Step 5.1 General Troubleshooting

The primary purpose of this guide is to provide basic, step-by-step instructions for quickly installing, configuring, and using OpenSSH. Of course, as with most new ventures , you will most likely run into unexpected problems along the way. OpenSSH runs on numerous platforms so of course it would be an incredible, if not impossible , task to address all known problems encountered on every platform. This section was never intended to address every known problem but rather is intended to be a guide to help with general troubleshooting of SSH issues and also to address specific common problems.

You may have other troubleshooting techniques to share or may learn of solutions to new problems you encounter “ if you would like to share your findings, you are encouraged to do so via e-mail to openssh@sans.org.

Action 5 1 1 Verify download and installation configuration of software

If you are encountering problems just getting OpenSSH to run, and/or are receiving error messages that indicate an install or configure problem, then of course the first place to start is to review the installation/configuration steps for the OpenSSH pre-requisite software and for OpenSSH itself (see Section I). Remember that certain software - such as Zlib and OpenSSL - must be installed before OpenSSH, since OpenSSH relies on them.

Before you get into specific install reviews, it's a good idea to make sure that you have a valid download file. It might appear obvious that you don't have a download problem if you were able to "unpack", install and compile the source code “ but stranger things have happened . Make sure that the size of the downloaded file (typically .tar, .Z, .gz, .zip) is equal to that provided (usually) by the download site. If you performed an FTP download, check the site to determine if it was necessary to perform a BIN (binary) transfer ” and if so, make sure that you did so (To perform a binary transfer, enter "BIN" at the "ftp>" prompt). You should also verify any checksums provided for downloaded files.

To ensure that the OpenSSH content is complete and has not been corrupted in transit or maliciously modified, the PGP signature should also be checked. Note that a trojaned version of OpenSSH has previously been placed on hacked mirror FTP sites (See CERT CA-2002-24 for details). Unfortunately, the where- abouts of the OpenSSH public key are not well publicized at the time of this writing. The public key currently used to sign OpenSSH belongs to Damien Miller (Personal Key) and may be retrieved from PGP key servers using id 86FF9C48. The following example commands use the open source GNU Privacy Guard (GPG) from http://www.gnupg.org/.

The key is also available from the mirror FTP sites, however, if you retrieve it from the same FTP server from which you downloaded the software, you run the risk that both have been maliciously altered . Once the key is imported, the tar bundle can be verified . It is not necessary to assign any trust to the key.

$> gpg --keyserver wwwkeys.pgp.net --recv-keys 86FF9C48

 $> gpg --list-keys 86FF9C48
 pub 1024D/86FF9C48 2001-02-26 Damien Miller (Personal Key) 
 sub 2048g/AA2B1C41 2001-02-26
 $> gpg --verify openssh-3.5p1.tar.gz.sig openssh-3.5p1.tar.gz
 gpg: Signature made Thu Oct 3 21:34:43 2002 EDT using DSA key ID 86FF9C48
 gpg: Good signature from "Damien Miller (Personal Key) "

 Could not find a valid trust path to the key. Let's see whether we can assign some missing owner
 trust values.

 No path leading to one of our keys found.

 gpg: WARNING: This key is not certified with a trusted signature!
 gpg: There is no indication that the signature belongs to the owner.
 gpg: Fingerprint: 3981 992A 1523 ABA0 79DB FC66 CE8E CB03 86FF 9C48

Many open-source tools provide a significant amount of verbose output when they are installed, so it can be easy to overlook error messages. Therefore, it's a good idea to review any install messages/logs for the pre-requisite software if you still have them. If these are not available, then you may still be able to validate the installations “ most of the open-source tools come with helpful installation/configuration documentation. Check for INSTALL and README files within the directories where you stored the source code for each package. These files frequently provide good detail and can be of great help. For example, notice the INSTALL and README files that are provided with the OpenSSL distribution:

# pwd
 /usr/local/openssl-0.9.6g
 # ls
 CHANGES MacOS apps include perl
 CHANGES.SSLeay Makefile bugs install.com rehash.time
 Configure Makefile.org certs libRSAglue.a rsaref
 FAQ Makefile.ssl config libcrypto.a shlib
 INSTALL NEWS crypto libssl.a ssl
 INSTALL.MacOS PROBLEMS demos makevms.com test
 INSTALL.VMS README doc ms times
 INSTALL.W32 README.ENGINE e_os.h openssl.doxy tools
 LICENSE VMS e_os2.h openssl.spec util


