OpenSSH allows local logins but not remote
Posted by Eddie on December 11th, 2003


I'm trying to get OpenSSH set up on this box, so I can connect into it
for doing "stuff" when I'm working away.

I've compiled and installed OpenSSH (3.7p1), including PAM support
(./configure --with-pam), and added a PAM control file (/etc/pam.d/sshd).

I /think/ I've got things right so far, because on this machine (the
server) I can type:

$ ssh servername

.... and when it prompts for my password, I type it in, and I connect as
expected.

However, when I try to connect from another machine, using the same
method[1], it always refuses the password.

The most information I can get from running sshd in debug mode
(sshd -ddd) is:

debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed password for [username] from [ipaddress] port 3602

.... which basically tells me everything I already knew, but doesn't
really tell me *why* the user's not authenticated.

Anybody like to give me a hint to set me looking in the right direction?


[1] Using PuTTY or F-Secure SSH Client[2]
[2] Yes, it's a W*nd*ws box
--
Eddie mailto:eddie@deguello.org

Posted by Dave Brown on December 12th, 2003


In article <lptarb.8sl.ln@deguello.org>, Eddie wrote:
I'm assuming you don't have a firewall stopping you.

You might try to connect from elsewhere with Linux (e.g., using Knoppix if
you don't have Linux installed on your work machine). When using the
openssh client, if you invoke "-v", "-vv", etc., you get instant feedback
on the client side.

If you compiled with libwrap, you may need to put some entries in
/etc/hosts.allow (see 'man 5 hosts_access'). I don't know if libwrap
is a default compile option or not.

And you might post your /etc/pam.d/sshd file. (I suppose if you wanted to
check to see if it's a pam problem, you could make all the entries
"optional".)

--
Dave Brown Austin, TX

Posted by Simon Waters on December 12th, 2003


Dave Brown wrote:
I've had this after upgrading OpenSSH. I'm pretty sure the "fix" was to
upgrade the clients to the same version (yes they were Linux, but I
didn't try PuTTY yet).

So this would be high up my list.

.....and check the other log files in /var/log...



Posted by Eddie on December 12th, 2003


Eddie wrote:
< snip >
Well, somebody said something that got me going: I tried F-Secure's
command-line ssh client, and that worked (much to my surprise).

So, comparing the debug output from a successful and a failed connection
attempt, I noticed that the successful attempts were using "method
keyboard-interactive", but the failed attempts were using "method password".

I double-checked my pam.d/sshd, but that looked fine.

Then I thought I'd try compiling --with-md5-passwords... and it all
started working.

Now that's very odd, isn't it? The INSTALL documentation says:
--with-md5-passwords will enable the use of MD5 passwords. Enable this
if your operating system uses MD5 passwords without using PAM.

So, does "method keyboard-interactive" use PAM, but "method password"
bypass it somehow? Or is there something else wrong somewhere?

--
Eddie mailto:eddie@deguello.org
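
The comparison described in the post above (which authentication method each attempt used, and whether it succeeded) can be tallied from sshd output. This is an added example, not part of the original thread; the log lines are constructed samples, and the user name and addresses are placeholders.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd debug/log lines; user name and addresses are placeholders.
SAMPLE_LOG = """\
debug1: userauth-request for user eddie service ssh-connection method none
debug1: userauth-request for user eddie service ssh-connection method password
debug3: mm_auth_password: user not authenticated
Failed password for eddie from 192.0.2.10 port 3602 ssh2
debug1: userauth-request for user eddie service ssh-connection method none
debug1: userauth-request for user eddie service ssh-connection method keyboard-interactive
Accepted keyboard-interactive/pam for eddie from 192.0.2.11 port 3610 ssh2
"""

REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
RESULT = re.compile(
    r"\b(Accepted|Failed) (\S+) for (?:(?:invalid|illegal) user )?(\S+) from (\S+) port \d+"
)

def requested_methods(log_text):
    """Count how often each method was requested ('none' is the client's initial probe)."""
    return Counter(m.group(2) for m in REQUEST.finditer(log_text) if m.group(2) != "none")

def outcomes_by_method(log_text):
    """Map method -> {'Accepted': n, 'Failed': n, 'sources': set of client addresses}."""
    stats = defaultdict(lambda: {"Accepted": 0, "Failed": 0, "sources": set()})
    for m in RESULT.finditer(log_text):
        outcome, method, _user, source = m.groups()
        method = method.split("/")[0]  # 'keyboard-interactive/pam' -> 'keyboard-interactive'
        stats[method][outcome] += 1
        stats[method]["sources"].add(source)
    return dict(stats)

def always_failing(stats):
    """Methods that were tried but never produced an 'Accepted' line."""
    return sorted(m for m, s in stats.items() if s["Failed"] and not s["Accepted"])

if __name__ == "__main__":
    stats = outcomes_by_method(SAMPLE_LOG)
    for method, s in sorted(stats.items()):
        print(f"{method}: accepted={s['Accepted']} failed={s['Failed']} from {sorted(s['sources'])}")
    print("never succeeded:", always_failing(stats))
```

A method that appears under "never succeeded" while another method works for the same account points at the server-side handling of that method rather than at the password itself.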


