IBM Support

Debugging sshd without impacting existing sshd sessions

Question & Answer


Question

How can sshd be debugged without modifying or shutting down existing sshd processes?

Answer


TARGET AUDIENCE:

Users running OpenSSH

OBJECTIVE:

Provide instructions to aid debugging ssh / sshd connection problems.

OVERVIEW:

There are times when additional sshd logging is required to assist in debugging connection issues, but it is not possible or desirable to disrupt current ssh operations.

The following procedure addresses this and also provides a more targeted debug method, because the debug sshd instance is started on a non-standard port rather than the standard port 22. The output will therefore come from the incoming ssh connection under investigation.

PROCEDURES:



The following instructions result in the output being sent to STDOUT, so a script session needs to be started beforehand to capture the additional log data.

1. On the system hosting the sshd service, log in as root and start a script session.
# /usr/bin/script /tmp/sshd.{host}.debug

2. Start a new debug sshd instance and use the "-p" option to assign this to a new port to listen on. The following example redirects sshd to listen on port 12345.
# /usr/sbin/sshd -ddd -p 12345

3. The new debug sshd instance will terminate when the client closes the connection, or the connection can be manually terminated using Ctrl-C.

4. Once complete, end the ssh server debug script session.
# Ctrl-D or exit

To connect to this debug instance you will need to specify the port the ssh client should connect to (-p option).
# ssh -p 12345 user@host

As this will be a debug session, use the -v options to increase the verbosity of the ssh client session. This will also generate a lot of data, so it is advisable to use a script session to capture the ssh logs, since they will also be sent to STDOUT.

An example debug client session would be:
# /usr/bin/script /tmp/ssh.{host}.debug
# /usr/bin/ssh -vvv -p 12345 {hostname / ip of ssh server}

- When the ssh client debug session ends, close the script session.
# Ctrl-D or exit

Since the primary sshd server is untouched, there is no need to restart anything, and you can now review the output in /tmp/sshd.{host}.debug and /tmp/ssh.{host}.debug.
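To help with that review, the following is an added example (not part of the IBM technote) that summarizes a server-side capture: it strips what script(1) adds to the file, counts lines per debug level, and pulls out the connection and authentication lines. The function names and the sample capture are constructed for illustration, and it assumes the script(1) banner lines begin with "Script".

```shell
#!/bin/sh
# Added example: triage a `sshd -ddd` capture made with script(1).
# Function names and the sample capture are constructed for illustration.

# Drop carriage returns and the banner lines script(1) writes.
# Assumption: banner lines start with "Script" (e.g. "Script started on ...").
clean_capture() {
    tr -d '\r' < "$1" | sed '/^Script /d'
}

# Count lines per sshd debug level: "debug1=N debug2=N debug3=N".
level_counts() {
    clean_capture "$1" | awk '
        /^debug[123]: / { n[substr($0, 1, 6)]++ }
        END { printf "debug1=%d debug2=%d debug3=%d\n",
                     n["debug1"], n["debug2"], n["debug3"] }'
}

# Show the lines that describe the connection and its authentication outcome.
auth_events() {
    clean_capture "$1" |
        grep -E '^(Accepted|Failed) |^Connection from |userauth-request for user '
}

# Constructed sample capture (documentation addresses, hypothetical user).
write_sample() {
    printf '%s\r\n' \
        'Script started on Wed Jan  1 00:00:00 2020' \
        'debug2: load_server_config: filename /etc/ssh/sshd_config' \
        'debug1: Bind to port 12345 on 0.0.0.0.' \
        'Server listening on 0.0.0.0 port 12345.' \
        'Connection from 192.0.2.10 port 51234 on 192.0.2.1 port 12345' \
        'debug1: userauth-request for user alice service ssh-connection method publickey [preauth]' \
        'debug3: mm_answer_keyallowed: publickey authentication test: RSA key is not allowed' \
        'Failed publickey for alice from 192.0.2.10 port 51234 ssh2' \
        'debug1: do_cleanup' \
        'Script done on Wed Jan  1 00:01:00 2020'
}

# Usage: sh triage.sh /tmp/sshd.{host}.debug
if [ -n "${1:-}" ]; then
    level_counts "$1"
    auth_events "$1" || echo "no authentication events found"
fi
```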

CATEGORY:

WWNETA,165

SUPPORT:

If additional assistance is required after completing all of the instructions provided in this document, please follow the step-by-step instructions below to contact IBM to open a service request (PMR) for software under warranty or with an active and valid support contract.  The technical support specialist assigned to your support call will confirm that you have completed these steps.

a.  Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred

b.  Capture any logs or data relevant to the situation

c.  Contact IBM to open a support call (PMR):


d.  Provide a good description of your issue and reference this technote

e.  Upload all of the details and data to your support call (PMR):

Please visit this web page for instructions:  https://www.secure.ecurep.ibm.com/app/upload

FEEDBACK:

Quality documentation is important to IBM and its customers.  If you have feedback specific to this article, please send a detailed message to the email address:

  • aix_feedback@wwpdl.vnet.ibm.com

    - This email address is monitored for feedback purposes only.
    - No support for any IBM products or services will be provided through this email.
    - To receive support, please follow the step-by-step instructions in the above "SUPPORT" section.

Document Information

Modified date:
15 September 2021

UID

isg3T1025708