{"id":6799,"date":"2014-04-23T08:06:54","date_gmt":"2014-04-23T08:06:54","guid":{"rendered":"https:\/\/unknownerror.org\/index.php\/2014\/04\/23\/ssh-login-via-ipv6-successfull-while-using-ipv4-to-the-same-host-yields-permission-denied-collection-of-common-programming-errors\/"},"modified":"2014-04-23T08:06:54","modified_gmt":"2014-04-23T08:06:54","slug":"ssh-login-via-ipv6-successfull-while-using-ipv4-to-the-same-host-yields-permission-denied-collection-of-common-programming-errors","status":"publish","type":"post","link":"https:\/\/unknownerror.org\/index.php\/2014\/04\/23\/ssh-login-via-ipv6-successfull-while-using-ipv4-to-the-same-host-yields-permission-denied-collection-of-common-programming-errors\/","title":{"rendered":"SSH login via IPv6 successful while using IPv4 to the same host yields &ldquo;Permission denied&rdquo;-Collection of common programming errors"},"content":{"rendered":"<p>I&#8217;m currently stumped by a strange problem. I have a dual stack host to which I want to SSH. 
If I connect via IPv6 everything works as expected<\/p>\n<pre><code>datenwolf@foo ~\/ &gt; ssh -6 bar.example.com\nPassword:\n\ndatenwolf@bar ~\/ &gt;\n<\/code><\/pre>\n<p>However, when doing the same via IPv4 it fails<\/p>\n<pre><code>datenwolf@foo ~\/ &gt; ssh -4 bar.example.com\nPassword:\nPermission denied (publickey,keyboard-interactive).\n\ndatenwolf@foo ~\/ &gt;\n<\/code><\/pre>\n<p>Excerpt from <code>\/var\/log\/sshd<\/code> for the failing login<\/p>\n<pre><code>Apr 24 16:34:03 [sshd] SSH: Server;Ltype: Version;Remote: www.xxx.yyy.zzz-38427;Protocol: 2.0;Client: OpenSSH_5.9p1 Debian-5ubuntu1\nApr 24 16:34:03 [sshd] SSH: Server;Ltype: Kex;Remote: www.xxx.yyy.zzz-38427;Enc: aes128-ctr;MAC: hmac-md5;Comp: none [preauth]\nApr 24 16:34:04 [sshd] SSH: Server;Ltype: Authname;Remote: www.xxx.yyy.zzz-38427;Name: wolfgangd [preauth]\nApr 24 16:34:07 [sshd] pam_access(sshd:account): access denied for user `datenwolf' from `foo.example.com'\nApr 24 16:34:07 [sshd] error: PAM: User account has expired for datenwolf from foo.example.com\nApr 24 16:34:07 [sshd] Connection closed by www.xxx.yyy.zzz [preauth]\n<\/code><\/pre>\n<p>Of course the account did not expire and I can perfectly log in via IPv6. 
Using Google I found various reports on the log messages but none of them matched my problem (in the sense that applying the proposed solutions didn&#8217;t work for my case).<\/p>\n<p>I&#8217;m pretty much out of ideas here.<\/p>\n<h3>Update<\/h3>\n<p><code>\/var\/log\/sshd<\/code> for successful IPv6 login <em>on the very same target machine<\/em>:<\/p>\n<pre><code>Apr 24 16:56:42 [sshd] SSH: Server;Ltype: Version;Remote: 2001:x:x:x:x:x:x:x-46025;Protocol: 2.0;Client: OpenSSH_5.9p1 Debian-5ubuntu1\nApr 24 16:56:42 [sshd] SSH: Server;Ltype: Kex;Remote: 2001:x:x:x:x:x:x:x-46025;Enc: aes128-ctr;MAC: hmac-md5;Comp: none [preauth]\nApr 24 16:56:43 [sshd] SSH: Server;Ltype: Authname;Remote: 2001:x:x:x:x:x:x:x-46025;Name: datenwolf [preauth]\nApr 24 16:56:47 [sshd] Accepted keyboard-interactive\/pam for datenwolf from 2001:x:x:x:x:x:x:x port 46025 ssh2\nApr 24 16:56:47 [sshd] pam_unix(sshd:session): session opened for user datenwolf by (uid=0)\n<\/code><\/pre>\n<p>I tried logging in from various machines, all with the same result: IPv6 works, IPv4 doesn&#8217;t.<\/p>\n<h3>Update 2<\/h3>\n<p>For reference, these are the IP tables in use. Note that <em>these are battle tested<\/em>, i.e. they have been in use for several years now and were not changed recently. 
