Ulrich Windl
2002-Mar-06 07:42 UTC
Compatibility issue: OpenSSH v2.3.0p1 vs. 3.0.2: RSA keys
Hello,

I think I found a problem that should not happen: An OpenSSH client v3.0.2 on Solaris and an OpenSSH server 2.3.0p1 on HP-UX had a problem when authenticating: Password login worked fine, but a password for an existing and configured RSA1 key was never asked, and the key was never tried. It always fell back to plain password authentication.

After fiddling with the client configuration without success, I found out that using "ssh -1" made the client succeed. So I can only guess that this is a failure to negotiate a common protocol.

I think that my installation is correct, but I found some odd messages in the syslog of the server during these tests:

sshd[24574]: WARNING: /usr/local/etc/primes does not exist, using old prime
sshd[4319]: bad pkalg ssh-rsa
sshd[7157]: Bad options in .ssh/authorized_keys file, line 2: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA2lTEPCqTfl5Umv

Regards,
Ulrich
Gert Doering
2002-Mar-06 08:29 UTC
Compatibility issue: OpenSSH v2.3.0p1 vs. 3.0.2: RSA keys
Hi,

On Wed, Mar 06, 2002 at 08:42:38AM +0100, Ulrich Windl wrote:
> Password login worked fine, but a password for an existing and
> configured RSA1 key was never asked, the key never tried. It always
> fell back to plain password authentication.
>
> After fiddling with the client configuration without success, I found
> out that using "ssh -1" made the client succeed.

RSA1 keys won't be used on "-2" connections, they're protocol 1 only.

So without "-1" you effectively do not *have* a key, and thus ssh won't ask you for a password.

gert
--
USENET is *not* the non-clickable part of WWW!    //www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025    gert.doering at physik.tu-muenchen.de
Ulrich Windl
2002-Mar-06 09:13 UTC
Compatibility issue: OpenSSH v2.3.0p1 vs. 3.0.2: RSA keys
On 6 Mar 2002, at 9:29, Gert Doering wrote:
> Hi,
>
> On Wed, Mar 06, 2002 at 08:42:38AM +0100, Ulrich Windl wrote:
> > Password login worked fine, but a password for an existing and
> > configured RSA1 key was never asked, the key never tried. It always
> > fell back to plain password authentication.
> >
> > After fiddling with the client configuration without success, I found
> > out that using "ssh -1" made the client succeed.
>
> RSA1 keys won't be used on "-2" connections, they're protocol 1 only.
>
> So without "-1" you effectively do not *have* a key, and thus ssh won't
> ask you for a password.

However, if you disable plain password in the client's configuration, no connection can be made using the auto-negotiated protocol, while the v1 protocol would work just fine.

The problem seems to be that OpenSSH uses version numbers to decide about features, while an explicit feature list would be the way to go. OpenSSH will never know all the implementations of the SSH protocol.

Ulrich
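The thread turns on the two key generations that the client and server disagree about: an RSA1 (protocol 1) public key is stored as a decimal "bits exponent modulus" line, while a protocol 2 key is stored as "ssh-rsa <base64 blob>", which is what the server's syslog shows being rejected in .ssh/authorized_keys. The Python below is an added example, not code from the thread or from OpenSSH, that tells the two on-disk formats apart so an admin can check which kind of key a file actually holds; the key numbers it builds are constructed toy values, and the leading-options handling and the key-type list are assumptions made for illustration.

```python
import base64
import struct

KEYTYPES_V2 = ("ssh-rsa", "ssh-dss")  # protocol 2 key types of that era (assumption)


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """SSH wire 'mpint' for a non-negative int (leading 0x00 if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_v2_rsa_line(e: int, n: int, comment: str = "") -> str:
    """Build a constructed protocol-2 'ssh-rsa' line from toy numbers (not a real key)."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".rstrip()


def classify_key_line(line: str) -> dict:
    """Classify one authorized_keys / *.pub line.
    Protocol 1 (RSA1): '[options] bits exponent modulus [comment]', all decimal.
    Protocol 2:        '[options] keytype base64blob [comment]'."""
    fields = line.split()
    # A leading options field (e.g. from="host") is neither a decimal number
    # nor a key type; skip it so the key itself is examined (no spaces inside).
    if fields and not fields[0].isdigit() and fields[0] not in KEYTYPES_V2:
        fields = fields[1:]
    if len(fields) < 2:
        return {"protocol": None, "reason": "too few fields"}
    if len(fields) >= 3 and all(f.isdigit() for f in fields[:3]):
        bits, _e, n = (int(f) for f in fields[:3])
        # Sanity check: the declared size should match the modulus length.
        return {"protocol": 1, "type": "rsa1", "bits": bits,
                "bits_match": n.bit_length() == bits}
    keytype, b64 = fields[0], fields[1]
    if keytype not in KEYTYPES_V2:
        return {"protocol": None, "reason": f"unknown key type {keytype!r}"}
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return {"protocol": None, "reason": "key blob is not valid base64"}
    if len(blob) < 4:
        return {"protocol": None, "reason": "key blob truncated"}
    # The first SSH string inside the blob must repeat the key type.
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode("ascii", "replace")
    if embedded != keytype:
        return {"protocol": None, "reason": f"blob type {embedded!r} != {keytype!r}"}
    return {"protocol": 2, "type": keytype}
```

A file that classifies as protocol 2 only will never satisfy a client forced to "-1", and a protocol 1 line will never be offered on a "-2" connection, which is the mismatch Gert describes.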