Debian Bug report logs - #428968
openssh-server: password based authentication not working following upgrade

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Adar Dembo <adembo@gmail.com>

To: submit@bugs.debian.org

Subject: openssh-server: password based authentication not working following upgrade

Date: Fri, 15 Jun 2007 02:02:00 -0700

Package: openssh-server
Version: 1:4.6p1-1
Severity: grave
Justification: renders package unusable

After upgrading to 1:4.6p1-1 from 1:4.3p2-11, I can no longer login to my
machine using password-based authentication. I've experienced this on two
different machines now, leading me to file this report. I've compared 
the new
versions of /etc/ssh/sshd_config and /etc/pam.d/ssh to the versions prior to
the upgrade, but they're completely identical. Private key 
authentication still
appears to work.

I've also noticed (on both machines) that following the upgrade, I see 
this in
my auth.log when sshd starts up:
Jun 15 01:41:09 localhost sshd[11004]: Received signal 15; terminating.
Jun 15 01:41:09 localhost sshd[23456]: Server listening on :: port 22.
Jun 15 01:41:09 localhost sshd[23456]: error: Bind to port 22 on 0.0.0.0 
failed:
Address already in use.

The error is new to this version. This may be a red herring, though.

Here are the contents of my sshd_config file:

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for 
RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication no


# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

-- System Information:
Debian Release: lenny/sid
 APT prefers unstable
 APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.20-1-k7 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser  3.102                           Add and remove users and groups
ii  debconf  1.5.13                          Debian configuration 
management sy
ii  dpkg     1.14.4                          package maintenance system 
for Deb
ii  libc6    2.5-11                          GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2007.04.07+dfsg-2 common error description 
library
ii  libkrb53 1.6.dfsg.1-4                    MIT Kerberos runtime libraries
ii  libpam-m 0.79-4                          Pluggable Authentication 
Modules f
ii  libpam-r 0.79-4                          Runtime support for the PAM 
librar
ii  libpam0g 0.79-4                          Pluggable Authentication 
Modules l
ii  libselin 2.0.15-2                        SELinux shared libraries
ii  libssl0. 0.9.8e-5                        SSL shared libraries
ii  libwrap0 7.6.dbs-13                      Wietse Venema's TCP 
wrappers libra
ii  lsb-base 3.1-23.1                        Linux Standard Base 3.1 
init scrip
ii  openssh- 1:4.6p1-1                       secure shell client, an 
rlogin/rsh
ii  zlib1g   1:1.2.3-15                      compression library - runtime

openssh-server recommends no packages.

-- debconf information:
 ssh/insecure_rshd:
 ssh/insecure_telnetd:
 ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/disable_cr_auth: false
 ssh/encrypted_host_key_but_no_keygen:

Message #10 received at 428968@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Adar Dembo <adembo@gmail.com>, 428968@bugs.debian.org

Subject: Re: Bug#428968: openssh-server: password based authentication not working following upgrade

Date: Fri, 15 Jun 2007 11:35:04 +0100

On Fri, Jun 15, 2007 at 02:02:00AM -0700, Adar Dembo wrote:
> After upgrading to 1:4.6p1-1 from 1:4.3p2-11, I can no longer login to my
> machine using password-based authentication. I've experienced this on two
> different machines now, leading me to file this report.

Hmm. I can't reproduce this here. Could you stop sshd, run 'sshd -ddd'
(you'll then need to restart sshd afterwards), and try to connect using
'ssh -vvv'? Then send me both verbose logs.

> I've also noticed (on both machines) that following the upgrade, I see
> this in my auth.log when sshd starts up:
> Jun 15 01:41:09 localhost sshd[11004]: Received signal 15; terminating.
> Jun 15 01:41:09 localhost sshd[23456]: Server listening on :: port 22.
> Jun 15 01:41:09 localhost sshd[23456]: error: Bind to port 22 on 0.0.0.0 
> failed: Address already in use.
> 
> The error is new to this version. This may be a red herring, though.

I see that too, and (provisionally) I think it's a red herring, but
we'll see.

