Portál AbcLinuxu, 26. dubna 2024 03:42
journalctl -u sshd.service -f mi dá pouze úspěšná připojení. A ausearch -x "/usr/sbin/sshd" sice dá i neuspěšné, ale není to log sshd s důvody. Moje otázka je jak to tedy v systemd udělat? získat logy obdobné včetně neuspěšných připojení a důvodů jako byly v /var/log/auth.log. (a nebo jak původní log zapnout vedle systemd)
Řešení dotazu:
journalctl -u sshd zobrazí kompletní log sshd:
Mar 25 22:46:02 example.com sshd[2798]: Connection closed by 109.169.67.58 [preauth] Mar 25 22:47:21 example.com sshd[2798]: Connection closed by 109.251.138.236 [preauth] Mar 25 22:48:07 example.com sshd[2798]: Invalid user admin from 116.246.27.145 Mar 25 22:48:07 example.com sshd[2798]: input_userauth_request: invalid user admin [preauth] Mar 25 22:48:07 example.com sshd[2798]: Connection closed by 116.246.27.145 [preauth] Mar 25 22:50:20 example.com sshd[2798]: Did not receive identification string from 109.251.138.236 Mar 25 22:50:53 example.com sshd[2798]: Connection closed by 109.169.67.58 [preauth] Mar 25 22:54:33 example.com sshd[2798]: Accepted publickey for xxx from 10.0.85.123 port 63370 ssh2: RSA Mar 25 22:54:33 example.com sshd[23218]: pam_unix(sshd:session): session opened for user xxx by (uid=0)Když v logu pokus o připojení nevidíte, klient asi spojení se správným serverem vůbec nenaváže – což nejspíš bude ta hledaná chyba.
ssh -vvv root@noraza OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to noraza [2001:xxxx:xxxx:xxxx::561] port 22. debug1: Connection established. debug1: identity file /var/lib/BackupPC/.ssh/identity type -1 debug1: identity file /var/lib/BackupPC/.ssh/identity-cert type -1 debug3: Not a RSA1 key file /var/lib/BackupPC/.ssh/id_rsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug1: identity file /var/lib/BackupPC/.ssh/id_rsa type 1 debug1: identity file /var/lib/BackupPC/.ssh/id_rsa-cert type -1 debug1: identity file /var/lib/BackupPC/.ssh/id_dsa type -1 debug1: identity file /var/lib/BackupPC/.ssh/id_dsa-cert type -1 debug1: identity file /var/lib/BackupPC/.ssh/id_ecdsa type -1 debug1: identity file /var/lib/BackupPC/.ssh/id_ecdsa-cert type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1 debug1: match: OpenSSH_6.6.1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug3: Wrote 960 bytes for a total of 981 debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug3: Wrote 24 bytes for a total of 1005 debug2: dh_gen_key: priv key bits set: 109/256 debug2: bits set: 503/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: Wrote 144 bytes for a total of 1149 Connection closed by 2001:xxxx:xxxx:xxxx::561A pomrví se to někde kolem Diffie-Hellman protokolu na výměnu klíče. Nicméně ssh se nahazovalo a nedojelo až do autentizace a potřebuji vědět proč to noraza típla. Z výpisu plyne, že to zavřel server. Ale v journalctl je až výsledek po autentizaci. Ten samý klient připojující se na 3. dopadne správně.