Action 5 1 2 Verify OpenSSH commands are in the UNIX search path

If you get a "not found" error when trying to invoke one of the OpenSSH executables (ssh, slogin , scp, sftp, etc), then make sure that the UNIX PATH environment variable includes the location of the executables; otherwise the OpenSSH commands' location will have to be provided when the executables are invoked. For example:

$ ssh server.example.com
 ssh: not found
 $ echo $PATH
 /usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/bin:/usr/ucb:/usr/ccs/bin

To update the search PATH, first verify the location of the executables. For example, if you installed the executables in the /usr/local/bin directory, the following commands in a Bourne-, Korn-, or Z-Shell will ensure that this directory will be searched:

$ PATH=$PATH:/usr/local/bin; export PATH
 $ echo $PATH
 /usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/bin:/usr/ucb:/usr/ccs/bin:/usr/local/bin

A subsequent SSH attempt is now successful:

$ ssh server.example.com
 sshuser@server.example.com's password: *******
 Last login: Mon Feb 17 14:05:03 2003 from client.example.com
 $


Action 5 1 3 Utilize verbose option to OpenSSH commands

Sometimes the “v verbose option available with most of the OpenSSH commands can provide insight. This option provides much more detail than is normally received. For example, here is the previous connection attempt using the “v flag:

$ ssh -v server.example.com
 OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
 debug1: Reading configuration data /usr/local/etc/ssh_config
 debug1: Rhosts Authentication disabled, originating port will not be trusted.
 debug1: ssh_connect: needpriv 0
 debug1: Connecting to server.example.com [172.16.121.6] port 22.
 debug1: Connection established.
 debug1: identity file /home/sshuser/.ssh/id_rsa type 1
 debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1
 debug1: match: OpenSSH_3.4p1 pat OpenSSH*
 debug1: Enabling compatibility mode for protocol 2.0
 debug1: Local version string SSH-2.0-OpenSSH_3.5p1
 debug1: SSH2_MSG_KEXINIT sent
 debug1: SSH2_MSG_KEXINIT received
 debug1: kex: server->client aes128-cbc hmac-md5 none
 debug1: kex: client->server aes128-cbc hmac-md5 none
 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
 debug1: dh_gen_key: priv key bits set: 113/256
 debug1: bits set: 1602/3191
 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
 debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
 debug1: Host 'server.example.com' is known and matches the RSA host key.
 debug1: Found key in /home/sshuser/.ssh/known_hosts:1
 debug1: bits set: 1595/3191
 debug1: ssh_rsa_verify: signature correct
 debug1: kex_derive_keys
		debug1: newkeys: mode
 debug1: SSH2_MSG_NEWKEYS sent
 debug1: waiting for SSH2_MSG_NEWKEYS
 debug1: newkeys: mode 0
 debug1: SSH2_MSG_NEWKEYS received
 debug1: done: ssh_kex2.
 debug1: send SSH2_MSG_SERVICE_REQUEST
 debug1: service_accept: ssh-userauth
 debug1: got SSH2_MSG_SERVICE_ACCEPT
 debug1: authentications that can continue: publickey,password,keyboard-interactive
 debug1: next auth method to try is publickey
 debug1: try pubkey: /export/home/sshuser/.ssh/id_rsa
 debug1: authentications that can continue: publickey,password,keyboard-interactive
 debug1: next auth method to try is keyboard-interactive
 debug1: authentications that can continue: publickey,password,keyboard-interactive
 debug1: next auth method to try is password
 sshuser@server.example.com's password

As you can see, the verbose flag provides helpful debugging information - in this example, the client " knows " about the server (i.e. this is not the first SSH connection attempt), the client and server have "negotiated" to use the SSHv2 protocol, and public key authentication has failed (possibly this type of authentication has not yet been configured or the permissions for the file containing the private key have not been set to a secure level), so the UNIX password authentication is tried next (default behavior for SSH authentication).

Tech Tip  

You should note that multiple -v options are supported - e.g. ssh -vv server.example.com . For each additional “v provided, more verbose output will be provided.


