SSH – Diagnose Authentication Failures Without Client Access

ssh

We have just upgraded our Infoblox appliance and now the log shipment which occurs via scp is failing with auth issues.

Since this is an appliance and we have no access to the a shell on the box we are having trouble figuring out what is wrong. On the infoblox end all we have in the configuration is hostname, port, username and password. (no option for key 🙁 )

I can invoke scp fine from another host with the credentials.

Any suggestions on finding out what the issue is? (short of putting up a hacked sshd 😉

Best Answer

You don't need a "hacked" sshd. You should be able to run sshd -ddd to put it into debug mode.

For example...

/usr/sbin/sshd -ddd -p 2222

...would listen on 2222 if you can direct client traffic to that port. If not, stop the system sshd and start a debug listener to test the client with.

With any luck, the server-side debug will help you identify the authentication problem.

Related Solutions

SSH Authentication – How to Make SSH Fail Rather Than Prompt for Password

For OpenSSH there is BatchMode, which in addition to disabling password prompting, should disable querying for passphrase(s) for keys.

BatchMode

If set to “yes”, passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no user is present to supply the password. The argument must be “yes” or “no”. The default is “no”.

Sample usage:

ssh -oBatchMode=yes -l <user> <host> <dostuff>

Linux – Can you have more than one ~/.ssh/config file

The ~/.ssh/config file don't have a directive for including other files, possibly related to SSH's check for file permissions.

Suggestions around this can include a script to cat several changes together either on the system or via checkin hooks on a repository. One might also look into tools such as Puppet or Augeas.

However you approach it, though, you'll have to concatenate individual files to be a single file from outside of the file.

$ cat ~/.ssh/config_* >> ~/.ssh/config

note: overwrite: > v.s. append: >>

Update December 2017:

From 7.3p1 and up, there is the Include option. Which allows you to include configuration files.

Include
    Include the specified configuration file(s).  Mul‐
    tiple pathnames may be specified and each pathname
    may contain glob(3) wildcards and, for user config‐
    urations, shell-like “~” references to user home
    directories.  Files without absolute paths are
    assumed to be in ~/.ssh if included in a user con‐
    figuration file or /etc/ssh if included from the
    system configuration file.  Include directive may
    appear inside a Match or Host block to perform con‐
    ditional inclusion.

Best Answer

Related Solutions

SSH Authentication – How to Make SSH Fail Rather Than Prompt for Password

Linux – Can you have more than one ~/.ssh/config file

Related Topic