ssh -vvv root@dnopytle OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to dnopytle [10.0.0.10] port 22. debug1: Connection established. debug1: identity file /var/lib/BackupPC/.ssh/identity type -1 debug1: identity file /var/lib/BackupPC/.ssh/identity-cert type -1 debug3: Not a RSA1 key file /var/lib/BackupPC/.ssh/id_rsa. debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: missing keytype debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug3: key_read: missing whitespace debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: missing keytype debug1: identity file /var/lib/BackupPC/.ssh/id_rsa type 1 debug1: identity file /var/lib/BackupPC/.ssh/id_rsa-cert type -1 debug1: identity file /var/lib/BackupPC/.ssh/id_dsa type -1 debug1: identity file /var/lib/BackupPC/.ssh/id_dsa-cert type -1 debug1: identity file /var/lib/BackupPC/.ssh/id_ecdsa type -1 debug1: identity file /var/lib/BackupPC/.ssh/id_ecdsa-cert type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1 debug1: match: OpenSSH_6.6.1 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.3 debug2: fd 3 setting O_NONBLOCK debug1: SSH2_MSG_KEXINIT sent debug3: Wrote 960 bytes for a total of 981 debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: found hmac-md5 debug1: kex: server->client aes128-ctr hmac-md5 none debug2: mac_setup: found hmac-md5 debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug3: Wrote 24 bytes for a total of 1005 debug2: dh_gen_key: priv key bits set: 127/256 debug2: bits set: 504/1024 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: Wrote 144 bytes for a total of 1149 debug3: check_host_in_hostfile: host dnopytle filename /var/lib/BackupPC/.ssh/known_hosts debug3: check_host_in_hostfile: host dnopytle filename /var/lib/BackupPC/.ssh/known_hosts debug3: check_host_in_hostfile: match line 2 debug3: check_host_in_hostfile: host 10.0.0.10 filename /var/lib/BackupPC/.ssh/known_hosts debug3: check_host_in_hostfile: host 10.0.0.10 filename /var/lib/BackupPC/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug1: Host 'dnopytle' is known and matches the RSA host key. debug1: Found key in /var/lib/BackupPC/.ssh/known_hosts:2 debug2: bits set: 528/1024 debug1: ssh_rsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: Wrote 16 bytes for a total of 1165 debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug3: Wrote 48 bytes for a total of 1213 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /var/lib/BackupPC/.ssh/identity ((nil)) debug2: key: /var/lib/BackupPC/.ssh/id_rsa (0x1b7bcf0) debug2: key: /var/lib/BackupPC/.ssh/id_dsa ((nil)) debug2: key: /var/lib/BackupPC/.ssh/id_ecdsa ((nil)) debug3: Wrote 64 bytes for a total of 1277 debug1: Authentications that can continue: publickey,keyboard-interactive debug3: start over, passed a different list publickey,keyboard-interactive debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Trying private key: /var/lib/BackupPC/.ssh/identity debug3: no such identity: /var/lib/BackupPC/.ssh/identity debug1: Offering public key: /var/lib/BackupPC/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug3: Wrote 368 bytes for a total of 1645 debug1: Server accepts key: pkalg ssh-rsa blen 277 debug2: input_userauth_pk_ok: SHA1 fp 6c:03:0a:d2:6b:bf:99:4e:57:06:66:1e:d3:83:b8:4d:20:f1:ee:d4 debug3: sign_and_send_pubkey: RSA 6c:03:0a:d2:6b:bf:99:4e:57:06:66:1e:d3:83:b8:4d:20:f1:ee:d4 debug1: read PEM private key done: type RSA debug3: Wrote 640 bytes for a total of 2285 debug1: Authentication succeeded (publickey). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug3: Wrote 128 bytes for a total of 2413 debug2: callback start debug2: client_session2_setup: id 0 debug2: channel 0: request pty-req confirm 1 debug1: Sending environment. debug3: Ignored env HOSTNAME debug3: Ignored env SHELL debug3: Ignored env TERM debug3: Ignored env HISTSIZE debug3: Ignored env QTDIR debug3: Ignored env QTINC debug3: Ignored env USER debug3: Ignored env LS_COLORS debug3: Ignored env MAIL debug3: Ignored env PATH debug3: Ignored env PWD debug1: Sending env LANG = en_US.UTF-8 debug2: channel 0: request env confirm 0 debug3: Ignored env HISTCONTROL debug3: Ignored env SHLVL debug3: Ignored env HOME debug3: Ignored env LOGNAME debug3: Ignored env QTLIB debug3: Ignored env CVS_RSH debug3: Ignored env LESSOPEN debug3: Ignored env G_BROKEN_FILENAMES debug3: Ignored env _ debug2: channel 0: request shell confirm 1 debug2: fd 3 setting TCP_NODELAY debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug3: Wrote 448 bytes for a total of 2861 debug2: channel_input_status_confirm: type 99 id 0 debug2: PTY allocation request accepted on channel 0 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: shell request accepted on channel 0 Last login: Fri Mar 18 09:01:17 2016 Have a lot of fun... dnopytle:~ #(a v IPv6 to samozřejmě není když to první neuspěšné spojení udělám s -4 tak stejně neprojde) stejně tak, když se připojuji s 3 na 2 tak to také projde.
