Discussion:
Test Failure OpenSSH 7.1 P2 on HPE NSE for key-commands
Randall S. Becker
2016-02-09 23:35:18 UTC
Thread split from my previous communication. Here are the key-commands logs
on the platform.





***************** failed-regress.log ************



trace: AuthorizedKeysCommand with arguments

FAIL: connect failed



trace: AuthorizedKeysCommand without arguments

FAIL: connect failed





***************** failed-ssh.log ************



trace: AuthorizedKeysCommand with arguments

debug1: Executing proxy command: exec sh
/home/git/openssh-portable/regress/sshd-log-wrapper.sh
/home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd
-i -f /home/git/openssh-portable/regress/sshd_proxy

debug1: permanently_drop_suid: 65535

debug1: identity file /home/git/openssh-portable/regress/rsa type 1

debug1: key_load_public: No such file or directory

debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1

debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4

debug1: key_load_public: No such file or directory

debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type
-1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.1

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1

debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000

debug2: fd 6 setting O_NONBLOCK

debug2: fd 5 setting O_NONBLOCK

debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER'

debug1: using hostkeyalias: localhost-with-alias

debug3: hostkeys_foreach: reading file
"/home/git/openssh-portable/regress/known_hosts"

debug3: record_hostkey: found key type RSA in file
/home/git/openssh-portable/regress/known_hosts:1

debug3: record_hostkey: found key type ED25519 in file
/home/git/openssh-portable/regress/known_hosts:2

debug3: load_hostkeys: loaded 2 keys from localhost-with-alias

debug3: hostkeys_foreach: reading file
"/home/git/openssh-portable/regress/known_hosts"

debug3: record_hostkey: found key type RSA in file
/home/git/openssh-portable/regress/known_hosts:1

debug3: record_hostkey: found key type ED25519 in file
/home/git/openssh-portable/regress/known_hosts:2

debug3: load_hostkeys: loaded 2 keys from localhost-with-alias

debug3: order_hostkeyalgs: prefer hostkeyalgs:
ssh-ed25519-cert-***@openssh.com,ssh-rsa-cert-***@openssh.com,ssh-ed25519,ss
h-rsa

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit:
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2
-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange
-sha1,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit:
ssh-ed25519-cert-***@openssh.com,ssh-rsa-cert-***@openssh.com,ssh-ed25519,ss
h-rsa,ecdsa-sha2-nistp256-cert-***@openssh.com,ecdsa-sha2-nistp384-cert-v01@
openssh.com,ecdsa-sha2-nistp521-cert-***@openssh.com,ecdsa-sha2-nistp256,ecd
sa-sha2-nistp384,ecdsa-sha2-nistp521

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b
lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.l
iu.se

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b
lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.l
iu.se

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-***@o
penssh.com,hmac-ripemd160-***@openssh.com,hmac-sha1-96-***@openssh.com,hmac-
md5-96-***@openssh.com,hmac-md5,hmac-ripemd160,hmac-***@openssh.com,hm
ac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-***@o
penssh.com,hmac-ripemd160-***@openssh.com,hmac-sha1-96-***@openssh.com,hmac-
md5-96-***@openssh.com,hmac-md5,hmac-ripemd160,hmac-***@openssh.com,hm
ac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,***@openssh.com,zlib

debug2: kex_parse_kexinit: none,***@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: first_kex_follows 0

debug2: reserved 0

debug2: kex_parse_kexinit:
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2
-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: none,***@openssh.com

debug2: kex_parse_kexinit: none,***@openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: first_kex_follows 0

debug2: reserved 0

debug1: kex: server->client chacha20-***@openssh.com <implicit> none

debug1: kex: client->server chacha20-***@openssh.com <implicit> none

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ssh-ed25519
SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA

debug1: using hostkeyalias: localhost-with-alias

debug3: hostkeys_foreach: reading file
"/home/git/openssh-portable/regress/known_hosts"

debug3: record_hostkey: found key type RSA in file
/home/git/openssh-portable/regress/known_hosts:1

debug3: record_hostkey: found key type ED25519 in file
/home/git/openssh-portable/regress/known_hosts:2

debug3: load_hostkeys: loaded 2 keys from localhost-with-alias

debug3: hostkeys_foreach: reading file
"/home/git/openssh-portable/regress/known_hosts"

debug3: record_hostkey: found key type RSA in file
/home/git/openssh-portable/regress/known_hosts:1

debug3: record_hostkey: found key type ED25519 in file
/home/git/openssh-portable/regress/known_hosts:2

debug3: load_hostkeys: loaded 2 keys from localhost-with-alias

debug1: Host 'localhost-with-alias' is known and matches the ED25519 host
key.

debug1: Found key in /home/git/openssh-portable/regress/known_hosts:2

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /home/git/openssh-portable/regress/rsa (802e0c0), explicit

debug2: key: /home/git/openssh-portable/regress/ed25519 (8023290), explicit

debug1: Authentications that can continue:
publickey,password,keyboard-interactive

debug3: start over, passed a different list
publickey,password,keyboard-interactive

debug3: preferred publickey

debug3: authmethod_lookup publickey

debug3: remaining preferred:

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /home/git/openssh-portable/regress/rsa

debug3: send_pubkey_test

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue:
publickey,password,keyboard-interactive

debug1: Offering ED25519 public key:
/home/git/openssh-portable/regress/ed25519

debug3: send_pubkey_test

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue:
publickey,password,keyboard-interactive

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey,password,keyboard-interactive).

FAIL: connect failed



trace: AuthorizedKeysCommand without arguments

debug1: Executing proxy command: exec sh
/home/git/openssh-portable/regress/sshd-log-wrapper.sh
/home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd
-i -f /home/git/openssh-portable/regress/sshd_proxy

debug1: permanently_drop_suid: 65535

debug1: identity file /home/git/openssh-portable/regress/rsa type 1

debug1: key_load_public: No such file or directory

debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1

debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4

debug1: key_load_public: No such file or directory

debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type
-1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.1

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1

debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000

debug2: fd 6 setting O_NONBLOCK

debug2: fd 5 setting O_NONBLOCK

debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER'

debug1: using hostkeyalias: localhost-with-alias

debug3: hostkeys_foreach: reading file
"/home/git/openssh-portable/regress/known_hosts"

debug3: record_hostkey: found key type RSA in file
/home/git/openssh-portable/regress/known_hosts:1

debug3: record_hostkey: found key type ED25519 in file
/home/git/openssh-portable/regress/known_hosts:2

debug3: load_hostkeys: loaded 2 keys from localhost-with-alias

debug3: hostkeys_foreach: reading file
"/home/git/openssh-portable/regress/known_hosts"

debug3: record_hostkey: found key type RSA in file
/home/git/openssh-portable/regress/known_hosts:1

debug3: record_hostkey: found key type ED25519 in file
/home/git/openssh-portable/regress/known_hosts:2

debug3: load_hostkeys: loaded 2 keys from localhost-with-alias

debug3: order_hostkeyalgs: prefer hostkeyalgs:
ssh-ed25519-cert-***@openssh.com,ssh-rsa-cert-***@openssh.com,ssh-ed25519,ss
h-rsa

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit:
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2
-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange
-sha1,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit:
ssh-ed25519-cert-***@openssh.com,ssh-rsa-cert-***@openssh.com,ssh-ed25519,ss
h-rsa,ecdsa-sha2-nistp256-cert-***@openssh.com,ecdsa-sha2-nistp384-cert-v01@
openssh.com,ecdsa-sha2-nistp521-cert-***@openssh.com,ecdsa-sha2-nistp256,ecd
sa-sha2-nistp384,ecdsa-sha2-nistp521

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b
lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.l
iu.se

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b
lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.l
iu.se

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-***@o
penssh.com,hmac-ripemd160-***@openssh.com,hmac-sha1-96-***@openssh.com,hmac-
md5-96-***@openssh.com,hmac-md5,hmac-ripemd160,hmac-***@openssh.com,hm
ac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-***@o
penssh.com,hmac-ripemd160-***@openssh.com,hmac-sha1-96-***@openssh.com,hmac-
md5-96-***@openssh.com,hmac-md5,hmac-ripemd160,hmac-***@openssh.com,hm
ac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,***@openssh.com,zlib

debug2: kex_parse_kexinit: none,***@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: first_kex_follows 0

debug2: reserved 0

debug2: kex_parse_kexinit:
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2
-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: none,***@openssh.com

debug2: kex_parse_kexinit: none,***@openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: first_kex_follows 0

debug2: reserved 0

debug1: kex: server->client chacha20-***@openssh.com <implicit> none

debug1: kex: client->server chacha20-***@openssh.com <implicit> none

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ssh-ed25519
SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA

debug1: using hostkeyalias: localhost-with-alias

debug3: hostkeys_foreach: reading file
"/home/git/openssh-portable/regress/known_hosts"

debug3: record_hostkey: found key type RSA in file
/home/git/openssh-portable/regress/known_hosts:1

debug3: record_hostkey: found key type ED25519 in file
/home/git/openssh-portable/regress/known_hosts:2

debug3: load_hostkeys: loaded 2 keys from localhost-with-alias

debug3: hostkeys_foreach: reading file
"/home/git/openssh-portable/regress/known_hosts"

debug3: record_hostkey: found key type RSA in file
/home/git/openssh-portable/regress/known_hosts:1

debug3: record_hostkey: found key type ED25519 in file
/home/git/openssh-portable/regress/known_hosts:2

debug3: load_hostkeys: loaded 2 keys from localhost-with-alias

debug1: Host 'localhost-with-alias' is known and matches the ED25519 host
key.

debug1: Found key in /home/git/openssh-portable/regress/known_hosts:2

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /home/git/openssh-portable/regress/rsa (802e0c0), explicit

debug2: key: /home/git/openssh-portable/regress/ed25519 (8023290), explicit

debug1: Authentications that can continue:
publickey,password,keyboard-interactive

debug3: start over, passed a different list
publickey,password,keyboard-interactive

debug3: preferred publickey

debug3: authmethod_lookup publickey

debug3: remaining preferred:

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /home/git/openssh-portable/regress/rsa

debug3: send_pubkey_test

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue:
publickey,password,keyboard-interactive

debug1: Offering ED25519 public key:
/home/git/openssh-portable/regress/ed25519

debug3: send_pubkey_test

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue:
publickey,password,keyboard-interactive

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey,password,keyboard-interactive).

FAIL: connect failed





***************** failed-sshd.log ************



trace: AuthorizedKeysCommand with arguments

debug1: inetd sockets after dupping: 4, 5

Connection from UNKNOWN port 65535 on UNKNOWN port 65535

debug1: Client protocol version 2.0; client software version OpenSSH_7.1

debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.1

debug2: fd 4 setting O_NONBLOCK

debug2: fd 5 setting O_NONBLOCK

debug1: list_hostkey_types: ssh-rsa,ssh-ed25519

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit:
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2
-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: none,***@openssh.com

debug2: kex_parse_kexinit: none,***@openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: first_kex_follows 0

debug2: reserved 0

debug2: kex_parse_kexinit:
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2
-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange
-sha1,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit:
ssh-ed25519-cert-***@openssh.com,ssh-rsa-cert-***@openssh.com,ssh-ed25519,ss
h-rsa,ecdsa-sha2-nistp256-cert-***@openssh.com,ecdsa-sha2-nistp384-cert-v01@
openssh.com,ecdsa-sha2-nistp521-cert-***@openssh.com,ecdsa-sha2-nistp256,ecd
sa-sha2-nistp384,ecdsa-sha2-nistp521

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b
lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.l
iu.se

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b
lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.l
iu.se

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-***@o
penssh.com,hmac-ripemd160-***@openssh.com,hmac-sha1-96-***@openssh.com,hmac-
md5-96-***@openssh.com,hmac-md5,hmac-ripemd160,hmac-***@openssh.com,hm
ac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-***@o
penssh.com,hmac-ripemd160-***@openssh.com,hmac-sha1-96-***@openssh.com,hmac-
md5-96-***@openssh.com,hmac-md5,hmac-ripemd160,hmac-***@openssh.com,hm
ac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,***@openssh.com,zlib

debug2: kex_parse_kexinit: none,***@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: first_kex_follows 0

debug2: reserved 0

debug1: kex: client->server chacha20-***@openssh.com <implicit> none

debug1: kex: server->client chacha20-***@openssh.com <implicit> none

debug1: expecting SSH2_MSG_KEX_ECDH_INIT

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: KEX done

debug1: userauth-request for user SUPER.SUPER service ssh-connection method
none

debug1: attempt 0 failures 0

debug2: parse_server_config: config reprocess config len 506

debug2: input_userauth_request: setting up authctxt for SUPER.SUPER

debug2: input_userauth_request: try method none

Failed none for SUPER.SUPER from UNKNOWN port 65535 ssh2

debug3: userauth_finish: failure partial=0 next
methods="publickey,password,keyboard-interactive"

debug1: userauth-request for user SUPER.SUPER service ssh-connection method
publickey

debug1: attempt 1 failures 0

debug2: input_userauth_request: try method publickey

debug1: test whether pkalg/pkblob are acceptable

debug3: subprocess: AuthorizedKeysCommand command
"/var/run/keycommand_SUPER.SUPER SUPER.SUPER blah
AAAAB3NzaC1yc2EAAAADAQABAAABAQC8RV5U3ot4/aEaY8jnK4CDa99WFPi/DmC2RBiTGrGr6IiI
FRvS/JJlYBpYLE6jKcw9dhLOvJKpdII/pvzZwBAlacYQg3P2ODKLEZpccmFB9tYWqWldPFKkXViQ
R5L9azEVn1sZJtUTfasiiP5008YGAdg4BrO6ipQI0x3G2nl5Wj4FT99qluAruqUblTkx+cU5v5ta
yqOrlEeAXWlwqQEuEWy2Kbfe6JtS53F+DniozOQGqw4iD8HrDoSlj4QGjZgcP7hXn5iGKtBB7rHI
mxCz1SvtGzlOJEy8DZzcp77Wl8ZcnxcQbHVhHt+os8rvYSIaEIVnPc1qnMPCNLzGmrYH ssh-rsa
SHA256:MhINGDV8/uc+x3B2JvlET1kfV3ZBdQqFlTca3CE7wNM blah" running as
SUPER.SUPER

debug1: temporarily_use_uid: 65535/255 (e=65535/255)

Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad
ownership or modes for file /var/run/keycommand_SUPER.SUPER

debug1: restore_uid: 65535/255

debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa

Failed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2

debug3: userauth_finish: failure partial=0 next
methods="publickey,password,keyboard-interactive"

debug1: userauth-request for user SUPER.SUPER service ssh-connection method
publickey

debug1: attempt 2 failures 1

debug2: input_userauth_request: try method publickey

debug1: test whether pkalg/pkblob are acceptable

debug3: subprocess: AuthorizedKeysCommand command
"/var/run/keycommand_SUPER.SUPER SUPER.SUPER blah
AAAAC3NzaC1lZDI1NTE5AAAAILr++ZVA9K4U+y7msLWKQiiPg9bfje2Y0uhDl60vDVko
ssh-ed25519 SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA blah" running
as SUPER.SUPER

debug1: temporarily_use_uid: 65535/255 (e=65535/255)

Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad
ownership or modes for file /var/run/keycommand_SUPER.SUPER

debug1: restore_uid: 65535/255

debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519

Failed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2

debug3: userauth_finish: failure partial=0 next
methods="publickey,password,keyboard-interactive"

FAIL: connect failed



trace: AuthorizedKeysCommand without arguments

debug1: inetd sockets after dupping: 4, 5

Connection from UNKNOWN port 65535 on UNKNOWN port 65535

debug1: Client protocol version 2.0; client software version OpenSSH_7.1

debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.1

debug2: fd 4 setting O_NONBLOCK

debug2: fd 5 setting O_NONBLOCK

debug1: list_hostkey_types: ssh-rsa,ssh-ed25519

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit:
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2
-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: none,***@openssh.com

debug2: kex_parse_kexinit: none,***@openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: first_kex_follows 0

debug2: reserved 0

debug2: kex_parse_kexinit:
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2
-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange
-sha1,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit:
ssh-ed25519-cert-***@openssh.com,ssh-rsa-cert-***@openssh.com,ssh-ed25519,ss
h-rsa,ecdsa-sha2-nistp256-cert-***@openssh.com,ecdsa-sha2-nistp384-cert-v01@
openssh.com,ecdsa-sha2-nistp521-cert-***@openssh.com,ecdsa-sha2-nistp256,ecd
sa-sha2-nistp384,ecdsa-sha2-nistp521

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b
lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.l
iu.se

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b
lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.l
iu.se

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-***@o
penssh.com,hmac-ripemd160-***@openssh.com,hmac-sha1-96-***@openssh.com,hmac-
md5-96-***@openssh.com,hmac-md5,hmac-ripemd160,hmac-***@openssh.com,hm
ac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-***@o
penssh.com,hmac-ripemd160-***@openssh.com,hmac-sha1-96-***@openssh.com,hmac-
md5-96-***@openssh.com,hmac-md5,hmac-ripemd160,hmac-***@openssh.com,hm
ac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,***@openssh.com,zlib

debug2: kex_parse_kexinit: none,***@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: first_kex_follows 0

debug2: reserved 0

debug1: kex: client->server chacha20-***@openssh.com <implicit> none

debug1: kex: server->client chacha20-***@openssh.com <implicit> none

debug1: expecting SSH2_MSG_KEX_ECDH_INIT

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: KEX done

debug1: userauth-request for user SUPER.SUPER service ssh-connection method
none

debug1: attempt 0 failures 0

debug2: parse_server_config: config reprocess config len 484

debug2: input_userauth_request: setting up authctxt for SUPER.SUPER

debug2: input_userauth_request: try method none

Failed none for SUPER.SUPER from UNKNOWN port 65535 ssh2

debug3: userauth_finish: failure partial=0 next
methods="publickey,password,keyboard-interactive"

debug1: userauth-request for user SUPER.SUPER service ssh-connection method
publickey

debug1: attempt 1 failures 0

debug2: input_userauth_request: try method publickey

debug1: test whether pkalg/pkblob are acceptable

debug3: subprocess: AuthorizedKeysCommand command
"/var/run/keycommand_SUPER.SUPER SUPER.SUPER" running as SUPER.SUPER

debug1: temporarily_use_uid: 65535/255 (e=65535/255)

Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad
ownership or modes for file /var/run/keycommand_SUPER.SUPER

debug1: restore_uid: 65535/255

debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa

Failed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2

debug3: userauth_finish: failure partial=0 next
methods="publickey,password,keyboard-interactive"

debug1: userauth-request for user SUPER.SUPER service ssh-connection method
publickey

debug1: attempt 2 failures 1

debug2: input_userauth_request: try method publickey

debug1: test whether pkalg/pkblob are acceptable

debug3: subprocess: AuthorizedKeysCommand command
"/var/run/keycommand_SUPER.SUPER SUPER.SUPER" running as SUPER.SUPER

debug1: temporarily_use_uid: 65535/255 (e=65535/255)

Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad
ownership or modes for file /var/run/keycommand_SUPER.SUPER

debug1: restore_uid: 65535/255

debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519

Failed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2

debug3: userauth_finish: failure partial=0 next
methods="publickey,password,keyboard-interactive"

FAIL: connect failed





***************** regress.log ************



trace: AuthorizedKeysCommand without arguments

FAIL: connect failed



***************** ssh.log ************



trace: AuthorizedKeysCommand without arguments

debug1: Executing proxy command: exec sh
/home/git/openssh-portable/regress/sshd-log-wrapper.sh
/home/git/openssh-portable/regress/sshd.log /home/git/openssh-portable/sshd
-i -f /home/git/openssh-portable/regress/sshd_proxy

debug1: permanently_drop_suid: 65535

debug1: identity file /home/git/openssh-portable/regress/rsa type 1

debug1: key_load_public: No such file or directory

debug1: identity file /home/git/openssh-portable/regress/rsa-cert type -1

debug1: identity file /home/git/openssh-portable/regress/ed25519 type 4

debug1: key_load_public: No such file or directory

debug1: identity file /home/git/openssh-portable/regress/ed25519-cert type
-1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.1

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.1

debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000

debug2: fd 6 setting O_NONBLOCK

debug2: fd 5 setting O_NONBLOCK

debug1: Authenticating to 127.0.0.1:4242 as 'SUPER.SUPER'

debug1: using hostkeyalias: localhost-with-alias

debug3: hostkeys_foreach: reading file
"/home/git/openssh-portable/regress/known_hosts"

debug3: record_hostkey: found key type RSA in file
/home/git/openssh-portable/regress/known_hosts:1

debug3: record_hostkey: found key type ED25519 in file
/home/git/openssh-portable/regress/known_hosts:2

debug3: load_hostkeys: loaded 2 keys from localhost-with-alias

debug3: hostkeys_foreach: reading file
"/home/git/openssh-portable/regress/known_hosts"

debug3: record_hostkey: found key type RSA in file
/home/git/openssh-portable/regress/known_hosts:1

debug3: record_hostkey: found key type ED25519 in file
/home/git/openssh-portable/regress/known_hosts:2

debug3: load_hostkeys: loaded 2 keys from localhost-with-alias

debug3: order_hostkeyalgs: prefer hostkeyalgs:
ssh-ed25519-cert-***@openssh.com,ssh-rsa-cert-***@openssh.com,ssh-ed25519,ss
h-rsa

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit:
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2
-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange
-sha1,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit:
ssh-ed25519-cert-***@openssh.com,ssh-rsa-cert-***@openssh.com,ssh-ed25519,ss
h-rsa,ecdsa-sha2-nistp256-cert-***@openssh.com,ecdsa-sha2-nistp384-cert-v01@
openssh.com,ecdsa-sha2-nistp521-cert-***@openssh.com,ecdsa-sha2-nistp256,ecd
sa-sha2-nistp384,ecdsa-sha2-nistp521

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b
lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.l
iu.se

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b
lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.l
iu.se

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-***@o
penssh.com,hmac-ripemd160-***@openssh.com,hmac-sha1-96-***@openssh.com,hmac-
md5-96-***@openssh.com,hmac-md5,hmac-ripemd160,hmac-***@openssh.com,hm
ac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-***@o
penssh.com,hmac-ripemd160-***@openssh.com,hmac-sha1-96-***@openssh.com,hmac-
md5-96-***@openssh.com,hmac-md5,hmac-ripemd160,hmac-***@openssh.com,hm
ac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,***@openssh.com,zlib

debug2: kex_parse_kexinit: none,***@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: first_kex_follows 0

debug2: reserved 0

debug2: kex_parse_kexinit:
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2
-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: none,***@openssh.com

debug2: kex_parse_kexinit: none,***@openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: first_kex_follows 0

debug2: reserved 0

debug1: kex: server->client chacha20-***@openssh.com <implicit> none

debug1: kex: client->server chacha20-***@openssh.com <implicit> none

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ssh-ed25519
SHA256:lxDml05WuoE61IZePHCwjGYK3aZfa8URdyghBnnBMlA

debug1: using hostkeyalias: localhost-with-alias

debug3: hostkeys_foreach: reading file
"/home/git/openssh-portable/regress/known_hosts"

debug3: record_hostkey: found key type RSA in file
/home/git/openssh-portable/regress/known_hosts:1

debug3: record_hostkey: found key type ED25519 in file
/home/git/openssh-portable/regress/known_hosts:2

debug3: load_hostkeys: loaded 2 keys from localhost-with-alias

debug3: hostkeys_foreach: reading file
"/home/git/openssh-portable/regress/known_hosts"

debug3: record_hostkey: found key type RSA in file
/home/git/openssh-portable/regress/known_hosts:1

debug3: record_hostkey: found key type ED25519 in file
/home/git/openssh-portable/regress/known_hosts:2

debug3: load_hostkeys: loaded 2 keys from localhost-with-alias

debug1: Host 'localhost-with-alias' is known and matches the ED25519 host
key.

debug1: Found key in /home/git/openssh-portable/regress/known_hosts:2

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /home/git/openssh-portable/regress/rsa (802e0c0), explicit

debug2: key: /home/git/openssh-portable/regress/ed25519 (8023290), explicit

debug1: Authentications that can continue:
publickey,password,keyboard-interactive

debug3: start over, passed a different list
publickey,password,keyboard-interactive

debug3: preferred publickey

debug3: authmethod_lookup publickey

debug3: remaining preferred:

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /home/git/openssh-portable/regress/rsa

debug3: send_pubkey_test

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue:
publickey,password,keyboard-interactive

debug1: Offering ED25519 public key:
/home/git/openssh-portable/regress/ed25519

debug3: send_pubkey_test

debug2: we sent a publickey packet, wait for reply

debug1: Authentications that can continue:
publickey,password,keyboard-interactive

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey,password,keyboard-interactive).

FAIL: connect failed



***************** sshd.log ************



trace: AuthorizedKeysCommand without arguments

debug1: inetd sockets after dupping: 4, 5

Connection from UNKNOWN port 65535 on UNKNOWN port 65535

debug1: Client protocol version 2.0; client software version OpenSSH_7.1

debug1: match: OpenSSH_7.1 pat OpenSSH* compat 0x04000000

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.1

debug2: fd 4 setting O_NONBLOCK

debug2: fd 5 setting O_NONBLOCK

debug1: list_hostkey_types: ssh-rsa,ssh-ed25519

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit:
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2
-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-ed25519

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: none,***@openssh.com

debug2: kex_parse_kexinit: none,***@openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: first_kex_follows 0

debug2: reserved 0

debug2: kex_parse_kexinit:
curve25519-***@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2
-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange
-sha1,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit:
ssh-ed25519-cert-***@openssh.com,ssh-rsa-cert-***@openssh.com,ssh-ed25519,ss
h-rsa,ecdsa-sha2-nistp256-cert-***@openssh.com,ecdsa-sha2-nistp384-cert-v01@
openssh.com,ecdsa-sha2-nistp521-cert-***@openssh.com,ecdsa-sha2-nistp256,ecd
sa-sha2-nistp384,ecdsa-sha2-nistp521

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b
lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.l
iu.se

debug2: kex_parse_kexinit:
chacha20-***@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-***@op
enssh.com,aes256-***@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,b
lowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-***@lysator.l
iu.se

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-***@o
penssh.com,hmac-ripemd160-***@openssh.com,hmac-sha1-96-***@openssh.com,hmac-
md5-96-***@openssh.com,hmac-md5,hmac-ripemd160,hmac-***@openssh.com,hm
ac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit:
umac-64-***@openssh.com,umac-128-***@openssh.com,hmac-sha2-256-***@openssh.c
om,hmac-sha2-512-***@openssh.com,hmac-sha1-***@openssh.com,umac-***@openssh.c
om,umac-***@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-***@o
penssh.com,hmac-ripemd160-***@openssh.com,hmac-sha1-96-***@openssh.com,hmac-
md5-96-***@openssh.com,hmac-md5,hmac-ripemd160,hmac-***@openssh.com,hm
ac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,***@openssh.com,zlib

debug2: kex_parse_kexinit: none,***@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: first_kex_follows 0

debug2: reserved 0

debug1: kex: client->server chacha20-***@openssh.com <implicit> none

debug1: kex: server->client chacha20-***@openssh.com <implicit> none

debug1: expecting SSH2_MSG_KEX_ECDH_INIT

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: KEX done

debug1: userauth-request for user SUPER.SUPER service ssh-connection method
none

debug1: attempt 0 failures 0

debug2: parse_server_config: config reprocess config len 484

debug2: input_userauth_request: setting up authctxt for SUPER.SUPER

debug2: input_userauth_request: try method none

Failed none for SUPER.SUPER from UNKNOWN port 65535 ssh2

debug3: userauth_finish: failure partial=0 next
methods="publickey,password,keyboard-interactive"

debug1: userauth-request for user SUPER.SUPER service ssh-connection method
publickey

debug1: attempt 1 failures 0

debug2: input_userauth_request: try method publickey

debug1: test whether pkalg/pkblob are acceptable

debug3: subprocess: AuthorizedKeysCommand command
"/var/run/keycommand_SUPER.SUPER SUPER.SUPER" running as SUPER.SUPER

debug1: temporarily_use_uid: 65535/255 (e=65535/255)

Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad
ownership or modes for file /var/run/keycommand_SUPER.SUPER

debug1: restore_uid: 65535/255

debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa

Failed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2

debug3: userauth_finish: failure partial=0 next
methods="publickey,password,keyboard-interactive"

debug1: userauth-request for user SUPER.SUPER service ssh-connection method
publickey

debug1: attempt 2 failures 1

debug2: input_userauth_request: try method publickey

debug1: test whether pkalg/pkblob are acceptable

debug3: subprocess: AuthorizedKeysCommand command
"/var/run/keycommand_SUPER.SUPER SUPER.SUPER" running as SUPER.SUPER

debug1: temporarily_use_uid: 65535/255 (e=65535/255)

Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad
ownership or modes for file /var/run/keycommand_SUPER.SUPER

debug1: restore_uid: 65535/255

debug2: userauth_pubkey: authenticated 0 pkalg ssh-ed25519

Failed publickey for SUPER.SUPER from UNKNOWN port 65535 ssh2

debug3: userauth_finish: failure partial=0 next
methods="publickey,password,keyboard-interactive"

FAIL: connect failed



-- Brief whoami: NonStop&UNIX developer since approximately
UNIX(421664400)/NonStop(211288444200000000)

-- In my real life, I talk too much.
Randall S. Becker
2016-02-10 00:46:45 UTC
Subject: Re: Test Failure OpenSSH 7.1 P2 on HPE NSE for key-commands
On Wed, Feb 10, 2016 at 10:35 AM, Randall S. Becker
Post by Randall S. Becker
Thread split from my previous communication. Here is the key-commands
logs on the platform.
[...]
OK, in this case the interesting bit is in the failed-sshd.log.
bad
Post by Randall S. Becker
ownership or modes for file /var/run/keycommand_SUPER.SUPER
debug1: restore_uid: 65535/255
sshd ensures that the AuthorizedKeysCommand can't be modified by a non-
privileged user for obvious reasons.
Based on what you said earlier, your root (equivalent?) user is not uid 0. I
suspect that the permissions on the keycommand file do not match sshd's
expectations. The code that checks this is in
auth2-pubkey.c:subprocess() which calls auth.c:auth_secure_path().
What are the file permissions on /var/run/keycommand_SUPER.SUPER and
its parent directories? Did you run the test with SUDO=sudo? Where did
SUPER.SUPER come from?
SUPERUSER ends up being 65535, which is root on this platform. SUPER.SUPER is the actual name of root. /var and /var/run are both 755, while /var/run/keycommand_SUPER.SUPER is 644.

We do have to run the whole test suite under sudo anyway.
Darren Tucker
2016-02-10 00:27:35 UTC
On Wed, Feb 10, 2016 at 10:35 AM, Randall S. Becker
Post by Randall S. Becker
Thread split from my previous communication. Here is the key-commands logs
on the platform.
[...]

OK, in this case the interesting bit is in the failed-sshd.log.
Post by Randall S. Becker
Unsafe AuthorizedKeysCommand "/var/run/keycommand_SUPER.SUPER": bad
ownership or modes for file /var/run/keycommand_SUPER.SUPER
debug1: restore_uid: 65535/255
sshd ensures that the AuthorizedKeysCommand can't be modified by a
non-privileged user for obvious reasons.

Based on what you said earlier, your root (equivalent?) user is not
uid 0. I suspect that the permissions on the keycommand file do not
match sshd's expectations. The code that checks this is in
auth2-pubkey.c:subprocess() which calls auth.c:auth_secure_path().

What are the file permissions on /var/run/keycommand_SUPER.SUPER and
its parent directories? Did you run the test with SUDO=sudo? Where
did SUPER.SUPER come from?
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Darren Tucker
2016-02-10 01:04:34 UTC
On Tue, Feb 09, 2016 at 07:46:45PM -0500, Randall S. Becker wrote:
[...]
Post by Randall S. Becker
SUPERUSER ends up being 65535, which is root on this platform. SUPER.SUPER
is the actual name of root. /var and /var/run are both 755, while
/var/run/keycommand_SUPER.SUPER is 644.
OK, I think the ownership is the problem.

auth2-pubkey.c:subprocess() does this:

    if (stat(av[0], &st) < 0)
    [...]
    if (auth_secure_path(av[0], &st, NULL, 0,
        errmsg, sizeof(errmsg)) != 0) {
            error("Unsafe %s \"%s\": %s", tag, av[0], errmsg);

The 4th arg to auth_secure_path is the UID we expect the file to be owned by.

If you apply the following and compile with -DROOT_UID=65535 does it work?
What does ./config.guess report the platform as?

diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 41b34ae..bdcb2c2 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -420,7 +420,7 @@ subprocess(const char *tag, struct passwd *pw, const char *command,
restore_uid();
return 0;
}
- if (auth_secure_path(av[0], &st, NULL, 0,
+ if (auth_secure_path(av[0], &st, NULL, ROOT_UID,
errmsg, sizeof(errmsg)) != 0) {
error("Unsafe %s \"%s\": %s", tag, av[0], errmsg);
restore_uid();
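Review bot: The expected owner passed as the fourth argument to auth_secure_path() in subprocess() is now whatever ROOT_UID expands to, and nothing at the call site says so. This value decides which uid may own the AuthorizedKeysCommand helper, so a one-line comment naming it as the platform's superuser uid belongs here, and any other owner check that still passes a literal 0 should be reviewed so the checks do not disagree with this one.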
diff --git a/defines.h b/defines.h
index a438ddd..7489fef 100644
--- a/defines.h
+++ b/defines.h
@@ -857,4 +857,8 @@ struct winsize {
# define USE_SYSTEM_GLOB
#endif

+#ifndef ROOT_UID
+# define ROOT_UID 0
+#endif
+
#endif /* _DEFINES_H */
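Review bot: The ROOT_UID fallback added just before the closing #endif of defines.h carries no comment, and its value arrives straight from -DROOT_UID on the compiler command line, so a mistyped value silently changes which uid sshd accepts as owner of the helper. Document the macro where it is defined, and have configure set it for the affected platform instead of relying on hand-edited CFLAGS.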
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Randall S. Becker
2016-02-10 15:12:45 UTC
Subject: Re: Test Failure OpenSSH 7.1 P2 on HPE NSE for key-commands
[...]
Post by Randall S. Becker
SUPERUSER ends up being 65535, which is root on this platform.
SUPER.SUPER is the actual name of root. /var and /var/run are both
755, while /var/run/keycommand_SUPER.SUPER is 644.
OK, I think the ownership is the problem.
Confirmed.
if (stat(av[0], &st) < 0)
[...]
if (auth_secure_path(av[0], &st, NULL, 0,
errmsg, sizeof(errmsg)) != 0) {
error("Unsafe %s \"%s\": %s", tag, av[0], errmsg);
The 4th arg to auth_secure_path is the UID we expect the file to be owned
by.
If you apply the following and compile with -DROOT_UID=65535 does it
work?
Replacing
if (auth_secure_path(av[0], &st, NULL, 0,
with
if (auth_secure_path(av[0], &st, NULL, SUPERUSER,

Causes the keys-command test to pass! I would prefer this change to
introducing ROOT_UID as a duplicate since we already have SUPERUSER. What
I'm not sure about is whether SUPERUSER originated with a branch of ours or
not. To be investigated later. The original #define we had was in include.h
#define SUPERUSER 0, which we wrapped defining SUPERUSER 65535 on our
platform and it is used throughout. No real issue changing it to ROOT_UID if
we must.
What does ./config.guess report the platform as?
From config.status:
S["host_os"]="nsk"
S["host_vendor"]="tandem"
S["host_cpu"]="nse"
S["host"]="nse-tandem-nsk"
S["build_os"]="nsk"
S["build_vendor"]="tandem"
S["build_cpu"]="nse"
S["build"]="nse-tandem-nsk"

Cheers,
Randall

-- Brief whoami: NonStop&UNIX developer since approximately
UNIX(421664400)/NonStop(211288444200000000)
-- In my real life, I talk too much.
