open: ctype x11 rchan 5 win 65536 max 16384
debug1: client_request_x11: request from 127.0.0.1 46974
debug2: fd 9 setting O_NONBLOCK
debug3: fd 9 is O_NONBLOCK
debug1: channel 3: new [x11]
debug1: confirm x11
debug2: channel 1: rcvd adjust 32800
It's quite strange, as I have no more ideas what to check next.
Any ideas pls?
thx in advance.
Have finally found a solution for this problem: http://serverfault.com/questions/490352 … w-to-start
Now the applications do start immediately via SSH X11 forwarding as expected.
The following three lines helped:
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT
ip6tables -A FORWARD -i lo -o lo -j ACCEPT
Until now, all ip6 traffic had been forbidden (dropped) at system start, of course.
Nevertheless, I don't understand why the ip6 localhost has to be allowed this way even though /etc/ssh/sshd_config is configured for ip4 only ("AddressFamily inet").
I thought that this way sshd would be using the ip4 protocol only (including for the X11 forwarding), so why does it still need ip6? -
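The sshd and ssh debug logs in the thread above record the peer banner, the negotiated cipher and MAC per direction, and the authentication sequence. The following is an added example, not part of the original posts, that pulls those fields out of such a log and flags them against a review policy; the policy sets, the 2048-bit floor, the function name `summarize` and the two sample excerpts (constructed from line formats seen in these logs) are assumptions.

```python
import re

# Assumed review policy for this example (not taken from the thread).
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
LEGACY_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc",
                  "blowfish-cbc", "cast128-cbc"}
MIN_DH_GEX_BITS = 2048

# Line formats as printed by sshd -ddd (server) and ssh -v (client).
BANNER_RE = re.compile(r"(?:Client|Remote) protocol version ([\d.]+)[;,] "
                       r"(?:client|remote) software version (\S+)")
KEX_RE = re.compile(r"kex: (client->server|server->client) (\S+) (\S+) (\S+)")
GEX_RE = re.compile(r"SSH2_MSG_KEX_DH_GEX_REQUEST\((\d+)<(\d+)<(\d+)\)")
AUTH_RE = re.compile(r"^(Accepted|Failed) (\S+) for (?:invalid user )?(\S+) "
                     r"from \S+ port \d+")

# Constructed excerpt in sshd debug format (placeholders as in the thread).
SERVER_SAMPLE = """\
debug1: Client protocol version 2.0; client software version OpenSSH_6.1
debug1: kex: client->server aes128-ctr hmac-md5 none [preauth]
debug1: kex: server->client aes128-ctr hmac-md5 none [preauth]
debug1: Could not open authorized keys '/home/USERNAME/.ssh/authorized_keys': No such file or directory
Failed publickey for USERNAME from CLIENT_IP port 43333 ssh2
Accepted password for USERNAME from CLIENT_IP port 43333 ssh2
"""

# Constructed excerpt in ssh -v client format.
CLIENT_SAMPLE = """\
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
"""


def summarize(log_text):
    """Extract banner, transport algorithms, DH-GEX sizes and auth events."""
    peer = protocol = dh_gex = None
    transport, auth = {}, []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BANNER_RE.search(line)
        if m:
            protocol, peer = m.group(1), m.group(2)
            continue
        m = KEX_RE.search(line)
        if m:
            transport[m.group(1)] = (m.group(2), m.group(3), m.group(4))
            continue
        m = GEX_RE.search(line)
        if m:
            dh_gex = tuple(int(g) for g in m.groups())  # (min, preferred, max)
            continue
        m = AUTH_RE.match(line)
        if m:
            auth.append((m.group(1), m.group(2), m.group(3)))

    findings = []
    if protocol and protocol.startswith("1"):
        # 1.5 is SSH-1 only; 1.99 means the peer still offers SSH-1 too.
        findings.append(f"peer advertises protocol {protocol} (SSH-1 offered)")
    for direction in sorted(transport):
        cipher, mac, _comp = transport[direction]
        if cipher in LEGACY_CIPHERS:
            findings.append(f"{direction}: legacy cipher {cipher}")
        if mac in LEGACY_MACS:
            findings.append(f"{direction}: legacy MAC {mac}")
    if dh_gex and dh_gex[0] < MIN_DH_GEX_BITS:
        findings.append(f"DH group-exchange minimum {dh_gex[0]} bits "
                        f"is below {MIN_DH_GEX_BITS}")
    failed_pubkey = set()
    for result, method, user in auth:
        if result == "Failed" and method == "publickey":
            failed_pubkey.add(user)
        elif result == "Accepted" and method == "password" and user in failed_pubkey:
            findings.append(f"password accepted for {user} after publickey failed")
    return {"peer": peer, "protocol": protocol, "transport": transport,
            "dh_gex": dh_gex, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("server", SERVER_SAMPLE), ("client", CLIENT_SAMPLE)):
        print(name, summarize(sample)["findings"])
```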
After update to Maverick, I can't ssh to remote servers from my Mac.
I can ssh localhost, but I can't ssh to remote servers.
cykuo-MBP:~ cykuo$ ssh root@my_server_ip
Read from socket failed: Connection reset by peer
cykuo-MBP:~ cykuo$ ssh root@my_server_ip
Read from socket failed: Operation timed out
cykuo-MBP:~ cykuo$ ssh -vvv root@my_server_ip
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 51: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to my_server_ip [my_server_ip] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/Users/cykuo/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /Users/cykuo/.ssh/id_rsa type 1
debug1: identity file /Users/cykuo/.ssh/id_rsa-cert type -1
debug1: identity file /Users/cykuo/.ssh/id_dsa type -1
debug1: identity file /Users/cykuo/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH_4*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "my_server_ip" from file "/Users/cykuo/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit: none,[email protected],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit: none,[email protected]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Read from socket failed: Operation timed out
cykuo-MBP:~ cykuo$
I used to use 2 keyboard keys - It now works with only 1.
So it works now, but different.
Thank you. -
Unable to SSH to Server with terminal, Putty Works (SOLVED)
Hi all,
I am unable to ssh to a remote server from the terminal; when I try with Putty it works. Here's the output of ssh -v
OpenSSH_6.3, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 49: Applying options for testing
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Connecting to ********* [*********] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/************.pem type -1
debug1: identity file /root/.ssh/************ type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.3
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.1
debug1: match: OpenSSH_6.1 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 50:97:e6:ff:44:01:02:ca:e2:b4:38:41:86:42:2c:c2
debug1: Host '************' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/************.pem
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to ************ ([************]:22).
debug1: channel 0: new [client-session]
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
I suspect it has something to do with my terminal? I am using xfce terminal
Update:
So, following advice from other forum members, I am marking this as solved. The situation resulted from me installing a new router, and this router blocked SSH connections. I searched on stackoverflow and tried this fix at
http://stackoverflow.com/questions/2247 … i-does-not
I applied the setting to /etc/ssh/ssh_config and it started working again.
Last edited by zenwong (2013-10-30 08:47:41)
In addition to marking your thread as solved, you should also give a bit of info on how you came to that conclusion and what that configuration does. If you have the expectation that posting in these threads might yield assistance, you should also assume that there is the expectation that you will have the courtesy to make the thread useful for others in the event that you find the solution on your own. https://wiki.archlinux.org/index.php/Fo … way_Street
-
SSH Key login not working when added to gpg-agent
Hello,
As I use gnupg, I run the gpg-agent. I run it with systemd --user and it works flawlessly. As I already run gpg-agent, I figured I might as well just add my ssh keys to it as well. Therefore I start gpg-agent with --enable-ssh-support. I use my SSH keys a lot and never had any problems with connecting to anything with a simple ssh .... or pushing things to git etc.
As the SOCKS_AUTH_SSH envvar needs to be set for ssh-add to work, I added this line to my .bashrc
export SSH_AUTH_SOCK=~/.gnupg/S.gpg-agent.ssh
Now, adding my SSH Keys with a simple ssh-add seems to work fine (no errors etc).
However, when I try to connect to a server now, the following happens:
ssh -vT [email protected]
OpenSSH_6.8p1, OpenSSL 1.0.2a 19 Mar 2015
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to XXXXXXXXX port XXXXX.
debug1: Connection established.
debug1: identity file /home/XXXXX/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/XXXXX/.ssh/id_rsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.8
debug1: match: OpenSSH_6.8 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Mw5MTDp91yExgStdoMPMwi2yZdoG9MruOm+6XiC5Vks
debug1: Host '[XXXXXXX]:XXX' is known and matches the ECDSA host key.
debug1: Found key in /home/XXXX/.ssh/known_hosts:1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/XXXXX/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: No more authentication methods to try.
Permission denied (publickey).
Which is very strange as id_rsa is my (encrypted) private key. I am also prompted to enter the corresponding password when issuing ssh-add.
What could the problem be in this case? Thanks a lot!!
Last edited by replax (2015-05-18 19:06:58)
replax wrote:Well, there is something listed in .gnupg/sshcontrol, I am not sure if it is connected to my own key though. I tried ssh-add -l and it will list my one key, although it is different from the one in sshcontrol. I suspect that that is an issue of presentation though, as ssh-add spews out the SHA256 of my key.
How could I go about verifying that the key is indeed correct? Shouldn't it be added automatically by ssh-add?
Thanks a lot!!
Yes it should be added automatically. I suppose you could try it in a new user just to start fresh and see if it works, at least then you'll have either verified that your steps were correct or incorrect.