-- 
Colin Watson                                       [cjwatson@debian.org]

Message #15 received at 428968@bugs.debian.org (full text, mbox, reply):

From: Daniel Hulme <st@istic.org>

To: Debian Bug Tracking System <428968@bugs.debian.org>

Subject: openssh-server: I also get failed pw auth after upgrade; logs included

Date: Fri, 15 Jun 2007 13:05:40 +0100

[Message part 1 (text/plain, inline)]

Package: openssh-server
Version: 1:4.6p1-1
Followup-For: Bug #428968

I get the same problem on my AMD64 box. I attach the logs of running
sshd -ddd and connecting thereto with ssh -vvv. Ignore the bit about
running sshd on port 23: I run it on a non-default port as an obscurity
mechanism to stop worms eating my bandwidth with futile dictionary
attacks.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (400, 'testing'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18 (PREEMPT)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser  3.102                           Add and remove users and groups
ii  debconf  1.5.13                          Debian configuration management sy
ii  dpkg     1.14.4                          package maintenance system for Deb
ii  libc6    2.5-11                          GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2007.04.07+dfsg-2 common error description library
ii  libkrb53 1.6.dfsg.1-4                    MIT Kerberos runtime libraries
ii  libpam-m 0.79-4                          Pluggable Authentication Modules f
ii  libpam-r 0.79-4                          Runtime support for the PAM librar
ii  libpam0g 0.79-4                          Pluggable Authentication Modules l
ii  libselin 2.0.15-2                        SELinux shared libraries
ii  libssl0. 0.9.8e-5                        SSL shared libraries
ii  libwrap0 7.6.dbs-13                      Wietse Venema's TCP wrappers libra
ii  lsb-base 3.1-23.1                        Linux Standard Base 3.1 init scrip
ii  openssh- 1:4.6p1-1                       secure shell client, an rlogin/rsh
ii  zlib1g   1:1.2.3-15                      compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
  ssh/disable_cr_auth: false

-- 
"After all, one can't complain.  I have my friends. Somebody spoke to me
only  yesterday.  And was it  last week or  the week before  that Rabbit
bumped into  me and said  'Bother!'  The Social Round.  Always something
going on."  -- A. A. Milne, 'Winnie-the-Pooh'  http://surreal.istic.org/

[ssh.log (text/plain, attachment)]

[sshd.log (text/plain, attachment)]

[signature.asc (application/pgp-signature, inline)]

Message #20 received at 428968@bugs.debian.org (full text, mbox, reply):

From: "Adar Dembo" <adembo@gmail.com>

To: "Colin Watson" <cjwatson@debian.org>

Cc: 428968@bugs.debian.org

Subject: Re: Bug#428968: openssh-server: password based authentication not working following upgrade

Date: Fri, 15 Jun 2007 12:58:10 -0700

[Message part 1 (text/plain, inline)]

> > After upgrading to 1:4.6p1-1 from 1:4.3p2-11, I can no longer login to
> my
> > machine using password-based authentication. I've experienced this on
> two
> > different machines now, leading me to file this report.
>
> Hmm. I can't reproduce this here. Could you stop sshd, run 'sshd -ddd'
> (you'll then need to restart sshd afterwards), and try to connect using
> 'ssh -vvv'? Then send me both verbose logs.
>
>

I've attached both logs. For what it's worth, you can probably downgrade the
severity on this, because if I set PasswordAuthentication to "yes" in
sshd_config, it does ask for my password and I'm able to login successfully.

[Message part 2 (text/html, inline)]

[sshd.log (text/x-log, attachment)]

[ssh.log (text/x-log, attachment)]

Message #25 received at 428968@bugs.debian.org (full text, mbox, reply):

From: Good Times <aaron@rdu90.com>

To: Debian Bug Tracking System <428968@bugs.debian.org>

Subject: openssh-server: logging in using my shared keys no longer working after upgrade

Date: Sun, 17 Jun 2007 16:28:43 -0500

[Message part 1 (text/plain, inline)]

Package: openssh-server
Version: 1:4.6p1-1
Followup-For: Bug #428968

After upgrading, I cannot log into my machine. 

 $ ssh zoe
 Permission denied (publickey).

i wanted to append this case to this bug because it seems like the two
things are related

i'm attaching a sshd -ddd and my ssh -vvv output


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser  3.102                           Add and remove users and groups
ii  debconf  1.5.13                          Debian configuration management sy
ii  dpkg     1.14.4                          package maintenance system for Deb
ii  libc6    2.5-11                          GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2007.04.07+dfsg-2 common error description library
ii  libkrb53 1.6.dfsg.1-4                    MIT Kerberos runtime libraries
ii  libpam-m 0.79-4                          Pluggable Authentication Modules f
ii  libpam-r 0.79-4                          Runtime support for the PAM librar
ii  libpam0g 0.79-4                          Pluggable Authentication Modules l
ii  libselin 2.0.15-2                        SELinux shared libraries
ii  libssl0. 0.9.8e-5                        SSL shared libraries
ii  libwrap0 7.6.dbs-13                      Wietse Venema's TCP wrappers libra
ii  lsb-base 3.1-23.1                        Linux Standard Base 3.1 init scrip
ii  openssh- 1:4.6p1-1                       secure shell client, an rlogin/rsh
ii  zlib1g   1:1.2.3-15                      compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:

[ssh.client.log (text/plain, attachment)]

[sshd.log (text/plain, attachment)]

Message #30 received at 428968@bugs.debian.org (full text, mbox, reply):

From: keith001@writeme.com

To: 428968@bugs.debian.org

Subject: openssh-server: logging in using my shared keys no longer working after upgrade

Date: Mon, 18 Jun 2007 12:19:56 -0400

For what it's worth, I encountered the same problem after updating.