Action 5 1 4 Utilize OpenSSH server daemon log

By default, the OpenSSH server daemon (sshd) logs certain information, such as authentication failures, to the UNIX syslog facility. These messages can sometimes provide insight, especially if the problem is just an incorrect password or passphrase. For example, here is an entry indicating an authentication failure on an OpenSSH server:

Feb 19 13:37:50 server.example.com sshd[10024]: [ID 800047 auth.crit] fatal: Timeout before
 authentication for 172.16.121.16.

You can get much more verbose output in the OpenSSH server log file by restarting the sshd daemon with the -d (debug) command line option. For example, on the OpenSSH server:

# /usr/local/sbin/sshd -d &
 [1] 14027

If you use the “d flag, be prepared to wade through a lot of detail. The following is the verbose output from a client connection whereby the public key authentication failed and therefore UNIX password authentication was used (which is the default sshd behavior):

debug1: sshd version OpenSSH_3.4p1
 debug1: read PEM private key done: type RSA
 debug1: private host key: #0 type 1 RSA
 debug1: read PEM private key done: type DSA
 debug1: private host key: #1 type 2 DSA
 debug1: Bind to port 22 on ::.
 Server listening on :: port 22.
 debug1: Bind to port 22 on 0.0.0.0.
 Server listening on 0.0.0.0 port 22.
 debug1: Server will not fork when running in debugging mode.
 Connection from 172.16.121.16 port 33672
 debug1: Client protocol version 2.0; client software version OpenSSH_3.5p1
 debug1: match: OpenSSH_3.5p1 pat OpenSSH*
 Enabling compatibility mode for protocol 2.0
 debug1: Local version string SSH-2.0-OpenSSH_3.4p1
 debug1: list_hostkey_types: ssh-rsa,ssh-dss
 debug1: SSH2_MSG_KEXINIT sent
		debug1: SSH2_MSG_KEXINIT received
 debug1: kex: client->server aes128-cbc hmac-md5 none
 debug1: kex: server->client aes128-cbc hmac-md5 none
 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
 debug1: dh_gen_key: priv key bits set: 133/256
 debug1: bits set: 1590/3191
 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
 debug1: bits set: 1617/3191
 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
 debug1: kex_derive_keys
 debug1: newkeys: mode 1
 debug1: SSH2_MSG_NEWKEYS sent
 debug1: waiting for SSH2_MSG_NEWKEYS
 debug1: newkeys: mode 0
 debug1: SSH2_MSG_NEWKEYS received
 debug1: KEX done
 debug1: userauth-request for user sshuser service ssh-connection method none
 debug1: attempt 0 failures 0
 Failed none for sshuser from 172.16.121.16 port 33672 ssh2
 Failed none for sshuser from 172.16.121.16 port 33672 ssh2
 debug1: userauth-request for user sshuser service ssh-connection method publickey
 debug1: attempt 1 failures 1
		debug1: test whether pkalg/pkblob are acceptable
 debug1: temporarily_use_uid: 1009/150 (e=0)
 debug1: trying public key file /home/sshuser/.ssh/authorized_keys
 debug1: matching key found: file /home/sshuser/.ssh/authorized_keys, line 1
 Found matching RSA key: a4:93:99:99:29:9f:41:9d:af:21:54:b6:8f:3e:ce:c6
 debug1: restore_uidPostponed publickey for sshuser from 172.16.121.16 port 33672 ssh2
 debug1: userauth-request for user sshuser service ssh-connection method keyboard-interactive
 debug1: attempt 2 failures 1
 debug1: keyboard-interactive devs
 debug1: auth2_challenge: user=sshuser devs=
 debug1: kbdint_alloc: devices "Failed keyboard-interactive for sshuser from
 172.16.121.16 port 33672 ssh2
 debug1: userauth-request for user sshuser service ssh-connection method password
 debug1: attempt 3 failures 2Failed password for sshuser from 172.16.121.16 port 33672 ssh2Failed password for sshuser from
 172.16.121.16 port 33672 ssh2
 debug1: userauth-request for user sshuser service ssh-connection method password
 debug1: attempt 4 failures 3
 Accepted password for sshuser from 172.16.121.16 port 33672 ssh2
 debug1: monitor_child_preauth: sshuser has been authenticated by privileged process
 Accepted password for sshuser from 172.16.121.16 port 33672 ssh2
 debug1: newkeys: mode 0
 debug1: newkeys: mode 1
 debug1: Entering interactive session for SSH2.
 debug1: fd 4 setting O_NONBLOCK
 debug1: fd 5 setting O_NONBLOCK
 debug1: server_init_dispatch_20
 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
 debug1: input_session_request
 debug1: channel 0: new [server-session]
 debug1: session_new: init
 debug1: session_new: session 0
 debug1: session_open: channel 0
 debug1: session_open: session 0: link with channel 0
 debug1: server_input_channel_open: confirm session
 debug1: server_input_channel_req: channel 0 request pty-req reply 0
 debug1: session_by_channel: session 0 channel 0
 debug1: session_input_channel_req: session 0 req pty-req
 debug1: Allocating pty.
 debug1: session_new: init
 debug1: session_new: session 0
 debug1: session_pty_req: session 0 alloc /dev/pts/22
 debug1: server_input_channel_req: channel 0 request x11-req reply 0
 debug1: session_by_channel: session 0 channel 0
 debug1: session_input_channel_req: session 0 req x11-req
 debug1: fd 12 setting O_NONBLOCK
 debug1: channel 1: new [X11 inet listener]
 debug1: fd 13 setting O_NONBLOCK
 debug1: channel 2: new [X11 inet listener]
 debug1: server_input_channel_req: channel 0 request shell reply 0
 debug1: session_by_channel: session 0 channel 0
 debug1: session_input_channel_req: session 0 req shell
Tech Tip  

