openssh unix dev - Mar 2002 - Compatibility issue: OpenSSH v2.3.0p1 vs. 3.0.2: RSA keys

Hello,

I think I found a problem that should not happen:

An OpenSSH client v3.0.2 on Solaris and an OpenSSH server 2.3.0p1 on HP-
UX had a problem when authenticating:

Password login worked fine, but a password for an existing and 
configured RSA1 key was never asked, the key never tried. It always 
fell back to plain password authentication.

After fiddling with the client configuration without success, I found 
out that using "ssh -1" made the client succeed.

So I can only guess that this is a failure to negotiate a common 
protocol.

I thin kthat my installation is correct, but I found some odd messages 
in syslog of the server during these tests:

sshd[24574]: WARNING: /usr/local/etc/primes does not exist, using old 
prime
sshd[4319]: bad pkalg ssh-rsa
sshd[7157]: Bad options in .ssh/authorized_keys file, line 2: ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAIEA2lTEPCqTfl5Umv

Regards,
Ulrich

Hi,

On Wed, Mar 06, 2002 at 08:42:38AM +0100, Ulrich Windl
wrote:
> Password login worked fine, but a password for an existing and 
> configured RSA1 key was never asked, the key never tried. It always 
> fell back to plain password authentication.
> 
> After fiddling with the client configuration without success, I found 
> out that using "ssh -1" made the client succeed.
RSA1 keys won't be used on "-2" connections, they're protocol
1 only.

So without "-1" you effectively do not *have* a key, and thus ssh
won't
ask you for a password.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at
greenie.muc.de
fax: +49-89-35655025                        gert.doering at
physik.tu-muenchen.de

On 6 Mar 2002, at 9:29, Gert Doering wrote:
> Hi,
> 
> On Wed, Mar 06, 2002 at 08:42:38AM +0100, Ulrich Windl wrote:
> > Password login worked fine, but a password for an existing and 
> > configured RSA1 key was never asked, the key never tried. It always 
> > fell back to plain password authentication.
> > 
> > After fiddling with the client configuration without success, I found 
> > out that using "ssh -1" made the client succeed.
> 
> RSA1 keys won't be used on "-2" connections, they're
protocol 1 only.
> 
> So without "-1" you effectively do not *have* a key, and thus ssh
won't
> ask you for a password.
However if you disable plain password in the client's configuration, no 
connection can be made using the auto-negotiated protocol, while the v1 
protocol would work just fine.

The problem seems to be that OpenSSH uses version numbers to decide 
about features, while an explicit feature list would be the way to go.
OpenSSH will never know all the implementations of the SSH protocol.

Ulrich