
OpenSSH pubkey problem w/ Solaris 10

Subject: OpenSSH pubkey problem w/ Solaris 10
Date: Thu, 29 Jun 2006 14:38:23 -0700
Hi y'all-

I've got this odd openssh problem with Solaris 10 I was hoping someone could shed some light on. Basically I'm trying to use pubkeys as an auth method, but am having issues. I can log in using passwords no problem, but as soon as it notices a matching public key it closes the connection. I ran the sshd server (on Solaris 10 box) in debug mode and got this output when I tried to log in:

% sshd -d
debug1: sshd version OpenSSH_4.3p2
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/local/openssh.10/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: fd 6 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 11
debug1: inetd sockets after dupping: 4, 4
Connection from 128.114.48.86 port 49490
debug1: Client protocol version 2.0; client software version OpenSSH_3.8.1p1
debug1: match: OpenSSH_3.8.1p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_4.3
debug1: permanently_set_uid: 22/22
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user weiler service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "weiler"
debug1: PAM: setting PAM_RHOST to "banshee.cse.ucsc.edu"
debug1: PAM: setting PAM_TTY to "ssh"
Failed none for weiler from 128.114.48.86 port 49490 ssh2
Failed none for weiler from 128.114.48.86 port 49490 ssh2
debug1: userauth-request for user weiler service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 3495/100 (e=0/0)
debug1: trying public key file /cse/tstaff/weiler/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 3495/100 (e=0/0)
debug1: trying public key file /cse/tstaff/weiler/.ssh/authorized_keys2
debug1: matching key found: file /cse/tstaff/weiler/.ssh/authorized_keys2, line 2
Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
debug1: restore_uid: 0/0
Postponed publickey for weiler from 128.114.48.86 port 49490 ssh2
debug1: userauth-request for user weiler service ssh-connection method publickey
debug1: attempt 2 failures 1
debug1: temporarily_use_uid: 3495/100 (e=0/0)
debug1: trying public key file /cse/tstaff/weiler/.ssh/authorized_keys
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 3495/100 (e=0/0)
debug1: trying public key file /cse/tstaff/weiler/.ssh/authorized_keys2
debug1: matching key found: file /cse/tstaff/weiler/.ssh/authorized_keys2, line 2
Found matching RSA key: 4d:c0:33:3b:dd:75:89:bb:d1:36:e7:17:2b:85:34:9c
debug1: restore_uid: 0/0
debug1: ssh_rsa_verify: signature correct
debug1: do_pam_account: called
Access denied for user weiler by PAM account configuration
debug1: do_cleanup
debug1: PAM: cleanup
Failed publickey for weiler from 128.114.48.86 port 49490 ssh2
debug1: do_cleanup
debug1: PAM: cleanup
%


Again, if I move my public key out of the way and try to log in with a password it works fine. Since it mentions my PAM configuration, here's my /etc/pam.conf file:

login auth requisite          pam_authtok_get.so.1
login auth required           pam_unix_cred.so.1
login auth sufficient         pam_unix_auth.so.1
login auth sufficient         pam_krb5.so.1
login auth sufficient         pam_ldap.so.1
#
dtsession       auth sufficient         pam_unix_auth.so.1
dtsession       auth sufficient         pam_krb5.so.1
dtsession       auth sufficient         pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite          pam_authtok_get.so.1
other auth required           pam_unix_cred.so.1
other auth sufficient         pam_unix_auth.so.1
other auth sufficient         pam_krb5.so.1
other auth sufficient         pam_ldap.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth sufficient         pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
passwd   account sufficient        pam_unix_account.so.1
passwd   account sufficient        pam_ldap.so.1
#
other   account sufficient        pam_unix_account.so.1
other   account sufficient        pam_ldap.so.1
other   account sufficient        pam_krb5.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session sufficient      pam_unix_session.so.1
other   session sufficient      pam_ldap.so.1
other   session sufficient      pam_krb5.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

Would any of you guys happen to have a clue as to where I'm going wrong? Thanks a million in advance!

ciao, erich
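
One way to see which pam.conf entries the failing `do_pam_account` step in the log consults, as an added example that is not part of the original post. It assumes OpenSSH registers with PAM under the service name `sshd`, embeds only the account lines of the posted file as a constructed sample, and uses a simplified model of the control flags.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "service mtype flag module")

# Constructed sample: the account lines copied from the posted /etc/pam.conf.
PAM_CONF = """\
cron    account required        pam_unix_account.so.1
passwd   account sufficient        pam_unix_account.so.1
passwd   account sufficient        pam_ldap.so.1
#
other   account sufficient        pam_unix_account.so.1
other   account sufficient        pam_ldap.so.1
other   account sufficient        pam_krb5.so.1
"""

def parse(text):
    """Return pam.conf entries, skipping comments and incomplete lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            entries.append(Entry(*fields[:4]))
    return entries

def stack_for(entries, service, mtype):
    """Entries for service/mtype; fall back to 'other' when none exist."""
    own = [e for e in entries if (e.service, e.mtype) == (service, mtype)]
    if own:
        return service, own
    return "other", [e for e in entries if (e.service, e.mtype) == ("other", mtype)]

def evaluate(stack, ok):
    """Simplified control-flag model; ok maps module name -> bool result."""
    failed_required = succeeded = False
    for e in stack:
        if ok.get(e.module, False):
            succeeded = True
            if e.flag in ("sufficient", "binding") and not failed_required:
                return True   # early success ends the stack
        elif e.flag in ("required", "requisite", "binding"):
            failed_required = True
            if e.flag == "requisite":
                return False  # requisite failure ends the stack
    return succeeded and not failed_required

if __name__ == "__main__":
    # "sshd" is an assumed service name, not taken from the post.
    source, stack = stack_for(parse(PAM_CONF), "sshd", "account")
    print(f"account stack for sshd comes from '{source}':")
    for e in stack:
        print(f"  {e.flag:<10} {e.module}")
    print("all modules fail ->", evaluate(stack, {}))
```

With no `sshd` lines in the file, the account check falls through to the three `other account sufficient` modules, and under this model the stack is denied only when none of them returns success for the user.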
