sshd not running after update (FreeBSD 5.3)



Atlantis95
01-07-2007, 10:05 AM
I have a problem using FreeBSD 5.3. Direct Admin is sending me e-mails with: 'New Message: The service 'sshd' on server XXXXXXX.org is currently down '

The cause of the problem started a while ago, probably after updating the server using the 'portsreport'. So, I think that the sshd daemon became corrupt while doing the update.

Does anybody know which steps must be done to reinstall the sshd package? Because of this problem I am not able to access the server remotely by telnet or sshd :(
The DirectAdmin http, MySQL, etc. services are running fine (that is at least something positive).

Please advise with the steps to reinstall.

bjseiler
01-08-2007, 06:59 AM
Does your system have a lot of users (on an underpowered machine)? I had the same thing happen once and removing most of the AllowUsers from sshd_config solved the problem.

Atlantis95
01-08-2007, 12:58 PM
It is not likely that that is the problem. As far as I can see it occurred after installing a patch. The only user active in an ssh session is myself.

The system is a PIV-3GHz with 2GB internal memory. I do not expect that the hardware gives any problem (I think).

kke
01-08-2007, 10:14 PM
Check out sshd_config under the DA files_editor.

Then try to restart the sshd service via the DA services monitor.

Check the error/message log via the DA log viewer.

Atlantis95
01-09-2007, 02:31 PM
I checked out the sshd_config file. There are 14 'AllowUsers' lines.
After reducing it to three lines, the problem still occurs. The three lines look like the following:
AllowUsers root
AllowUsers admin
AllowUsers anOtherUser

I am just wondering whether the line should not look like 'AllowUsers root admin anOtherUser'.

Note: All other configuration lines in the sshd_config file are commented out. Is this correct?

nobaloney
01-09-2007, 04:22 PM
DA adds separate lines for each allowed user; it works fine.

I can't speak for all the other lines being commented out because I don't use FreeBSD, but it doesn't seem right.

I've moved the thread to a FreeBSD forum; hopefully you'll get a better response.

Jeff

kke
01-09-2007, 08:03 PM
Originally posted by Atlantis95
I checked out the sshd_config file. There are 14 'AllowUsers' lines.
After reducing it to three lines, the problem still occurs. The three lines look like the following:
AllowUsers root
AllowUsers admin
AllowUsers anOtherUser

I am just wondering whether the line should not look like 'AllowUsers root admin anOtherUser'.

Note: All other configuration lines in the sshd_config file are commented out. Is this correct?

sshd will fail to start with AllowUsers root admin anOtherUser on one line.
You must use separate lines:
AllowUsers root
AllowUsers admin
AllowUsers anOtherUser

Some uncommented line may be causing the problem; try commenting out some lines, or post your sshd_config here.

Here is mine; most lines are commented out.
Take care: a user who needs to su to root must be in the wheel group; you may turn on PermitRootLogin yes + AllowUsers root to solve it.



# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20040419

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

LoginGraceTime 1m
PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication (via challenge-response)
# and session processing.
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

#AllowUsers root
AllowUsers user1
AllowUsers user2
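
As an added example (not kke's or DirectAdmin's code), a small pre-flight check for the sshd_config pitfalls this post touches: a single-valued keyword such as PermitRootLogin repeated lower in the file (sshd honours the first occurrence and ignores the rest), root in AllowUsers while the effective PermitRootLogin is no, and an AllowUsers list that omits the admin account meant to log in. It reads AllowUsers patterns written one per line or several per line, both of which sshd_config(5) accepts; the sample config and user names are constructed.

```shell
# Added example, not from the thread: pre-flight checks on sshd_config text
# before restarting sshd. Sample config below is constructed.
# Keywords that may repeat (values accumulate); any OTHER keyword takes its
# first occurrence and later lines are silently ignored (sshd_config(5)).
MULTI=' port listenaddress hostkey allowusers allowgroups denyusers denygroups subsystem acceptenv '

# effective_value CONFIG KEYWORD -> the value sshd actually uses
effective_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }'
}

# allowed_users CONFIG -> all AllowUsers patterns, space separated, whether
# written one per line (as DirectAdmin does) or several per line (also valid)
allowed_users() {
    printf '%s\n' "$1" | awk 'tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) printf "%s ", $i }'
}

# check_config CONFIG ADMIN -> one finding per line; prints nothing when clean
check_config() {
    cfg=$1; admin=$2; users=$(allowed_users "$cfg")
    # 1. a single-valued keyword repeated: the later edit never takes effect
    printf '%s\n' "$cfg" | awk -v multi="$MULTI" '$1 !~ /^#/ && NF >= 2 {
        k = tolower($1); if (index(multi, " " k " ")) next
        if (k in seen) printf "%s repeated: first value \"%s\" wins, later \"%s\" is ignored\n", $1, seen[k], $2
        else seen[k] = $2 }'
    # 2. root listed in AllowUsers but refused by the effective PermitRootLogin
    case " $users" in *" root "*)
        [ "$(effective_value "$cfg" PermitRootLogin)" = no ] &&
            echo "root is in AllowUsers but effective PermitRootLogin is no: root logins are refused" ;;
    esac
    # 3. AllowUsers is a whitelist: an admin account left out of it is locked out
    if [ -n "$users" ]; then
        case " $users" in *" $admin "*) ;;
            *) echo "AllowUsers is set but $admin is not listed: $admin cannot log in" ;;
        esac
    fi
    return 0
}

# Constructed sample: PermitRootLogin was edited near the end of the file, but
# the earlier "no" still wins; AllowUsers in DirectAdmin's one-per-line style.
SAMPLE_CFG='Port 22
PermitRootLogin no
#PermitRootLogin yes
AllowUsers root
AllowUsers admin mike
PermitRootLogin yes'

check_config "$SAMPLE_CFG" mike
```

Against the live file this is `check_config "$(cat /etc/ssh/sshd_config)" yourlogin`, run before restarting the service; `sshd -t` then confirms the edited file still parses.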

Atlantis95
01-10-2007, 09:24 AM
No success so far.
The line 'Port 22' is now uncommented.
The line 'Protocol 2' is now uncommented.
'PermitRootLogin no' changed to 'PermitRootLogin yes'.

Stopping and starting the sshd service has no result. It is not starting. The 'AllowUsers' lines have always been separate.



# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.40 2004/04/20 09:37:29 des Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20040419

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication (via challenge-response)
# and session processing.
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
AllowUsers root
AllowUsers admin
AllowUsers mike
#AllowUsers f1man
#AllowUsers f1man2
#AllowUsers slaap1
#AllowUsers ef1
#AllowUsers jaap
#AllowUsers a1manager
#AllowUsers arjenh
#AllowUsers vcleeuw
#AllowUsers ministry


When I start the service I get a


An error has occurred

Details


It does not display any error message or anything like that.
:mad:

kke
01-10-2007, 09:39 AM
Originally posted by kke
Check out sshd_config under the DA files_editor.

Then try to restart the sshd service via the DA services monitor.

Check the error/message log via the DA log viewer.

After the sshd service fails to start, use the log viewer to see the error in /var/log/message.

However, whatever the error log says, it seems it has to be fixed from the console (go to the NOC :( ).

Atlantis95
01-10-2007, 02:44 PM
The log shows the following:



Jan 10 18:12:59 wes named[584]: couldn't add command channel 127.0.0.1#953: file not found
Jan 10 18:12:59 wes named[584]: none:0: open: /etc/namedb/rndc.key: file not found
Jan 10 18:12:59 wes named[584]: couldn't add command channel ::1#953: file not found
Jan 10 18:12:59 wes named[584]: zone 0.0.127.IN-ADDR.ARPA/IN: loading master file localhost.rev: file not found
Jan 10 18:12:59 wes named[584]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA/IN: loading master file localhost-v6.rev: file not found
Jan 10 18:12:59 wes named[584]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT/IN: loading master file localhost-v6.rev: file not found
Jan 10 18:12:59 wes named[584]: dns_master_load: /etc/namedb/ministry-of-sound.org.db:15: empty label
Jan 10 18:12:59 wes named[584]: zone ministry-of-sound.org/IN: loading master file /etc/namedb/ministry-of-sound.org.db: empty label
Jan 10 18:13:52 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 18:15:54 wes ntpd[355]: time reset -140.117750 s
Jan 10 18:15:54 wes ntpd[355]: kernel time sync disabled 2041
Jan 10 18:16:45 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 18:23:00 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 18:27:20 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 18:27:44 wes ntpd[355]: kernel time sync enabled 2001
Jan 10 18:34:05 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 18:37:24 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 18:45:56 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 18:48:09 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 18:59:08 wes last message repeated 2 times
Jan 10 19:08:49 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 19:10:30 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 19:18:37 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 19:23:10 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 19:35:58 wes last message repeated 2 times
Jan 10 19:47:19 wes last message repeated 2 times
Jan 10 19:49:35 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 19:59:50 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 20:10:12 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 20:20:31 wes last message repeated 2 times
Jan 10 20:31:01 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 20:42:49 wes last message repeated 2 times
Jan 10 20:55:37 wes last message repeated 2 times
Jan 10 21:01:45 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 21:12:19 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 21:22:23 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 21:35:53 wes last message repeated 2 times
Jan 10 21:49:00 wes last message repeated 2 times
Jan 10 21:58:43 wes last message repeated 2 times
Jan 10 22:04:33 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 22:14:09 wes last message repeated 2 times
Jan 10 22:25:14 wes last message repeated 2 times
Jan 10 22:37:16 wes last message repeated 2 times
Jan 10 22:45:04 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 22:55:13 wes last message repeated 2 times
Jan 10 23:05:37 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 23:05:47 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 23:15:37 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 23:17:52 wes kernel: arplookup 81.171.33.193 failed: host is not on local network
Jan 10 23:26:51 wes kernel: arplookup 81.171.33.193 failed: host is not on local network


I don't think that this arplookup has anything to do with it. These are all the messages.

nobaloney
01-10-2007, 03:07 PM
I can't remember everything so I did some man reading ...

The sshd configuration files have default entries in them, commented out. To change them you uncomment them and change them.

Other than that, I don't have any answers for the differences between Linux and FreeBSD, nor for any default or other settings :( .

Jeff

Atlantis95
01-10-2007, 03:34 PM
I tried to uncomment the lines

HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_dsa_key

I tried the lines uncommented separately and both uncommented, without success.

As far as I can see I need to visit the server to get any access to it. (The only advantage is that the normal services are running normally.)

When I visit the server location, what must I do to make the sshd messages visible?

For example, the sshd file looks as follows below, but all messages will be sent to ">&/dev/null". That is also the reason (I think) that no error messages are reported.


#!/bin/sh
#
# Init file for OpenSSH server daemon
#
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid

# source function library (provides success, failure and status)
. /usr/local/etc/rc.d/functions

RETVAL=0
prog="sshd"

# Some variables to make the below more readable
KEYGEN=/usr/bin/ssh-keygen
SSHD=/usr/sbin/sshd
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
LOCK_FILE=/var/spool/lock/sshd

# Generate a host key if it is missing or empty. Output is discarded with the
# POSIX form ">/dev/null 2>&1"; the original ">&/dev/null" is a bash/csh form
# that /bin/sh does not accept. The bash-only $"..." quoting is dropped too.
do_rsa1_keygen() {
    if [ ! -s "$RSA1_KEY" ]; then
        echo -n "Generating SSH1 RSA host key: "
        if $KEYGEN -q -t rsa1 -f "$RSA1_KEY" -C '' -N '' >/dev/null 2>&1; then
            chmod 600 "$RSA1_KEY"
            chmod 644 "$RSA1_KEY.pub"
            success "RSA1 key generation"
            echo
        else
            failure "RSA1 key generation"
            echo
            exit 1
        fi
    fi
}

do_rsa_keygen() {
    if [ ! -s "$RSA_KEY" ]; then
        echo -n "Generating SSH2 RSA host key: "
        if $KEYGEN -q -t rsa -f "$RSA_KEY" -C '' -N '' >/dev/null 2>&1; then
            chmod 600 "$RSA_KEY"
            chmod 644 "$RSA_KEY.pub"
            success "RSA key generation"
            echo
        else
            failure "RSA key generation"
            echo
            exit 1
        fi
    fi
}

do_dsa_keygen() {
    if [ ! -s "$DSA_KEY" ]; then
        echo -n "Generating SSH2 DSA host key: "
        if $KEYGEN -q -t dsa -f "$DSA_KEY" -C '' -N '' >/dev/null 2>&1; then
            chmod 600 "$DSA_KEY"
            chmod 644 "$DSA_KEY.pub"
            success "DSA key generation"
            echo
        else
            failure "DSA key generation"
            echo
            exit 1
        fi
    fi
}

start()
{
    # Create keys if necessary
    do_rsa1_keygen
    do_rsa_keygen
    do_dsa_keygen

    # $OPTIONS is expected to come from the sourced functions file (unset here)
    echo -n "Starting $prog:"
    $SSHD $OPTIONS
    RETVAL=$?
    [ "$RETVAL" = 0 ] && touch "$LOCK_FILE"
    echo
}

stop()
{
    echo -n "Stopping $prog:"
    killall -TERM "$prog"
    RETVAL=$?
    [ "$RETVAL" = 0 ] && rm -f "$LOCK_FILE"
    echo
}

reload()
{
    echo -n "Reloading $prog:"
    kill -HUP "$(cat "$PID_FILE")"
    RETVAL=$?
    echo
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    reload)
        reload
        ;;
    condrestart)
        if [ -f "$LOCK_FILE" ]; then
            stop
            # avoid race
            sleep 3
            start
        fi
        ;;
    status)
        status "$prog"
        RETVAL=$?
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|condrestart|status}"
        RETVAL=1
esac
exit $RETVAL

kke
01-10-2007, 11:33 PM
Not quite sure....

/var/log/auth.log should say something:
#tail -n 100 /var/log/auth.log | grep sshd

Reinstall openssh (never tried):
#cd /usr/ports/security/openssh
#make deinstall reinstall clean

Try to start it:
#/etc/rc.d/sshd restart

Check the log again:
#tail /var/log/auth.log | grep sshd

Atlantis95
01-11-2007, 02:22 PM
I will try to visit the server on Monday.

So, the following two lines should not be executed:
2. #cd /usr/ports/security/openssh
3. #make deinstall reinstall clean

Which other dependencies does sshd depend on? I want to exclude possible causes so I know what to do when I am on location.

I will check the log on Monday.