Generating SSL certificate for Apache HTTPD breaks SSH


by samljones

I have an Apache web server and SSH installed on a server. I have generated an SSL certificate for the web server (http://slacksite.com/apache/certificate.html). When I install the certificate, though, SSH stops accepting incoming connections. Any existing connections continue unmolested, but new connections are not accepted until I reboot the server; luckily, the certificate forces Apache to require a manual start, so it's not running (and blocking SSH) after a reboot.

I don't see anything interesting in httpd's various logs. I haven't quite figured out how to access sshd's logs (I'm told they're in the syslog?)

When I log in using "slogin -v -l user hostname" I get this output:

=======================================================
sjones[~]$ slogin -v -l gladmin camdevnet02
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to camdevnet02 [10.6.5.214] port 22.
debug1: Connection established.
debug1: identity file /home/sjones/.ssh/identity type -1
debug1: identity file /home/sjones/.ssh/id_rsa type 1
debug1: identity file /home/sjones/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'camdevnet02' is known and matches the RSA host key.
debug1: Found key in /home/sjones/.ssh/known_hosts:4
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received


Authorized Personel Only!
All other will be prosecuted!



debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Next authentication method: publickey
debug1: Trying private key: /home/sjones/.ssh/identity
debug1: Offering public key: /home/sjones/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Trying private key: /home/sjones/.ssh/id_dsa
debug1: Next authentication method: password
gladmin@camdevnet02's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
===========================================

After that last line, the cursor goes to the next line, and hangs. No connection, no rejection, no command line, just flashing cursor. Can't even ctrl-c out of it; have to close the terminal/tab.

Thanks!
-Sam

Re: Generating SSL certificate for Apache HTTPD breaks SSH

by samljones

Further information:

Restarting SSHD gives no change. Also, SCP transfers are not blocked or hindered in any way by this.

Re: Generating SSL certificate for Apache HTTPD breaks SSH

by Robert Hajime Lanning

On 12/7/06, samljones <sjones@...> wrote:
[snip]

> debug1: Next authentication method: password
> gladmin@camdevnet02's password:
> debug1: Authentication succeeded (password).
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> debug1: Sending environment.
> debug1: Sending env LANG = en_US.UTF-8
> ===========================================
>
> After that last line, the cursor goes to the next line, and hangs. No
> connection, no rejection, no command line, just flashing cursor. Can't even
> ctrl-c out of it; have to close the terminal/tab.

This actually sounds like a system resource issue.  At that point sshd fork()s
your login shell.  Sounds like something is either stopping or slowing down the
fork()ing or exec()ing the shell.

Try waiting a while, to see if the shell prompt eventually appears.

--
And, did Galoka think the Ulus were too ugly to save?
                                         -Centauri

Re: Generating SSL certificate for Apache HTTPD breaks SSH

by Jeremy C. Reed

On Thu, 7 Dec 2006, samljones wrote:

> I have apache web server and SSH installed on a server. I have generated a
> SSL certificate for the web server
> http://slacksite.com/apache/certificate.html . When I install the
> certificate, though, SSH stops accepting incoming connections. Any existing
> connections continue unmolested, but new connections are not accepted until
> I reboot the server; luckily, the certificate forces apache to require a
> manual start, so it's not running (and blocking SSH) after a reboot.

That webpage above teaches how "to remove the pass-phrase from the key".

Are you saying that you can ssh in fine until apache is started?

> sjones[~]$ slogin -v -l gladmin camdevnet02
> OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
...

> gladmin@camdevnet02's password:
> debug1: Authentication succeeded (password).
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> debug1: Sending environment.
> debug1: Sending env LANG = en_US.UTF-8
> ===========================================
>
> After that last line, the cursor goes to the next line, and hangs. No
> connection, no rejection, no command line, just flashing cursor. Can't even
> ctrl-c out of it; have to close the terminal/tab.

How do you know there is no connection? Maybe there is a connection, but
no interactive shell (or shell is hanging)?

On Thu, 7 Dec 2006, samljones wrote:

> Further information:
>
> Restarting SSHD gives no change. Also, SCP transfers are not blocked or
> hindered in any way by this.

Maybe there is something wrong with your login shell or dot files used by
your login shell.
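
Added example, not part of any poster's message: a small shell helper that reads captured `ssh -v` client output and reports the furthest handshake milestone it reached, which is the distinction the replies above draw between "no connection" and "connected, but no shell". The function names and stage labels are made up for this example; the sample log is abridged from the output quoted in the thread.

```sh
#!/bin/sh
# Added example: classify how far an `ssh -v` client log progressed.
# Stage names (none/tcp/kex/auth/session) are labels invented for this example.

ssh_stage() {
    # Reads captured `ssh -v` output on stdin, prints the furthest stage seen.
    log=$(cat)
    stage=none
    case $log in *'debug1: Connection established'*) stage=tcp ;; esac
    case $log in *'debug1: SSH2_MSG_NEWKEYS received'*) stage=kex ;; esac
    case $log in *'debug1: Authentication succeeded'*) stage=auth ;; esac
    case $log in *'debug1: Entering interactive session'*) stage=session ;; esac
    printf '%s\n' "$stage"
}

stage_hint() {
    # Maps a stage label to the layer where the client stopped making progress.
    case $1 in
        none)    echo 'no TCP connection to sshd' ;;
        tcp)     echo 'connected, key exchange did not finish' ;;
        kex)     echo 'encrypted transport up, authentication did not finish' ;;
        auth)    echo 'authenticated, session channel was never requested' ;;
        session) echo 'session requested; a stall here is server-side pty/shell startup' ;;
    esac
}

sample_log() {
    # Abridged from the client output quoted in this thread.
    cat <<'EOF'
debug1: Connection established.
debug1: SSH2_MSG_NEWKEYS received
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending env LANG = en_US.UTF-8
EOF
}

# Classify the thread's log: TCP, key exchange and authentication all completed.
stage=$(sample_log | ssh_stage)
printf '%s: %s\n' "$stage" "$(stage_hint "$stage")"
```

To use it on a real capture, save the client's debug output with `ssh -v user@host 2>ssh-debug.log` and run `ssh_stage < ssh-debug.log`.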

Re: Generating SSL certificate for Apache HTTPD breaks SSH

by Radu Oprisan

Robert Hajime Lanning wrote:

> On 12/7/06, samljones <sjones@...> wrote:
> [snip]
>> debug1: Next authentication method: password
>> gladmin@camdevnet02's password:
>> debug1: Authentication succeeded (password).
>> debug1: channel 0: new [client-session]
>> debug1: Entering interactive session.
>> debug1: Sending environment.
>> debug1: Sending env LANG = en_US.UTF-8
>> ===========================================
>>
>> After that last line, the cursor goes to the next line, and hangs. No
>> connection, no rejection, no command line, just flashing cursor. Can't
>> even ctrl-c out of it; have to close the terminal/tab.
>
> This actually sounds like a system resource issue.  At that point sshd
> fork()s your login shell.  Sounds like something is either stopping or
> slowing down the fork()ing or exec()ing the shell.
>
> Try waiting a while, to see if the shell prompt eventually appears.
>

I tend to agree with you. Samljones, how many connections per second and
on what hardware are you reaching? How many of those are ssl? What does
dmesg say?

There is actually no link whatsoever between ssh and apache/mod_ssl
other than the openssl libraries.

This reminds me of some issue I solved some time ago where ssh couldn't
accept incoming or outgoing connections, I don't remember exactly,
because of some problem in udev. No sense but there it was.