Multiple -d options can be utilized when launching the OpenSSH daemon - e.g. usr/local/sbin/sshd -d -d & to provide an additional level of debugging detail.


Action 5 1 5 Run the OpenSSH Server in foreground verbose mode

Running the server in foreground debug mode ( “D “d ) is very useful for debugging a wide variety of connection problems. When run in the foreground, the server will need to be restarted for each connection attempt:

# /usr/local/sbin/sshd -D -d

 debug1: Seeding random number generator
 debug1: sshd version OpenSSH_3.0.1p1
 debug1: private host key: #0 type 0 RSA1
 debug1: read PEM private key done: type RSA
 debug1: private host key: #1 type 1 RSA
 debug1: read PEM private key done: type DSA
 debug1: private host key: #2 type 2 DSA
 debug1: Bind to port 22 on 192.168.102.12.
 Server listening on 192.168.102.12 port 22.
 debug1: Bind to port 22 on 216.55.177.197.
 Server listening on 192.168.102.12 port 22.
 debug1: Server will not fork when running in debugging mode.
 Connection from 10.10.102.84 port 1446
 debug1: Client protocol version 2.0; client software version PuTTY-Release-0.53b
 debug1: no match: PuTTY-Release-0.53b
 Enabling compatibility mode for protocol 2.0
 debug1: Local version string SSH-2.0-OpenSSH_3.0.1p1
 debug1: Rhosts Authentication disabled, originating port 1446 not trusted.
 debug1: list_hostkey_types: ssh-rsa,ssh-dss
 debug1: SSH2_MSG_KEXINIT sent
 debug1: SSH2_MSG_KEXINIT received
 debug1: kex: client->server 3des-cbc hmac-sha1 none
 debug1: kex: server->client 3des-cbc hmac-sha1 none
 debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD received
 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
 debug1: dh_gen_key: priv key bits set: 193/384
 debug1: bits set: 1595/3191
 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
 debug1: bits set: 1599/3191
 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
 debug1: kex_derive_keys
 debug1: newkeys: mode 1
 debug1: SSH2_MSG_NEWKEYS sent
 debug1: waiting for SSH2_MSG_NEWKEYS
 debug1: newkeys: mode 0
 debug1: SSH2_MSG_NEWKEYS received
 debug1: KEX done




OpenSSH. A Survival Guide for Secure Shell Handling, Version 1.0
OpenSSH: A Survival Guide for Secure Shell Handling (Version 1.0)
ISBN: 0972427384
EAN: 2147483647
Year: 2002
Pages: 90

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net