Re: [Savannah-hackers] Re: [ 101401 ] SSH connection is dropped (fwd)

[Nic Ferrier]

Mathieu Roy <address@hidden> writes:

> Hi,
> 
> Pavel is right, my answer is boring. I completely missed the
> point. Please accept my apologizes. I rode it to fastly and only
> checked the ssh output, that seemed fine to me:
> 
> > debug1: Trying RSA authentication with key
> > '/home/tmphome/proski/.ssh/identity'
> > debug1: Received RSA challenge from server.
> > debug1: Sending response to host key RSA challenge.
> > debug1: Remote: RSA authentication accepted.
> > debug1: RSA authentication accepted by server.
> 
> Without re-reading the beginning of the mail, I thought that Pavel was
> trying to access the server on an another way that normal user should
> do, as GNU project leaders sometimes try to do (and may need to).

I think he is. I think he's doing entirely the wrong thing.

 
>  cat /var/log/auth.log* | grep proski
> Oct 15 11:31:34 subversions PAM_unix[31958]: authentication failure; (uid=0) 
> -> proski for ssh service
> Oct 15 11:31:36 subversions sshd[31958]: Failed password for proski from 
> 135.207.19.174 port 32930 ssh2
> Oct 15 11:31:44 subversions sshd[31958]: Failed password for proski from 
> 135.207.19.174 port 32930 ssh2
> Oct 15 11:31:44 subversions PAM_unix[31958]: 1 more authentication failure; 
> (uid=0) -> proski for ssh service
> Oct 15 11:36:27 subversions PAM_unix[32410]: authentication failure; (uid=0) 
> -> proski for ssh service
> Oct 15 11:36:29 subversions sshd[32410]: Failed password for proski
> from 216.127.237.131 port 3158 ssh2

But from his debug it shows that he's logging in ok. I think the PAM
message is probably misleading.


> Also, your demonstration about your cvs problem is
> 
> > $ cvs -f -d
> > :ext:address@hidden:/cvsroot/openap co .
> > Connection to subversions.gnu.org closed by remote host.
> > cvs [checkout aborted]: end of file from server
> > (consult above messages if any)

The :ext: is formal syntax for an external method of connection. It's
part of a rarely used CVS url system, it replaces the more widely
known :pserver:.

The :ext: is useless for savannah without the CVS_RSH environment
variable setting to specify how the client will connect.

If the user enters just the command:

  cvs -f -d :ext:address@hidden:/cvsroot/openap co .

Without also specifying CVS_RSH=ssh then cvs will attempt to connect
with RSH and, since RSH is not running on savannah, the connection
will be terminated and the user will get the message:

  "end of file from server".


This seems to be exactly what is happening.


The PAM messages are a concern, either there is something that is
accepting the RSH request and then rejecting it based on a PAM policy
OR (more likely) the erroneous command:

   ssh -1 -v subversions.gnu.org cvs server

is causing an uninformative error message to be sent to the PAM log.

It might be useful if someone who knows about PAM chipped in here, I
only really know the basics.


Nic