SSH block-out after a few incorrect login attempts (DOH!)

Asked by Lord Zos

I'm having problems SSH logging-in to my remote xubuntu box ... I'm connecting from a Gentoo box. I have a key-pair setup, that was working perfectly with my remote box. However, I needed to dynamically map (-D) a privileged port, so I temporarily enabled root login through SSH (/etc/ssh/sshd_config). At this time, I also temporarily set the PasswordAuthentication and ChallengeResponseAuthentication to 'yes' in the /etc/ssh/sshd_config - these were both explicitly set to 'no' in the original setup I was using. Originally, the only method I was accepting was PubkeyAuthentication which, as already mentioned, was working without hitch earlier and allowed me initial access to the remote server this morning.

So, with the above changes set, using my original SSH session, I restarted the SSH instance: /etc/init.d/ssh restart.

I tried logging in as root a few times, without success - even though I was using the correct root password. I even reset the root password in the other session I had open AND restarted SSH just to be sure. Still no luck logging in as root.

Then, dumber than dumb, I logged out all sessions to the remote server ... thinking that maybe something was cached somewhere .... I don't really know why. The result of this: I'm now locked out of the remote server!

What happens, and I'll paste in the ssh -vvv info below - is it asks me for my keyboard-interactive password three times. Then it falls back to asking me for my password three times. Then it exits. It doesn't seem to be even addressing the keypair any longer.

Any idea of what the problem is here and ways I can resolve it? I can get access to the remote machine, although if it can be resolved from my computer here that would be much easier. However, if changes are required on the remote server side, then this can be arranged.

Thanks a lot for your help with this, I really appreciate it!

LZ

$ ssh -vvv <remote_server_ip> -p <remote_server_port>
OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: cipher ok: aes256-cbc [aes256-cbc,aes192-cbc,blowfish-cbc]
debug3: cipher ok: aes192-cbc [aes256-cbc,aes192-cbc,blowfish-cbc]
debug3: cipher ok: blowfish-cbc [aes256-cbc,aes192-cbc,blowfish-cbc]
debug3: ciphers ok: [aes256-cbc,aes192-cbc,blowfish-cbc]
debug2: mac_setup: found hmac-sha1
debug3: mac ok: hmac-sha1 [hmac-sha1,hmac-ripemd160]
debug2: mac_setup: found hmac-ripemd160
debug3: mac ok: hmac-ripemd160 [hmac-sha1,hmac-ripemd160]
debug3: macs ok: [hmac-sha1,hmac-ripemd160]
debug2: ssh_connect: needpriv 0
debug1: Connecting to <remote_server_ip> [<remote_server_ip>] port <remote_server_port>.
debug2: fd 3 setting O_NONBLOCK
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug3: Not a RSA1 key file <$HOME>/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file <$HOME>/.ssh/id_rsa type 1
debug1: identity file <$HOME>/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.6p1 Debian-5ubuntu0.1
debug1: match: OpenSSH_4.6p1 Debian-5ubuntu0.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.7
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-cbc,aes192-cbc,blowfish-cbc
debug2: kex_parse_kexinit: aes256-cbc,aes192-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160
debug2: kex_parse_kexinit: <email address hidden>,zlib,none
debug2: kex_parse_kexinit: <email address hidden>,zlib,none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes256-cbc,aes192-cbc,blowfish-cbc
debug2: kex_parse_kexinit: aes256-cbc,aes192-cbc,blowfish-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1,hmac-ripemd160,hmac-md5
debug2: kex_parse_kexinit: none,<email address hidden>
debug2: kex_parse_kexinit: none,<email address hidden>
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes256-cbc hmac-sha1 <email address hidden>
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes256-cbc hmac-sha1 <email address hidden>
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 258/512
debug2: bits set: 2065/4096
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: put_host_port: [<remote_server_ip>]:<remote_server_port>
debug3: put_host_port: [<remote_server_ip>]:<remote_server_port>
debug3: check_host_in_hostfile: filename <$HOME>/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename <$HOME>/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host '[<remote_server_ip>]:<remote_server_port>' is known and matches the RSA host key.
debug1: Found key in <$HOME>/.ssh/known_hosts:2
debug2: bits set: 2011/4096
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: <$HOME>/.ssh/id_rsa (0x66c0c0)
debug2: key: <$HOME>/.ssh/id_dsa ((nil))
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: <$HOME>/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: <$HOME>/.ssh/id_dsa
debug3: no such identity: <$HOME>/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 28 padlen 4 extra_pad 64)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 28 padlen 4 extra_pad 64)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug3: packet_send2: adding 32 (len 28 padlen 4 extra_pad 64)
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
<user>@<remote_server_ip>'s password:
debug3: packet_send2: adding 48 (len 64 padlen 16 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
<user>@<remote_server_ip>'s password:
debug3: packet_send2: adding 48 (len 64 padlen 16 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
<user>@<remote_server_ip>'s password:
debug3: packet_send2: adding 48 (len 64 padlen 16 extra_pad 64)
debug2: we sent a password packet, wait for reply
Received disconnect from <remote_server_ip>: 2: Too many authentication failures for <user>

My local /etc/ssh/ssh_config is:

AddressFamily inet
Ciphers aes256-cbc,aes192-cbc,blowfish-cbc
Compression yes
ConnectTimeout 20
ForwardX11 no
MACs hmac-sha1,hmac-ripemd160
Protocol 2
ServerAliveCountMax 3
ServerAliveInterval 15
TCPKeepAlive yes

Question information

Language: English
Status: Answered
For: Ubuntu
Assignee: No assignee

Albert Damen (albrt) said :
#1

Hmm, that's a difficult situation and I have no clear tested answer. It will depend on the client you use and the format of your ssh key.

My first try would be to use a command-line ssh client. Then you can explicitly tell it to use your key. On Ubuntu I can do that using the command:

$ ssh -i key_file_name myname@servername

If you cannot do that, you could try PuTTY. You can tell PuTTY not to use keyboard-interactive authentication (under ssh auth options). With only password and private-key auth, you may stay below the maximum login attempts.

Regarding the failing root logins: root logins are protected by the file /etc/securetty, which defines the terminals allowed for root login. On my system remote login from pty terminals is not allowed. You could try to put pty1 to pty9 in that file, once you have access again. Alternatively, you should be able to do all you want using a normal login and then sudo to become root. If xubuntu does not use sudo by default, you should still be able to install it.
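
Added example, not part of the original thread: a shell sketch that tallies the authentication attempts in `ssh -v` client output, to compare against sshd's `MaxAuthTries` limit (default 6), and prints an OpenSSH command line that offers a single named key only. The sample log is constructed from the attempt lines in the question; `retry_command`, `user@server.example` and port 22 are hypothetical.

```shell
# Added example: tally the authentication attempts in OpenSSH client debug output.

# Constructed sample: the attempt lines from the log in the question.
sample_log() {
cat <<'EOF'
debug1: Offering public key: <$HOME>/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: we sent a password packet, wait for reply
debug2: we sent a password packet, wait for reply
debug2: we sent a password packet, wait for reply
Received disconnect from <remote_server_ip>: 2: Too many authentication failures for <user>
EOF
}

# summarize_auth: read `ssh -v` output on stdin, print one summary line.
summarize_auth() {
    awk '
        / we sent a [a-z-]+ packet/ {
            # The word after "a" is the authentication method.
            for (i = 1; i < NF; i++)
                if ($i == "a") { n[$(i + 1)]++; total++; break }
        }
        /Server accepts key/ { accepted = 1 }   # client message when a key is accepted
        /Too many authentication failures/ { cut = 1 }
        END {
            printf "publickey=%d keyboard-interactive=%d password=%d total=%d key_accepted=%s disconnected=%s\n",
                n["publickey"], n["keyboard-interactive"], n["password"], total,
                (accepted ? "yes" : "no"), (cut ? "yes" : "no")
        }'
}

# retry_command KEYFILE USER@HOST PORT (hypothetical helper): print an ssh
# command that offers only the named key and skips both password methods,
# so a single attempt is spent per connection.
retry_command() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o PreferredAuthentications=publickey -p %s %s\n' \
        "$1" "$3" "$2"
}

sample_log | summarize_auth
retry_command "$HOME/.ssh/id_rsa" 'user@server.example' 22
```

When the summary shows `key_accepted=no`, the key was offered and the server did not accept it, so restricting the client to public-key authentication only shortens the failure; the cause has to be found on the server side.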