dnopytle:~ # ssh -vvv noraza OpenSSH_6.6.1, OpenSSL 1.0.1k-fips 8 Jan 2015 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 20: Applying options for * debug2: ssh_connect: needpriv 0 debug1: Connecting to noraza [2001:xxxx:xxxx:xxxx::d39] port 22. debug1: Connection established. debug1: permanently_set_uid: 0/0 debug3: Incorrect RSA1 identifier debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key debug1: identity file /root/.ssh/id_rsa type 1 debug1: identity file /root/.ssh/id_rsa-cert type -1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: identity file /root/.ssh/id_dsa-cert type -1 debug1: identity file /root/.ssh/id_ecdsa type -1 debug1: identity file /root/.ssh/id_ecdsa-cert type -1 debug1: identity file /root/.ssh/id_ed25519 type -1 debug1: identity file /root/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.6.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1 debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug3: load_hostkeys: loading entries for host "noraza" from file "/root/.ssh/known_hosts" debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:25 debug3: load_hostkeys: loaded 1 keys debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-ed25519,ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: none,zlib@openssh.com debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_setup: setup hmac-md5-etm@openssh.com debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none debug2: mac_setup: setup hmac-md5-etm@openssh.com debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none debug1: sending SSH2_MSG_KEX_ECDH_INIT debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug1: Server host key: ECDSA 74:58:72:b9:3f:7a:32:e8:d0:21:6b:ae:46:b7:15:cb [MD5] debug3: load_hostkeys: loading entries for host "noraza" from file "/root/.ssh/known_hosts" debug3: load_hostkeys: found key type ECDSA in file /root/.ssh/known_hosts:25 debug3: load_hostkeys: loaded 1 keys debug3: load_hostkeys: loading entries for host "2001:xxxx:xxxx:xxxx::d39" from file "/root/.ssh/known_hosts" debug3: load_hostkeys: loaded 0 keys debug1: Host 'noraza' is known and matches the ECDSA host key. debug1: Found key in /root/.ssh/known_hosts:25 Warning: Permanently added the ECDSA host key for IP address '2001:xxxx:xxxx:xxxx::d39' to the list of known hosts. debug1: ssh_ecdsa_verify: signature correct debug2: kex_derive_keys debug2: set_newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug2: key: /root/.ssh/id_rsa (0x7f343193daf0), debug2: key: /root/.ssh/id_dsa ((nil)), debug2: key: /root/.ssh/id_ecdsa ((nil)), debug2: key: /root/.ssh/id_ed25519 ((nil)), debug1: Authentications that can continue: publickey,keyboard-interactive debug3: start over, passed a different list publickey,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /root/.ssh/id_rsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: Server accepts key: pkalg ssh-rsa blen 535 debug2: input_userauth_pk_ok: fp 33:f3:63:1b:45:f6:3a:bd:ab:e9:6b:e1:01:b1:0e:bb [MD5] debug3: sign_and_send_pubkey: RSA 33:f3:63:1b:45:f6:3a:bd:ab:e9:6b:e1:01:b1:0e:bb [MD5] debug1: key_parse_private2: missing begin marker debug1: read PEM private key done: type RSA debug1: Authentication succeeded (publickey). Authenticated to noraza ([2001:xxxx:xxxx:xxxx::d39]:22). