#132002 ssh: Problems connecting FreeBSD 4.5 (no password authentication mode is done)

#132002#5
Date:
2002-02-02 22:56:35 UTC
From:
To:
Hi!

When I want to connect to my new FreeBSD box, the following happens:
(Only using ssh protocol 2)

debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/gjasny/.ssh/id_rsa
debug1: try pubkey: /home/gjasny/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is keyboard-interactive
otp-md5 269 da3152 ext
S/Key Password:

Shouldn't password be tried before keyboard-interactive?

On a Slackware with OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f it looks like this:

debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/id_rsa
debug1: try privkey: /root/.ssh/id_dsa
debug1: next auth method to try is password
gjasny@daemon's password:


The sshd on FreeBSD doesn't report anything weird.

Best Regards,
-G. Jasny

#132002#10
Date:
2002-02-03 09:06:19 UTC
From:
To:
tags 132002 moreinfo
severity 132002 normal
quit

Gregor Jasny writes:
 > Package: ssh
 > Version: 1:3.0.2p1-4
 > Severity: important
 >
 > Hi!
 >
 > When I want to connect to my new FreeBSD box, the following happens:
 > (Only using ssh protocol 2)

You don't tell me: a) what software you're running on the BSD server;
b) what the sshd_config on the server looks like.

Matthew

#132002#19
Date:
2002-02-03 09:48:05 UTC
From:
To:
On Sunday, 3 February 2002 10:06 you wrote:
OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
I've attached the BSD server config and the Debian ssh config.

#132002#24
Date:
2002-02-05 17:31:15 UTC
From:
To:
I have duplicated this bug with:

FreeBSD hand.dotat.at 4.5-RC-20020115 FreeBSD 4.5-RC-20020115 #10: Tue Jan 15 21:01:51 GMT 2002     fanf@hand.dotat.at:/FreeBSD/obj/FreeBSD/releng4/sys/SHARP  i386

SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20011202

connecting from

OpenSSH_3.0.2p1 Debian 1:3.0.2p1-5, SSH protocols 1.5/2.0, OpenSSL 0x0090603f

Tony.

#132002#29
Date:
2002-02-05 17:38:31 UTC
From:
To:
Oops, missed some debugging options from sshd...

#132002#34
Date:
2002-02-05 17:49:45 UTC
From:
To:
 If I make a similar attempt from ming to arborlon then you will note that
it tries keyboard-interactive before password, but doesn't find anything
on the remote end supporting keyboard-interactive.  This order (key,
interactive, passwd) appears to agree with the documentation:

#                         the client will try to authenticate first using
#   the hostbased method; if this method fails public key authentication is
#   attempted, and finally if this method fails keyboard-interactive and
#   password authentication are tried.

 OTOH the debugging output suggests that password should be tried before
keyboard-interactive (which is, really, quite a silly idea - since
keyboard-interactive is supposed to be more secure than passwords).

 Therefore I think that the debugging output should be fixed.

 Debug log follows:

ming.empire.pick.ucam.org:~/                            # [02/02/05.17:42:16] $
: pts/16[1] bash[803] ; ssh -vvv arborlon.lab.dotat.at
OpenSSH_3.0.2p1 Debian 1:3.0.2p1-6, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1007 geteuid 0 anon 1
debug1: Connecting to arborlon.lab.dotat.at [192.168.124.34] port 22.
debug1: temporarily_use_uid: 1007/1007 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 1007/1007 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/jdamery/.ssh/identity type 0
debug1: identity file /home/jdamery/.ssh/id_rsa type -1
debug1: identity file /home/jdamery/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1 Debian 1:3.0.2p1-5
debug1: match: OpenSSH_3.0.2p1 Debian 1:3.0.2p1-5 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1 Debian 1:3.0.2p1-6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 144/256
debug1: bits set: 1556/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/jdamery/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug3: check_host_in_hostfile: filename /home/jdamery/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug3: check_host_in_hostfile: filename /home/jdamery/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 38
debug3: check_host_in_hostfile: filename /home/jdamery/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 41
debug1: Host 'arborlon.lab.dotat.at' is known and matches the RSA host key.
debug1: Found key in /home/jdamery/.ssh/known_hosts:38
debug1: bits set: 1572/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: start over, passed a different list publickey,password,keyboard-interactive,hostbased
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /home/jdamery/.ssh/id_rsa
debug3: no such identity: /home/jdamery/.ssh/id_rsa
debug1: try privkey: /home/jdamery/.ssh/id_dsa
debug3: no such identity: /home/jdamery/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
jdamery@arborlon.lab.dotat.at's password:
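
Added example, not part of the original thread and not OpenSSH code: a small parser for client debug output in the format quoted above. It separates the list the server advertises ("authentications that can continue"), the client's own "preferred" list, and the order actually attempted, and reports which list the attempts follow. The sample log is constructed from lines of the kind shown in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: trimmed `ssh -vvv` client output in the format quoted in this thread.
SAMPLE_LOG = """\
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: preferred publickey,keyboard-interactive,password
debug1: next auth method to try is publickey
debug2: we did not send a packet, disable method
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is password
"""

CAN_CONTINUE = re.compile(r"^debug1: authentications that can continue: (\S+)")
PREFERRED = re.compile(r"^debug3: preferred (\S+)")
NEXT_METHOD = re.compile(r"^debug1: next auth method to try is (\S+)")


def follows(reference, tried):
    """True if `tried` visits its methods in the same relative order as `reference`."""
    return [m for m in reference if m in tried] == tried


def auth_order_report(log):
    """Summarise which list the attempted methods follow (hypothetical helper)."""
    offered, preferred, tried = [], [], []
    for line in log.splitlines():
        line = line.strip()
        if m := CAN_CONTINUE.match(line):
            offered = m.group(1).split(",")    # server's list; last one seen wins
        elif m := PREFERRED.match(line):
            preferred = m.group(1).split(",")  # appears only at debug3 level (-vvv)
        elif m := NEXT_METHOD.match(line):
            tried.append(m.group(1))
    return {
        "offered": offered,
        "preferred": preferred,
        "tried": tried,
        "follows_server_list": follows(offered, tried),
        # None when the log was not verbose enough to show the preference list
        "follows_client_preference": follows(preferred, tried) if preferred else None,
    }


if __name__ == "__main__":
    for key, value in auth_order_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

With only `-v` output, where no "preferred" line is logged, the report leaves `follows_client_preference` as `None` rather than guessing.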