
We have a need to pull web server logs in order to do all kinds of reporting and charge-back. In order for this to work in an automated fashion, we use public key authentication. On the server where this "pull" process runs, attempts to connect to other servers with public-key authentication start to fail, and are resolved with a reboot, or by recycling the SSHD daemon (or broker daemon?). This has occurred many times already, and is a high priority item for us.

asked Sep 12 '11 at 22:27


ChaimA

edited Sep 21 '11 at 18:24


SSH KB ♦

In order to understand what is going on, could you update your question with the exact error message you get? Preferably from both the SSH client and the SSH server. Is it really authentication that fails? Or does it fail to open a new channel? Could you also provide the exact client-side command that fails? The operating systems and versions of the SSH server and SSH client are also quite important here.

(Sep 12 '11 at 22:38) Martin Dobsik ♦

Can you add more details to your question? Such as:

- Version of Tectia client in use
- Operating system where Tectia client is installed
- Example command line
- Error message that is shown when failing
- When the connections start to fail, are there any processes hanging?

(Sep 12 '11 at 22:42) Roman ♦♦

There is no error message; we get prompted for a password, whereas before this problem appears, we authenticate successfully without a password.

(Sep 12 '11 at 22:53) ChaimA

That is interesting, but still the other questions are quite important and remain unanswered (version, OS, command, ...).

Now I have additional questions: do you use public keys, or certificates? And is there authentication agent forwarding involved?

(Sep 12 '11 at 23:04) Martin Dobsik ♦

The client is "6.0.12 on sparc-sun-solaris2.8", although uname -a says "SunOS ... 5.10 Generic".

(Sep 12 '11 at 23:05) ChaimA

No error message, just a password prompt instead of a successful connection.

(Sep 12 '11 at 23:07) ChaimA

In which process should I check for a hang?

(Sep 12 '11 at 23:20) ChaimA

Still, the other answers are important too: what command is failing? Is agent forwarding used? Certificates or public keys? Server versions and platforms? Are there many connections opened by the user at the time of failure ("ssh-broker-ctl list-connections")?

(Sep 12 '11 at 23:21) Martin Dobsik ♦

We use public keys, both in Tectia format and converted to OpenSSH format on some servers. The ones in Tectia format are saved within the Tectia directory structure as defined in sshd_config on those servers. On some others, they are in OpenSSH format in authorized_keys2 in the target user's /home/<user>/.ssh directory.

(Sep 12 '11 at 23:23) ChaimA

If the server is Tectia 5.0 or newer, then the hanging candidates to look for are mainly: ssh-user-fileio, sft-server-g3, ssh-servant-g3.

On the client side, there could be multiple instances of ssh-broker-g3 or ssh-broker-cli (both are the same) running for the same user, which would be bad.

(Sep 12 '11 at 23:27) Martin Dobsik ♦

Well, I see multiple instances of ssh-servant-g3.

(Sep 12 '11 at 23:38) ChaimA

Under normal conditions with the default configuration, the server starts 5 ssh-servant-g3 processes on startup. If the load on the server is high, then it may start more ssh-servant-g3 processes to handle that. So if there are around 5 of them, then it is probably OK.

The other processes I mentioned should vanish when all connections to the server are closed.

(Sep 13 '11 at 08:13) Martin Dobsik ♦

We could try to examine the debug logs of the ssh-broker-g3 component at the time of failure and also the server logs, but in the meantime I would advise you to consider the workaround for an issue with 32-bit binaries on Solaris platforms, which I mention in my answer to the question:

Why do I get "too many connections" from the server after some time?

A link to a page with details is also provided there, but for completeness here they are too. You could try the suggested workaround. Note, though, that it is the ssh-broker-g3 process which requires the pre-load to be set, not the client itself.

Sorry I forgot to mention that the workaround is only available on Solaris 10 and newer platforms.


answered Sep 12 '11 at 23:16


Martin Dobsik ♦

edited Sep 12 '11 at 23:18
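The comments above suggest two checks on the "pull" host and the target servers before digging into debug logs: whether more than the default 5 ssh-servant-g3 processes are running (which points at load or hung connections), and whether a user has more than one ssh-broker-g3 instance (which the thread calls "bad"). The following script is an added example, not code from this thread or from the Tectia product; it assumes the process names used in the comments, treats the threshold of 5 servants as the default mentioned above, matches names against the last column of `ps -eo user,pid,comm` output, and embeds a constructed sample of that output so it can be run offline.

```shell
#!/bin/sh
# Health check for the Tectia process layout discussed in the thread.
# Added example, not code from the original thread or from the Tectia product.
# Assumptions: process names ssh-servant-g3 / ssh-broker-g3 as named in the
# comments; the servant threshold of 5 is the default startup count mentioned
# there; input is in "ps -eo user,pid,comm" layout (user, pid, command).

# Constructed sample of "ps -eo user,pid,comm" output (not a real capture):
# 7 servants (above the default 5) and user "puller" with two brokers.
SAMPLE_PS='USER       PID COMMAND
root       201 ssh-servant-g3
root       202 ssh-servant-g3
root       203 ssh-servant-g3
root       204 ssh-servant-g3
root       205 ssh-servant-g3
root       206 ssh-servant-g3
root       207 ssh-servant-g3
puller     310 ssh-broker-g3
puller     311 ssh-broker-g3
oper       412 ssh-broker-g3
root       500 ssh-user-fileio'

# count_procs NAME: number of processes whose command column equals NAME
# (ps text is read from stdin; prints 0 when there are none).
count_procs() {
    awk -v name="$1" '$3 == name { n++ } END { print n + 0 }'
}

# users_with_multiple NAME: print each user running more than one NAME process,
# one per line, sorted. Used for the "several brokers for one user" case.
users_with_multiple() {
    awk -v name="$1" '$3 == name { c[$1]++ }
                      END { for (u in c) if (c[u] > 1) print u }' | sort
}

# servant_status: "ok" when the servant count is at or below the default 5,
# "high" otherwise. "high" can be load, or connections that never closed;
# "ssh-broker-ctl list-connections" (from the thread) shows the client side.
servant_status() {
    n=$(count_procs ssh-servant-g3)
    if [ "$n" -le 5 ]; then echo ok; else echo high; fi
}

# report: run all checks over the ps text on stdin and print a summary.
report() {
    tmp=$(cat)
    servants=$(printf '%s\n' "$tmp" | count_procs ssh-servant-g3)
    status=$(printf '%s\n' "$tmp" | servant_status)
    echo "ssh-servant-g3 processes: $servants ($status; default at startup is 5)"
    dups=$(printf '%s\n' "$tmp" | users_with_multiple ssh-broker-g3)
    if [ -n "$dups" ]; then
        echo "users with more than one ssh-broker-g3 (should be one per user):"
        printf '  %s\n' $dups
    else
        echo "ssh-broker-g3: one instance per user"
    fi
}

# Usage: ./tectia-check.sh        -> report on the constructed sample
#        ./tectia-check.sh live   -> report on this host's real process list
case "${1:-sample}" in
    live) ps -eo user,pid,comm | report ;;
    *)    printf '%s\n' "$SAMPLE_PS" | report ;;
esac
```

On a real host, run it with `live` on both the pull server and a target server while a pull is failing, and compare the servant count and broker instances with a healthy period; the thread's advice is that around 5 servants is normal and that extra servants, ssh-user-fileio or sft-server-g3 processes should disappear once all connections are closed.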