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug1: Requesting no-more-sessions@openssh.com debug1: Entering interactive session. debug2: callback start debug2: fd 3 setting TCP_NODELAY debug3: packet_set_tos: set IPV6_TCLASS 0x10 debug2: client_session2_setup: id 0 debug2: channel 0: request pty-req confirm 1 debug1: Sending environment. debug3: Ignored env LESSKEY debug3: Ignored env XDG_VTNR debug3: Ignored env NNTPSERVER debug3: Ignored env MANPATH debug3: Ignored env XDG_SESSION_ID debug3: Ignored env HOSTNAME debug3: Ignored env XKEYSYMDB debug3: Ignored env HOST debug3: Ignored env SHELL debug3: Ignored env TERM debug3: Ignored env PROFILEREAD debug3: Ignored env HISTSIZE debug3: Ignored env MORE debug3: Ignored env JRE_HOME debug3: Ignored env USER debug3: Ignored env LS_COLORS debug3: Ignored env XNLSPATH debug3: Ignored env QEMU_AUDIO_DRV debug3: Ignored env HOSTTYPE debug3: Ignored env CONFIG_SITE debug3: Ignored env FROM_HEADER debug3: Ignored env PAGER debug3: Ignored env CSHEDIT debug3: Ignored env XDG_CONFIG_DIRS debug3: Ignored env MINICOM debug3: Ignored env MAIL debug3: Ignored env PATH debug3: Ignored env CPU debug3: Ignored env JAVA_BINDIR debug3: Ignored env INPUTRC debug3: Ignored env PWD debug3: Ignored env JAVA_HOME debug1: Sending env LANG = cs_CZ.UTF-8 debug2: channel 0: request env confirm 0 debug3: Ignored env PYTHONSTARTUP debug3: Ignored env GPG_TTY debug3: Ignored env AUDIODRIVER debug3: Ignored env QT_SYSTEM_DIR debug3: Ignored env SHLVL debug3: Ignored env XDG_SEAT debug3: Ignored env HOME debug3: Ignored env SDL_AUDIODRIVER debug3: Ignored env ALSA_CONFIG_PATH debug3: Ignored env LESS_ADVANCED_PREPROCESSOR debug3: Ignored env OSTYPE debug3: Ignored env LS_OPTIONS debug3: Ignored env XCURSOR_THEME debug3: Ignored env WINDOWMANAGER debug3: Ignored env G_FILENAME_ENCODING debug3: Ignored env LESS debug3: Ignored env MACHTYPE debug3: Ignored env LOGNAME debug3: Ignored env CVS_RSH debug3: Ignored env XDG_DATA_DIRS debug3: Ignored env LESSOPEN debug3: Ignored env DISPLAY debug3: Ignored env XDG_RUNTIME_DIR debug3: Ignored env XAUTHLOCALHOSTNAME debug3: Ignored env VDPAU_DRIVER debug3: Ignored env LESSCLOSE debug3: Ignored env G_BROKEN_FILENAMES debug3: Ignored env JAVA_ROOT debug3: Ignored env COLORTERM debug3: Ignored env XAUTHORITY debug3: Ignored env BASH_FUNC_mc%% debug3: Ignored env _ debug2: channel 0: request shell confirm 1 debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug2: channel_input_status_confirm: type 99 id 0 debug2: PTY allocation request accepted on channel 0 debug2: channel 0: rcvd adjust 2097152 debug2: channel_input_status_confirm: type 99 id 0 debug2: shell request accepted on channel 0 Last login: Tue May 3 23:34:24 2016 from 2001:xxxx:xxxx:xxxx:xxxx:1f61:d3bf:b75c Have a lot of fun... noraza:~ #Taky je podstatné, že to není nový klient, nové spojení. Fungovalo rok. Nicméně poslední záloha proběhla 1.5.2016 a od té doby se připojení nefunguje. Vzhledem k tomu, že na distro na klientu je roling release opensuse tumbleweed a aktualizací je opravdu hodně, tak mám podezření, že některá přinesla změnu pravidel pro povolené šifrovací algoritmy, (generátory prvočísel) nebo něco podobného, a na šifrách se server nedomluví se starším klientem na CentOS 6. S novějším klientem na opensuse 13.2 se domluví. Stejně tak se CentOS dohodne na algoritmech s 13.2. A nemohu najít, co je chybně.
