
SSH Password problem...

Hi...

...bit of a terminal newbie so bear with me...

I'm trying to connect to a remote host using ssh username@hostip

I receive the password prompt but entering the correct password (after 5 attempts) gives 'Permission denied, please try again'.

I have tested using two different existing accounts with the same result...also a bogus username still prompted me for a password?!

My local machine is running 10.5.5 and the host 10.4x. Port forwarding for port 22 is correct for the host machine.

I have tried removing the known_hosts file from my local machine as per some other posts...same result.

Do I need to forward port 22 from my local router to my local machine?

Any pointers much appreciated.

Posted on Oct 20, 2008 5:23 AM


Oct 20, 2008 8:32 AM in response to joelbald

You would not get a password prompt unless you were talking to an sshd daemon on the other end. No port forwarding is needed on the local system. Port forwarding allows the outside world in. It has nothing to do with letting the inside world out.

Experiment 1

ssh username@localhost

This will log into yourself.

Experiment 2 - getting more diagnostic information out of ssh

ssh -vvv username@remote.system.address

This is going to spit out a log of debugging information. Look at it carefully and see if you can identify why you are being rejected.

Next, go to the remote system and look in /var/log/system.log (you can do this from Applications -> Utilities -> Console, or from a terminal session on the remote system).

Finally, does the remote system have its Firewall enabled? I suspect not, as you were able to talk to the sshd daemon, but check anyway.

Oct 21, 2008 3:09 AM in response to Tim Haigh

Thanks for all of your responses...

I tried the verbose login with the following results:

joel:~ joelwork$ ssh -vvv user@hostip
OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to hostip port 22.
debug1: Connection established.
debug1: identity file /Users/joelwork/.ssh/identity type -1
debug1: identity file /Users/joelwork/.ssh/id_rsa type -1
debug1: identity file /Users/joelwork/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 143/256
debug2: bits set: 515/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /Users/joelwork/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename /Users/joelwork/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 4
debug1: Host 'hostip' is known and matches the RSA host key.
debug1: Found key in /Users/joelwork/.ssh/known_hosts:1
debug2: bits set: 534/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/joelwork/.ssh/identity (0x0)
debug2: key: /Users/joelwork/.ssh/id_rsa (0x0)
debug2: key: /Users/joelwork/.ssh/id_dsa (0x0)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/joelwork/.ssh/identity
debug3: no such identity: /Users/joelwork/.ssh/identity
debug1: Trying private key: /Users/joelwork/.ssh/id_rsa
debug3: no such identity: /Users/joelwork/.ssh/id_rsa
debug1: Trying private key: /Users/joelwork/.ssh/id_dsa
debug3: no such identity: /Users/joelwork/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 18 padlen 14 extra_pad 64)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 18 padlen 14 extra_pad 64)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 18 padlen 14 extra_pad 64)
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
user@hostip password:
debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
Permission denied, please try again.
debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
Permission denied, please try again.
debug3: packet_send2: adding 64 (len 53 padlen 11 extra_pad 64)
debug2: we sent a password packet, wait for reply
Received disconnect from hostip: 2: Too many authentication failures for motd
joel:~ joelwork$

It appears that everything runs 'fine' until the password. It attempts other authentication methods first but is happy to attempt 'password' in the end.

With the remote machine being Tiger..ssh is v1.99 whereas my local machine is v2.0. Does this have a bearing?

The remote machine is abroad so I can't get the logs from that end easily...

Any ideas?

Thanks,

Joel.
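
A way to condense output like the log above into per-method attempt counts, as an added example that is not part of the original post. The function names are this example's own, and the embedded sample is a constructed excerpt limited to line types that appear in the poster's log.

```shell
#!/bin/sh
# Summarise client-side authentication attempts from `ssh -vvv` output.
# Reads the log on stdin; prints one line per method, a total, and the outcome.
summarize_ssh_auth() {
  awk '
    # The client announces each method before it tries it.
    /Next authentication method: / { order[++n] = $NF }
    # One of these lines is logged for every request actually sent.
    /we sent a .* packet, wait for reply/ {
      m = $0; sub(/.*we sent a /, "", m); sub(/ packet.*/, "", m)
      sent[m]++; total++
    }
    # The server ended the connection: keep only the reason text.
    /^Received disconnect from / {
      r = $0; sub(/^Received disconnect from [^:]*: [0-9]+: /, "", r)
      outcome = "disconnect: " r
    }
    /Authentication succeeded/ { outcome = "success" }
    END {
      for (i = 1; i <= n; i++)
        printf "%s attempts=%d\n", order[i], sent[order[i]] + 0
      printf "total_attempts=%d\n", total
      printf "outcome=%s\n", (outcome == "" ? "unknown" : outcome)
    }'
}

# Constructed sample: a condensed excerpt of the line types in the log above.
sample_log() {
  cat <<'EOF'
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/joelwork/.ssh/id_rsa
debug3: no such identity: /Users/joelwork/.ssh/id_rsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
debug2: we sent a password packet, wait for reply
debug2: we sent a password packet, wait for reply
debug2: we sent a password packet, wait for reply
Received disconnect from hostip: 2: Too many authentication failures for motd
EOF
}

sample_log | summarize_ssh_auth
```

Run against the full log above, it reports three keyboard-interactive requests and three password requests before the server's disconnect, that is, six failed attempts in one connection and no public-key attempt at all.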

Oct 21, 2008 4:39 AM in response to joelbald

Does the server have something like denyhosts installed?

Also, it would be best if you configured /etc/sshd_config to use public keys only. This would negate the need for password authentication and make your ssh connections more secure and not vulnerable to brute force attacks.

You should also turn off authentication protocols you don't use in the sshd_config.

As you don't have access to the server right now this is a problem.

I can ssh into a Tiger Mac from a Leopard Mac over the internet, so this rules out an ssh compatibility issue.

Oct 21, 2008 6:28 AM in response to joelbald

Aha, if your colleague can follow some instructions then you may be in luck.

First of all, I would delete your current .ssh directory on your Mac so when you create a public and private key it will make a clean setup.

Open your terminal and issue the following command

rm -rf ~/.ssh


press enter

Copy and paste the command into your terminal if you like.

Then issue the following command

ssh-keygen -b 1024 -t dsa



1. When prompted for a location to save the key, press enter to use the default location.
2. When prompted for a passphrase, press return twice. This will create a key that has no passphrase associated with it.

Your mac will now create a public and private key.

now issue the following command



cp ~/.ssh/id_dsa.pub ~/Desktop/



The file id_dsa.pub should now appear on your desktop.

Email that file to your colleague.

Then your colleague needs to log in to your account on the server. If they copy your id_dsa.pub file to the desktop, they can then open the terminal and issue the following command

cat ~/Desktop/id_dsa.pub >> ~/.ssh/authorized_keys2




Once that is done you should be able to ssh into the server without entering a password as it will do a key exchange.
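
The server-side step of the procedure above (appending the received key) as a function that checks the file before trusting it; this is an added example, not part of the original reply. The name `install_pubkey`, its arguments and the accepted key-type list are this example's assumptions, and the default target follows the reply's `authorized_keys2`.

```shell
#!/bin/sh
# Append one public key to an account's authorized-keys file.
# Usage: install_pubkey <pubkey-file> <home-dir> [file-name]
install_pubkey() {
  pub=$1; home=$2; name=${3:-authorized_keys2}
  dir=$home/.ssh; dest=$dir/$name
  # A private key mailed by mistake must never end up on the server.
  if grep -q 'PRIVATE KEY' "$pub"; then
    echo "refusing: $pub contains private key material" >&2; return 2
  fi
  # Exactly one non-empty line: anything more is not a single key.
  if [ "$(grep -c . "$pub")" != 1 ]; then
    echo "refusing: expected exactly one key line in $pub" >&2; return 2
  fi
  key=$(grep . "$pub")
  # Plain "type base64 [comment]" lines only; option prefixes are rejected.
  case $key in
    ssh-dss\ *|ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
    *) echo "refusing: unrecognised key type" >&2; return 2 ;;
  esac
  # Create the directory and file readable and writable by the owner only.
  ( umask 077; mkdir -p "$dir"; touch "$dest" )
  chmod 700 "$dir"; chmod 600 "$dest"
  # Idempotent: running it twice does not duplicate the entry.
  if grep -qxF -e "$key" "$dest"; then
    echo "already present"; return 0
  fi
  printf '%s\n' "$key" >> "$dest"
  echo "installed"
}
```

E-mail does not authenticate the sender, so before installing, the colleague can run `ssh-keygen -l -f` on the received file and compare the fingerprint with one the key owner reads out over another channel.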

Oct 21, 2008 8:27 AM in response to joelbald

I think you need to get your friend to look in

sudo cat /var/log/secure.log

and see if there is information in his security log telling you why the ssh login was rejected.

I will also mention that ssh may reject a login if the destination account has badly set permissions on $HOME, $HOME/.ssh, $HOME/.ssh/config.

See *man ssh* and search for permission, then make sure that the destination account's ssh related files have recommended permissions.

Message was edited by: BobHarris
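
The permission check suggested above can be scripted; this is an added example, not part of the original reply. It flags a home directory, `.ssh` directory, key-list file or `config` that group or others can write to, and private keys accessible by anyone but the owner; the function names and the list of paths are this example's choices.

```shell
#!/bin/sh
# Report SSH-related paths whose permissions are looser than ssh expects.
# Usage: check_ssh_perms /path/to/home   (returns 1 if anything is flagged)

# First ten characters of `ls -l` output, e.g. "drwxr-xr-x" (symlinks followed).
mode_of() { ls -ldL "$1" | cut -c1-10; }

check_ssh_perms() {
  home=$1; bad=0
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys" \
           "$home/.ssh/authorized_keys2" "$home/.ssh/config"; do
    [ -e "$p" ] || continue
    # Character 6 is the group-write bit, character 9 the other-write bit.
    case $(mode_of "$p") in
      ?????w????|????????w?) echo "group/other-writable: $p"; bad=1 ;;
    esac
  done
  for k in "$home"/.ssh/id_*; do
    [ -f "$k" ] || continue
    case $k in *.pub) continue ;; esac
    # Private keys: no group or other permission bits at all.
    case $(mode_of "$k") in
      ????------) ;;
      *) echo "private key accessible by others: $k"; bad=1 ;;
    esac
  done
  return $bad
}
```

This only inspects mode bits; ownership of the same paths is a separate check.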
