Debian Bug report logs - #429619
openssh-server upgrade kills ability to login using password

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Andy Gardner <andy@navigator.co.nz>

To: submit@bugs.debian.org

Subject: openssh-server upgrade kills ability to login using password

Date: Tue, 19 Jun 2007 02:03:44 -0500

Package: openssh-server
Version: 1:4.6p1-1

Upgraded openssh-server from 1:4.3p2-10

openssh-server installed new version of /etc/init.d/ssh

openssh-client upgraded at same time , installing new version of /etc/ 
ssh/ssh_config

Problem is, I upgraded kernel at same time, so did a reboot.

Now, when I try to login to the server (from an OSX machine) using  
password, I get "Permission denied (publickey).

Can't get to the server anymore.

What changed between 1:4.3p2-10 and 1:4.6p1-1 that broke password  
based login?

Here's the tail end of ssh -vvv user@host

xxxxxxxxxxxxx

debug1: Found key in /root/.ssh/known_hosts:8
debug2: bits set: 505/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /root/.ssh/identity ((nil))
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug3: no such identity: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

xxxxxxxxxxxxxxx

Message #10 received at 429619@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Andy Gardner <andy@navigator.co.nz>, 429619@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: Bug#429619: openssh-server upgrade kills ability to login using password

Date: Tue, 19 Jun 2007 18:07:36 +0100

severity 429619 grave
merge 428968 429619
thanks

On Tue, Jun 19, 2007 at 02:03:44AM -0500, Andy Gardner wrote:
> Upgraded openssh-server from 1:4.3p2-10
> 
> openssh-server installed new version of /etc/init.d/ssh
> 
> openssh-client upgraded at same time , installing new version of /etc/ 
> ssh/ssh_config
> 
> Problem is, I upgraded kernel at same time, so did a reboot.
> 
> Now, when I try to login to the server (from an OSX machine) using  
> password, I get "Permission denied (publickey).

This is bug #428968; I've found the upstream fix and will upload a
backport shortly.

-- 
Colin Watson                                       [cjwatson@debian.org]

Message #19 received at 429619@bugs.debian.org (full text, mbox, reply):

From: Petr Vandrovec <petr@vmware.com>

To: 429619@bugs.debian.org

Subject: openssh-server: password based authentication not working following upgrade

Date: Thu, 21 Jun 2007 18:06:24 -0700

Hello,
  it is still not quite right.  To work around 4.6p1-1 bug I enabled 
'PasswordAuthenticaion yes' in sshd config file, and it worked great. 
But for 4.6p1-2 I'm prompted for password, and then thing crashes (Works 
fine with key based authentication):

petr-dev3:/var/log# ssh localhost -l petr
Password:
Read from remote host localhost: Connection reset by peer
Connection to localhost closed.
petr-dev3:/var/log# tail auth.log
Jun 21 17:50:28 petr-dev3 sshd[5445]: fatal: PAM: pam_setcred(): 
Permission denied
Jun 21 17:50:41 petr-dev3 login[5411]: (pam_unix) session opened for 
user root by (uid=0)
Jun 21 17:50:41 petr-dev3 login[5448]: ROOT LOGIN  on 'tty1'
Jun 21 17:56:21 petr-dev3 login[5412]: (pam_unix) session opened for 
user root by (uid=0)
Jun 21 17:56:21 petr-dev3 login[5490]: ROOT LOGIN  on 'tty2'
Jun 21 17:56:56 petr-dev3 sshd[5496]: (pam_unix) authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain  user=petr
Jun 21 17:57:00 petr-dev3 sshd[5496]: Accepted keyboard-interactive/pam 
for petr from 127.0.0.1 port 53393 ssh2
Jun 21 17:57:00 petr-dev3 sshd[5499]: (pam_unix) session opened for user 
petr by (uid=0)
Jun 21 17:57:00 petr-dev3 sshd[5499]: fatal: PAM: pam_setcred(): 
Permission denied
Jun 21 17:57:00 petr-dev3 sshd[5499]: (pam_unix) session closed for user 
petr
petr-dev3:/var/log#

After I put 'PasswordAuthentication no' back into sshd config file, 
things look better... (though I do not understand how PAM can work 
without PasswordAuthentication, as server definitely needs my cleartext 
password to be able to send it to PAM...)
							Petr

Message #24 received at 429619@bugs.debian.org (full text, mbox, reply):

From: Colin Watson <cjwatson@debian.org>

To: Petr Vandrovec <petr@vmware.com>, 429619@bugs.debian.org

Subject: Re: Bug#429619: openssh-server: password based authentication not working following upgrade

Date: Fri, 22 Jun 2007 10:22:09 +0100

On Thu, Jun 21, 2007 at 06:06:24PM -0700, Petr Vandrovec wrote:
>   it is still not quite right.  To work around 4.6p1-1 bug I enabled 
> 'PasswordAuthenticaion yes' in sshd config file, and it worked great. 
> But for 4.6p1-2 I'm prompted for password, and then thing crashes (Works 
> fine with key based authentication):
> 
> petr-dev3:/var/log# ssh localhost -l petr
> Password:
> Read from remote host localhost: Connection reset by peer
> Connection to localhost closed.
> petr-dev3:/var/log# tail auth.log
> Jun 21 17:50:28 petr-dev3 sshd[5445]: fatal: PAM: pam_setcred(): 
> Permission denied
> Jun 21 17:50:41 petr-dev3 login[5411]: (pam_unix) session opened for 
> user root by (uid=0)
> Jun 21 17:50:41 petr-dev3 login[5448]: ROOT LOGIN  on 'tty1'
> Jun 21 17:56:21 petr-dev3 login[5412]: (pam_unix) session opened for 
> user root by (uid=0)
> Jun 21 17:56:21 petr-dev3 login[5490]: ROOT LOGIN  on 'tty2'
> Jun 21 17:56:56 petr-dev3 sshd[5496]: (pam_unix) authentication failure; 
> logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost.localdomain  user=petr
> Jun 21 17:57:00 petr-dev3 sshd[5496]: Accepted keyboard-interactive/pam 
> for petr from 127.0.0.1 port 53393 ssh2
> Jun 21 17:57:00 petr-dev3 sshd[5499]: (pam_unix) session opened for user 
> petr by (uid=0)
> Jun 21 17:57:00 petr-dev3 sshd[5499]: fatal: PAM: pam_setcred(): 
> Permission denied
> Jun 21 17:57:00 petr-dev3 sshd[5499]: (pam_unix) session closed for user 
> petr
> petr-dev3:/var/log#

This looks like an entirely separate bug. Could you please check
/var/log/auth.log on the server to see if there's anything logged there,
and if not file this separately?

> After I put 'PasswordAuthentication no' back into sshd config file, 
> things look better... (though I do not understand how PAM can work 
> without PasswordAuthentication, as server definitely needs my cleartext 
> password to be able to send it to PAM...)

Look up ChallengeResponseAuthentication.

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]

Send a report that this bug log contains spam.