Remote login via IPv4 <em>did<\/em> work with them.<\/p>\n<p>IPv4 iptables:<\/p>\n<pre><code>Chain INPUT (policy ACCEPT 2144 packets, 336K bytes)\n pkts bytes target     prot opt in     out     source               destination         \n  132 20762 fail2ban-SSH  tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            tcp dpt:22\n  12M   14G ACCEPT     all  --  ppp0   *       0.0.0.0\/0            0.0.0.0\/0            ctstate RELATED,ESTABLISHED\n 3111 95984 ACCEPT     icmp --  ppp0   *       0.0.0.0\/0            0.0.0.0\/0           \n18692 1123K ACCEPT     tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            tcp dpt:22\n    2   112 ACCEPT     udp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            udp dpt:1194\n    0     0 ACCEPT     tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            tcp dpt:1194\n 4633  288K ACCEPT     udp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            udp dpts:6880:6899\n 2826  154K ACCEPT     tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            tcp dpts:6880:6899\n    4   160 ACCEPT     udp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            udp dpt:123\n    0     0 ACCEPT     tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            tcp dpt:123\n44165 3069K REJECT     all  --  ppp0   *       0.0.0.0\/0            0.0.0.0\/0            reject-with icmp-port-unreachable\n\nChain FORWARD (policy ACCEPT 48032 packets, 44M bytes)\n pkts bytes target     prot opt in     out     source               destination         \n    0     0 REJECT     udp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            udp dpt:631 reject-with icmp-port-unreachable\n    0     0 REJECT     udp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            udp dpt:515 reject-with icmp-port-unreachable\n    0     0 REJECT     tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            tcp dpt:631 reject-with icmp-port-unreachable\n    0     0 
REJECT     tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            tcp dpt:515 reject-with icmp-port-unreachable\n    0     0 REJECT     all  --  ppp0   ppp0    0.0.0.0\/0            0.0.0.0\/0            reject-with icmp-port-unreachable\n 133K 8347K TCPMSS     tcp  --  *      ppp0    0.0.0.0\/0            0.0.0.0\/0            tcp flags:0x06\/0x02 TCPMSS clamp to PMTU\n\nChain OUTPUT (policy ACCEPT 14378 packets, 2172K bytes)\n pkts bytes target     prot opt in     out     source               destination         \n\nChain fail2ban-SSH (1 references)\n pkts bytes target     prot opt in     out     source               destination         \n  132 20762 RETURN     all  --  *      *       0.0.0.0\/0            0.0.0.0\/0 \n<\/code><\/pre>\n<p>IPv6 ip6tables<\/p>\n<pre><code>Chain INPUT (policy DROP 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n    0     0 DROP       all      *      *       ::\/0                 ::\/0                 rt type:0 segsleft:0\n 484K   86M ACCEPT     icmpv6   *      *       ::\/0                 ::\/0                \n 105K 7943K ACCEPT     tcp      *      *       ::\/0                 ::\/0                 tcp dpt:22\n    0     0 ACCEPT     udp      *      *       ::\/0                 ::\/0                 udp dpt:1194\n    0     0 ACCEPT     tcp      *      *       ::\/0                 ::\/0                 tcp dpt:1194\n    0     0 ACCEPT     udp      *      *       ::\/0                 ::\/0                 udp dpts:6880:6899\n    0     0 ACCEPT     tcp      *      *       ::\/0                 ::\/0                 tcp dpts:6880:6899\n    0     0 ACCEPT     tcp      *      *       ::\/0                 ::\/0                 tcp dpt:123\n    0     0 ACCEPT     udp      *      *       ::\/0                 ::\/0                 udp dpt:123\n    0     0 ACCEPT     all      ppp0,sixxs *       ::\/0                 ::\/0                 ctstate 
