[lug] ssh hang mystery

Hugh Brown hugh at math.byu.edu
Sat Dec 23 19:32:14 MST 2006


D. Stimits wrote:
> I had configured a CentOS 4.4 server with a static non-routable IP 
> address, and worked on it via ssh (password login) for several weeks. I 
> then changed the address to a routable public IP and moved it to a 
> public network. Firewalling has been configured to allow all ports of 
> tcp and udp from my one IP address outside, and the outside world is 
> able to ping the interface or bring up the web server. From inside a 
> local server login, I'm able to ssh to my outside machine as well.
> 
> Well...ssh now hangs when trying to reach the server from the outside. I 
> deleted the keys in the client known_hosts file, and it asks if I want 
> to allow the key, I say yes, it all looks good. Then it just hangs and 
> never finishes logging in. So ssh connects, negotiates keys, and then 
> just sits there. ssh -vvv shows:
> 
> debug1: Authentications that can continue: publickey,gssapi-with-mic,password
> debug3: start over, passed a different list publickey,gssapi-with-mic,password
> debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
> debug3: authmethod_lookup gssapi-with-mic
> debug3: remaining preferred: publickey,keyboard-interactive,password
> debug3: authmethod_is_enabled gssapi-with-mic
> debug1: Next authentication method: gssapi-with-mic
> debug2: we sent a gssapi-with-mic packet, wait for reply
> 
> That last line is it...it hangs forever, then drops after a long period. 
> I don't know what gssapi is, although it seems to be a protocol that's 
> useful for ssh. I've never changed this setting, the server sshd_config 
> has this though:
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> 
> On the server side, with the daemon set to verbose logging, all I see is 
> this:
> sshd[12092]: Failed none for USERNAME from xxx.xxx.xxx.xxx port 39431 ssh2
> (I substituted the IP address and username)
> 
> It seems that by changing the IP address that something else has become 
> confused (in addition to myself), or in need of other configuration 
> changes. I tried a number of changes, none helped. In order to work on 
> it, I have to drive out to the facility (easier said than done in the 
> snow, I already got stuck once trying), so I wanted to have a good idea 
> of what to change before I go there. Can anyone give any suggestions on 
> this? Is gssapi messing it up? If so, why didn't it mess it up before?
> 
> D. Stimits, stimits AT comcast DOT net


Perhaps stating an obvious step, but did you update /etc/hosts?  Can the 
ssh server do a reverse lookup of the client's IP?

I don't know that I've ever used gssapi as an auth method.  It appears 
that it is trying to do gssapi as the first auth method.  Can you set 
GSSAPIAuthentication to no and then successfully connect?

Hugh
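
The two checks suggested in the reply above, as an added shell example that is not part of the original thread: it reads the effective GSSAPIAuthentication and UseDNS values from an sshd_config and looks up the name the server resolves for a client address. The function names and the sample config are constructed for illustration; it assumes awk and getent are available on the server.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print the effective global value of an sshd_config keyword ($1) in file $2.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line are conditional, so
# scanning stops there. "Keyword=value" is treated like "Keyword value"
# (a simplification that is fine for yes/no settings).
sshd_effective() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        { gsub(/=/, " ") }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print tolower($2); exit }
    ' "$2"
}

# Report the two settings relevant to a login that stalls during auth.
check_sshd_config() {
    gss=$(sshd_effective GSSAPIAuthentication "$1")
    dns=$(sshd_effective UseDNS "$1")
    echo "GSSAPIAuthentication=${gss:-unset}"
    echo "UseDNS=${dns:-unset}"
    [ "$gss" = yes ] && echo "try: GSSAPIAuthentication no (then reload sshd)"
    return 0
}

# Name the server resolves for a client IP ($1) via /etc/hosts or DNS.
# Run it on the server with the client's address; a long pause here
# points at name resolution rather than at sshd itself.
reverse_lookup() {
    name=$(getent hosts "$1" 2>/dev/null | awk '{ print $2; exit }')
    echo "${name:-none}"
}

# Constructed sample config, modelled on the settings quoted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
Protocol 2
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
EOF
check_sshd_config "$sample"
rm -f "$sample"

# Client-side test that leaves the server config untouched:
#   ssh -o GSSAPIAuthentication=no USERNAME@server
```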