My sshd config used to read:
    ## commented out for password ssh: ChallengeResponseAuthentication no
    PasswordAuthentication no
which I understand:
- don't not process passwords at sshd level
- yes to Challenge/Response (handled by pam if I remember correctly)

Adding:
    ChallengeResponseAuthentication yes
made it work again.

Which would mean that:
- the default value to ChallengeResponseAuthentication switched from Y to N with this update;
- people who report being surprised of having "PasswordAuthentication no" in their config were
probably using challenge/response as I did.

I think I remember there was a reason for using challenge/response through pam instead 
of direct password.
I see some activity about that in the changelog (1:4.1p1-1 for instance, says:
"Disable ChallengeResponseAuthentication in new installations, returning
     to PasswordAuthentication by default, since it now supports PAM and
     apparently works better with a non-threaded sshd (closes: #247521).")

Anybody knowledgeable has an opinion?

Thanks

Message #35 received at 428968@bugs.debian.org (full text, mbox, reply):

From: Ryan Murray <rmurray@debian.org>

To: 428968@bugs.debian.org

Subject: changes needed to config

Date: Mon, 18 Jun 2007 16:39:22 -0700

ssh 4.6p1 defaults to having challenge_response_authentication and
kbd_interaction_authentication to off.  The shipped config file does
not set either option by default.  This means that PAM is disabled by
default.  A KbdInteractiveAuthentication yes or
ChallengeResponseAuthentication yes is needed to enable PAM based
authentication.

Changing PasswordAuthentication enables non-PAM based password
authentication.  Doing this while UsePAM is set to yes ends up
disabling checks for locked accounts and shadow-based expiry, as well
as ignoring any sort of pam config you might have setup.

Message #40 received at 428968@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Ryan Murray <rmurray@debian.org>, 428968@bugs.debian.org

Subject: Re: Bug#428968: changes needed to config

Date: Tue, 19 Jun 2007 17:29:43 +0100

On Mon, Jun 18, 2007 at 04:39:22PM -0700, Ryan Murray wrote:
> ssh 4.6p1 defaults to having challenge_response_authentication and
> kbd_interaction_authentication to off.

Assuming you mean the defaults in the code, where do you see that?
servconf.c:fill_default_server_options() says:

        if (options->password_authentication == -1)
                options->password_authentication = 1;
        if (options->kbd_interactive_authentication == -1)
                options->kbd_interactive_authentication = 0;
        if (options->challenge_response_authentication == -1)
                options->challenge_response_authentication = 1;

... and parse_server_config applies an additional fixup:

        /* challenge-response is implemented via keyboard interactive */
        if (options->challenge_response_authentication == 1)
                options->kbd_interactive_authentication = 1;

It is true that the configuration file shipped with new installations
turns off ChallengeResponseAuthentication.

> The shipped config file does not set either option by default.  This
> means that PAM is disabled by default.  A KbdInteractiveAuthentication
> yes or ChallengeResponseAuthentication yes is needed to enable PAM
> based authentication.

Certainly it seems that some of those suffering from this bug have
ChallengeResponseAuthentication explicitly disabled, but not all; see
for example the configuration file in #428968, noting my comments above
about the defaults.

I haven't yet found any evidence of an intentional change of behaviour
in this area in 4.6p1, and until I do I still consider this a bug. (If
it was an intentional change, I'll add a NEWS item once I figure out
what's going on.)

-- 
Colin Watson                                       [cjwatson@debian.org]

Message #47 received at 428968@bugs.debian.org (full text, mbox, reply):

From: Edouard Bourguignon <dcen-net-bourguignon.consultant@dgi.finances.gouv.fr>

To: 428968@bugs.debian.org

Subject: (pas de sujet)

Date: Wed, 20 Jun 2007 11:17:03 +0200

i had to put PasswordAuthentication to yes in my sshd_config to get sshd 
working, is it correct? (i mean secure?)

