This post shows how to run ssh (the client command) and sshd (the server daemon) in debug mode in order to troubleshoot authentication (login) and connection problems. Oracle/Sun technical support will ask for this debug output when a service request is opened for an ssh/sshd authentication or connection issue.
Steps to Follow
Run the sshd daemon in debug mode. In debug mode sshd stays in the foreground, does not fork, and accepts a single connection before exiting. You have the choice of either:
1. stopping the active sshd on the system so that an sshd running in debug mode can be started on port 22 (keep an existing session open, because the host has no ssh listener until the normal sshd is restarted), or
2. starting a new sshd instance in debug mode on a free port other than port 22, leaving the normal sshd in service. Any firewall between the client and the server must allow the extra port. The example below starts a new sshd on a different port (2222 in this case) in debug mode:
ssh_server# /usr/lib/ssh/sshd -p 2222 -ddd
debug1: sshd version Sun_SSH_1.1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222
The output stops here until a client connects to port 2222. With the server waiting for a connection, start the debug session from the ssh client:
root@sshclient# /usr/bin/ssh -p 2222 -vvv 192.168.100.33
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to 192.168.100.33 [192.168.100.33] port 2222.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1
debug1: no match: Sun_SSH_1.1
debug1: Enabling compatibility mode for protocol 2.0
debug2: . . . (snipped for brevity)
Note: the debug output scrolls quickly; on both sides it is written to stderr, so redirecting stderr to a file is easier than copying it from the terminal. Complete (or attempt to complete) the login so that both sides produce their full debug output, including the authentication exchange.
For sftp testing, pass the alternate port with the -o option:
# sftp -oPort=2222 192.168.100.33
For more detailed debugging, truss can be used to capture the system calls and signals of either process (-f follows the forked children, and -o writes the trace to a file so that it does not mix with the debug output on stderr). Be aware that -rall and -wall record the contents of every read and write, so the trace can contain passwords and other secrets that the processes handle in the clear; review it before attaching it to a service request.
On the server
# truss -aefdl -rall -wall -vall -xall -o /var/tmp/sshd.truss /usr/lib/ssh/sshd -p 2222 -ddd
On the client
# truss -aefdl -rall -wall -vall -xall -o /var/tmp/ssh.truss /usr/bin/ssh -p 2222 -vvv 192.168.100.33
Once the connection is made, the server debug window will continue to output debug data:
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.100.33 port 56939
debug1: Client protocol version 2.0; client software version Sun_SSH_1.1
debug1: no match: Sun_SSH_1.1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-Sun_SSH_1.1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug2: (snipped for brevity)
Copy and paste, or save, the debug output from BOTH sides and attach both to the service request. If you stopped the normal sshd in step 1, restart it once the capture is done; the debug sshd exits when its single connection ends.
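The whole procedure, as an added example that is not part of the Oracle/Sun article and not Oracle code: a small POSIX sh script that wraps the server and client capture steps above (saving each side's debug output to a file instead of the scrolling terminal) and then triages the saved transcripts before they go to support. It assumes that sshd -ddd and ssh -vvv write their debug lines to stderr (the client's password prompt is written to the tty, so it still appears), and that the message wording follows the OpenSSH-derived text Sun_SSH uses ("Authentications that can continue", "Permission denied", "Accepted/Failed password for"). The two sample transcripts are constructed for offline testing, modelled on the output shown above with a failed password login added; adjust the patterns if your version words its messages differently.

```shell
#!/bin/sh
# Added example (not from the Oracle/Sun article): wrappers for the capture
# procedure plus a small triage of the saved transcripts.
#
# Assumptions not stated in the article:
#  - sshd -ddd and ssh -vvv write their debug lines to stderr, so "2>file"
#    saves them without touching the interactive session;
#  - the message patterns below follow the OpenSSH-derived wording used by
#    Sun_SSH; adjust them if your version differs.

SSHD=/usr/lib/ssh/sshd
SSH=/usr/bin/ssh

# Server side (run as root): foreground debug sshd on an alternate port.
# It serves one connection, then exits, so the normal sshd stays untouched.
start_debug_sshd() {          # usage: start_debug_sshd 2222 /var/tmp/sshd.debug
    "$SSHD" -p "$1" -ddd 2>"$2"
}

# Client side: verbose client; the session stays on the terminal and the
# debug lines go to the file.
run_debug_client() {          # usage: run_debug_client 2222 192.168.100.33 /var/tmp/ssh.debug
    "$SSH" -p "$1" -vvv "$2" 2>"$3"
}

# Keep only the lines that usually explain a failure: connection events,
# version negotiation, the authentication methods offered/tried, the verdict.
summarize_debug() {
    grep -E 'Connection (established|refused|from|closed)|protocol version|Authentications that can continue|Next authentication method|userauth-request|Permission denied|Authentication succeeded|Accepted |Failed (password|publickey)|Bind to port|listening on' "$1"
}

# Methods the server offered, as seen by the client (first offer only).
offered_auth_methods() {
    sed -n 's/.*Authentications that can continue: //p' "$1" | head -n 1
}

# One-word verdict for either side's transcript.  Success is tested first
# because a client that fails publickey and then succeeds with a password
# shows two "Next authentication method" lines but no "Permission denied".
# "Failed none" is deliberately not matched: sshd logs it for the initial
# "none" probe even when the login later succeeds.
debug_verdict() {
    if grep -q -e 'Authentication succeeded' -e 'Accepted ' "$1"; then
        echo auth-ok
    elif grep -q -e 'Permission denied' -e 'Failed password' -e 'Failed publickey' "$1"; then
        echo auth-failed
    elif grep -q -e 'Connection refused' -e 'Connection timed out' "$1"; then
        echo unreachable
    elif grep -q -e 'Connection established' -e 'Connection from' "$1"; then
        echo incomplete           # connected, but the login never finished
    else
        echo no-connection
    fi
}

# Constructed sample transcripts (modelled on the article's output, with a
# password failure added) so the triage functions can be tried offline.
write_sample_client_log() {
    cat >"$1" <<'EOF'
Sun_SSH_1.1, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.100.33 [192.168.100.33] port 2222.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version Sun_SSH_1.1
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/id_rsa
debug1: Next authentication method: password
debug1: Authentications that can continue: publickey,password
Permission denied (publickey,password).
EOF
}

write_sample_server_log() {
    cat >"$1" <<'EOF'
debug1: sshd version Sun_SSH_1.1
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.100.33 port 56939
debug1: Client protocol version 2.0; client software version Sun_SSH_1.1
debug1: userauth-request for user root service ssh-connection method none
debug1: userauth-request for user root service ssh-connection method publickey
debug1: userauth-request for user root service ssh-connection method password
Failed password for root from 192.168.100.33 port 56939 ssh2
debug1: Connection closed by 192.168.100.33
EOF
}
```

On the server run start_debug_sshd 2222 /var/tmp/sshd.debug, then on the client run_debug_client 2222 192.168.100.33 /var/tmp/ssh.debug. Afterwards debug_verdict and summarize_debug on each file give a quick picture (did the TCP connection happen, which methods were offered, which one failed) before the complete files are attached to the service request; the full transcripts are still what support needs.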