Davis, Ricardo C.
2001-Mar-15 23:35 UTC
Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])
Damien,

I was going down the path of public key authentication when I encountered problems. I've been discussing it off-line using the simple example of creating a key pair with no passphrase for an account on "myserver", then trying to connect to myserver using the "ssh -i id_dsa myserver" command. It's not working, so we're debugging now (see below). If you have any insight as to what's going on it would be appreciated.

-Ricardo

P.S. The mode of id_dsa is 600, the mode of id_dsa.pub is 644.

____________________________________________________________________________
From: Davis, Ricardo C.
Sent: Thursday, March 15, 2001 5:52 PM
To: 'Markus Friedl'
Subject: RE: Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])

-----------ssh monitor window-----------------
$ ssh -i id_dsa -p 1234 myserver.com
Permission denied (publickey,password,keyboard-interactive).
$

-----------sshd monitor window-----------------
su -
Password:
# sshd -d -d -d -p 1234
debug1: sshd version OpenSSH_2.5.1p1
debug1: load_private_key_autodetect: type 0 RSA1
debug3: Bad RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read SSH2 private key done: name dsa w/o comment success 1
debug1: load_private_key_autodetect: type 2 DSA
debug3: Bad RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read SSH2 private key done: name rsa w/o comment success 1
debug1: load_private_key_autodetect: type 1 RSA
debug1: Seeding random number generator
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
Generating 768 bit RSA key.
debug1: Seeding random number generator
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 0.0.0.0 port 724
debug1: Client protocol version 2.0; client software version OpenSSH_2.5.1p1
debug1: match: OpenSSH_2.5.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.5.1p1
debug1: list_hostkey_types: ssh-dss,ssh-rsa
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-rsa,ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug1: got kexinit: none
debug1: got kexinit: none
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug2: mac_init: found hmac-sha1
debug1: kex: client->server 3des-cbc hmac-sha1 none
debug2: mac_init: found hmac-sha1
debug1: kex: server->client 3des-cbc hmac-sha1 none
debug1: Wait SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Sending SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: bits set: 1009/2049
debug1: Wait SSH2_MSG_KEX_DH_GEX_INIT.
debug1: bits set: 1013/2049
debug2: ssh_rsa_sign: done
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: userauth-request for user myaccount service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for myaccount
debug1: Starting up PAM with username "myaccount"
debug1: Trying to reverse map address 0.0.0.0.
debug1: PAM setting rhost to "myserver.com"
debug2: input_userauth_request: try method none
Failed none for myaccount from 0.0.0.0 port 724 ssh2
debug1: userauth-request for user myaccount service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
DSA authentication refused for myaccount: bad ownership or modes for '/home/myaccount/'.
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for myaccount from 0.0.0.0 port 724 ssh2
Connection closed by 0.0.0.0
debug1: Calling cleanup 0x80514a0(0x0)
debug1: Calling cleanup 0x80638a0(0x0)
#

Ok ... so it appears it doesn't like the account's directory. Here's the info on those:

# ls -ld m*
drwxrwx--- 10 myaccoun acctAdm 4096 Mar 15 13:42 myaccount
# cd myaccount
# ls -ld .ssh
drwx------ 2 myaccoun myaccoun 4096 Mar 15 16:56 .ssh

Strange ... it doesn't appear to me there is a problem.

-Ricardo

-----Original Message-----
From: Markus Friedl [mailto:Markus.Friedl at informatik.uni-erlangen.de]
Sent: Thursday, March 15, 2001 5:32 PM
To: Davis, Ricardo C.
Subject: Re: Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])

On Thu, Mar 15, 2001 at 05:26:21PM -0500, Davis, Ricardo C. wrote:
> Ok, did a "chmod go-w on ~/.ssh/authorized_keys2" and tried again with the
> same results. So next I ran ssh with the -v option.

what does

	sshd -d -d -d -p 1234

say when you connect with

	ssh -i id_dsa -p 1234 host. ?

-m
____________________________________________________________________________
-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Thursday, March 15, 2001 6:26 PM
To: Davis, Ricardo C.
Cc: openssh-unix-dev at mindrot.org
Subject: Re: Support for here documents with sftp client in OpenSSH 2.5.1p1-1 (RH Linux 6.2 [2.2.x kernel])

<snip!>

You can use public key authentication - this is exactly what it is designed for :)

-d

--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          / distributed filesystem'' - Dan Geer
Damien Miller
2001-Mar-15 23:40 UTC
Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])
On Thu, 15 Mar 2001, Davis, Ricardo C. wrote:

> Damien,
>
> I was going down the path of public key authentication when I encountered
> problems. I've been discussing it off-line using the simple example of
> creating a key pair with no passphrase for an account on "myserver", then
> trying to connect to myserver using the "ssh -i id_dsa myserver" command.
> It's not working, so we're debugging now (see below). If you have any
> insight as to what's going on it would be appreciated.
>
> -Ricardo
>
> P.S. The mode of id_dsa is 600, the mode of id_dsa.pub is 644.

> DSA authentication refused for myaccount: bad ownership or modes for
> '/home/myaccount/'.

> # ls -ld m*
> drwxrwx--- 10 myaccoun acctAdm 4096 Mar 15 13:42 myaccount

This should be 0750, i.e.

> drwxr-x--- 10 myaccoun acctAdm 4096 Mar 15 13:42 myaccount

-d

--
| Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          / distributed filesystem'' - Dan Geer
Davis, Ricardo C.
2001-Mar-16 15:26 UTC
Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])
That was it! Thank you so much, Markus!

It would have been nice if one could easily discern that from the debugging information without looking at the source code. But then, we are talking about Unix here. :)

I had not thought of the scenario regarding a compromise through group write permissions. Somebody really ought to put this in the OpenSSH FAQ (perhaps as an example of what not to do) and save another security-newbie a few days trying to figure it out!

The account that I'm dealing with is for automated processing and not a "real" user; the account administrators group (basically the sys admins and the ops manager) usually need only read access to check status of processing. The account's home directory was made group writeable so that operational changes could be made "on the fly" without having to log into that account. But it's no great loss not being able to do so.

Thanks again! You and others on this list have been very helpful!

-Ricardo

-----Original Message-----
From: Markus Friedl [mailto:Markus.Friedl at informatik.uni-erlangen.de]
Sent: Friday, March 16, 2001 3:07 AM
To: Davis, Ricardo C.
Subject: Re: Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])

On Thu, Mar 15, 2001 at 05:51:54PM -0500, Davis, Ricardo C. wrote:
> drwxrwx--- 10 myaccoun acctAdm 4096 Mar 15 13:42 myaccount

sshd does not like group writeable homedirectories. everyone from the group can do:

	$ cd myaccount
	$ mv .ssh .ssh-disabled
	$ mkdir .ssh
	$ echo mykey > .ssh/authorized_keys2

> # cd myaccount
> # ls -ld .ssh
> drwx------ 2 myaccoun myaccoun 4096 Mar 15 16:56 .ssh
>
> Strange ... it doesn't appear to me there is a problem.

homedir is the problem.
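The check Markus and Damien describe (sshd's StrictModes refusing a key when the home directory, ~/.ssh or the key file is group- or world-writable or owned by someone else), as an added admin-side script that is not part of this thread or of OpenSSH; the function names are assumptions and the home directory it builds is a constructed throwaway layout:

```shell
#!/bin/sh
# Added example, not OpenSSH's own code: re-create the ownership/mode check
# sshd applies (StrictModes) to the home directory, ~/.ssh and the key file,
# so an admin sees "bad ownership or modes" before sshd refuses the key.
# Function names below are assumptions made for this example.

# check_path_strict USER PATH: 0 if PATH is owned by USER or root and is
# neither group- nor world-writable, 1 otherwise. Parses `ls -ld` so it
# behaves the same on GNU and BSD userlands.
check_path_strict() {
    user=$1; path=$2
    info=$(ls -ld "$path" 2>/dev/null) || return 1
    set -- $info
    mode=$1; owner=$3
    case "$owner" in
        "$user"|root) ;;
        *) echo "bad owner '$owner' for '$path'"; return 1 ;;
    esac
    # mode string looks like drwxrwx---: char 6 is group write, char 9 other write
    case "$mode" in
        ?????w*|????????w*) echo "bad modes for '$path' ($mode)"; return 1 ;;
    esac
    return 0
}

# check_user_keys USER HOME: walk the chain sshd inspects, home directory
# first. The thread's OpenSSH 2.x reads authorized_keys2; current releases
# read authorized_keys, so adjust the file name for a modern server.
check_user_keys() {
    for p in "$2" "$2/.ssh" "$2/.ssh/authorized_keys2"; do
        check_path_strict "$1" "$p" || return 1
    done
    echo "ok: $2 passes strict-mode checks"
}

# make_home DIR MODE: constructed throwaway layout for the demo, not a real account
make_home() {
    mkdir -p "$1/.ssh" && touch "$1/.ssh/authorized_keys2" &&
    chmod "$2" "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys2"
}

# Reproduce the thread: drwxrwx--- (0770) is refused, drwxr-x--- (0750) passes.
demo() {
    tmp=$(mktemp -d)
    make_home "$tmp/myaccount" 770
    check_user_keys "$(id -un)" "$tmp/myaccount"   # refused: bad modes
    chmod 750 "$tmp/myaccount"                     # Damien's fix
    check_user_keys "$(id -un)" "$tmp/myaccount"   # ok
    rm -rf "$tmp"
}
```

Run `demo` to see both outcomes; on a live server, point check_user_keys at the real account and home directory instead.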
Markus Friedl
2001-Mar-16 15:30 UTC
Support for here documents with sftp client in OpenSSH 2.5.1p 1-1 (RH Linux 6.2 [2.2.x kernel])
On Fri, Mar 16, 2001 at 10:26:36AM -0500, Davis, Ricardo C. wrote:
> That was it! Thank you so much, Markus!
>
> It would have been nice if one could easily discern that from the debugging
> information without looking at the source code. But then, we are talking
> about Unix here. :)

the debug output did complain about the permissions.

perhaps it should be more verbose.