Message #52 received at 428968-close@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: 428968-close@bugs.debian.org

Subject: Bug#428968: fixed in openssh 1:4.6p1-2

Date: Wed, 20 Jun 2007 12:17:07 +0000

Source: openssh
Source-Version: 1:4.6p1-2

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_4.6p1-2_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_4.6p1-2_powerpc.udeb
openssh-client_4.6p1-2_powerpc.deb
  to pool/main/o/openssh/openssh-client_4.6p1-2_powerpc.deb
openssh-server-udeb_4.6p1-2_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_4.6p1-2_powerpc.udeb
openssh-server_4.6p1-2_powerpc.deb
  to pool/main/o/openssh/openssh-server_4.6p1-2_powerpc.deb
openssh_4.6p1-2.diff.gz
  to pool/main/o/openssh/openssh_4.6p1-2.diff.gz
openssh_4.6p1-2.dsc
  to pool/main/o/openssh/openssh_4.6p1-2.dsc
ssh-askpass-gnome_4.6p1-2_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_4.6p1-2_powerpc.deb
ssh-krb5_4.6p1-2_all.deb
  to pool/main/o/openssh/ssh-krb5_4.6p1-2_all.deb
ssh_4.6p1-2_all.deb
  to pool/main/o/openssh/ssh_4.6p1-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 428968@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 20 Jun 2007 11:52:44 +0100
Source: openssh
Binary: ssh-askpass-gnome ssh-krb5 openssh-client-udeb ssh openssh-server openssh-client openssh-server-udeb
Architecture: source powerpc all
Version: 1:4.6p1-2
Distribution: unstable
Urgency: low
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 openssh-client - secure shell client, an rlogin/rsh/rcp replacement
 openssh-client-udeb - secure shell client for the Debian installer (udeb)
 openssh-server - secure shell server, an rshd replacement
 openssh-server-udeb - secure shell server for the Debian installer (udeb)
 ssh        - secure shell client and server (transitional package)
 ssh-askpass-gnome - interactive X program to prompt users for a passphrase for ssh-ad
 ssh-krb5   - secure shell client and server (transitional package)
Closes: 366814 409788 428968 429531
Changes: 
 openssh (1:4.6p1-2) unstable; urgency=low
 .
   * Fix ordering of SYSLOG_LEVEL_QUIET and SYSLOG_LEVEL_FATAL.
   * Clarify that 'ssh -q -q' still prints errors caused by bad arguments
     (i.e. before the logging system is initialised).
   * Suppress "Connection to <host> closed" and "Connection to master closed"
     messages at loglevel SILENT (thanks, Jaap Eldering; closes: #409788).
   * Suppress "Pseudo-terminal will not be allocated because stdin is not a
     terminal" message at loglevels QUIET and SILENT (closes: #366814).
   * Document the SILENT loglevel in sftp-server(8), ssh_config(5), and
     sshd_config(5).
   * Add try-restart action to init script.
   * Add /etc/network/if-up.d/openssh-server to restart sshd when new
     interfaces appear (LP: #103436).
   * Backport from upstream:
     - Move C/R -> kbdint special case to after the defaults have been
       loaded, which makes ChallengeResponse default to yes again. This was
       broken by the Match changes and not fixed properly subsequently
       (closes: #428968).
     - Silence spurious error messages from hang-on-exit fix
       (http://bugzilla.mindrot.org/show_bug.cgi?id=1306, closes: #429531).
Files: 
 963aabe4b7cd7f788536770b3cf29a3a 1062 net standard openssh_4.6p1-2.dsc
 ebbc68228f4ef2c2f265e3eec625cd86 180214 net standard openssh_4.6p1-2.diff.gz
 f9a1e6f711f5eec8780890742758ef88 1062 net extra ssh_4.6p1-2_all.deb
 4017b22f35fc373b2516ed4353c42407 79284 net extra ssh-krb5_4.6p1-2_all.deb
 9d147e37132b4c565c31deee3b5f0d57 711028 net standard openssh-client_4.6p1-2_powerpc.deb
 0a0848a077e3e3f561d62a15a81d5bb7 266820 net optional openssh-server_4.6p1-2_powerpc.deb
 1c877250f2512889f03001c43e546199 89740 gnome optional ssh-askpass-gnome_4.6p1-2_powerpc.deb
 fb34bb3117dc6eef052da77b133e073a 177614 debian-installer optional openssh-client-udeb_4.6p1-2_powerpc.udeb
 f3667dc614930c7e799da3d7e760e8a0 184628 debian-installer optional openssh-server-udeb_4.6p1-2_powerpc.udeb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGeRdJ9t0zAhD6TNERAuYbAJ9jURU+IqjAiWFan0x7eA40pLLC3wCfTkcY
U62KDF1bc5bcR6OA8ojq3Mw=
=rxlL
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.