unknown key type '-----BEGIN'Není poškozený ten id_rsa klíč? Mělo by to být '-----BEGIN RSA...'
journalctl je to, co mu z sshd pošlete. Pokud si myslíte, že sshd spojení odmítne, zvyšte si úroveň logování nebo debugovacích výpisů z sshd. Díky journald ani nemusíte sshd spouštět na popředí, protože journald loguje i to, co služby posílají na standardní výstup nebo chybový výstup.
May 07 12:54:56 noraza.doma sshd[25343]: Connection from 2001:xxxx:xxxx:xxxx:xxxx:4ff:fed8:36f1 port 54470 on 2001:xxxx:xxxx:xxxx::d39 port 22 May 07 12:54:56 noraza.doma sshd[25343]: debug1: Client protocol version 2.0; client software version OpenSSH_5.3 May 07 12:54:56 noraza.doma sshd[25343]: debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000 May 07 12:54:56 noraza.doma sshd[25343]: debug1: Enabling compatibility mode for protocol 2.0 May 07 12:54:56 noraza.doma sshd[25343]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1 May 07 12:54:56 noraza.doma sshd[25343]: debug2: fd 3 setting O_NONBLOCK May 07 12:54:56 noraza.doma sshd[25343]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox May 07 12:54:56 noraza.doma sshd[25343]: debug2: Network child is on pid 25344 May 07 12:54:56 noraza.doma sshd[25343]: debug3: preauth child monitor started May 07 12:54:56 noraza.doma sshd[25343]: debug3: privsep user:group 493:491 [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug1: permanently_set_uid: 493/491 [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug1: SSH2_MSG_KEXINIT sent [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug1: SSH2_MSG_KEXINIT received [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffi May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes2 May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes2 May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com, May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com, May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: reserved 0 [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth] May 07 12:54:56 noraza.doma sshd[25343]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]Pro úspěšné připojení se systému 3 dopadne část výpis takto:
May 07 13:06:09 noraza.doma sshd[25482]: debug1: Client protocol version 2.0; client software version OpenSSH_6.6.1 May 07 13:06:09 noraza.doma sshd[25482]: debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000 May 07 13:06:09 noraza.doma sshd[25482]: debug1: Enabling compatibility mode for protocol 2.0 May 07 13:06:09 noraza.doma sshd[25482]: debug1: Local version string SSH-2.0-OpenSSH_6.6.1 May 07 13:06:09 noraza.doma sshd[25482]: debug2: fd 3 setting O_NONBLOCK May 07 13:06:09 noraza.doma sshd[25482]: debug3: ssh_sandbox_init: preparing seccomp filter sandbox May 07 13:06:09 noraza.doma sshd[25482]: debug2: Network child is on pid 25483 May 07 13:06:09 noraza.doma sshd[25482]: debug3: preauth child monitor started May 07 13:06:09 noraza.doma sshd[25482]: debug3: privsep user:group 493:491 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug1: permanently_set_uid: 493/491 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: ssh_sandbox_child: attaching seccomp filter program [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug1: SSH2_MSG_KEXINIT sent [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug1: SSH2_MSG_KEXINIT received [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffi May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes2 May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes2 May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com, May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com, May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: reserved 0 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffi May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25 May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes2 May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes2 May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com, May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com, May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: first_kex_follows 0 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_parse_kexinit: