Passwordless SSH problem with AIX machines

Hello,

I am trying to set up passwordless, no-passphrase ssh between two machines for the user id: oraprod

Here is what I did for a non-root user: oraprod

whoami:
oraprod

Machine A:

ssh-keygen -t dsa

cat ~/.ssh/id_rsa.pub

# GO TO MACHINE B
create
vi ~/.ssh/authorized_keys
paste from Machine A the contents of the file id_rsa.pub
save the file

cp authorized_keys authorized_keys2
chmod 777 authorized_keys
chmod 777 authorized_keys2

Machine A

drwxrwxrwx   2 oraprod  dba             256 Dec 27 12:51 .ssh

# cd .ssh
#
#
# pwd
/home/oraprod/.ssh
# ls -ltra
total 32
drwxr-xr-x   3 oraprod  dba             256 Dec 27 10:00 ..
-rw-r--r--   1 oraprod  dba             798 Dec 27 12:47 known_hosts
-rwxrwxrwx   1 oraprod  dba             395 Dec 27 12:50 authorized_keys
-rw-r--r--   1 oraprod  dba             397 Dec 27 12:51 id_rsa.pub
-rw-------   1 oraprod  dba            1675 Dec 27 12:51 id_rsa
drwxrwxrwx   2 oraprod  dba             256 Dec 27 12:51 .



Machine B

drwxrwxrwx   2 oraprod  dba             256 Dec 27 15:52 .ssh

$ cd ~/.ssh
$ ls
authorized_keys  id_rsa           id_rsa.pub       known_hosts
$ ls -ltra
total 32
drwxr-xr-x   4 oraprod  dba             256 Dec 27 13:37 ..
-rw-r--r--   1 oraprod  dba             400 Dec 27 15:48 known_hosts
-rw-r--r--   1 oraprod  dba             395 Dec 27 15:49 id_rsa.pub
-rw-------   1 oraprod  dba            1675 Dec 27 15:49 id_rsa
-rwxrwxrwx   1 oraprod  dba             397 Dec 27 15:52 authorized_keys
drwxrwxrwx   2 oraprod  dba             256 Dec 27 15:52 .
$


REPEAT THE SAME FOR MACHINE B

Now, I read that SSH is very particular about permissions, so I have changed the permissions to

~/.ssh/authorized_keys  600
~/.ssh                  700
~                       755

Note that home directory permissions are very important as well... if your home directory is writable by other users, SSHD would not accept the key.

I am logged in to Machine A:
ssh Machine_B ls -ltra

It gives me the message
connection closed by host 10.x.x.x

What seems to be the issue?

stopsrc -g ssh and then startsrc -g ssh

Machine A & Machine B /etc/ssh/sshd_config

#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
#  similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
# IgnoreUserKnownHosts yes
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PermitEmptyPasswords yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes


#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

#Banner none


Subsystem       sftp    /usr/libexec/sftp-server

#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server


SSH ON LOCALHOST

# ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 71:3b:ba:cb:d1:bf:94:41:a8:6f:3a:00:10:d0:65:ca.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Permission denied (publickey,keyboard-interactive).

SSH -V ON MACHINE A FOR MACHINE B


with the username oraprod

machine A
# su - oraprod
$ ssh -v test1
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so):   0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
        0509-026 System error: A file or directory in the path name does not exist.

debug1: Error loading Kerberos, disabling Kerberos auth.
debug1: Connecting to test1 [10.1.1.120] port 22.
debug1: Connection established.
debug1: identity file /home/oraprod/.ssh/identity type -1
debug1: identity file /home/oraprod/.ssh/id_rsa type 1
debug1: identity file /home/oraprod/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'test1' is known and matches the RSA host key.
debug1: Found key in /home/oraprod/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/oraprod/.ssh/identity
debug1: Offering public key: /home/oraprod/.ssh/id_rsa
Connection closed by 10.1.1.120
$


machine B

# su - oraprod
$ ssh -v standby
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so):   0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
        0509-026 System error: A file or directory in the path name does not exist.

debug1: Error loading Kerberos, disabling Kerberos auth.
debug1: Connecting to standby [10.1.1.105] port 22.
debug1: Connection established.
debug1: identity file /home/oraprod/.ssh/identity type -1
debug1: identity file /home/oraprod/.ssh/id_rsa type 1
debug1: identity file /home/oraprod/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'standby' is known and matches the RSA host key.
debug1: Found key in /home/oraprod/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/oraprod/.ssh/identity
debug1: Offering public key: /home/oraprod/.ssh/id_rsa
Connection closed by 10.1.1.105
$


with the username root on machine A

#hostname
standby

# ssh -v test1

OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so):   0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
        0509-026 System error: A file or directory in the path name does not exist.

debug1: Error loading Kerberos, disabling Kerberos auth.
debug1: Connecting to test1 [10.1.1.120] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type 1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'test1' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Offering public key: /.ssh/id_rsa
Connection closed by 10.1.1.120
#

#hostname
test1

# ssh -v standby
# ssh -v standby
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so):   0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
        0509-026 System error: A file or directory in the path name does not exist.

debug1: Error loading Kerberos, disabling Kerberos auth.
debug1: Connecting to standby [10.1.1.105] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'standby' is known and matches the RSA host key.
debug1: Found key in /.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
root@standby's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
1 unsuccessful login attempt since last login.
Last unsuccessful login: Thu Dec 27 13:05:13 SAUST 2012 on ssh from test1
Last login: Thu Dec 27 12:58:04 SAUST 2012 on /dev/pts/2 from testserver
*******************************************************************************
*                                                                             *
*                                                                             *
*  Welcome to AIX Version 5.3!                                                *
*                                                                             *
*                                                                             *
*  Please see the README file in /usr/lpp/bos for information pertinent to    *
*  this release of the AIX Operating System.                                  *
*                                                                             *
*                                                                             *
*******************************************************************************
# hostname
standby

reference:

SSH on AIX | Unix Linux Forums | AIX
Passwordless root authentication via SSH | Unix Linux Forums | AIX
passwordless ssh for non-root user??? | Unix Linux Forums | AIX
Passwordless authentication via SSH | Unix Linux Forums | AIX
http://www.unix.com/aix/105864-passwordless-authentication-aix.html
http://www.ibm.com/developerworks/library/l-keyc/index.html
http://www.ibm.com/developerworks/aix/library/au-sshsecurity/index.html
http://www.ibm.com/developerworks/forums/thread.jspa?threadID=192840
http://www.debian-administration.org/articles/152

http://rcsg-gsir.imsb-dsgi.nrc-cnrc.gc.ca/documents/internet/node31.html
http://unix.ittoolbox.com/groups/technical-functional/ibm-aix-l/how-to-restart-ssh-in-aix-1551784

Can you please try:

chmod 644 ~/.ssh/authorized_keys
drwx------    2 root     system          256 Dec 27 14:05 .
drwxr-xr-x    8 root     system         4096 Dec 27 13:04 ..
-rw-r--r--    1 root     system          397 May 10 2012  authorized_keys
-rw-r--r--    1 root     system          396 Nov 28 2011  authorized_keys2
-rw-------    1 root     system          668 Apr 23 2012  id_dsa
-rw-r--r--    1 root     system          604 Apr 23 2012  id_dsa.pub
-rw-------    1 root     system         1679 Apr 23 2012  id_rsa
-rw-r--r--    1 root     system          396 Apr 23 2012  id_rsa.pub
-rw-r--r--    1 root     system         9923 Oct 30 10:10 known_hosts

Actually this might be the problem: if you have copied and pasted via X-Windows methods (marking it in one window and middle-click in the other) your file "authorized_keys" might have line breaks in it, while the original doesn't. Check this and - in case there are indeed line breaks - remove them by using the "SHIFT-J" (join lines) command in "vi", then remove the space character vi replaces the line break with.

I hope this helps.

bakunin
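
The two checks discussed in the posts above (the 600/700/755 permission set, and the line-break test for a pasted authorized_keys) as an added example that is not part of the original thread. The function names, the sample tree and the key text are constructed, and the mode rule assumes sshd's default StrictModes behaviour of refusing paths that are group- or world-writable or owned by another non-root user.

```shell
#!/bin/sh
# Added example (not from the thread). All paths and key text are constructed.

# check_modes UID PATH...
# Prints one finding per path that the StrictModes check would object to:
# the owner is neither UID nor root, or the path is group/world writable.
check_modes() {
    want_uid=$1
    shift
    for p in "$@"; do
        # ls -ldn prints "mode links uid gid ..."; keep the mode and numeric uid
        info=$(ls -ldn "$p" 2>/dev/null | awk '{print $1, $3}')
        if [ -z "$info" ]; then
            echo "MISSING $p"
            continue
        fi
        mode=${info% *}
        uid=${info#* }
        # characters 6 and 9 of the mode string are group-write and other-write
        case $(printf '%s' "$mode" | cut -c6,9) in
            *w*) echo "BAD-MODE $p $mode" ;;
        esac
        if [ "$uid" != "$want_uid" ] && [ "$uid" != "0" ]; then
            echo "BAD-OWNER $p uid=$uid"
        fi
    done
}

# check_key_lines FILE
# Every key must sit on ONE line: [options] keytype base64-blob [comment].
# A pasted key that picked up line breaks shows up as a cut-short blob
# followed by a line that carries no key type at all.
check_key_lines() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }      # comments and blank lines are legal
        {
            found = 0
            for (i = 1; i < NF; i++) {
                if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/) {
                    found = 1
                    # padded base64 always has a length divisible by 4
                    if (length($(i + 1)) % 4 != 0)
                        printf "TRUNCATED line %d: key blob is cut short\n", NR
                    break
                }
            }
            if (!found)
                printf "FRAGMENT line %d: no key type, likely a wrapped line\n", NR
        }' "$1"
}

# Constructed sample: a home tree with the 777 modes shown in the first post
# and a (fake) key that was wrapped across two lines by a terminal paste.
make_sample() {
    d=${TMPDIR:-/tmp}/sshcheck.$$
    rm -rf "$d"
    mkdir -p "$d/home/.ssh"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIw\nAAAQEA oraprod@test1\n' \
        > "$d/home/.ssh/authorized_keys"
    chmod 755 "$d/home"
    chmod 777 "$d/home/.ssh" "$d/home/.ssh/authorized_keys"
    echo "$d"
}

d=$(make_sample)
ak=$d/home/.ssh/authorized_keys

echo "== before =="
check_modes "$(id -u)" "$d/home" "$d/home/.ssh" "$ak"
check_key_lines "$ak"

# Repair: the modes quoted in the thread, and the key joined back onto one line.
chmod 700 "$d/home/.ssh"
chmod 600 "$ak"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA oraprod@test1\n' > "$ak"

echo "== after =="
check_modes "$(id -u)" "$d/home" "$d/home/.ssh" "$ak"
check_key_lines "$ak"
rm -rf "$d"
```

On a real host, pass the account's numeric uid followed by its home directory, `~/.ssh` and `authorized_keys` paths; no output means neither check found a problem.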

What I did was FTP the id_rsa.pub_copy to the server and rename it to authorized_keys

$ hostname
standby
$
$ ls -ltra
total 48
drwxr-xr-x   3 oraprod  dba             256 Dec 27 10:00 ..
-rw-r--r--   1 oraprod  dba             798 Dec 27 12:47 known_hosts
-rw-r--r--   1 oraprod  dba             397 Dec 27 12:51 id_rsa.pub
-rw-------   1 oraprod  dba            1675 Dec 27 12:51 id_rsa
-rw-------   1 oraprod  dba             395 Dec 27 15:00 authorized_keys2
-rw-r--r--   1 oraprod  dba             397 Dec 27 17:08 authorized_keys_S_105
-rw-r--r--   1 oraprod  dba             395 Dec 27 17:10 authorized_keys
drwx------   2 oraprod  dba             256 Dec 27 17:12 .

$ ls -ltra
total 72
drwx------   2 oraprod  dba             256 Dec 27 17:12 .ssh

$ ssh standby date
Connection closed by 10.1.1.105
$


$ hostname
test1
$
$
$ ls -ltra
total 48
drwxr-xr-x   4 oraprod  dba             256 Dec 27 13:37 ..
-rw-r--r--   1 oraprod  dba             400 Dec 27 15:48 known_hosts
-rw-r--r--   1 oraprod  dba             395 Dec 27 15:49 id_rsa.pub
-rw-------   1 oraprod  dba            1675 Dec 27 15:49 id_rsa
-rw-------   1 oraprod  dba             397 Dec 27 18:00 authorized_keys2
-rw-r--r--   1 oraprod  dba             395 Dec 27 20:07 authorized_keys_S
-rw-r--r--   1 oraprod  dba             397 Dec 27 20:10 authorized_keys
drwx------   2 oraprod  dba             256 Dec 27 20:12 .


$ ls -ltra
drwx------   2 oraprod  dba             256 Dec 27 20:12 .ssh

$ ssh standby date
Connection closed by 10.1.1.105

Same problem even after changing the permissions and copying the file.
It is not even asking for the password.

Please post the log from the SSH-Server

/var/adm/authlog

and

lsuser -a login rlogin oraprod

Machine A:

$ exit
# cat /var/adm/authlog
cat: 0652-050 Cannot open /var/adm/authlog.

# lsuser -a login rlogin oraprod
oraprod login=true rlogin=true

# ls -ltra /var/adm/authlog
ls: 0653-341 The file /var/adm/authlog does not exist.

Machine B:

# cat /var/adm/authlog
cat: 0652-050 Cannot open /var/adm/authlog.

# lsuser -a login rlogin oraprod
oraprod login=true rlogin=true

# ls -ltra /var/adm/authlog
ls: 0653-341 The file /var/adm/authlog does not exist.

Please verify your Syslog-Setup (if you use syslog)

cat /etc/syslog.conf | grep auth
#       kern,user,mail,daemon, auth,... (see syslogd(AIX Commands Reference))
*.info;mail.none;user.notice;auth.none   /var/adm/syslog rotate size 5m files 10
auth.info                                /var/adm/authlog rotate size 5m files 10

If you need to change your config, you can restart the syslogd with

stopsrc -s syslogd

and start again with

startsrc -s syslogd

On both machines

# cat /etc/syslog.conf | grep auth
#       kern,user,mail,daemon, auth,... (see syslogd(AIX Commands Reference))
#

So I edited the syslog.conf and added as requested

on machine A : 10.1.1.105 = standby
after doing few ssh from the user oraprod & root

# cat /var/adm/authlog

Dec 27 22:31:49 standby sshd[1237032]: warning: /etc/hosts.allow, line 1: missing ":" separator
Dec 27 22:31:51 standby sshd[1237032]: Accepted password for root from 10.1.1.120 port 34557 ssh2
Dec 27 22:32:07 standby sshd[1237038]: warning: /etc/hosts.allow, line 1: missing ":" separator
Dec 27 22:32:09 standby sshd[1237038]: Failed password for root from 10.1.1.120 port 34558 ssh2
Dec 27 22:32:09 standby syslog: ssh: failed login attempt for root from test1
Dec 27 22:32:11 standby sshd[1237038]: Failed password for root from 10.1.1.120 port 34558 ssh2
Dec 27 22:32:11 standby syslog: ssh: failed login attempt for root from test1
Dec 27 22:32:13 standby sshd[1237038]: Failed password for root from 10.1.1.120 port 34558 ssh2
Dec 27 22:32:13 standby sshd[1245272]: syslog: fopen on /dev/null failed, errno 2
Dec 27 22:32:13 standby syslog: ssh: failed login attempt for root from test1
Dec 27 22:32:45 standby sshd[1241136]: warning: /etc/hosts.allow, line 1: missing ":" separator
Dec 27 22:32:46 standby sshd[1245282]: syslog: fopen on /dev/null failed, errno 2
Dec 27 22:33:53 standby sshd[1241154]: warning: /etc/hosts.allow, line 1: missing ":" separator
Dec 27 22:33:53 standby sshd[213108]: syslog: fopen on /dev/null failed, errno 2
Dec 27 22:34:22 standby sshd[213118]: warning: /etc/hosts.allow, line 1: missing ":" separator
Dec 27 22:34:25 standby sshd[213118]: Accepted password for root from 10.1.1.120 port 34563 ssh2
Dec 27 22:34:36 standby su: from root to oraprod at /dev/pts/2
#

Machine B: 10.1.1.120 = test1

# cat /var/adm/authlog

Dec 28 01:34:13 test1 sshd[340120]: warning: /etc/hosts.allow, line 1: missing ":" separator
Dec 28 01:34:16 test1 sshd[335952]: syslog: fopen on /dev/null failed, errno 2
Dec 28 01:34:53 test1 sshd[360646]: warning: /etc/hosts.allow, line 1: missing ":" separator
Dec 28 01:34:53 test1 sshd[340122]: syslog: fopen on /dev/null failed, errno 2
#

Machine A /etc/hosts.allow had the ip address of Machine B which is
cat /etc/hosts.allow
10.1.1.120

and Machine B had the IP address of Machine A
cat /etc/hosts.allow
10.1.1.105

Then I removed the IP addresses from both files, so the files are empty, and did ssh from Machine A to Machine B; the log file is below.

When I do it as root, the ssh log file will catch it,
but when I do it as oraprod
nothing appears in the log file.

Dec 28 02:20:30 test1 sshd[336016]: Authentication refused: bad ownership or modes for file /.ssh/authorized_keys
Dec 28 02:20:30 test1 sshd[336016]: Authentication refused: bad ownership or modes for file /.ssh/authorized_keys
Dec 28 02:20:35 test1 sshd[336018]: Authentication refused: bad ownership or modes for file /.ssh/authorized_keys
Dec 28 02:20:35 test1 sshd[336018]: Authentication refused: bad ownership or modes for file /.ssh/authorized_keys
Dec 28 02:20:40 test1 sshd[364778]: Authentication refused: bad ownership or modes for file /.ssh/authorized_keys

I re-edited /etc/hosts.allow on both machines and added the following

$ cat /etc/hosts.allow
ALL:ALL

then log file

Machine A
Dec 27 23:34:18 standby sshd[303216]: Received signal 15; terminating.
Dec 27 23:34:21 standby sshd[303218]: Server listening on 0.0.0.0 port 22.
Dec 27 23:34:21 standby sshd[303218]: error: Bind to port 22 on :: failed: The socket name is already in use..
Dec 27 23:34:21 standby sshd[303218]: error: Couldn't create pid file "/usr/local/etc/sshd.pid": A file or directory in the path name does not exist.
Dec 27 23:34:50 standby su: from root to oraprod at /dev/pts/2


Machine B
Dec 27 23:23:54 test1 su: from root to oraprod at /dev/pts/2
Dec 27 23:34:11 test1 sshd[348340]: Received signal 15; terminating.
Dec 27 23:34:14 test1 sshd[348342]: Server listening on 0.0.0.0 port 22.
Dec 27 23:34:14 test1 sshd[348342]: error: Bind to port 22 on :: failed: The socket name is already in use..
Dec 27 23:34:14 test1 sshd[348342]: error: Couldn't create pid file "/usr/local/etc/sshd.pid": A file or directory in the path name does not exist.
Dec 27 23:35:13 test1 su: from root to oraprod at /dev/pts/2

I am not familiar with the "hosts.allow" file. We don't use them :wink:
Is it possible to delete this file for testing?

P.S.
To reduce the error messages when sshd starts, you can change the following lines in the sshd config (uncomment them):
ListenAddress 0.0.0.0
PidFile /var/run/sshd.pid

Repeated the procedure once again.

Machine A and repeated the same on machine B

$hostname
standby
$whoami
oraprod
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/oraprod/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/oraprod/.ssh/id_rsa.
Your public key has been saved in /home/oraprod/.ssh/id_rsa.pub.
The key fingerprint is:
48:9a:0a:d5:6d:55:ab:8e:87:48:9a:09:64:23:65:54 oraprod@standby
The key's randomart image is:
+--[ RSA 2048]----+
| .+.E   ...      |
| o . . .   .     |
|.+. . +   .      |
|+..  = . .       |
|o   + . S        |
| o * . +         |
|  = . o o        |
|       .         |
|                 |
+-----------------+
$ cd .ssh

$ ls
id_rsa      id_rsa.pub

$ cat id_rsa.pub >> ~/.ssh/authorized_keys_4SecondaryServer

$ ls
authorized_keys_4SecondaryServer  id_rsa           id_rsa.pub

$ cat authorized_keys_4SecondaryServer
ssh-rsa <<deleted by the poster...line too big>>

FTP from the SecondaryServer the file authorized_keys

$ ls
authorized_keys_authorized_keys_4SecondaryServer  id_rsa
authorized_keys    id_rsa.pub

$ cp authorized_keys_4standby authorized_keys

$ chmod 600 authorized_keys

$ ls -ltra
total 48
drwxr-xr-x   3 oraprod  dba             256 Dec 28 14:19 ..
-rw-r--r--   1 oraprod  dba             397 Dec 28 14:20 id_rsa.pub
-rw-------   1 oraprod  dba            1675 Dec 28 14:20 id_rsa
-rw-------   1 oraprod  dba             395 Dec 28 14:29 authorized_keys
-rw-r--r--   1 oraprod  dba             398 Dec 28 14:32 known_hosts
drwx------   2 oraprod  dba             256 Dec 28 14:32 .

$ ls -ltra
total 80
-rwxr-----   1 oraprod  dba             254 Nov 30 21:15 .profile
drwxr-xr-x   6 bin      bin             256 Dec 02 18:30 ..
-rw-r--r--   1 oraprod  dba             205 Dec 10 19:24 smit.transaction
-rw-r--r--   1 oraprod  dba              81 Dec 10 19:24 smit.script
-rw-------   1 root     system          100 Dec 10 19:30 .bash_history
-rw-r--r--   1 oraprod  dba            3663 Dec 27 23:23 smit.log
-rw-r--r--   1 oraprod  dba             674 Dec 28 14:19 standby.txt
drwxr-xr-x   3 oraprod  dba             256 Dec 28 14:19 .
drwx------   2 oraprod  dba             256 Dec 28 14:32 .ssh
-rw-------   1 oraprod  dba           13942 Dec 28 14:38 .sh_history

$ ls -ltra
total 16
drwxr-xr-x   2 guest    usr             256 Dec 05 2004  guest
drwx------   2 root     system          256 Nov 29 20:15 lost+found
-rw-r--r--   1 root     system            1 Dec 02 18:30 .profile
drwxr-xr-x   6 bin      bin             256 Dec 02 18:30 .
drwxr-xr-x   2 applprod dba             256 Dec 07 17:26 applprod
drwxr-xr-x  26 root     system         4096 Dec 28 14:08 ..
drwxr-xr-x   3 oraprod  dba             256 Dec 28 14:19 oraprod


$ ssh test1 date
The authenticity of host 'test1 (10.1.1.120)' can't be established.
RSA key fingerprint is 71:3b:ba:cb:d1:bf:94:41:a8:6f:3a:00:10:d0:65:ca.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'test1,10.1.1.120' (RSA) to the list of known hosts.
Connection closed by 10.1.1.120

$ ssh test1 date
Connection closed by 10.1.1.120

Check the authlog on Machine B:

Dec 28 13:35:29 test1 sshd[348342]: Received signal 15; terminating.
Dec 28 13:38:52 test1 sshd[233588]: Server listening on 0.0.0.0 port 22.
Dec 28 13:38:52 test1 sshd[233588]: error: Bind to port 22 on :: failed: The socket name is already in use..
Dec 28 13:38:52 test1 sshd[233588]: error: Couldn't create pid file "/usr/local/etc/sshd.pid": A file or directory in the path name does not exist.
Dec 28 13:38:52 test1 tsm: 3004-035 TSM: write to /dev/vty2 failed.
Dec 28 14:09:23 test1 su: from root to oraprod at /dev/pts/0

Check the authlog on Machine A

Dec 28 13:35:12 standby sshd[303218]: Received signal 15; terminating.
Dec 28 13:38:55 standby sshd[254156]: Server listening on 0.0.0.0 port 22.
Dec 28 13:38:55 standby sshd[254156]: error: Bind to port 22 on :: failed: The socket name is already in use..
Dec 28 13:38:55 standby sshd[254156]: error: Couldn't create pid file "/usr/local/etc/sshd.pid": A file or directory in the path name does not exist.
Dec 28 13:38:56 standby tsm: 3004-035 TSM: write to /dev/vty2 failed.
Dec 28 13:44:36 standby syslog: pts/1: failed login attempt for UNKNOWN_USER from testserver
Dec 28 13:44:36 standby tsm: 3004-035 TSM: write to /dev/pts/1 failed.
Dec 28 14:08:36 standby su: from root to oraprod at /dev/pts/0

/etc/hosts.allow

Machine A

$ cat /etc/hosts.allow
ALL : ALL : allow
sshd : ALL : allow
$

Machine B
$ cat /etc/hosts.allow
ALL : ALL : allow
sshd : ALL : allow
$

/etc/hosts.deny
empty

Machine A
$ cat /etc/hosts.deny


Machine B
$ cat /etc/hosts.deny


Now making the changes as requested

deleted hosts.allow and hosts.deny

then
# stopsrc -s sshd ; startsrc -s sshd
# stopsrc -s syslogd ; startsrc -s syslogd

Now ssh from one Machine A to Machine B

Machine A
# su - oraprod
$ ssh test1 date
Connection closed by 10.1.1.120

Machine B
# su - oraprod
$ ssh standby date
Connection closed by 10.1.1.105

Machine A : Authlog
Dec 28 14:51:46 standby sshd[254156]: Received signal 15; terminating.
Dec 28 14:51:49 standby sshd[254158]: Server listening on 0.0.0.0 port 22.
Dec 28 14:51:49 standby sshd[254158]: error: Couldn't create pid file "/var/run/sshd.pid": A file or directory in the path name does not exist.
Dec 28 14:54:20 standby su: from root to oraprod at /dev/pts/0

Machine B: Authlog

Dec 28 13:35:29 test1 sshd[348342]: Received signal 15; terminating.
Dec 28 13:38:52 test1 sshd[233588]: Server listening on 0.0.0.0 port 22.
Dec 28 13:38:52 test1 sshd[233588]: error: Bind to port 22 on :: failed: The socket name is already in use..
Dec 28 13:38:52 test1 sshd[233588]: error: Couldn't create pid file "/usr/local/etc/sshd.pid": A file or directory in the path name does not exist.
Dec 28 13:38:52 test1 tsm: 3004-035 TSM: write to /dev/vty2 failed.
Dec 28 14:09:23 test1 su: from root to oraprod at /dev/pts/0
Dec 28 14:50:33 test1 sshd[233588]: Received signal 15; terminating.
Dec 28 14:50:37 test1 sshd[233590]: Server listening on 0.0.0.0 port 22.
Dec 28 14:50:37 test1 sshd[233590]: error: Couldn't create pid file "/var/run/sshd.pid": A file or directory in the path name does not exist.
Dec 28 14:53:53 test1 su: from root to root at /dev/pts/0
Dec 28 14:53:58 test1 su: from root to oraprod at /dev/pts/0

I am a little bit confused about your copy- and FTP-actions :wink:

on machine [standby] in the file /home/oraprod/.ssh/authorized_keys
should be an entry like "ssh-rsa .....blablabla... oraprod@test1"

on machine [test1] in the file /home/oraprod/.ssh/authorized_keys
should be an entry like "ssh-rsa .....blablabla... oraprod@standby"

is this correct?

YES

Machine A = standby

$ cd ~/.ssh
$ ls
authorized_keys           authorized_keys_4test1    id_rsa.pub
authorized_keys_4standby  id_rsa                    known_hosts
$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5R/M....gwhw== oraprod@test1

Machine B = test1
$ ls
authorized_keys           authorized_keys_4test1    id_rsa.pub
authorized_keys_4standby  id_rsa                    known_hosts
$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtRNRN.....g4pDYV/w== oraprod@standby

okay that looks good

Could you please delete or rename both files (hosts.allow and hosts.deny) on one server? Then restart the sshd daemon and test again. Sorry, I currently have no other idea; maybe a mistake in the network configuration.

I deleted the files hosts.allow and hosts.deny on both.

but same results.

The tricky part is here:

when I delete everything inside .ssh directory in both machines,
ssh from machine A to Machine B will ask for password and vice versa.. It will work and ask for password.

But with the key : authorized_keys ==> I get the message connection closed !

so why without the key file it asks for password and with key file it doesn't even ask for anything ?

---------- Post updated 12-29-12 at 01:23 AM ---------- Previous update was 12-28-12 at 05:37 AM ----------

Folks, I think I have isolated the problem

  1. When I delete everything in the .ssh folder on Machine A and Machine B
    The scenario is
  • no hosts.allow file
  • no hosts.deny file
  • no authorized_keys file

from machine A to machine B
ssh machineB date
> ask for password
> enter password
> works fine

from machine B to machine A
ssh machineA date
> ask for password
> enter password
> works fine

  1. when you delete the authorized_keys and try to login with username and password, you got a valid login/shell? - or will you also disconnected after entering the password?

yes, I will get a valid login/shell.

  1. Tried the same method in the same network on other Machines
    Machine C and Machine D
    it worked fine, no issues like what is happening with Machine A and Machine B

The difference with Machine C and Machine D is that I did that using physical ports, and hostname and IP are registered in the MS DNS Server.
Machine C and Machine D are physical machines using physical ports

whereas

Machine A and Machine B are LPARs under VIOS
they are using SEA = Shared Ethernet Adapter
hostname dns is also registered in the MS DNS Server

  1. Could the problem be related to SEA = Shared Ethernet Adapter for LPARS ?

  2. Now from Machine B to VIOS_SERVER ssh works fine
    $ whoami
    oraprod

$ hostname
test1

$ ssh ibmvios date
Date......

but from VIOS_SERVER to MACHINE B
same problem: connection closed !

The problem looks like it is in Machine A and Machine B. How to troubleshoot and look into it?

---------- Post updated at 08:25 AM ---------- Previous update was at 01:23 AM ----------

This is what I did on the VIOS server for creating the SEA = Shared Ethernet Adapter.

Maybe my SEA configuration is not right?

# lsdev -Cc adapter
ent0      Available 08-08 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
ent1      Available 08-09 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
ent2      Available       Virtual I/O Ethernet Adapter (l-lan)
ent3      Available       Virtual I/O Ethernet Adapter (l-lan)
ent4      Available       Virtual I/O Ethernet Adapter (l-lan)
ent5      Available       Virtual I/O Ethernet Adapter (l-lan)



$ mkvdev -sea ent1 -vadapter ent2  -default ent2 -defaultid 1

# lsdev -Cc adapter
ent0      Available 08-08 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
ent1      Available 08-09 2-Port 10/100/1000 Base-TX PCI-X Adapter (14108902)
ent2      Available       Virtual I/O Ethernet Adapter (l-lan)
ent3      Available       Virtual I/O Ethernet Adapter (l-lan)
ent4      Available       Virtual I/O Ethernet Adapter (l-lan)
ent5      Available       Virtual I/O Ethernet Adapter (l-lan)
ent6      Available       Shared Ethernet Adapter

$ lsdev -dev ent6 -attr virt_adapters
value

ent2

$ lsdev -dev ent6 -attr real_adapter
value

ent1



$ viosecure -firewall view
Firewall      OFF

                          ALLOWED   PORTS
           Local   Remote
Interface  Port    Port    Service      IPAddress       Expiration Time(seconds)
---------  ----    ----    -------      ---------       ---------------
$

$ netstat -cdlistats | grep "Priority"
  Priority: 1  Active: True
  Priority: 1  Active: True
  Priority: 1  Active: True
  Priority: 1  Active: True

# ifconfig -a
en0: flags=5e080863,1c0<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),PSEG,LARGESEND,CHAIN>
        inet 10.1.1.110 netmask 0xffff0000 broadcast 10.1.255.255
         tcp_sendspace 131072 tcp_recvspace 65536 rfc1323 0
en6: flags=1e080863,180<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,CHECKSUM_OFFLOAD(ACTIVE),CHAIN>
        inet 10.1.1.111 netmask 0xffff0000 broadcast 10.1.255.255
         tcp_sendspace 131072 tcp_recvspace 65536 rfc1323 0

---------- Post updated at 11:51 AM ---------- Previous update was at 08:25 AM ----------

Now,

From VIO_SERVER = ibmvios to test1

$ whoami
oraprod

$ ssh test1 date
Connection closed by 10.1.1.120
$ hostname
ibmvios
$ ssh -vv test1 date
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so):   0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
        0509-026 System error: A file or directory in the path name does not exist.

debug1: Error loading Kerberos, disabling Kerberos auth.
debug2: ssh_connect: needpriv 0
debug1: Connecting to test1 [10.1.1.120] port 22.
debug1: Connection established.
debug1: identity file /home/oraprod/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/oraprod/.ssh/id_rsa type 1
debug1: identity file /home/oraprod/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: Entering the function :kex_choose_conf

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 128/256
debug2: bits set: 522/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'test1' is known and matches the RSA host key.
debug1: Found key in /home/oraprod/.ssh/known_hosts:1
debug2: bits set: 509/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/oraprod/.ssh/identity (0)
debug2: key: /home/oraprod/.ssh/id_rsa (20032128)
debug2: key: /home/oraprod/.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: The Key: 0

debug1: Trying private key: /home/oraprod/.ssh/identity
debug1: After function load_identity_file

debug1: The Key: 1

debug1: Offering public key: /home/oraprod/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
Connection closed by 10.1.1.120
$

From test1 to ibmvios


$ whoami
oraprod
$ hostname
test1
$ ssh -vv ibmvios date
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so):   0509-022 Cannot load module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
        0509-026 System error: A file or directory in the path name does not exist.

debug1: Error loading Kerberos, disabling Kerberos auth.
debug2: ssh_connect: needpriv 0
debug1: Connecting to ibmvios [10.1.1.110] port 22.
debug1: Connection established.
debug1: identity file /home/oraprod/.ssh/identity type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/oraprod/.ssh/id_rsa type 1
debug1: identity file /home/oraprod/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 4 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 132/256
debug2: bits set: 511/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ibmvios' is known and matches the RSA host key.
debug1: Found key in /home/oraprod/.ssh/known_hosts:1
debug2: bits set: 519/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/oraprod/.ssh/identity (0)
debug2: key: /home/oraprod/.ssh/id_rsa (200485b8)
debug2: key: /home/oraprod/.ssh/id_dsa (0)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/oraprod/.ssh/identity
debug1: Offering public key: /home/oraprod/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug2: input_userauth_pk_ok: fp 45:1a:60:a1:01:13:a8:57:7d:5a:07:c7:74:1e:ba:d7
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug1: Sending command: date
debug2: channel 0: request exec confirm 1
debug2: fd 4 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: exec request accepted on channel 0
Sat Dec 29 16:50:32 CST 2012
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2176, received 2328 bytes, in 0.0 seconds
Bytes per second: sent 114484.3, received 122481.4
debug1: Exit status 0
$



---------- Post updated 12-30-12 at 11:11 AM ---------- Previous update was 12-29-12 at 11:51 AM ----------

Still no success...searching on google came across

Did not work. The only thing with the above setup was that there was no Connection Closed message; rather, it was asking for a password.
This is one step ahead only.

Try to find info on the server side by either tracing the sshd server with truss (on AIX; strace on Linux), "truss -f -p pid-of-sshd", or changing LogLevel to DEBUG in the sshd conf file.

On All three LPARs

in sshd_config
LogLevel DEBUG

#whoami
root

#stopsrc -s sshd ; startsrc -s sshd


# truss -f -p pid-of-sshd
truss: 0915-021 Invalid process id: pid-of-sshd.

Seems like many people have similar issues, but still unresolved; see here on the IBM forums (Legacy Communities - IBM Community) and "passwordless ssh connection problem".

Okay, the solution for such a problem would be to install the latest OpenSSL and OpenSSH, and it was resolved. That version of SSH had some issues, I guess.
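Added example, not part of the original thread: a small sh/awk classifier for saved `ssh -vv` client traces, separating the three outcomes seen above (sshd drops the connection right after the key offer, sshd refuses the key and falls back to password, key accepted). The function and sample names are made up for this example, and the sample traces are constructed from lines quoted in the thread.

```shell
#!/bin/sh
# Added example: classify a saved `ssh -vv` client trace by how publickey auth ended.
# Patterns are the OpenSSH 5.2 client messages quoted in the thread.
classify_ssh_trace() {   # trace on stdin, one verdict line on stdout
    awk '
        /Offering public key:/ { offered = 1; key = $NF }
        /Server accepts key/   { accepted = 1 }
        /Authentications that can continue:/ {
            if (offered) rejected = 1   # server answered the offer with a failure
            methods = $NF
        }
        /Authentication succeeded/ { ok = 1 }
        /^Connection closed by/    { closed = 1; peer = $NF }
        END {
            if (ok) print "OK " key
            else if (closed && offered && !accepted && !rejected)
                print "SERVER-DROP " peer " " key
            else if (rejected) print "KEY-REJECTED " key " fallback=" methods
            else print "UNKNOWN"
        }'
}

# Constructed samples, abridged from the traces in the thread.
trace_dropped() { cat <<'EOF'
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/oraprod/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
Connection closed by 10.1.1.120
EOF
}
trace_ok() { cat <<'EOF'
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /home/oraprod/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Authentication succeeded (publickey).
EOF
}
# Constructed: the later "asks for password instead" outcome.
trace_rejected() { cat <<'EOF'
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Offering public key: /home/oraprod/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
EOF
}
for t in trace_dropped trace_ok trace_rejected; do
    printf '%s: %s\n' "$t" "$($t | classify_ssh_trace)"
done
```

A SERVER-DROP verdict means the client trace has nothing more to tell: the reason is recorded only on the target host, in sshd's own log at LogLevel DEBUG.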