How to debug an SSH session

From Wiki-UX.info

Information

This article explains how to run the Secure Shell daemon (sshd) in debug mode to troubleshoot SSH sessions. The procedure starts a new sshd process on an arbitrary TCP port and enables debugging for a single client connection. When the client connection ends, the process exits and is not re-spawned, which finishes the test.

Technical Work Instruction

1. Start an sshd daemon in debug mode on an arbitrary port on the SSH server. Use the full path /opt/ssh/sbin/sshd.

# /opt/ssh/sbin/sshd -d -p <port#>

Example:

# /opt/ssh/sbin/sshd -d -p 54231
debug1: Config token is protocol
debug1: Config token is kerberosauthentication
debug1: Config token is usepam
debug1: Config token is x11forwarding
debug1: Config token is subsystem
debug1: HPN Buffer Size: 65536
debug1: RCV Buffer Size: 131072
debug1: sshd version OpenSSH_5.2p1+sftpfilecontrol-v1.3-hpn13v5 [ HP-UX Secure Shell-A.05.20.015 ]
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/opt/ssh/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='54231'
debug1: Bind to port 54231 on ::.
debug1: Server TCP RWIN socket size: 131072
debug1: HPN Buffer Size: 65536
Server listening on :: port 54231.
debug1: Bind to port 54231 on 0.0.0.0.
debug1: Server TCP RWIN socket size: 131072
debug1: HPN Buffer Size: 65536
Server listening on 0.0.0.0 port 54231.
Generating 1024 bit RSA key.
RSA key generation complete.
  • Note: The console will display debug data until the client session closes.

2. Open an SSH session from the client using the desired user login and the same arbitrary port. Use the FQDN for the guest.

# ssh -p <port#> amarin@gse3600.alf.cpqcorp.net

Example:

# ssh -p 54231 amarin@gse3600.alf.cpqcorp.net
Password:
Last successful login:       Sun Oct 11 14:12:57 EDT 2009 localhost
Last login: Sun Oct 11 14:13:09 2009
Environment:
  USER=amarin
  LOGNAME=amarin
  HOME=/home/amarin
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin
  MAIL=/var/mail/amarin
  SHELL=/usr/bin/sh
  TZ=EST5EDT
  SSH_CLIENT=16.90.154.246 64538 54231
  SSH_CONNECTION=16.90.154.246 64538 16.113.11.136 54231
  SSH_TTY=/dev/pts/0
  TERM=xterm
  SFTP_UMASK=
  SFTP_PERMIT_CHMOD=1
  SFTP_PERMIT_CHOWN=1
(c)Copyright 1983-2006 Hewlett-Packard Development Company, L.P.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.
(c)Copyright 1986-2000 Sun Microsystems, Inc.
(c)Copyright 1985, 1986, 1988 Massachusetts Institute of Technology
(c)Copyright 1989-1993  The Open Software Foundation, Inc.
(c)Copyright 1990 Motorola, Inc.
(c)Copyright 1990, 1991, 1992 Cornell University
(c)Copyright 1989-1991 The University of Maryland
(c)Copyright 1988 Carnegie Mellon University
(c)Copyright 1991-2006 Mentat Inc.
(c)Copyright 1996 Morning Star Technologies, Inc.
(c)Copyright 1996 Progressive Systems, Inc.

Confidential computer software. Valid license from HP required for
possession, use or copying.  Consistent with FAR 12.211 and 12.212,
Commercial Computer Software, Computer Software Documentation, and
Technical Data for Commercial Items are licensed to the U.S. Government
under vendor's standard commercial license.

$

3. Close the ssh client session using the exit command.

$ exit
logout
Connection to gse3600.alf.cpqcorp.net closed.

4. Review the debug information. The SSH server debug session data will look similar to the following output:

...
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 6 out 6 newsock 6 pipe -1 sock 9
debug1: inetd sockets after dupping: 4, 4
debug1: audit connection from 16.90.154.246 port 64538 euid 0
debug1: failed to load audit reporting function pointer
debug1: Information
Ip:16.90.154.246
Port 64538
Session id:24681
af_family=2
Command=\237\377\377\377\277|\313\320

Connection from 16.90.154.246 port 64538
debug1: HPN Disabled: 0, HPN Buffer Size: 65536
debug1: Client protocol version 2.0; client software version OpenSSH_4.7p1+sftpfilecontrol-v1.2-hpn12v17
SSH: Server;Ltype: Version;Remote: 16.90.154.246-64538;Protocol: 2.0;Client: OpenSSH_4.7p1+sftpfilecontrol-v1.2-hpn12v17
debug1: match: OpenSSH_4.7p1+sftpfilecontrol-v1.2-hpn12v17 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_5.2p1+sftpfilecontrol-v1.3-hpn13v5
debug1: permanently_set_uid: 104/103
debug1: MYFLAG IS 1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
debug1: REQUESTED ENC.NAME is 'aes128-cbc'
debug1: kex: client->server aes128-cbc hmac-md5 none
SSH: Server;Ltype: Kex;Remote: 16.90.154.246-64538;Enc: aes128-cbc;MAC: hmac-md5;Comp: none
debug1: REQUESTED ENC.NAME is 'aes128-cbc'
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user amarin service ssh-connection method none
SSH: Server;Ltype: Authname;Remote: 16.90.154.246-64538;Name: amarin
debug1: attempt 0 failures 0
debug1: Config token is protocol
debug1: Config token is kerberosauthentication
debug1: Config token is usepam
debug1: Config token is x11forwarding
debug1: Config token is subsystem
debug1: PAM: initializing for "amarin"
debug1: PAM: setting PAM_RHOST to "swtape01.americas.hpqcorp.net"
Failed none for amarin from 16.90.154.246 port 64538 ssh2
debug1: audit event euid 0 user amarin event 3 (AUTH_FAIL_NONE)
debug1: userauth-request for user amarin service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 0
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=amarin devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for amarin from 16.90.154.246 port 64538 ssh2
debug1: do_pam_account: called
Postponed keyboard-interactive/pam for amarin from 16.90.154.246 port 64538 ssh2
debug1: do_pam_account: called
Accepted keyboard-interactive/pam for amarin from 16.90.154.246 port 64538 ssh2
debug1: monitor_child_preauth: amarin has been authenticated by privileged process
debug1: audit event euid 0 user amarin event 2 (AUTH_SUCCESS)
debug1: aud_sav_flag=1
debug1: PAM: establishing credentials
debug1: B.11.31
debug1: 11.31 platform: audit_flag=1
debug1: audit_flag: 1
User child is on pid 2093
debug1: PAM: establishing credentials
debug1: permanently_set_uid: 109/20
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: session 0
debug1: session_pty_req: session 0 alloc /dev/pts/0
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: #### Writing pid 2095 tty /dev/pts/0 to priviledged process ###
debug1: #### Priviledged process: received pid 2095 tty /dev/pts/0 ###
debug1: audit session open euid 0 user amarin tty name /dev/pts/0
debug1: aud_sav_flag=1
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 2095
debug1: session_exit_message: session 0 channel 0 pid 2095
debug1: session_exit_message: release channel 0
debug1: session_by_tty: session 0 tty /dev/pts/0
debug1: session_pty_cleanup: session 0 release /dev/pts/0
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug1: #### Writing pid 2095 tty /dev/pts/0 to priviledged process ###
debug1: channel 0: free: server-session, nchannels 1
debug1: #### Priviledged process: received pid for logout 2095 tty /dev/pts/0 ###
Connection closed by 16.90.154.246
SSH: Server;LType: Throughput;Remote: 16.90.154.246-64538;IN: 3024;OUT: 720;Duration: 73.7;tPut_in: 41.1;tPut_out: 9.8
debug1: do_cleanup
Transferred: sent 4392, received 1840 bytes
Closing connection to 16.90.154.246 port 64538
debug1: audit session close euid 0 user amarin tty name /dev/pts/0
debug1: aud_sav_flag=1
debug1: audit event euid 0 user amarin event 11 (CONNECTION_CLOSE)
debug1: aud_sav_flag=1
debug1: PAM: cleanup
debug1: PAM: deleting credentials
debug1: PAM: closing session
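
When reviewing the output from step 4, the lines that matter most are the client version, the negotiated algorithms, and the authentication trail. The following is an added example, not part of the original article: a small Python parser that reduces debug output in the format shown above to those facts. The function name `summarize`, the `FLAGGED` policy list, and the choice of fields are assumptions of this example; the sample input is an excerpt of the output shown on this page.

```python
import re

# Excerpt of the server-side debug output shown in step 4 of this page.
SAMPLE = """\
debug1: Client protocol version 2.0; client software version OpenSSH_4.7p1+sftpfilecontrol-v1.2-hpn12v17
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
Failed none for amarin from 16.90.154.246 port 64538 ssh2
debug1: audit event euid 0 user amarin event 3 (AUTH_FAIL_NONE)
Postponed keyboard-interactive for amarin from 16.90.154.246 port 64538 ssh2
Accepted keyboard-interactive/pam for amarin from 16.90.154.246 port 64538 ssh2
debug1: audit event euid 0 user amarin event 2 (AUTH_SUCCESS)
debug1: audit event euid 0 user amarin event 11 (CONNECTION_CLOSE)
"""

# Illustrative review policy (an assumption of this example, not from the page).
FLAGGED = {"aes128-cbc", "hmac-md5"}

# Patterns match the line formats printed by the sshd build shown on this page.
PATTERNS = {
    "client": re.compile(r"client software version (\S+)"),
    "kex": re.compile(r"^debug1: kex: (\S+) (\S+) (\S+) (\S+)$"),
    "auth": re.compile(r"^(Failed|Postponed|Accepted) (\S+) for (\S+) from (\S+) port \d+"),
    "audit": re.compile(r"audit event euid \d+ user \S+ event \d+ \((\w+)\)"),
}

def summarize(log_text):
    """Reduce sshd -d output to client version, algorithms and auth trail."""
    out = {"client": None, "kex": {}, "auth": [], "audit": [], "flagged": []}
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line.strip())
            if not m:
                continue
            if name == "client":
                out["client"] = m.group(1)
            elif name == "kex":
                # direction -> (cipher, MAC, compression)
                out["kex"][m.group(1)] = m.groups()[1:]
            elif name == "auth":
                # (result, method, user, source IP)
                out["auth"].append(m.groups())
            else:
                out["audit"].append(m.group(1))
    algos = {a for triple in out["kex"].values() for a in triple}
    out["flagged"] = sorted(algos & FLAGGED)
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

To use it on a real session, redirect the console output of the debug sshd to a file and pass the file's contents to `summarize`.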
