From blindcat at gmail.com Thu Sep 7 09:18:51 2023 From: blindcat at gmail.com (Amirul Islam) Date: Thu, 7 Sep 2023 13:18:51 +0600 Subject: LibSSH2 password expire issue Message-ID: Greetings! I am having a little problem, I checked around online, but could not find a reasonable explanation. I am trying to authenticate a session with a linux box. The user password is expired, but the functions "libssh2_userauth_password_ex" or "libssh2_userauth_publickey_fromfile_ex" never fails with LIBSSH2_ERROR_PASSWORD_EXPIRED, following is my code. void session::login(std::string username, std::string password) { int code; if ((code = libssh2_userauth_password_ex(this->_session, username.c_str(), username.size(), password.c_str(), password.size(), NULL)) != 0) { std::string _errstr; if (code == LIBSSH2_ERROR_ALLOC) _errstr = "An internal memory allocation call failed"; else if (code == LIBSSH2_ERROR_SOCKET_SEND) _errstr = "Unable to send data on socket"; else if (code == LIBSSH2_ERROR_PASSWORD_EXPIRED) _errstr = "The password for the user has expired"; else if (code == LIBSSH2_ERROR_AUTHENTICATION_FAILED) _errstr = "Invalid username/password or public/private key"; else _errstr = "Generic failure"; throw axon::exception(__FILENAME__, __LINE__, __PRETTY_FUNCTION__, "libssh2_userauth_password() - " + _errstr); } } Following is a debug output from terminal 'ssh' command for your reference. FYI long log dump ahead. since the error is not reported at auth stage, getting error at libssh2_sftp_init stage, snd that also unknown error. any help would be appreciated. OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 58: Applying options for * debug2: resolving "localhost" port 22 debug2: ssh_connect_direct: needpriv 0 debug1: Connecting to localhost [::1] port 22. debug1: Connection established. debug1: identity file /home/username/.ssh/id_rsa type 1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_rsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_dsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_dsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_ecdsa type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_ecdsa-cert type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_ed25519 type -1 debug1: key_load_public: No such file or directory debug1: identity file /home/username/.ssh/id_ed25519-cert type -1 debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_7.4 debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4 debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to localhost:22 as 'username' debug3: hostkeys_foreach: reading file "/home/username/.ssh/known_hosts" debug3: record_hostkey: found key type ECDSA in file /home/username/.ssh/known_hosts:15 debug3: load_hostkeys: loaded 1 keys from localhost debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01 at openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss debug2: ciphers ctos: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc debug2: ciphers stoc: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc debug2: MACs ctos: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib at openssh.com,zlib debug2: compression stoc: none,zlib at openssh.com,zlib debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug2: peer server KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 debug2: ciphers ctos: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc debug2: ciphers stoc: chacha20-poly1305 at openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm at openssh.com,aes256-gcm at openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc debug2: MACs ctos: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: MACs stoc: umac-64-etm at openssh.com,umac-128-etm at openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at openssh.com,hmac-sha1-etm at openssh.com,umac-64 at openssh.com,umac-128 at openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 debug2: compression ctos: none,zlib at openssh.com debug2: compression stoc: none,zlib at openssh.com debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 debug2: reserved 0 debug1: kex: algorithm: curve25519-sha256 debug1: kex: host key algorithm: ecdsa-sha2-nistp256 debug1: kex: server->client cipher: chacha20-poly1305 at openssh.com MAC: compression: none debug1: kex: client->server cipher: chacha20-poly1305 at openssh.com MAC: compression: none debug1: kex: curve25519-sha256 need=64 dh_need=64 