Hello ! I think a problem was introduced in openssh-2.3.0p1 which is still there in the latest openssh-2.5.2p1. I just noticed it before my vacation and could not send this mail earlier than today. The problem is: You can't use the Rhosts-RSA authentication based on the hosts.equiv file and the host keys. The only possible way to do rhosts-RSA authentication is to allow the usage of the .rhosts/.shosts file and put the information in there. If you have "IgnoreRhosts yes" in the configuration file for the sshd, no rhosts-RSA authentication is done because it is not configured. The reason are the following wrong lines of source in auth-rh-rsa.c: /* Check if we would accept it using rhosts authentication. */ if (!auth_rhosts(pw, client_user)) return 0; I applied the attached patch and now it works, again. Please advice if this is not the right fix or whether this change was intended. Thanks for providing openssh ! Regards, Norbert. P.S. I am not subscribed to the developer list so a cc: to my mail address is appreciated. -- Norbert Bladt ATAG debis Informatik, ISM-TZ1 / Z302 Industriestrasse 1, CH 3052-Zollikofen E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 <<auth-rh-rsa.diff>> -------------- next part -------------- A non-text attachment was scrubbed... Name: auth-rh-rsa.diff Type: application/octet-stream Size: 529 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010320/f3000ef0/attachment.obj
On Tue, Mar 20, 2001 at 09:53:28AM +0100, Bladt Norbert wrote:> The reason are the following wrong lines of source in auth-rh-rsa.c: > > /* Check if we would accept it using rhosts authentication. */ > if (!auth_rhosts(pw, client_user)) > return 0;what is wrong here?> I applied the attached patch and now it works, again. > Please advice if this is not the right fix or whether this > change was intended.! if (auth_rhosts(pw, client_user)) ! return 1; this is very very very wrong! it makes auth-rhost-rsa behave like auth-rhosts. in fact, this turns off checking of the rsa host keys. make makes auth-rhosts-rsa as unsafe as auth-rhosts. -m
> Markus Friedl [SMTP:Markus.Friedl at informatik.uni-erlangen.de] wrote: > > On Tue, Mar 20, 2001 at 09:53:28AM +0100, Bladt Norbert wrote: >> The reason are the following wrong lines of source in auth-rh-rsa.c: >> >> /* Check if we would accept it using rhosts authentication. */ >> if (!auth_rhosts(pw, client_user)) >> return 0;> what is wrong here?That is easy to tell: auth_rhosts returns 0 if I have "IgnoreRhosts yes" in the sshd_config file. The relevant part of the source in auth-rhosts.c looks like this (around line 249 in 2.3.0p1): if (options.ignore_rhosts) packet_send_debug ("Server has been configured to ignore .%100s", rhosts_file) continue; ... and later: return 0 And the rest of the source is NEVER executed. So, I have to enable the usage of ~/.rhosts to use rhosts-RSA authentication. But I do not want to do this. I want to use shosts.equiv ONLY ! The default of "IgnoreRhosts" is "yes", anyway. Please try to use rhosts RSA authentication based on shosts.equiv and the host keys. It does not work !>> I applied the attached patch and now it works, again. >> Please advice if this is not the right fix or whether this >> change was intended.>! if (auth_rhosts(pw, client_user)) >! return 1;>this is very very very wrong!> it makes auth-rhost-rsa behave like auth-rhosts. in fact, this turns off > checking of the rsa host keys. make makes auth-rhosts-rsa as unsafe as > auth-rhosts.No. If the authentication with ~/.rhosts is not allowed ("IgnoreRhosts yes") it will check the rsa host keys. If "IgnoreRhosts no" is configured, it will use the normal ~/.rhosts authentication and if that passes all the tests, then this is fine. This is true at least for 2.3.0p1 as far as I can see. Trust me, I tried it. The only way to access the target system via ssh is to enable the .rhosts file for every user and put everything in it. I do not want that, though. I am sorry but this is what I experienced in 2.3.0p1. Thanks, Norbert Bladt. -- Norbert Bladt ATAG debis Informatik, ISM-TZ1 / Z302 Industriestrasse 1, CH 3052-Zollikofen E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640
On Tue, Mar 20, 2001 at 11:27:05AM +0100, Bladt Norbert wrote:> > Markus Friedl [SMTP:Markus.Friedl at informatik.uni-erlangen.de] wrote: > > > > On Tue, Mar 20, 2001 at 09:53:28AM +0100, Bladt Norbert wrote: > >> The reason are the following wrong lines of source in auth-rh-rsa.c: > >> > >> /* Check if we would accept it using rhosts authentication. */ > >> if (!auth_rhosts(pw, client_user)) > >> return 0; > > > what is wrong here? > That is easy to tell: > auth_rhosts returns 0 if I have "IgnoreRhosts yes" in the > sshd_config file.yes, but only if it finds a match in .rhosts. and this is correct. it does not affect /etc/shosts.equiv. the checks for hosts.equiv/shosts.equiv are much ealier, and they return 1: /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */ if (pw->pw_uid != 0) { if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr, client_user, pw->pw_name)) { packet_send_debug("Accepted for %.100s [%.100s] by /etc/hosts.equiv.", hostname, ipaddr); return 1; } if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr, client_user, pw->pw_name)) { packet_send_debug("Accepted for %.100s [%.100s] by %.100s.", hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV); return 1; } }> The relevant part of the source in auth-rhosts.c looks like this > (around line 249 in 2.3.0p1): > > if (options.ignore_rhosts) > packet_send_debug ("Server has been configured to ignore .%100s", > rhosts_file) > continue; > > ... and later: > > return 0this is just for .rhosts/.shosts, not for _PATH_SSH_HOSTS_EQUIV or _PATH_RHOSTS_EQUIV> And the rest of the source is NEVER executed. > So, I have to enable the usage of ~/.rhosts to use rhosts-RSA > authentication. > But I do not want to do this. I want to use shosts.equiv ONLY ! > The default of "IgnoreRhosts" is "yes", anyway. > > Please try to use rhosts RSA authentication based on shosts.equiv > and the host keys. > It does not work ! > > >> I applied the attached patch and now it works, again. > >> Please advice if this is not the right fix or whether this > >> change was intended. > > >! if (auth_rhosts(pw, client_user)) > >! return 1; > > >this is very very very wrong! > > > it makes auth-rhost-rsa behave like auth-rhosts. in fact, this turns off > > checking of the rsa host keys. make makes auth-rhosts-rsa as unsafe as > > auth-rhosts. > No. If the authentication with ~/.rhosts is not allowed > ("IgnoreRhosts yes") it will check the rsa host keys. > If "IgnoreRhosts no" is configured, it will use the normal > ~/.rhosts authentication and if that passes all the tests, > then this is fine. > > This is true at least for 2.3.0p1 as far as I can see. > > Trust me, I tried it.i cannot trust you, since the patch is wrong :) -m