[FreeNX-kNX] Initial sshd connection failing for user nx with nxclient, but not with ssh

Sat Jul 3 20:38:50 UTC 2010

Op zaterdag 3 juli 2010 19:27:41 schreef chris at ccburton.com:
> > "ssh -i <that-file-name> nx@<nxserver>". In the log you can see that the
> > publickey was OK, but pam refused the access. The problem is why. Doing
> > the same to another nxserver with its own private key, the access was OK.
> > I can't find the difference between the two servers, apart from the fact
> > the one which gives acces is openSUSE 11.1 and the one with the problem is
> > openSUSE 11.3-RC1.
> 
> Hmmm
> 
> you are connecting to the same sshd both times ie. the same port is set in
> the nxclient, (or you don't have two sshds running) ??
> and
> you are connecting from the same workstation both times ?? aren't you

These are two different machines, but I do not use nxclient to connect but
ssh -i <file-with-private-key> nx@<nxserver>

> What do you get logged when you run ssh -i file nx at server
> in the same debug mode ???
Below is the log when it is OK from the same point in the log as the previous 
message.
Jul  3 22:25:40 ktmhost sshd[9217]: debug1: restore_uid: 0/0
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_answer_keyallowed: key 
0xb7910bb8 is allowed
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_append_debug: Appending debug 
messages for child
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_send entering: type 21
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_receive entering
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: monitor_read: checking request 22
Jul  3 22:25:40 ktmhost sshd[9217]: debug1: ssh_dss_verify: signature correct
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_answer_keyverify: key 
0xb7910ca8 signature verified
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_send entering: type 23
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_receive_expect 
entering: type 46
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_receive entering
Jul  3 22:25:40 ktmhost sshd[9217]: debug1: do_pam_account: called
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: PAM: do_pam_account pam_acct_mgmt 
= 0 (Success)
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_send entering: type 47
Jul  3 22:25:40 ktmhost sshd[9217]: Accepted publickey for nx from 
213.10.98.183 port 61863 ssh2
Jul  3 22:25:40 ktmhost sshd[9217]: debug1: monitor_child_preauth: nx has been 
authenticated by privileged process
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_get_keystate: Waiting for new 
keys
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_receive_expect 
entering: type 24
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_receive entering
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_newkeys_from_blob: 
0xb7913178(118)
Jul  3 22:25:40 ktmhost sshd[9217]: debug2: mac_setup: found hmac-md5

The difference is in the do_pam_account: called, in the next line I got a 
succes.

Maybe I have to check for differences in the files in /etc/pam.d/
But I can make ssh calls to other accounts than nx on both machines using 
publickey access. I checked the entries for nx both in /etc/passwd and 
/etc/shadow which are essentially the same in both systems.

-- 
fr.gr.

Freek de Kruijf