RSSH not working after AIX 6.1 upgrade

Eddie Lee
2012-06-11
2013-04-16
  • Eddie Lee
    Eddie Lee
    2012-06-11

    Hi,
    I have a problem with my AIX 6.1. In AIX 5.3, I have successfully implemented rssh for the caging of my SFTP users. Since we just upgraded to AIX 6.1 TL6 SP7, the rssh does not work. The SFTP works when the user\'s shell is set to ksh, but just refuses to work when we change to rssh shell.

    Below are the OpenSSH version installed for the AIX 6.1:-

    # lslpp -L | grep open

    openssh.base.client 5.4.0.6100 C F Open Secure Shell Commands 
    openssh.base.server 5.4.0.6100 C F Open Secure Shell Server 
    openssh.license 4.3.0.5301 C F Open Secure Shell License 
    openssh.man.en_US 5.4.0.6100 C F Open Secure Shell 
    openssh.msg.DE_DE 5.4.0.6100 C F Open Secure Shell Messages - 
    openssh.msg.de_DE 5.4.0.6100 C F Open Secure Shell Messages - 
    openssh.msg.en_US 5.4.0.6100 C F Open Secure Shell Messages - 
    openssl.base 0.9.8.1300 C F Open Secure Socket Layer 
    openssl 0.9.7d-2 C R Secure Sockets Layer and

    The rssh version is 2.3.2.

    I have detailed below the logs from the sftp. Appreciate your help to guide me on how this problem can be resolved.

    # sftp -vvv surintf@localhost
    OpenSSH_5.4p1, OpenSSL 0.9.8m 25 Feb 2010
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): 0509-022 Cannot load
    module /usr/krb5/lib/libkrb5.a(libkrb5.a.so).
    0509-026 System error: A file or directory in the path name does not exist.
    debug1: Error loading Kerberos, disabling Kerberos auth.
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to localhost  port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /.ssh/id_rsa type 1
    debug1: identity file /.ssh/id_rsa-cert type -1
    debug1: identity file /.ssh/id_dsa type -1
    debug1: identity file /.ssh/id_dsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4
    debug1: match: OpenSSH_5.4 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.4
    debug2: fd 4 setting O_NONBLOCK
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-
    exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa-cert-v00@…,ssh-dss-cert-v00@…,ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-
    ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
    cbc,aes256-cbc,arcfour,rijndael-cbc@…
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-
    ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
    cbc,aes256-cbc,arcfour,rijndael-cbc@…
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@…,hmac-ripemd160,hmac-
    ripemd160@…,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@…,hmac-ripemd160,hmac-
    ripemd160@…,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@…,zlib
    debug2: kex_parse_kexinit: none,zlib@…,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-
    exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-
    ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
    cbc,aes256-cbc,arcfour,rijndael-cbc@…
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-
    ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-
    cbc,aes256-cbc,arcfour,rijndael-cbc@…
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@…,hmac-ripemd160,hmac-
    ripemd160@…,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@…,hmac-ripemd160,hmac-
    ripemd160@…,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@…
    debug2: kex_parse_kexinit: none,zlib@…
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 131/256
    debug2: bits set: 482/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug3: check_host_in_hostfile: host localhost filename /.ssh/known_hosts
    debug3: check_host_in_hostfile: host localhost filename /.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 13
    debug1: Host \'localhost\' is known and matches the RSA host key.
    debug1: Found key in /.ssh/known_hosts:13
    debug2: bits set: 508/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /.ssh/id_rsa (20061b48)
    debug2: key: /.ssh/id_dsa (0)
    debug3: input_userauth_banner
    Access to this server is restricted to authorized personnel only.
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug3: start over, passed a different list publickey,password,keyboard-interactive
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: /.ssh/id_rsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Trying private key: /.ssh/id_dsa
    debug3: no such identity: /.ssh/id_dsa
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup keyboard-interactive
    debug3: remaining preferred: password
    debug3: authmethod_is_enabled keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    debug2: userauth_kbdint
    debug2: we sent a keyboard-interactive packet, wait for reply
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug3: userauth_kbdint: disable: no info_req_seen
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred:
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    surintf@localhost\'s password:
    debug3: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
    debug2: we sent a password packet, wait for reply
    debug1: Authentication succeeded (password).
    debug2: fd 5 setting O_NONBLOCK
    debug3: fd 6 is O_NONBLOCK
    debug1: channel 0: new
    debug3: ssh_session2_open: channel_new: 0
    debug2: channel 0: send open
    debug1: Requesting no-more-sessions@…
    debug1: Entering interactive session.
    debug2: callback start
    debug2: client_session2_setup: id 0
    debug1: Sending subsystem: sftp
    debug2: channel 0: request subsystem confirm 1
    debug2: fd 4 setting TCP_NODELAY
    debug2: callback done
    debug2: channel 0: open confirm rwindow 0 rmax 32768
    debug2: channel 0: rcvd adjust 2097152
    debug2: channel_input_status_confirm: type 99 id 0
    debug2: subsystem request accepted on channel 0
    debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0
    debug1: client_input_channel_req: channel 0 rtype eow@… reply 0
    debug2: channel 0: rcvd eow
    debug2: channel 0: close_read
    debug2: channel 0: input open -> closed
    debug2: channel 0: rcvd eof
    debug2: channel 0: output open -> drain
    debug2: channel 0: obuf empty
    debug2: channel 0: close_write
    debug2: channel 0: output drain -> closed
    debug2: channel 0: rcvd close
    debug3: channel 0: will not send data after close
    debug2: channel 0: almost dead
    debug2: channel 0: gc: notify user
    debug2: channel 0: gc: user detached
    debug2: channel 0: send close
    debug2: channel 0: is dead
    debug2: channel 0: garbage collecting
    debug1: channel 0: free: client-session, nchannels 1
    debug3: channel 0: status: The following connections are open:

    #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)

    debug3: channel 0: close_fds r -1 w -1 e 7
    debug1: fd 0 clearing O_NONBLOCK
    debug3: fd 1 is not O_NONBLOCK
    Transferred: sent 1784, received 2200 bytes, in 0.0 seconds
    Bytes per second: sent 46361.7, received 57172.5
    debug1: Exit status -1
    Connection closed

    # grep surintf /etc/passwd
    surintf:!:303:502:suri Interface:/home/im3/surintf/in:/usr/local/bin/rssh

    # grep surintf /usr/local/etc/rssh.conf
    user=surintf:017:00010:/home/im3/surintf # suri Interface: sftp

    # ls -ld /home/im3/surintf /home/im3/surint>
    drwxr-x-- 8 surintf r3intfgp 4096 Jun 08 09:23 /home/im3/surintf
    drwxr-x-- 5 surintf r3intfgp 256 Jun 08 09:03 /home/im3/surintf/in
    drwx---- 2 surintf r3intfgp 256 Jun 08 08:12 /home/im3/surintf/in/.ssh


    Thanks & Rgds.
    Eddie