debug1: kex: curve25519-sha256 need=64 dh_need=64 debug3: send packet: type 30 debug1: expecting SSH2_MSG_KEX_ECDH_REPLY debug3: receive packet: type 31 debug1: Server host key: ecdsa-sha2-nistp256 SHA256:BXC23OnWOw8SACSzZLkrtuE7AQAWuscwwG4514kZe/4 debug3: hostkeys_foreach: reading file "/home/username/.ssh/known_hosts" debug3: record_hostkey: found key type ECDSA in file /home/username/.ssh/known_hosts:15 debug3: load_hostkeys: loaded 1 keys from localhost debug1: Host 'localhost' is known and matches the ECDSA host key. debug1: Found key in /home/username/.ssh/known_hosts:15 debug3: send packet: type 21 debug2: set_newkeys: mode 1 debug1: rekey after 134217728 blocks debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug3: receive packet: type 21 debug1: SSH2_MSG_NEWKEYS received debug2: set_newkeys: mode 0 debug1: rekey after 134217728 blocks debug2: key: /home/username/.ssh/id_rsa (0x560879a45e30) debug2: key: /home/username/.ssh/id_dsa ((nil)) debug2: key: /home/username/.ssh/id_ecdsa ((nil)) debug2: key: /home/username/.ssh/id_ed25519 ((nil)) debug3: send packet: type 5 debug3: receive packet: type 7 debug1: SSH2_MSG_EXT_INFO received debug1: kex_input_ext_info: server-sig-algs= debug3: receive packet: type 6 debug2: service_accept: ssh-userauth debug1: SSH2_MSG_SERVICE_ACCEPT received debug3: send packet: type 50 debug3: receive packet: type 51 debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_lookup gssapi-keyex debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-keyex debug1: Next authentication method: gssapi-keyex debug1: No valid Key exchange context debug2: we did not send a packet, disable method debug3: authmethod_lookup gssapi-with-mic debug3: remaining preferred: publickey,keyboard-interactive,password debug3: authmethod_is_enabled gssapi-with-mic debug1: Next authentication method: gssapi-with-mic debug1: Unspecified GSS failure. Minor code may provide more information debug1: Unspecified GSS failure. Minor code may provide more information debug2: we did not send a packet, disable method debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: Next authentication method: publickey debug1: Offering RSA public key: /home/username/.ssh/id_rsa debug3: send_pubkey_test debug3: send packet: type 50 debug2: we sent a publickey packet, wait for reply debug3: receive packet: type 51 debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password debug1: Trying private key: /home/username/.ssh/id_dsa debug3: no such identity: /home/username/.ssh/id_dsa: No such file or directory debug1: Trying private key: /home/username/.ssh/id_ecdsa debug3: no such identity: /home/username/.ssh/id_ecdsa: No such file or directory debug1: Trying private key: /home/username/.ssh/id_ed25519 debug3: no such identity: /home/username/.ssh/id_ed25519: No such file or directory debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: ,password debug3: authmethod_is_enabled password debug1: Next authentication method: password username at localhost's password: debug3: send packet: type 50 debug2: we sent a password packet, wait for reply debug3: receive packet: type 52 debug1: Authentication succeeded (password). Authenticated to localhost ([::1]:22). debug1: channel 0: new [client-session] debug3: ssh_session2_open: channel_new: 0 debug2: channel 0: send open debug3: send packet: type 90 debug1: Requesting no-more-sessions at openssh.com debug3: send packet: type 80 debug1: Entering interactive session. debug1: pledge: network debug3: receive packet: type 80 debug1: client_input_global_request: rtype hostkeys-00 at openssh.com want_reply 0 debug3: receive packet: type 91 debug2: callback start debug2: fd 3 setting TCP_NODELAY debug3: ssh_packet_set_tos: set IPV6_TCLASS 0x10 debug2: client_session2_setup: id 0 debug2: channel 0: request pty-req confirm 1 debug3: send packet: type 98 debug1: Sending environment. debug3: Ignored env CPLUS_INCLUDE_PATH debug3: Ignored env NVM_INC debug3: Ignored env MANPATH debug3: Ignored env XDG_SESSION_ID debug3: Ignored env HOSTNAME debug3: Ignored env NVM_CD_FLAGS debug3: Ignored env SHELL debug3: Ignored env TERM debug3: Ignored env HISTSIZE debug3: Ignored env HADOOP_HOME debug3: Ignored env KRB5_KTNAME debug3: Ignored env SSH_CLIENT debug3: Ignored env LIBRARY_PATH debug3: Ignored env OLDPWD debug3: Ignored env SSH_TTY debug3: Ignored env X_SCLS debug3: Ignored env USER debug3: Ignored env http_proxy