RELATED,ESTABLISHED\n4164K  466M ACCEPT     all      !ppp0,sixxs *       ::\/0                 ::\/0                \n    0     0 REJECT     all      *      *       ::\/0                 ::\/0                 reject-with icmp6-port-unreachable\n\nChain FORWARD (policy DROP 0 packets, 0 bytes)\n pkts bytes target     prot opt in     out     source               destination         \n    0     0 DROP       all      *      *       ::\/0                 ::\/0                 rt type:0 segsleft:0\n 2864  311K ACCEPT     icmpv6   *      *       ::\/0                 ::\/0                \n    0     0 REJECT     tcp      *      *       ::\/0                 ::\/0                 multiport ports 631 reject-with icmp6-port-unreachable\n    0     0 REJECT     udp      *      *       ::\/0                 ::\/0                 multiport ports 631 reject-with icmp6-port-unreachable\n    0     0 REJECT     tcp      *      *       ::\/0                 ::\/0                 multiport ports 515 reject-with icmp6-port-unreachable\n    0     0 REJECT     udp      *      *       ::\/0                 ::\/0                 multiport ports 515 reject-with icmp6-port-unreachable\n    0     0 REJECT     all      ppp0,sixxs ppp0,sixxs  ::\/0                 ::\/0                 reject-with icmp6-port-unreachable\n    0     0 accept_with_pmtu_clamp  tcp      ppp0,sixxs *      !2001:x:x::\/48   2001:x:x::\/48   tcp dpt:22\n  18M   14G accept_with_pmtu_clamp  all      *      *       ::\/0                 ::\/0                 ctstate RELATED,ESTABLISHED\n65503 5289K accept_with_pmtu_clamp  all      !ppp0,sixxs *       ::\/0                 ::\/0                \n    0     0 REJECT     all      *      *       ::\/0                 ::\/0                 reject-with icmp6-port-unreachable\n\nChain OUTPUT (policy ACCEPT 8099K packets, 11G bytes)\n pkts bytes target     prot opt in     out     source               destination         \n    0     0 DROP       all      *      *       ::\/0        
         ::\/0                 rt type:0 segsleft:0\n\nChain accept_with_pmtu_clamp (3 references)\n pkts bytes target     prot opt in     out     source               destination         \n    0     0 TCPMSS     tcp      *      ppp0,sixxs  ::\/0                 ::\/0                 tcp flags:0x06\/0x02 TCPMSS clamp to PMTU\n  18M   14G ACCEPT     all      *      *       ::\/0                 ::\/0 \n<\/code><\/pre>\n<h3>Update 3<\/h3>\n<p>This is <code>\/etc\/sshd\/sshd_config<\/code> of the system I try to connect to, stripped of all comments:<\/p>\n<pre><code>Port 22\nListenAddress 0.0.0.0\nListenAddress ::\n\nPubkeyAuthentication yes\nPasswordAuthentication no\nUsePAM yes\n\nAllowAgentForwarding yes\nAllowTcpForwarding yes\nX11Forwarding yes\nX11DisplayOffset 10\nX11UseLocalhost yes\nPrintMotd no\nPrintLastLog no\nUseDNS yes\n\nSubsystem       sftp    \/usr\/lib64\/misc\/sftp-server\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;m currently stumped by a strange problem. I have a dual stack host to which I want to SSH. 
If I connect via IPv6 everything works as expected datenwolf@foo ~\/ &gt; ssh -6 bar.example.com Password: datenwolf@bar ~\/ &gt; However, when doing the same via IPv4 it fails datenwolf@foo ~\/ &gt; ssh -4 bar.example.com Password: Permission [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6799","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6799","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/comments?post=6799"}],"version-history":[{"count":0,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/posts\/6799\/revisions"}],"wp:attachment":[{"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/media?parent=6799"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/categories?post=6799"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unknownerror.org\/index.php\/wp-json\/wp\/v2\/tags?post=6799"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}