reserved 0 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: mac_setup: setup hmac-md5-etm@openssh.com [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_send entering: type 118 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_receive entering May 07 13:06:09 noraza.doma sshd[25482]: debug3: monitor_read: checking request 118 May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_send entering: type 119 May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_receive_expect entering: type 119 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_receive entering [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: mac_setup: setup hmac-md5-etm@openssh.com [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_send entering: type 118 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_receive entering May 07 13:06:09 noraza.doma sshd[25482]: debug3: monitor_read: checking request 118 May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_send entering: type 119 May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_receive_expect entering: type 119 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_receive entering [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_key_sign entering [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_send entering: type 6 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_receive_expect entering: type 7 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_receive entering [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_receive entering May 07 13:06:09 noraza.doma sshd[25482]: debug3: monitor_read: checking request 6 May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_answer_sign May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_answer_sign: signature 0x55eef95d7800(101) May 07 13:06:09 noraza.doma sshd[25482]: debug3: mm_request_send entering: type 7 May 07 13:06:09 noraza.doma sshd[25482]: debug2: monitor_read: 6 used once, disabling now May 07 13:06:09 noraza.doma sshd[25482]: debug2: kex_derive_keys [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug2: set_newkeys: mode 1 [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug1: SSH2_MSG_NEWKEYS sent [preauth] May 07 13:06:09 noraza.doma sshd[25482]: debug1: expecting SSH2_MSG_NEWKEYS [preauth] May 07 13:06:15 noraza.doma sshd[25482]: debug2: set_newkeys: mode 0 [preauth] May 07 13:06:15 noraza.doma sshd[25482]: debug1: SSH2_MSG_NEWKEYS received [preauth] May 07 13:06:15 noraza.doma sshd[25482]: debug1: KEX done [preauth] May 07 13:06:15 noraza.doma sshd[25482]: debug1: userauth-request for user root service ssh-connection method none [preauth] May 07 13:06:15 noraza.doma sshd[25482]: debug1: attempt 0 failures 0 [preauth] May 07 13:06:15 noraza.doma sshd[25482]: debug3: mm_getpwnamallow entering [preauth] May 07 13:06:15 noraza.doma sshd[25482]: debug3: mm_request_send entering: type 8 [preauth] May 07 13:06:15 noraza.doma sshd[25482]: debug3: mm_request_receive entering May 07 13:06:15 noraza.doma sshd[25482]: debug3: monitor_read: checking request 8 May 07 13:06:15 noraza.doma sshd[25482]: debug3: mm_answer_pwnamallowa pak následuje asi další dvě stránky. Pokud výpisu rozumím dobře, tak první sada kex_parse_kexinit jsou algoritmy serveru a druhá algoritmy klienta (už to bylo i v tom prvním dotazu ve výpisu klienta, ale tam jsem tomu nerozuměl) a problém myslím, že je tento: Noraza (ssh server) má v seznamu hmac jen s Encrypt-then-MAC (etm) zatímco neúspěšný klient nemá žádné. A teď jak přesvědčit jednu nebo druhou stranu.
ssh -Q mac, konkrétní můžete zvolit parametrem -mac. Povolené algoritmy jsou pak v konfiguračním souboru ssh_config. Pokud se nějaký algoritmus stal nedůvěryhodným a distribuce ho v rámci patchování zakázala, předpokládám, že bude zakázaný jen v konfiguraci ale v binárce bude stále zakompilovaný – kompilace bez toho algoritmu se dělá obvykle až v nějaké hlavní verzi.
Ale povolení nedůvěryhodných algoritmů bych bral až jako poslední možnost, snažil bych se spíš dopracovat k novějším verzím OpenSSH s bezpečnějšími algoritmy, než se vracet ke starším verzím s nedůvěryhodnými algoritmy.
Tiskni
Sdílej:
ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.