debug3: Ignored env NVM_DIR debug3: Ignored env PCP_DIR debug3: Ignored env LS_COLORS debug3: Ignored env LD_LIBRARY_PATH debug3: Ignored env ORACLE_SID debug3: Ignored env HADOOP_COMMON_LIB_JARS_DIR debug3: Ignored env ORACLE_BASE debug3: Ignored env HADOOP_TOOLS_LIB_JARS_DIR debug3: Ignored env HADOOP_TOOLS_HOME debug3: Ignored env PATH debug3: Ignored env MAIL debug3: Ignored env HADOOP_COMMON_LIB_NATIVE_DIR debug3: Ignored env KRB5_TRACE debug3: Ignored env C_INCLUDE_PATH debug3: Ignored env PWD debug3: Ignored env HADOOP_COMMON_HOME debug3: Ignored env JAVA_HOME debug1: Sending env LANG = en_US.UTF-8 debug2: channel 0: request env confirm 0 debug3: send packet: type 98 debug3: Ignored env HADOOP_CONF_DIR debug3: Ignored env HADOOP_TOOLS_DIR debug3: Ignored env PS1 debug3: Ignored env HADOOP_OPTS debug3: Ignored env HADOOP_COMMON_DIR debug3: Ignored env https_proxy debug3: Ignored env HISTCONTROL debug3: Ignored env KRB5CCNAME debug3: Ignored env HOME debug3: Ignored env SHLVL debug3: Ignored env KRB5_CLIENT_KTNAME debug3: Ignored env ORACLE_PASSWORD debug3: Ignored env LOGNAME debug3: Ignored env SSH_CONNECTION debug3: Ignored env CLASSPATH debug3: Ignored env LESSOPEN debug3: Ignored env PKG_CONFIG_PATH debug3: Ignored env NVM_BIN debug3: Ignored env FSIZE debug3: Ignored env INFOPATH debug3: Ignored env XDG_RUNTIME_DIR debug3: Ignored env ORACLE_HOME debug3: Ignored env ORACLE_USERNAME debug3: Ignored env _ debug2: channel 0: request shell confirm 1 debug3: send packet: type 98 debug2: callback done debug2: channel 0: open confirm rwindow 0 rmax 32768 debug3: receive packet: type 99 debug2: channel_input_status_confirm: type 99 id 0 debug2: PTY allocation request accepted on channel 0 debug2: channel 0: rcvd adjust 2097152 debug3: receive packet: type 99 debug2: channel_input_status_confirm: type 99 id 0 debug2: shell request accepted on channel 0 You are required to change your password immediately (root enforced) Last login: Thu Sep 7 12:12:41 2023 from localhost WARNING: Your password has expired. You must change your password now and login again! Changing password for user username. Changing password for username. (current) UNIX password: debug3: receive packet: type 2 debug3: Received SSH2_MSG_IGNORE debug3: receive packet: type 96 debug2: channel 0: rcvd eof debug2: channel 0: output open -> drain debug2: channel 0: obuf empty debug2: channel 0: close_write debug2: channel 0: output drain -> closed debug3: receive packet: type 98 debug1: client_input_channel_req: channel 0 rtype exit-signal reply 0 debug3: receive packet: type 98 debug1: client_input_channel_req: channel 0 rtype eow at openssh.com reply 0 debug2: channel 0: rcvd eow debug2: channel 0: close_read debug2: channel 0: input open -> closed debug3: receive packet: type 97 debug2: channel 0: rcvd close debug3: channel 0: will not send data after close debug2: channel 0: almost dead debug2: channel 0: gc: notify user debug2: channel 0: gc: user detached debug2: channel 0: send close debug3: send packet: type 97 debug2: channel 0: is dead debug2: channel 0: garbage collecting debug1: channel 0: free: client-session, nchannels 1 debug3: channel 0: status: The following connections are open: #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1) debug3: send packet: type 1 Connection to localhost closed. Transferred: sent 2952, received 2884 bytes, in 2.1 seconds Bytes per second: sent 1379.7, received 1347.9 debug1: Exit status -1 Regards, Amirul From dan at coneharvesters.com Fri Sep 8 18:49:12 2023 From: dan at coneharvesters.com (Dan Fandrich) Date: Fri, 8 Sep 2023 09:49:12 -0700 Subject: LibSSH2 password expire issue In-Reply-To: References: Message-ID: On Thu, Sep 07, 2023 at 01:18:51PM +0600, Amirul Islam via libssh2-devel wrote: > I am having a little problem, I checked around online, but could not find a reasonable explanation. I am trying to authenticate a session with a linux box. The user password is expired, but the functions "libssh2_userauth_password_ex" or "libssh2_userauth_publickey_fromfile_ex" never fails with LIBSSH2_ERROR_PASSWORD_EXPIRED, following is my code. There is a specific SSH protocol message code (60) that the server needs to send for this to happen. Based on the logs, it seems the server does not send it. Instead, it sends SSH_MSG_USERAUTH_SUCCESS (i.e. it allows the login) then asks the user to change it interactively instead. Dan