Peter Lister
2000-Dec-06  13:04 UTC
openssh-2.3.0p1 (Linux) fails using options with dss key
I'm trying to change my local setup from ssh2 to openssh-2.3.0p1. I need captive commands and specific environments for each key, i.e. the "command=XXX" and "environment=X=y" options. Unfortunately I *also* need to support the existing ssh2 client for a transition period, since it's impractical to change all users' environments to openssh in one go.

I have converted the ssh2 public keys OK (see appended authorized_keys2), and WITHOUT OPTIONS I can log in as normal, with the key in authorized_keys2. But as soon as I put options in before "ssh-dss" in authorized_keys2, the connection fails. I append logs of successful and failed connections - the only difference is whether the environment option is set. As you can see, even during a failure the server seems to parse the file OK and finds a matching key on line 3 of authorized_keys2, but then dies for no apparent reason.

It seems that this is an openssh server problem, as the client should not be aware of what is going on on the server side, and the failure seems to be before the authentication.

NB - the sshd man page does not seem to know about the ssh-dss keys (it states that all keys begin with numbers, which is clearly not so for dss keys) so I don't know for certain that this is right - an example would be useful.

-------------- next part --------------
/usr/local/bin/ssh bennevis -v -p 1022
Development-time debugging not compiled in. To enable, configure with --enable-debug and recompile.
debug: connecting to bennevis...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: ssh_client_wrap: creating userauth protocol
debug: Remote version: SSH-1.99-OpenSSH_2.3.0p1
debug: Host key found from the database.
FATAL: ssh_conn_received_packet: bad DISCONNECT

-------------- next part --------------
/usr/sbin/sshd -p 1022 -d
debug1: sshd version OpenSSH_2.3.0p1
debug1: Seeding random number generator
debug1: read DSA private key done
debug1: Seeding random number generator
debug1: Bind to port 1022 on 0.0.0.0.
Server listening on 0.0.0.0 port 1022.
Generating 768 bit RSA key.
debug1: Seeding random number generator
debug1: Seeding random number generator
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 62.232.14.113 port 3589
debug1: Client protocol version 1.99; client software version 2.0.13 (non-commercial)
debug1: match: 2.0.13 (non-commercial) pat ^2\.0\.
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group1-sha1
debug1: got kexinit: ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,none
debug1: got kexinit: 3des-cbc,blowfish-cbc,none
debug1: got kexinit: hmac-md5,md5-8,none
debug1: got kexinit: hmac-md5,md5-8,none
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 1
debug1: reserved: 0
debug1: done
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: bits set: 514/1024
debug1: bits set: 515/1024
debug1: sig size 20 20
debug1: datafellows
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: userauth-request for user prl service ssh-connection method none
debug1: attempt #1
Failed none for prl from 62.232.14.113 port 3589 ssh2
debug1: userauth-request for user prl service ssh-connection method publickey
debug1: attempt #2
debug1: test whether pkalg/pkblob are acceptable
debug1: Adding to environment: ONE=two
debug1: matching key found: file /users/prl/.ssh/authorized_keys2, line 1
Postponed publickey for prl from 62.232.14.113 port 3589 ssh2
fatal: Read from socket failed: Broken pipe
debug1: Calling cleanup 0x805d608(0x0)

-------------- next part --------------
/usr/local/bin/ssh bennevis -v -p 1022
Development-time debugging not compiled in. To enable, configure with --enable-debug and recompile.
debug: connecting to bennevis...
debug: entering event loop
FATAL: Connecting to bennevis failed: Connection Refused
[prl at tomintoul ~]$ /usr/local/bin/ssh bennevis -v -p 1022
Development-time debugging not compiled in. To enable, configure with --enable-debug and recompile.
debug: connecting to bennevis...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: ssh_client_wrap: creating userauth protocol
debug: Remote version: SSH-1.99-OpenSSH_2.3.0p1
debug: Host key found from the database.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:368/ssh_client_auth_pubkey_send_signature: ssh_client_auth_pubkey_send_signature
debug: Ssh2/ssh2.c:304/client_authenticated: client_authenticated
debug: Requesting X11 forwarding with authentication spoofing.
Last login: Wed Dec 6 12:31:59 2000 from tomintoul.sychron.com
Environment:
  USER=prl
  LOGNAME=prl
  HOME=/users/prl
  PATH=/usr/bin:/bin:/usr/sbin:/sbin
  MAIL=/var/spool/mail/prl
  SHELL=/bin/tcsh
  SSH_CLIENT=62.232.14.113 3596 1022
  SSH_TTY=/dev/ttyp2
  TERM=xterm
[prl at bennevis ~]$

-------------- next part --------------
/usr/sbin/sshd -p 1022 -d
debug1: sshd version OpenSSH_2.3.0p1
debug1: Seeding random number generator
debug1: read DSA private key done
debug1: Seeding random number generator
debug1: Bind to port 1022 on 0.0.0.0.
Server listening on 0.0.0.0 port 1022.
Generating 768 bit RSA key.
debug1: Seeding random number generator
debug1: Seeding random number generator
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 62.232.14.113 port 3596
debug1: Client protocol version 1.99; client software version 2.0.13 (non-commercial)
debug1: match: 2.0.13 (non-commercial) pat ^2\.0\.
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group1-sha1
debug1: got kexinit: ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,none
debug1: got kexinit: 3des-cbc,blowfish-cbc,none
debug1: got kexinit: hmac-md5,md5-8,none
debug1: got kexinit: hmac-md5,md5-8,none
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 1
debug1: reserved: 0
debug1: done
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: Wait SSH2_MSG_KEXDH_INIT.
debug1: bits set: 499/1024
debug1: bits set: 525/1024
debug1: sig size 20 20
debug1: datafellows
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: userauth-request for user prl service ssh-connection method none
debug1: attempt #1
Failed none for prl from 62.232.14.113 port 3596 ssh2
debug1: userauth-request for user prl service ssh-connection method publickey
debug1: attempt #2
debug1: test whether pkalg/pkblob are acceptable
debug1: matching key found: file /users/prl/.ssh/authorized_keys2, line 2
Postponed publickey for prl from 62.232.14.113 port 3596 ssh2
debug1: userauth-request for user prl service ssh-connection method publickey
debug1: attempt #3
debug1: matching key found: file /users/prl/.ssh/authorized_keys2, line 2
debug1: len 40 datafellows 31
debug1: dsa_verify: signature correct
Accepted publickey for prl from 62.232.14.113 port 3596 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 10000 max 512
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: confirm session
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request pty-req reply 0
debug1: session_pty_req: session 0 alloc /dev/ttyp2
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request x11-req reply 0
debug1: X11 forwarding disabled in server configuration file.
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request auth-agent-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request shell reply 1
debug1: fd 7 setting O_NONBLOCK
debug1: fd 3 IS O_NONBLOCK
debug1: Setting controlling tty using TIOCSCTTY.
-------------- next part --------------
#environment="ONE=two" ssh-dss [base64 key blob omitted]

-------------- next part --------------
Peter Lister                     P.Lister at sychron.com
PGP (RSA): 0xE4D85541            Sychron Ltd
http://www.sychron.com           PGP (DSS): 0xBC1D7258
1 Cambridge Terrace              Voice: +44 1865 200211
Oxford OX1 1UR UK                FAX: +44 1865 249666
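A worked parser for the authorized_keys2 layout the post describes, added here as example code (it is not OpenSSH's own parser): it tokenizes "[options] key-type base64-blob [comment]", keeps quoted option values containing spaces or commas intact, rejects the numeric RSA1 form the man page describes, and checks that the blob's leading type string matches the key-type word. The DSS blob and the comment in the sample line are constructed placeholders.

```python
import base64

KEY_TYPES = {"ssh-dss", "ssh-rsa"}   # SSH2 types; RSA1 entries start with a bit count


def split_outside_quotes(text, is_sep, keep_quotes):
    """Split where is_sep(c) holds, but never inside double quotes; a backslash
    escapes the next char inside quotes. keep_quotes=False strips the quoting."""
    parts, cur, in_quote, escaped = [], "", False, False
    for c in text:
        if escaped:
            cur, escaped = cur + c, False
        elif in_quote and c == "\\":
            escaped = True
            cur += c if keep_quotes else ""
        elif c == '"':
            in_quote = not in_quote
            cur += c if keep_quotes else ""
        elif not in_quote and is_sep(c):
            parts.append(cur)
            cur = ""
        else:
            cur += c
    if in_quote:
        raise ValueError("unterminated double quote")
    return [p for p in parts + [cur] if p]


def parse_authorized_key(line):
    """None for blank/comment lines; else dict with options, type, blob, comment."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    toks = split_outside_quotes(line.strip(), str.isspace, keep_quotes=True)
    if toks[0].isdigit():
        raise ValueError("RSA1 entry (bits exponent modulus), not an SSH2 key")
    options = {}
    if toks[0] not in KEY_TYPES:          # first word is the option list
        for item in split_outside_quotes(toks.pop(0), lambda c: c == ",", False):
            name, sep, value = item.partition("=")
            options[name] = value if sep else True   # bare flag such as no-pty
    if len(toks) < 2 or toks[0] not in KEY_TYPES:
        raise ValueError("expected '<key-type> <base64-blob>' after the options")
    ktype, blob = toks[0], base64.b64decode(toks[1])
    n = int.from_bytes(blob[:4], "big")   # wire format: uint32 length + type string
    if blob[4:4 + n] != ktype.encode():
        raise ValueError("key blob does not start with %r" % ktype)
    return {"options": options, "type": ktype, "blob": blob, "comment": " ".join(toks[2:])}


# Constructed placeholder blob: only the leading type string is meaningful.
FAKE_DSS_BLOB = base64.b64encode(b"\x00\x00\x00\x07ssh-dss" + b"\x00" * 16).decode()
SAMPLE_LINE = 'environment="ONE=two",command="ls -l" ssh-dss %s prl@tomintoul' % FAKE_DSS_BLOB
```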
Markus Friedl
2000-Dec-06  20:29 UTC
openssh-2.3.0p1 (Linux) fails using options with dss key
On Wed, Dec 06, 2000 at 01:04:06PM +0000, Peter Lister wrote:
> FATAL: ssh_conn_received_packet: bad DISCONNECT

I can confirm this for SSH.COM/F-Secure versions 2.0.12, 2.0.12, 2.1.0
However, the auth-options work fine for SSH.COM versions 2.2.0, 2.3.0

The problem is that the SSH.COM client is confused if it receives a DEBUG message during authentication.

Could you please try this patch? It disables all DEBUG messages:

Index: packet.c ==================================================================RCS file: /home/markus/cvs/ssh/packet.c,v retrieving revision 1.38 diff -U10 -r1.38 packet.c --- packet.c 2000/10/12 14:21:12 1.38 +++ packet.c 2000/12/06 20:20:04 @@ -1094,20 +1094,22 @@ * authentication problems. The length of the formatted message must not * exceed 1024 bytes. This will automatically call packet_write_wait. */ void packet_send_debug(const char *fmt,...) { char buf[1024]; va_list args; +return; + va_start(args, fmt); vsnprintf(buf, sizeof(buf), fmt, args); va_end(args); if (compat20) { packet_start(SSH2_MSG_DEBUG); packet_put_char(0); /* bool: always display */ packet_put_cstring(buf); packet_put_cstring(""); } else {
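Review bot: the unconditional "+return;" at the top of packet_send_debug() turns everything after it (va_start, vsnprintf, the compat20 branch and the else branch) into dead code, and the function's header comment, which still promises that the message is sent and that packet_write_wait is called, becomes wrong. That is acceptable for a one-off diagnostic, but if this is kept, gate the early return on the compatibility state the server already derives for these clients (the logs show "match: 2.0.13 (non-commercial) pat ^2\.0\." and "datafellows"), so that only the SSH.COM versions named as affected lose DEBUG messages, and update the comment to say that DEBUG is suppressed for those clients.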
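To make the diagnosis concrete, here is added example code (not OpenSSH or SSH.COM code) that builds an SSH2_MSG_DEBUG message with the field layout the hunk's compat20 branch writes, and a client-side userauth loop that tolerates DEBUG and IGNORE messages arriving mid-authentication instead of treating them as a protocol error. The message numbers are the standard SSH2 values; the server stream is constructed to mirror the failing log, and the PK_OK key blob is a placeholder.

```python
import struct

# Standard SSH2 message numbers; everything below them is constructed for the demo.
SSH2_MSG_IGNORE, SSH2_MSG_DEBUG = 2, 4
SSH2_MSG_USERAUTH_FAILURE, SSH2_MSG_USERAUTH_SUCCESS = 51, 52
SSH2_MSG_USERAUTH_PK_OK = 60


def put_cstring(s):
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    data = s.encode() if isinstance(s, str) else s
    return struct.pack(">I", len(data)) + data


def build_debug(text, always_display=False):
    """Same layout packet_send_debug() writes in the hunk above:
    byte SSH2_MSG_DEBUG, bool always_display, string message, string language tag."""
    return bytes([SSH2_MSG_DEBUG, int(always_display)]) + put_cstring(text) + put_cstring("")


def userauth_client_dispatch(packets):
    """Tolerant client-side userauth loop: DEBUG and IGNORE may arrive at any
    point and are skipped (DEBUG text is collected), so only genuine userauth
    replies change state. Returns (outcome, debug_messages)."""
    debug_seen = []
    for pkt in packets:
        mtype = pkt[0]
        if mtype == SSH2_MSG_IGNORE:
            continue
        if mtype == SSH2_MSG_DEBUG:
            n = struct.unpack_from(">I", pkt, 2)[0]   # skip type byte and bool
            debug_seen.append(pkt[6:6 + n].decode(errors="replace"))
            continue
        if mtype == SSH2_MSG_USERAUTH_PK_OK:
            continue                      # key acceptable; client would now send the signature
        if mtype == SSH2_MSG_USERAUTH_SUCCESS:
            return "authenticated", debug_seen
        if mtype == SSH2_MSG_USERAUTH_FAILURE:
            return "failed", debug_seen
        raise ValueError("unexpected message type %d during userauth" % mtype)
    return "incomplete", debug_seen


# Constructed stream modelled on the failing log: a DEBUG about the environment
# option arrives between the key test and the result, as in the thread's failure.
SERVER_STREAM = [
    build_debug("Adding to environment: ONE=two"),
    bytes([SSH2_MSG_USERAUTH_PK_OK]) + put_cstring("ssh-dss") + put_cstring(b"\x00" * 8),
    bytes([SSH2_MSG_USERAUTH_SUCCESS]),
]
```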