Message: system failure: exception during auth {RemoteManager:

Viper786
Posts: 19
Joined: Sat Sep 13, 2014 3:03 am

Postby Viper786 » Wed Jan 04, 2017 2:28 am

Hello, I am running Zimbra 8.7.1 FOSS on Ubuntu 16.04. It has been running fine for a few weeks and I am sending/receiving emails as expected; however, today I noticed that when trying to view Mail Queues, I get the following error:

Code:

Message: system failure: exception during auth {RemoteManager: mail.MYDOMAINNAME.net->zimbra@mail.MYDOMAINNAME.net:22} Error code: service.FAILURE Method: [unknown] Details:soap:Receiver


(I have redacted my domain name from the error message.)

Upon doing some research on this issue, I found: https://wiki.zimbra.com/wiki/Mail_Queue_Monitoring

Per the Wiki, I have tried to fix permissions and I have tried to regenerate/redeploy the ssh keys; however, when I try to run the test SSH command: ssh -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@mail.MYDOMAINNAME.net it asks for a password. (I am using my actual domain name; it is once again redacted for this post.)

Per the wiki, I should not be prompted for a password so here's where my issue lies. I am running sshd on port 22, my Zimbra hostname matches my server's hostname.

While checking for my Zimbra account in /etc/shadow, it shows: zimbra:!:17159::::::

Per the wiki, I ran usermod -U zimbra which gave the following message:

Code:

usermod: unlocking the user's password would result in a passwordless account.
You should set a password with usermod -p to unlock this user's password.


I verified in my sshd_config that PubkeyAuthentication is set to yes.

The wiki recommends disabling SELinux but I don't use SELinux (/etc/selinux/config does not exist).

Anyone have any ideas on what I am missing? It seems the issue is my SSH keys aren't working and running zmsshkeygen and zmupdateauthkeys as the zimbra user did not seem to help.

Any help is appreciated.


rm-rf
Posts: 14
Joined: Thu Dec 01, 2016 4:34 pm

Re: Message: system failure: exception during auth {RemoteManager:

Postby rm-rf » Wed Jan 04, 2017 8:32 pm

You did everything I'd recommend.

I'd double check ~/.ssh is 700 and owned by zimbra.zimbra. I'd also make sure all files inside .ssh are 600 and also owned by zimbra.zimbra.

Then I'd try running ssh -v -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@mail.MYDOMAINNAME.net and also check /var/log/secure (or the Ubuntu equivalent). Pasting the ssh -v command here might be helpful if you can't figure it out from there.
Viper786
Posts: 19
Joined: Sat Sep 13, 2014 3:03 am

Re: Message: system failure: exception during auth {RemoteManager:

Postby Viper786 » Fri Jan 06, 2017 11:25 am

Thank you for the reply. I have been doing some more testing and installed a fresh Ubuntu 14.04 with Zimbra 8.7.1 on a test server, and I am having the same issue there as well. Looking at the Zimbra log, this is what happens right when this error pops up:

sshd[4836]: fatal: no matching mac found: client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 [preauth]

and that message is repeated 4 more times.

When I run ssh -v -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@mail.MYDOMAINNAME.net I get:

Code:

zimbra@mail:/root$ ssh -v -i .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@mail.MYDOMAIN.net
Warning: Identity file .ssh/zimbra_identity not accessible: Permission denied.
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to mail.MyDomain.net [2607:5300:60:5686::] port 22.
debug1: Connection established.
debug1: identity file /opt/zimbra/.ssh/id_rsa type -1
debug1: identity file /opt/zimbra/.ssh/id_rsa-cert type -1
debug1: identity file /opt/zimbra/.ssh/id_dsa type -1
debug1: identity file /opt/zimbra/.ssh/id_dsa-cert type -1
debug1: identity file /opt/zimbra/.ssh/id_ecdsa type -1
debug1: identity file /opt/zimbra/.ssh/id_ecdsa-cert type -1
debug1: identity file /opt/zimbra/.ssh/id_ed25519 type -1
debug1: identity file /opt/zimbra/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr umac-128-etm@openssh.com none
debug1: kex: client->server aes128-ctr umac-128-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: ED25519 6f:00:4a:b3:35:32:07:7a:31:a8:4d:53:db:ca:5d:b9
debug1: Host 'mail.MyDomain.net' is known and matches the ED25519 host key.
debug1: Found key in /opt/zimbra/.ssh/known_hosts:1
debug1: ssh_ed25519_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /opt/zimbra/.ssh/id_rsa
debug1: Trying private key: /opt/zimbra/.ssh/id_dsa
debug1: Trying private key: /opt/zimbra/.ssh/id_ecdsa
debug1: Trying private key: /opt/zimbra/.ssh/id_ed25519
debug1: Next authentication method: password
zimbra@mail.MyDomain.net's password:


and it asks for a password again.

Also, ~/.ssh is 700 and owned by zimbra; the files within it are 644 and owned by zimbra. Should I update that to 600?

Anyone have any ideas on what I can try next?
Viper786
Posts: 19
Joined: Sat Sep 13, 2014 3:03 am

Re: Message: system failure: exception during auth {RemoteManager:

Postby Viper786 » Mon Jan 09, 2017 1:57 am

Any ideas on this?
Viper786
Posts: 19
Joined: Sat Sep 13, 2014 3:03 am

Re: Message: system failure: exception during auth {RemoteManager:

Postby Viper786 » Tue Jan 10, 2017 1:15 am

Finally figured this out. If anyone stumbles across this in the future, the way I resolved this issue was by going to /etc/ssh/sshd_config and commenting out the following line:

Code:

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160


Once I commented that out, I reloaded SSH and I can now access my mail queues. I'm not sure what the ramifications of commenting that out are. Anyone know?
adrastos2006
Posts: 5
Joined: Fri Feb 17, 2017 7:00 am

Re: Message: system failure: exception during auth {RemoteManager:

Postby adrastos2006 » Fri Feb 17, 2017 7:10 am

I had the same issue and hunting around didn't help until I found your post about the editing of the sshd_config file.

That reminded me that I had locked down the sshd access to only 2 usernames on the system. I had also locked sshd server down to those in the sudo group.

So, I added the zimbra user to the users able to use the sshd server and added zimbra user to the sudo group. If I were you, I would uncomment the line you commented out in the sshd_config file and make sure the user zimbra has access to sshd server.

Problem solved.
ijk987
Posts: 5
Joined: Fri May 13, 2016 5:41 am
Location: Russia, Altai Krai, Barnaul
Contact:

Re: Message: system failure: exception during auth {RemoteManager:

Postby ijk987 » Tue Apr 23, 2019 3:36 am

You should do the following (at least in ZCS 8.7.11):
- set PubkeyAuthentication to Yes
- add zimbra@127.0.0.1 to allowed users
- add diffie-hellman-group-exchange-sha1 to KeyAlgorithms
- add hmac-sha1-96 to MACs
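
Added example (not part of any post in this thread): a small Python check that parses the sshd "no matching mac found" line quoted above and applies the SSH negotiation rule from RFC 4253 section 7.1, where the first algorithm on the client's list that the server also lists is chosen. It shows why the hardened MACs line left nothing in common with the Zimbra client, and what adding only hmac-sha1-96 changes; the function names are hypothetical.

```python
import re

# Log line as quoted in the thread (sshd rejects the connection before auth).
LOG_LINE = (
    "sshd[4836]: fatal: no matching mac found: "
    "client hmac-sha1-96,hmac-sha1,hmac-md5-96,hmac-md5 "
    "server hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160 [preauth]"
)

MISMATCH_RE = re.compile(
    r"no matching (?P<kind>\w+) found: client (?P<client>\S+) server (?P<server>\S+)"
)


def parse_mismatch(line):
    """Return (kind, client_list, server_list), or None for unrelated lines."""
    m = MISMATCH_RE.search(line)
    if m is None:
        return None
    return m["kind"], m["client"].split(","), m["server"].split(",")


def negotiate(client, server):
    """RFC 4253 7.1: first entry on the client's list that the server also lists."""
    allowed = set(server)
    return next((alg for alg in client if alg in allowed), None)


def explain(line, extra_server_algs=()):
    """Report the outcome if sshd additionally accepted extra_server_algs."""
    parsed = parse_mismatch(line)
    if parsed is None:
        return None
    kind, client, server = parsed
    return {
        "kind": kind,
        "client_only": [a for a in client if a not in server],
        "negotiated": negotiate(client, server + list(extra_server_algs)),
    }


if __name__ == "__main__":
    print(explain(LOG_LINE))                    # as logged: nothing in common
    print(explain(LOG_LINE, ["hmac-sha1-96"]))  # with the one MAC from the last reply
```

Commenting out the MACs line instead makes sshd fall back to its built-in default list for that OpenSSH version, which is broader than appending the single MAC the client needs. The sshd_config keyword that controls key-exchange algorithms is KexAlgorithms.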
