Hello all,

It seems that RhostsAuthentication does not work on non-default port no
matter what when connecting from OpenSSH (2.1.1, 2.2.0 tried) either with
protocol 1 or protocol 2 (shouldn't work either..).

_However_ when connecting with SSH.COM Ltd's ssh, RhostsAuthentication
works just fine!

Checking the port number of ssh client you can see that OpenSSH doesn't
assign privileged port for this, but SSH Ltd's ssh does. Connecting to
port 22 works with OpenSSH too.

Is this a feature? If so, I wonder why?

A little configuration and log:

--- sshd_config ---
IgnoreRhosts yes
#IgnoreUserKnownHosts yes
RhostsAuthentication yes
RhostsRSAAuthentication yes
RSAAuthentication yes
---

--- .ssh/config ---
Protocol 1
RhostsAuthentication yes
---

--- sshd log when connecting w/ OpenSSH ---
Connection from x.y.z.w port 4624 <---- NOTE PORT NUMBER!
debug1: Client protocol version 1.5; client software version OpenSSH_2.2.0p1
debug1: match: OpenSSH_2.2.0p1 pat ^OpenSSH_2\.2
debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1
debug1: Sent 768 bit public key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Starting up PAM with username "pekkas"
debug1: Attempting authentication for pekkas.
[ trying password entries ... ]
---

--- connection from a.b.c.d port 1005
debug1: Client protocol version 1.5; client software version 1.2.25
debug1: no match: 1.2.25
debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1
debug1: Sent 768 bit public key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Starting up PAM with username "pekkas"
debug1: Attempting authentication for pekkas.
Failed rhosts for pekkas from a.b.c.d port 1005 ruser pjsavol3
debug1: Trying rhosts with RSA host authentication for client user pjsavol3
Failed rhosts-rsa for pekkas from a.b.c.d port 1005 ruser pjsavol3
---

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"
On Mon, Oct 30, 2000 at 09:17:28PM +0200, Pekka Savola wrote:
> Hello all,
> 
> It seems that RhostsAuthentication does not work on non-default port no
> matter what when connecting from OpenSSH (2.1.1, 2.2.0 tried) either with
> protocol 1 or protocol 2 (shouldn't work either..).
> 
> _However_ when connecting with SSH.COM Ltd's ssh, RhostsAuthentication
> works just fine!
> 
> Checking the port number of ssh client you can see that OpenSSH doesn't
> assign privileged port for this, but SSH Ltd's ssh does. Connecting to
> port 22 works with OpenSSH too.
> 
> Is this a feature? If so, I wonder why?

is the openssh client setuid root?
On Tue, 31 Oct 2000, Markus Friedl wrote:> i have not looked into this. > perhaps a bug, perhaps a feature inherited from ssh-1.2.12. > > On Tue, Oct 31, 2000 at 03:27:39PM +0200, Pekka Savola wrote: > > On Tue, 31 Oct 2000, Markus Friedl wrote: > > > > > try a serverport below 1024. > > > does this work? > > > > Yes. > > > > I'm not sure if this is an (old?) intentional "security measure". Even if > > some evil user ran sshd on some non-privileged port, the authentication > > would have to happen with root privileges anyway..Yes. This is an obsolete check from ssh-1.2.12. It only proves the server was started as root, but root can have servers running on other ports too (e.g. 2022 for debugging :). Anyway, there are other authorization methods which deal with this. Also, it seems this check has been removed in newer "commercial" ssh versions too. The patch attached will fix the problem, and also make sshd a little more informative about what it's doing. What are those verbose levels for anyway if they're not used ;-) -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" -------------- next part -------------- --- sshconnect.c.orig Sat Sep 23 09:15:57 2000 +++ sshconnect.c Tue Oct 31 18:33:16 2000 @@ -249,9 +249,9 @@ /* Create a socket for connecting. */ sock = ssh_create_socket(original_real_uid, #ifdef HAVE_CYGWIN - !anonymous && port < IPPORT_RESERVED, + !anonymous, #else - !anonymous && geteuid() == 0 && port < IPPORT_RESERVED, + !anonymous && geteuid() == 0, #endif ai->ai_family); if (sock < 0) --- sshd.c.orig Sat Oct 14 08:23:13 2000 +++ sshd.c Tue Oct 31 18:57:21 2000 @@ -1065,6 +1065,7 @@ */ if (remote_port >= IPPORT_RESERVED || remote_port < IPPORT_RESERVED / 2) { + debug("Rhosts Authentication methods disabled, originating port not trusted."); options.rhosts_authentication = 0; options.rhosts_rsa_authentication = 0; } --- ssh.c.orig Sat Oct 28 06:19:58 2000 +++ ssh.c Tue Oct 31 19:17:31 2000 
@@ -590,6 +590,7 @@ #else if (original_effective_uid != 0 || !options.use_privileged_port) { #endif + debug("Rhosts Authentication methods disabled, originating port will not be trusted."); options.rhosts_authentication = 0; options.rhosts_rsa_authentication = 0; }
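Review bot: in the sshconnect.c hunk, dropping `port < IPPORT_RESERVED` means a setuid-root ssh now takes a reserved source port for every non-anonymous connection instead of only when the server listens below 1024; that matches the intent stated above, but since only the 512 ports in 512..1023 are usable it deserves a one-line comment at the call site explaining why the server port is no longer consulted, and the HAVE_CYGWIN branch, which now reduces to `!anonymous` alone with no euid test (as before), should be confirmed as deliberate.

Review bot: in the sshd.c hunk the new debug line says the originating port is not trusted but not which port it was; logging the value, e.g. `debug("Rhosts Authentication methods disabled, originating port %d not trusted.", remote_port);`, shows at once whether the client came in above 1023 or below 512 (the two branches of the surrounding condition), which is exactly the diagnosis this thread needed.

Review bot: in the ssh.c hunk the condition has two independent causes, `original_effective_uid != 0` and `!options.use_privileged_port`, and the single debug line does not say which one applied; either emit a distinct message per cause or include both facts in the text, and check that the sibling `#ifdef` branch above the `#else` (not shown in the hunk) receives the same debug so the message does not depend on the platform.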
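As an added illustration of the two halves of the privileged-port check discussed in this thread (example code written here, not code from the thread or from OpenSSH): the server-side test mirrors the sshd.c condition quoted in the patch, and the client-side function does what a setuid-root client has to do to obtain a source port that sshd will trust. The function names (`rhosts_port_trusted`, `bind_reserved_port`, `try_reserved_bind`) are assumptions of this example, and the constant 1024 stands in for IPPORT_RESERVED.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1024 is IPPORT_RESERVED in the OpenSSH sources; named separately here
   (assumption of this example) so the code does not depend on how the
   platform header defines it. */
#define RESERVED_LIMIT 1024

/* Server side: the same test as in the sshd.c hunk above. sshd only
   considers rhosts / rhosts-rsa when the client's source port lies in
   [512, 1023]; anything else, such as 4624 from the OpenSSH log, is
   refused before the methods are even tried. */
int rhosts_port_trusted(int remote_port)
{
    if (remote_port >= RESERVED_LIMIT || remote_port < RESERVED_LIMIT / 2)
        return 0;
    return 1;
}

/* Client side: bind sock to the highest free port in [512, 1023], the
   way bindresvport(3) does. Only root (or CAP_NET_BIND_SERVICE) can
   succeed, which is why the client must be setuid root for rhosts
   authentication to work. Returns the bound port, or -1 with errno set. */
int bind_reserved_port(int sock)
{
    struct sockaddr_in sin;
    int port;

    for (port = RESERVED_LIMIT - 1; port >= RESERVED_LIMIT / 2; port--) {
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = htonl(INADDR_ANY);
        sin.sin_port = htons((unsigned short)port);
        if (bind(sock, (struct sockaddr *)&sin, sizeof sin) == 0)
            return port;
        if (errno != EADDRINUSE)
            return -1;          /* typically EACCES when not root */
    }
    errno = EAGAIN;             /* all 512 reserved ports are busy */
    return -1;
}

/* Try the bind on a fresh socket. Returns the port obtained (one sshd
   would trust), 0 when the environment does not allow the attempt (no
   socket, or not privileged), -1 for any other failure. */
int try_reserved_bind(void)
{
    int sock, port, saved;

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0)
        return 0;
    port = bind_reserved_port(sock);
    saved = errno;
    close(sock);
    if (port >= 0)
        return port;
    return (saved == EACCES || saved == EPERM || saved == EAGAIN) ? 0 : -1;
}

int main(void)
{
    /* constructed sample source ports: the two from the logs above plus
       the edges of the trusted window */
    int ports[] = { 4624, 1005, 22, 1023, 512, 511, 1024 };
    size_t i;
    int got;

    for (i = 0; i < sizeof ports / sizeof ports[0]; i++)
        printf("source port %4d: rhosts methods %s\n", ports[i],
               rhosts_port_trusted(ports[i]) ? "allowed" : "disabled");

    got = try_reserved_bind();
    if (got > 0)
        printf("bound reserved port %d (running with privilege)\n", got);
    else
        printf("no reserved port obtained (%s)\n",
               got == 0 ? "expected without root" : "unexpected error");
    return 0;
}
```

Run as an unprivileged user the bind fails with EACCES, which is the situation of an OpenSSH client that is not setuid root: sshd then sees an ephemeral port such as 4624 and switches both rhosts methods off, exactly as in the first log above. Run as root it yields a port in the 512..1023 window, which is what the SSH.COM client's port 1005 shows.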