OESF Portables Forum
Topic started by: dninja on September 25, 2005, 05:44:20 pm
-
This has been asked before but the solution offered before doesn't work for me so I'm asking again...
If I try to ssh from my Zaurus to a linux box running OpenSSH I get the following error:
ssh rast
Host 'rast' is not in the trusted hosts file.
(fingerprint md5 78:3f:8e:61:1d:07:cd:31:fe:65:f1:15:34:f6:9b:df)
Do you want to continue connecting? (y/n)
y
ssh: connection to robin@rast:22 exited: No auth methods could be used.
The other threads I can find on this recommend enabling
PasswordAuthentication yes
in the sshd_config file on the openssh box. That doesn't fix it for me, I've tried it on a linux and a freebsd box and can still connect to neither.
To try to debug this I tried starting the sshd in single run mode on a different port with full debug turned on and here is the result:
/usr/sbin/sshd -p 2244 -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 625
debug2: parse_server_config: config /etc/ssh/sshd_config len 625
debug1: sshd version OpenSSH_4.1p1 Debian-7ubuntu1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='2244'
debug1: rexec_argv[3]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2244 on ::.
Server listening on :: port 2244.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 2244 on 0.0.0.0.
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 625
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
debug1: inetd sockets after dupping: 3, 3
debug3: Normalising mapped IPv4 in IPv6 address
Connection from 192.168.0.10 port 1042
debug1: Client protocol version 2.0; client software version dropbear_0.45
debug1: no match: dropbear_0.45
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.1p1 Debian-7ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: privsep user:group 104:65534
debug1: permanently_set_uid: 104/65534
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug2: Network child is on pid 7709
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,blowfish-cbc,twofish-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-cbc,blowfish-cbc,twofish-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-sha1
debug1: kex: client->server aes128-cbc hmac-sha1 none
debug2: mac_init: found hmac-sha1
debug1: kex: server->client aes128-cbc hmac-sha1 none
debug2: dh_gen_key: priv key bits set: 177/320
debug2: bits set: 517/1024
debug1: expecting SSH2_MSG_KEXDH_INIT
debug2: bits set: 525/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x809d7d0(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user robin service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for robin
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 45
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
Failed none for robin from 192.168.0.10 port 1042 ssh2
debug3: monitor_read: checking request 45
debug1: PAM: initializing for "robin"
debug3: Normalising mapped IPv4 in IPv6 address
debug3: Trying to reverse map address 192.168.0.10.
debug1: PAM: setting PAM_RHOST to "192.168.0.10"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=, role=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
Connection closed by 192.168.0.10
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering
and on the client:
ssh -p 2244 rast
Host 'rast' is not in the trusted hosts file.
(fingerprint md5 78:3f:8e:61:1d:07:cd:31:fe:65:f1:15:34:f6:9b:df)
Do you want to continue connecting? (y/n)
y
ssh: connection to robin@rast:2244 exited: No auth methods could be used.
Can anyone suggest any other fixes to the one I found?
Also, I seem to be running up against quite a few little bugs/features like this. I'm on the latest OZ; is it not stable enough yet to be used day to day, or are these just things we have to put up with?
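Added example, not part of the original post: a small Python sketch that reads `sshd -ddd` output like the trace above and reports where the login stopped. The sample log is constructed from a few lines of that trace, and the function names and result labels are this example's own.

```python
import re

# Constructed sample in the format of the sshd -ddd trace quoted above
# (a handful of lines, not a verbatim copy of the full log).
SAMPLE = """\
debug1: Client protocol version 2.0; client software version dropbear_0.45
debug1: KEX done
debug1: userauth-request for user robin service ssh-connection method none
Failed none for robin from 192.168.0.10 port 1042 ssh2
Connection closed by 192.168.0.10
"""

PATTERNS = {
    "client": re.compile(r"client software version (\S+)"),
    "request": re.compile(r"userauth-request for user \S+ service \S+ method (\S+)"),
    "accepted": re.compile(r"^Accepted (\S+) for "),
    "closed": re.compile(r"^Connection closed by "),
}

def summarize(log_text):
    """Collect the authentication-relevant facts from sshd debug output."""
    s = {"client": None, "kex_done": False, "methods": [],
         "accepted": None, "closed_by_peer": False}
    for line in log_text.splitlines():
        line = line.strip()
        if "KEX done" in line:
            s["kex_done"] = True
        if (m := PATTERNS["client"].search(line)):
            s["client"] = m.group(1)
        if (m := PATTERNS["request"].search(line)):
            s["methods"].append(m.group(1))
        if (m := PATTERNS["accepted"].search(line)):
            s["accepted"] = m.group(1)
        if PATTERNS["closed"].search(line):
            s["closed_by_peer"] = True
    return s

def diagnose(s):
    """Classify where the login stopped; the labels are this example's own."""
    if not s["kex_done"]:
        return "transport-failure"
    if s["accepted"]:
        return "authenticated"
    tried = [m for m in s["methods"] if m != "none"]
    if tried:
        return "server-rejected:" + ",".join(tried)
    if s["closed_by_peer"]:
        # Only the 'none' probe arrived: the client received the server's
        # method list and found nothing it could use. Compare that list
        # with the methods the client supports.
        return "client-gave-up-after-none"
    return "inconclusive"

if __name__ == "__main__":
    print(diagnose(summarize(SAMPLE)))
```

For the trace above it reports `client-gave-up-after-none`: sshd logged only the `none` request (the probe a client sends to learn which methods the server allows, RFC 4252) before Dropbear closed the connection, so no password or key was ever rejected by the server.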
-
Couple things:
1) What distribution of linux are you trying to connect to?
2) What SSH daemon is it running and the version?
3) Are you able to SSH to that box from another linux box or windows box with PuTTY or that FreeBSD box?
It seems like you don't have any authentication methods set for your sshd_config on the linux box except Rhosts authentication through PAM? Hmm... does your sshd_config file have a line that says
UsePAM yes
in it?
Might be you've got a funny /etc/pam.d/ssh setup. If your linux box is using PAM for handling authentication for ssh then maybe somehow the config is messed up. Hard to tell.
HMMM.... maybe... maybe it's your dropbear configuration? I've heard of dropbear, and tried it on my Z once on the guyhelm kernel and it just wouldn't work for some reason. I'm not sure if it uses the same configuration or not but you might check your ssh_config file on the Z as it may be that it isn't defining the right auth method to use on outgoing connections and since it can't agree with your other linux box on what auth method it wants to use it just quits.
-
Couple things:
1) What distribution of linux are you trying to connect to?
Ubuntu Breezy, Hoary and FreeBSD
2) What SSH daemon is it running and the version?
debug1: sshd version OpenSSH_3.8.1p1 FreeBSD-20040419
debug1: sshd version OpenSSH_4.1p1 Debian-7ubuntu3
3) Are you able to SSH to that box from another linux box or windows box with PuTTY or that FreeBSD box?
I can quite happily ssh from every box to every other box, and from these to the Z, but not the other way round.
It seems like you don't have any authentication methods set for your sshd_config on the linux box except Rhosts authentication through PAM? Hmm... does your sshd_config file have a line that says
UsePAM yes
in it?
on the Ubuntu box I have PasswordAuthentication yes
and nothing on the freebsd box
Might be you've got a funny /etc/pam.d/ssh setup. If your linux box is using PAM for handling authentication for ssh then maybe somehow the config is messed up. Hard to tell.
All I have is the default config, I've never needed to play with it so I haven't.
HMMM.... maybe... maybe it's your dropbear configuration? I've heard of dropbear, and tried it on my Z once on the guyhelm kernel and it just wouldn't work for some reason. I'm not sure if it uses the same configuration or not but you might check your ssh_config file on the Z as it may be that it isn't defining the right auth method to use on outgoing connections and since it can't agree with your other linux box on what auth method it wants to use it just quits.
What do you use for ssh on your Z?
-
I use the regular old openssh package on my Z. Never had any problems with it. You should be able to search around for it just by looking for openssh ipk.
Hmm... do you have an sshd server running on your Z? If you do, are you able to do a:
ssh -vvv localhost
and post the output? Wondering if you can even log into yourself or not.
You might also go to your linux box and try running the same ssh -vvv localhost and posting the output so I can see what auth methods that system is accepting.
Does your sshd_config on the linux box have 'UsePrivilegeSeparation yes' set? You might try setting it to 'no' and restarting your sshd on it just to check and see if you're able to login via the Zaurus.