Summary

This article describes in detail how password authentication works in the BoKS SSH server. It uses debug output from boks_sshd to illustrate what is happening at each stage. The other process involved is boks_servc, which runs on the Master and all Replicas and handles authentication and authorization.

boks_sshd is the BoKS SSH server process to which users connect with any SSH client (BoKS or 3rd party). This example assumes that correct Access Routes are already in place.


Reference Information

To enable debug on boks_sshd, start a new instance of it on a port other than the normal port 22, to avoid disrupting access to the server (the command assumes the default installation path):

# /opt/boksm/lib/boks_sshd -ddd -p 2222 > \
    /var/opt/boksm/tmp/sshd_debug.txt 2>&1

This will start a new SSH server running on port 2222. It will accept one connection and terminate after the session ends. Debug output will be redirected to /var/opt/boksm/tmp/sshd_debug.txt, but it can be any file or even stdout.

When a user connects, boks_sshd sends an authentication request to boks_servc, using either broadcast or the list of BoKS servers defined in $BOKS_etc/bcastaddr:

boks_sshd@centos56x6401[6] 09 Oct 01:38:30:385402 in servc_call_str: To server: {FUNC=auth\001CVER=6.7.0\001FROMUSER=foo\001ROUTE=SSH:foo@192.168.99.1->?HOST\001TOHOST=?HOST\001TOUSER=foo\001FROMHOST=192.168.99.1}

boks_servc responds with NEED=psw and the hash algorithm (HASHALG=SHA512). It also sends the salt to use (SALT=$6$U4xy2NF5) and the maximum password length set in BoKS (PSWMAXLEN=32).

boks_sshd@centos56x6401[6] 09 Oct 01:38:30:387523 in servc_call_str: Return: {FUNC=auth\001CVER=6.7.0\001FROMUSER=foo\001ROUTE=SSH:foo@gw.demo.local->centos56x6401\001TOHOST=centos56x6401\001TOUSER=foo\001FROMHOST=192.168.99.1\001$BOKSVERSION=6.7.0\001$OSREL=RedHat-EL5.0-x86_64\001$HOSTSYM=centos56x6401\001$ADDR=192.168.99.70\001$SERVCADDR=192.168.99.70\001$ORIG_FROMHOST_IP=192.168.99.1\001WC=#$*-./?_\001UKEY=TRUSTED:foo\001RMATCH=SSH*:ANY/*->*\001MOD_CONV=1\001AMETHOD=psw\001NEED=psw\001PROMPT=Password: \001HASHALG=SHA512\001SALT=$6$U4xy2NF5\001PSWMAXLEN=32\001VTYPE=psw\001MODLIST=ssh_hb=+1,prompt=-1,timeout=+1,login=+1,noroute=-1,usrqual=+1,add_fromuser=+1,verbose=+1,qual=+1\001$STATE=4\001ERROR=2\001$SERVCVER=6.7.0}

boks_sshd hashes the clear text password with the salt provided and sends the hash back to boks_servc for verification:

boks_sshd@centos56x6401[6] 09 Oct 01:38:34:044145 in servc_call_str: To server: {FUNC=auth\001CVER=6.7.0\001FROMUSER=foo\001ROUTE=SSH:foo@gw.demo.local->centos56x6401\001TOHOST=centos56x6401\001TOUSER=foo\001FROMHOST=192.168.99.1\001$BOKSVERSION=6.7.0\001$OSREL=RedHat-EL5.0-x86_64\001$HOSTSYM=centos56x6401\001$ADDR=192.168.99.70\001$SERVCADDR=192.168.99.70\001$ORIG_FROMHOST_IP=192.168.99.1\001WC=#$*-./?_\001UKEY=TRUSTED:foo\001RMATCH=SSH*:ANY/*->*\001MOD_CONV=1\001AMETHOD=psw\001PROMPT=Password: \001HASHALG=SHA512\001PSWMAXLEN=32\001VTYPE=psw\001MODLIST=ssh_hb=+1,prompt=-1,timeout=+1,login=+1,noroute=-1,usrqual=+1,add_fromuser=+1,verbose=+1,qual=+1\001$STATE=4\001$SERVCVER=6.7.0\001PSW=$6$U4xy2NF5$RlxSUW.CeNRZpRyUbQCEB/jafpCSWWJ.ig8CFmmchKlGca.XK0XQUpo3qFDKYQwyb036ikavRk8LW0p3wD5iO/}

If the password is correct, boks_servc responds with $PSW=ok and $STATE=9, which indicates that it is done and that password authentication was successful:

boks_sshd@centos56x6401[6] 09 Oct 01:38:34:046131 in servc_call_str: Return: {FUNC=auth\001CVER=6.7.0\001FROMUSER=foo\001ROUTE=SSH:foo@gw.demo.local->centos56x6401\001TOHOST=centos56x6401\001TOUSER=foo\001FROMHOST=192.168.99.1\001$BOKSVERSION=6.7.0\001$OSREL=RedHat-EL5.0-x86_64\001$HOSTSYM=centos56x6401\001$ADDR=192.168.99.70\001$SERVCADDR=192.168.99.70\001$ORIG_FROMHOST_IP=192.168.99.1\001WC=#$*-./?_\001UKEY=TRUSTED:foo\001RMATCH=SSH*:ANY/*->*\001MOD_CONV=1\001AMETHOD=psw\001PROMPT=Password: \001HASHALG=SHA512\001PSWMAXLEN=32\001VTYPE=psw\001MODLIST=ssh_hb=+1,prompt=-1,timeout=+1,login=+1,noroute=-1,usrqual=+1,add_fromuser=+1,verbose=+1,qual=+1\001$STATE=9\001$SERVCVER=6.7.0\001PSW=$6$U4xy2NF5$RlxSUW.CeNRZpRyUbQCEB/jafpCSWWJ.ig8CFmmchKlGca.XK0XQUpo3qFDKYQwyb036ikavRk8LW0p3wD5iO/\001$BOKSVERSION=6.7.0\001$OSREL=RedHat-EL5.0-x86_64\001$PSW=ok\001RETRY=0}
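
The exchange above can be followed mechanically in a debug file. The following is an added example, not BoKS code or part of the original article: it parses servc_call_str lines into fields, reports the NEED / $STATE / $PSW progression, and masks the PSW hash so the debug output can be stored or shared. The sample lines are constructed and shortened, and treating the separator as either the literal text \001 or the byte 0x01 is an assumption.

```python
import re

# Matches the servc_call_str lines that boks_sshd -ddd writes, as shown in this article.
CALL_RE = re.compile(r"in servc_call_str: (To server|Return): \{(.*)\}\s*$")
# Assumption: the field separator is logged as the literal text \001 or as the byte 0x01.
SEP_RE = re.compile(r"\\001|\x01")
# PSW carries the salted hash; $PSW is only the verdict (ok) and is left untouched.
PSW_RE = re.compile(r"((?:\{|\\001|\x01)PSW=)[^\\\x01}]*")

# Constructed sample lines (fields shortened, hash replaced by a placeholder).
PREFIX = "boks_sshd@host[6] 09 Oct 01:38:30:000000 in servc_call_str: "
SAMPLE = [
    PREFIX + r"To server: {FUNC=auth\001TOUSER=foo\001FROMHOST=192.168.99.1}",
    PREFIX + r"Return: {FUNC=auth\001TOUSER=foo\001NEED=psw\001HASHALG=SHA512\001$STATE=4}",
    PREFIX + r"To server: {FUNC=auth\001TOUSER=foo\001$STATE=4\001PSW=$6$U4xy2NF5$CONSTRUCTEDhash}",
    PREFIX + r"Return: {FUNC=auth\001TOUSER=foo\001$STATE=9\001PSW=$6$U4xy2NF5$CONSTRUCTEDhash\001$PSW=ok}",
]

def parse_call(line):
    """Return (direction, fields) for a servc_call_str line, else None."""
    m = CALL_RE.search(line)
    if not m:
        return None
    fields = {}
    for item in SEP_RE.split(m.group(2)):
        key, _, value = item.partition("=")  # values such as MODLIST contain '='
        fields[key] = value
    return m.group(1), fields

def trace(lines):
    """One (direction, TOUSER, NEED, $STATE, $PSW) tuple per servc call."""
    steps = []
    for line in lines:
        parsed = parse_call(line)
        if parsed:
            direction, f = parsed
            steps.append((direction, f.get("TOUSER"), f.get("NEED"),
                          f.get("$STATE"), f.get("$PSW")))
    return steps

def redact(line):
    """Mask the PSW hash so the line can be stored or shared."""
    return PSW_RE.sub(r"\g<1><redacted>", line)

if __name__ == "__main__":
    for step, line in zip(trace(SAMPLE), SAMPLE):
        print(step, redact(line)[-40:])
```

A successful password login shows NEED=psw with $STATE=4 in the first Return and $STATE=9 with $PSW=ok in the second.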



Last Modified On: August 28, 2019