bugzilla-daemon at mindrot.org
2002-Aug-01 15:36 UTC
[Bug 376] New: HostbasedAuthentication, followed snailbook but not working! :-(
http://bugzilla.mindrot.org/show_bug.cgi?id=376

           Summary: HostbasedAuthentication, followed snailbook but not working! :-(
           Product: Portable OpenSSH
           Version: -current
          Platform: UltraSparc
               URL: http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&group=comp.security.ssh&selm=d2ddc71a.0207310951.60abaa6f%40posting.google.com
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: rlebar at erac.com

The URL is a link to the Google Group (Usenet News) post I made. No relevant response to this yet, and I double-checked against http://cookbook.linuxsecurity.com/sp/ssh-part2.html#Host-based%20trusts. Without any clue to indicate otherwise, I have to consider that I have stumbled across a bug. The contents of the Usenet News post follow.

In addition, evereska is running Solaris 8 and Endeavor is running Solaris 7. Evereska is an Ultra-10 (333 MHz) in my cube and Endeavor is a production server and also an Ultra-10 (440 MHz). Evereska has one interface and Endeavor has three. A co-worker compiled and created the package (on a Solaris 2.6 system, I believe).

------8<----------------------------------------------------------------

I followed http://www.snailbook.com/faq/trusted-host-howto.auto.html but still no go. Here's the relevant config info. The client is evereska and the server is endeavor. The ssh executable is suid root, we are using privilege separation, and we made our own package installed to the /opt/erac tree.

Any ideas?

SERVER:

/opt/erac/etc/sshd_config (comments removed):
---------------------------------------------
Protocol 2
PermitRootLogin yes
StrictModes yes
HostBasedAuthentication yes
HostbasedUsesNameFromPacketOnly yes
X11Forwarding yes
X11DisplayOffset 400
Subsystem sftp /opt/erac//libexec/sftp-server

/opt/erac/etc/ssh_known_hosts2:
-------------------------------
evereska,evereska.wan.erac.com,10.49.191.9,evereska. ssh-dss ...
evereska,evereska.wan.erac.com,10.49.191.9,evereska. ssh-rsa ...

/etc/shosts.equiv (chmod 444):
-----------------------------
evereska
evereska.
10.49.191.9
evereska.wan.erac.com

CLIENT:

/opt/erac/etc/ssh_config (comments removed):
--------------------------------------------
Host *
ForwardX11 yes
PreferredAuthentications hostbased,publickey,keyboard-interactive,password
HostBasedAuthentication yes
UsePrivilegedPort yes

SERVER DEBUG:
============
debug3: Seeding PRNG from /opt/erac//libexec/ssh-rand-helper
This platform does not support both privilege separation and compression
Compression disabled
debug1: sshd version OpenSSH_3.4p1
debug3: Not a RSA1 key file /opt/erac/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /opt/erac/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 10.49.191.9 port 887
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug3: privsep user:group 60001:1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: Network child is on pid 12348
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 2048 8192
WARNING: /opt/erac/etc/moduli does not exist, using old modulus
debug3: mm_request_send entering: type 1
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 123/256
debug1: bits set: 537/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 509/1024
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 121938(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user rjl01 service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for rjl01
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 37
debug3: monitor_read: checking request 37
debug1: Starting up PAM with username "rjl01"
debug3: Trying to reverse map address 10.49.191.9.
debug1: PAM setting rhost to "evereska.wan.erac.com"
debug2: monitor_read: 37 used once, disabling now
debug3: mm_request_receive entering
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: try method none
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for rjl01 from 10.49.191.9 port 887 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for rjl01 from 10.49.191.9 port 887 ssh2
debug1: userauth-request for user rjl01 service ssh-connection method hostbased
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser rjl01 chost evereska. pkalg ssh-dss slen 55
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 1245e0
debug2: userauth_hostbased: chost evereska. resolvedname evereska.wan.erac.com ipaddr 10.49.191.9
debug2: auth_rhosts2: clientuser rjl01 hostname evereska. ipaddr evereska.
debug1: temporarily_use_uid: 503/5005 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 503/5005 (e=0)
debug1: restore_uid
debug3: mm_answer_keyallowed: key 1245e0 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug2: userauth_hostbased: authenticated 0
Failed hostbased for rjl01 from 10.49.191.9 port 887 ssh2
debug1: userauth-request for user rjl01 service ssh-connection method hostbased
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser rjl01 chost evereska. pkalg ssh-rsa slen 143
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 1245f8
debug2: userauth_hostbased: chost evereska. resolvedname evereska.wan.erac.com ipaddr 10.49.191.9
debug2: auth_rhosts2: clientuser rjl01 hostname evereska. ipaddr evereska.
debug1: temporarily_use_uid: 503/5005 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 503/5005 (e=0)
debug1: restore_uid
debug3: mm_answer_keyallowed: key 1245f8 is disallowed
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug2: userauth_hostbased: authenticated 0
Failed hostbased for rjl01 from 10.49.191.9 port 887 ssh2
debug1: userauth-request for user rjl01 service ssh-connection method keyboard-interactive
debug1: attempt 3 failures 3
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=rjl01 devs
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for rjl01 from 10.49.191.9 port 887 ssh2
Connection closed by 10.49.191.9
debug1: Calling cleanup 0x53eb0(0x0)
debug1: Calling cleanup 0x38d24(0x0)
debug1: Calling cleanup 0x53eb0(0x0)

CLIENT DEBUG (removed some carriage returns):
============================================
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data /opt/erac/etc/ssh_config
debug1: Applying options for *
debug3: RNG is ready, skipping seeding
debug1: ssh_connect: needpriv 1
debug1: Connecting to endeavor [10.49.191.121] port 22.
debug3: RNG is ready, skipping seeding
debug1: Allocated local port 620.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /export/home/rjl01/.ssh/identity type -1
debug1: identity file /export/home/rjl01/.ssh/id_rsa type -1
debug1: identity file /export/home/rjl01/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 128/256
debug1: bits set: 518/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /export/home/rjl01/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /opt/erac/etc/ssh_known_hosts2
debug3: key_read: type mismatch
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /export/home/rjl01/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /opt/erac/etc/ssh_known_hosts2
debug3: key_read: type mismatch
debug3: check_host_in_hostfile: match line 2
debug1: Host 'endeavor' is known and matches the RSA host key.
debug1: Found key in /opt/erac/etc/ssh_known_hosts2:2
debug1: bits set: 532/1024
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: start over, passed a different list publickey,password,keyboard-interactive,hostbased
debug3: preferred hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: next auth method to try is hostbased
debug2: userauth_hostbased: chost evereska.
debug2: we sent a hostbased packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug2: userauth_hostbased: chost evereska.
debug2: we sent a hostbased packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: userauth_hostbased: no more client hostkeys
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: /export/home/rjl01/.ssh/identity
debug3: no such identity: /export/home/rjl01/.ssh/identity
debug1: try privkey: /export/home/rjl01/.ssh/id_rsa
debug3: no such identity: /export/home/rjl01/.ssh/id_rsa
debug1: try privkey: /export/home/rjl01/.ssh/id_dsa
debug3: no such identity: /export/home/rjl01/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
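An added example, not part of the bug report or of OpenSSH: a small Python triage script for `sshd -ddd` transcripts like the server debug above. It reduces the output to one record per `userauth-request`, pairs it with its `Failed`/`Accepted` line, and for hostbased attempts captures the name the client claimed (`chost`), the reverse-resolved name, the pair of strings `auth_rhosts2` actually matched the equiv files on, and the `mm_answer_keyallowed` verdict, then lists the things worth checking against `shosts.equiv` and the host key files. `SAMPLE_LOG` is constructed from the authentication-relevant server lines of this report; the function and field names are the script's own and not OpenSSH identifiers.

```python
# Added example (not from the bug report or OpenSSH): reduce an `sshd -ddd`
# transcript to one record per authentication attempt, so hostbased failures
# can be read off without wading through the monitor and kex chatter.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the authentication-relevant server lines from the report above.
SAMPLE_LOG = """\
debug1: userauth-request for user rjl01 service ssh-connection method none
Failed none for rjl01 from 10.49.191.9 port 887 ssh2
debug1: userauth-request for user rjl01 service ssh-connection method hostbased
debug1: userauth_hostbased: cuser rjl01 chost evereska. pkalg ssh-dss slen 55
debug2: userauth_hostbased: chost evereska. resolvedname evereska.wan.erac.com ipaddr 10.49.191.9
debug2: auth_rhosts2: clientuser rjl01 hostname evereska. ipaddr evereska.
debug3: mm_answer_keyallowed: key 1245e0 is disallowed
Failed hostbased for rjl01 from 10.49.191.9 port 887 ssh2
debug1: userauth-request for user rjl01 service ssh-connection method hostbased
debug1: userauth_hostbased: cuser rjl01 chost evereska. pkalg ssh-rsa slen 143
debug2: userauth_hostbased: chost evereska. resolvedname evereska.wan.erac.com ipaddr 10.49.191.9
debug2: auth_rhosts2: clientuser rjl01 hostname evereska. ipaddr evereska.
debug3: mm_answer_keyallowed: key 1245f8 is disallowed
Failed hostbased for rjl01 from 10.49.191.9 port 887 ssh2
debug1: userauth-request for user rjl01 service ssh-connection method keyboard-interactive
Failed keyboard-interactive for rjl01 from 10.49.191.9 port 887 ssh2
"""

LEVEL_RE = re.compile(r"^debug[123]: ")
REQUEST_RE = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
RESULT_RE = re.compile(r"^(Accepted|Failed) (\S+) for (\S+) from (\S+) port \d+")
CLAIM_RE = re.compile(r"userauth_hostbased: cuser \S+ chost (\S+) pkalg (\S+) slen \d+")
RESOLVED_RE = re.compile(r"userauth_hostbased: chost \S+ resolvedname (\S+) ipaddr (\S+)")
RHOSTS_RE = re.compile(r"auth_rhosts2: clientuser \S+ hostname (\S+) ipaddr (\S+)")
KEY_RE = re.compile(r"mm_answer_keyallowed: key \S+ is (allowed|disallowed)")


@dataclass
class Attempt:
    user: str
    method: str
    outcome: Optional[str] = None          # Accepted / Failed / None if the log ended first
    chost: Optional[str] = None            # host name the client claimed (hostbased only)
    pkalg: Optional[str] = None            # host key algorithm the client offered
    resolvedname: Optional[str] = None     # reverse lookup of the peer address
    rhosts_hostname: Optional[str] = None  # strings auth_rhosts2 matched the equiv files on
    rhosts_ipaddr: Optional[str] = None
    key_status: Optional[str] = None       # monitor verdict on the offered host key
    notes: List[str] = field(default_factory=list)


def annotate(a: Attempt) -> None:
    """Record what to check against shosts.equiv and the host key files."""
    if a.method != "hostbased":
        return
    if a.chost and a.chost.endswith("."):
        a.notes.append(f"client claimed {a.chost!r} with a trailing dot; equiv and "
                       "known_hosts entries must carry that exact form")
    if a.rhosts_hostname and a.rhosts_hostname == a.rhosts_ipaddr:
        a.notes.append("auth_rhosts2 used the client-supplied name for both hostname and "
                       "ipaddr (HostbasedUsesNameFromPacketOnly behaviour)")
    if a.chost and a.resolvedname and a.chost.rstrip(".").lower() != a.resolvedname.lower():
        a.notes.append(f"claimed name {a.chost!r} differs from resolved {a.resolvedname!r}")
    if a.key_status == "disallowed":
        a.notes.append("host key refused: the equiv lookup failed or the key is absent "
                       "from the host key files sshd consults")


def parse_sshd_debug(text: str) -> List[Attempt]:
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    for raw in text.splitlines():
        line = LEVEL_RE.sub("", raw.strip())        # drop the debugN: prefix
        if (m := REQUEST_RE.search(line)):
            cur = Attempt(user=m.group(1), method=m.group(2))
            attempts.append(cur)
        elif cur is None:
            continue                                # pre-auth noise
        elif (m := CLAIM_RE.search(line)):
            cur.chost, cur.pkalg = m.group(1), m.group(2)
        elif (m := RESOLVED_RE.search(line)):
            cur.resolvedname = m.group(1)
        elif (m := RHOSTS_RE.search(line)):
            cur.rhosts_hostname, cur.rhosts_ipaddr = m.group(1), m.group(2)
        elif (m := KEY_RE.search(line)):
            cur.key_status = m.group(1)
        elif (m := RESULT_RE.match(line)):
            cur.outcome = m.group(1)
    for a in attempts:
        annotate(a)
    return attempts


def summarize(attempts: List[Attempt]) -> str:
    out = []
    for i, a in enumerate(attempts, 1):
        head = f"#{i} {a.method} for {a.user}: {a.outcome or 'no result'}"
        if a.pkalg:
            head += f" (chost={a.chost}, pkalg={a.pkalg}, key {a.key_status})"
        out.append(head)
        out.extend(f"    - {n}" for n in a.notes)
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(parse_sshd_debug(SAMPLE_LOG)))
```

Run against the sample, the report shows the two hostbased attempts rejected by the monitor with the same four observations each: the claimed name carries a trailing dot, `auth_rhosts2` matched on that client-supplied string for both fields, it differs from the reverse-resolved FQDN, and the key was disallowed. Feed it a full `sshd -ddd` capture from a working host and the notes disappear, which makes the script handy for diffing a failing trust against a known-good one.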