Martin Knoblauch
2005-May-18 18:05 UTC
Problems with RhostsRSAAuthentication and UsePrivilegeSeparation (RH9, 2.4.20-42.9.legacybigmem)
Hi, for some days now I am/was fighting with an annoying problem. I have to support an environment where RhostsRSAAuthentication via /etc/ssh/sshd_known_hosts is used for password-less login. This works fine with RH7.3 (and RH8) and openssh versions openssh-3.1p1-3 (and openssh-3.4p1-2). Our customer has now requested an upgrade to RH9. That comes with openssh-3.5p-11 and the password-less stuff (from the outside) does not work any more.

$ ssh -v lpsdm05 date
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 43922 geteuid 0 anon 1
debug1: Connecting to lpsdm05 [160.48.88.26] port 22.
debug1: temporarily_use_uid: 43922/1000 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 43922/1000 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/qx29340/.ssh/identity type -1
debug1: identity file /home/qx29340/.ssh/id_rsa type 1
debug1: identity file /home/qx29340/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'lpsdm05' is known and matches the RSA1 host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:4450
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug1: Remote: Accepted for lpsdm21.muc [160.48.88.10] by /etc/hosts.equiv.
debug1: Remote: Your host key cannot be verified: unknown or invalid host key.
debug1: Server refused our rhosts authentication or host key.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
qx29340 at lpsdm05's password:

The interesting part is the "unknown or invalid host key". The ssh_known_hosts file is maintained centrally and is good. First I suspected reverse lookup and added the IP address of the client to ssh_known_hosts. And password-less started to work again. But all other tests I did showed that reverse lookup was working for all other purposes.

So I played a bit more and found that setting "UsePrivilegeSeparation no" in sshd_config "solved" my problem. Unfortunately that option is not documented very well. Any ideas why it should make RhostsRSAA fail? While I am kind of happy now, I'd like to understand what goes on :-)

The problem also happens when I am running a plain 2.4.30 kernel and openssh-3.9p1.

Thanks a lot in advance
Please CC me, as I am not on the list
Martin
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
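The workaround described in the post was to list the client by IP address in ssh_known_hosts next to its hostname, which made the "unknown or invalid host key" failure go away. The following checker is an added example and is not code from the post or from OpenSSH: given a known_hosts file, it reports whether a client is covered by hostname, by IP, by both or by neither, so a dependency on reverse lookup is visible before it surfaces as an authentication failure. The known_hosts content is a constructed sample that reuses the host names and addresses from the post's debug output with placeholder key material; the matching rules (comma-separated patterns, `*`/`?` wildcards, `!` negation, `|1|salt|hash` hashed entries) follow the sshd_known_hosts/known_hosts format, and the case-insensitive comparison is this checker's own choice.

```python
import base64
import fnmatch
import hashlib
import hmac

# Constructed sample in known_hosts layout: "hostnames key-fields...".
# Host names and IPs are taken from the post; the key material is placeholder text.
SAMPLE_KNOWN_HOSTS = """\
# client hosts allowed in for rhosts-RSA (constructed sample, not a real file)
lpsdm21.muc,lpsdm21 1024 35 PLACEHOLDER_RSA1_MODULUS
lpsdm05,160.48.88.26 ssh-rsa PLACEHOLDER_BASE64_KEY
*.example.net ssh-rsa PLACEHOLDER_BASE64_KEY
"""


def parse_known_hosts(text):
    """Return a list of (host_patterns, key_fields), skipping comments and markers."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker precedes the patterns
            fields = fields[1:]
        if len(fields) < 3:  # need at least patterns plus two key fields
            continue
        entries.append((fields[0].split(","), fields[1:]))
    return entries


def hash_host_pattern(name, salt):
    """Build a hashed known_hosts pattern "|1|salt|hash" (HMAC-SHA1 of the host, keyed by salt)."""
    mac = hmac.new(salt, name.lower().encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hashed_match(pattern, name):
    """Match a "|1|salt|hash" entry against a host name by recomputing the HMAC."""
    parts = pattern.split("|")  # ['', '1', salt_b64, hash_b64]
    if len(parts) != 4 or parts[1] != "1":
        return False
    mac = hmac.new(base64.b64decode(parts[2]), name.lower().encode(), hashlib.sha1).digest()
    return hmac.compare_digest(mac, base64.b64decode(parts[3]))


def host_matches(patterns, name):
    """known_hosts-style matching: any positive pattern matches, unless a '!' pattern matches too."""
    matched = False
    for pat in patterns:
        if pat.startswith("|1|"):
            matched = matched or hashed_match(pat, name)
            continue
        negate = pat.startswith("!")
        plain = pat[1:] if negate else pat
        # fnmatch gives the '*' and '?' wildcards; names are compared case-insensitively here
        if fnmatch.fnmatchcase(name.lower(), plain.lower()):
            if negate:
                return False
            matched = True
    return matched


def coverage(text, hostname, ip):
    """Report which identifiers of a client are covered by some entry in the file."""
    by_name = by_ip = False
    for patterns, _key in parse_known_hosts(text):
        by_name = by_name or host_matches(patterns, hostname)
        by_ip = by_ip or host_matches(patterns, ip)
    return {"name": by_name, "ip": by_ip}


def diagnose(text, hostname, ip):
    """Human-readable verdict for a client that sshd will identify by name and/or address."""
    c = coverage(text, hostname, ip)
    if c["name"] and c["ip"]:
        return "covered by hostname and IP"
    if c["name"]:
        return "covered by hostname only: a lookup by IP (no usable reverse lookup) finds no key"
    if c["ip"]:
        return "covered by IP only: a lookup by hostname finds no key"
    return "not covered: host key unknown"


if __name__ == "__main__":
    # The client from the post's debug output: listed by name, not by address.
    print(diagnose(SAMPLE_KNOWN_HOSTS, "lpsdm21.muc", "160.48.88.10"))
    print(diagnose(SAMPLE_KNOWN_HOSTS, "lpsdm05", "160.48.88.26"))
```

Running the script against a real /etc/ssh/ssh_known_hosts (read the file into `text`) for each client that relies on host-based authentication tells you which clients are only reachable through a name lookup; listing both name and address for such clients removes the dependence on reverse DNS without turning privilege separation off.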