bugzilla-daemon at mindrot.org
2002-Aug-07 18:03 UTC
[Bug 382] New: Privilege Separation breaks HostbasedAuthentication
http://cvs-mirror.mozilla.org/webtools/bugzilla/show_bug.cgi?id=382

           Summary: Privilege Separation breaks HostbasedAuthentication
           Product: Portable OpenSSH
           Version: -current
          Platform: Sparc
        OS/Version: Solaris
            Status: NEW
          Severity: major
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: rlebar at erac.com

With privsep disabled (UsePrivilegeSeparation no) HostbasedAuthentication works.
With it turned on, below is what I get from sshd. Note the
mm_answer_keyverify: bad signature data blob near the end. Also note that our
OpenSSH is compiled with the config directory as /opt/erac/etc.

-----8<-----------------------------------------------------------------
debug3: Seeding PRNG from /opt/erac//libexec/ssh-rand-helper
This platform does not support both privilege separation and compression
Compression disabled
debug1: sshd version OpenSSH_3.4p1
debug3: Not a RSA1 key file /opt/erac/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /opt/erac/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 10.49.191.9 port 34890
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug3: privsep user:group 60001:1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug3: mm_request_send entering: type 0
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI
debug3: mm_request_receive_expect entering: type 1
debug3: mm_request_receive entering
debug2: Network child is on pid 3990
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 2048 8192
WARNING: /opt/erac/etc/moduli does not exist, using old modulus
debug3: mm_request_send entering: type 1
debug3: mm_choose_dh: remaining 0
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 139/256
debug1: bits set: 469/1024
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug2: monitor_read: 0 used once, disabling now
debug3: mm_request_receive entering
debug1: bits set: 547/1024
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 121938(143)
debug3: mm_request_send entering: type 5
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user rjl01 service ssh-connection method none
debug1: attempt 0 failures 0
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug2: input_userauth_request: setting up authctxt for rjl01
debug3: mm_start_pam entering
debug3: mm_request_send entering: type 37
debug3: mm_inform_authserv entering
debug3: mm_request_send entering: type 3
debug2: input_userauth_request: try method none
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug3: monitor_read: checking request 37
debug1: Starting up PAM with username "rjl01"
debug3: Trying to reverse map address 10.49.191.9.
debug1: PAM setting rhost to "evereska.wan.erac.com"
debug2: monitor_read: 37 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
Failed none for rjl01 from 10.49.191.9 port 34890 ssh2
debug3: mm_request_receive entering
debug3: mm_auth_password: user not authenticated
Failed none for rjl01 from 10.49.191.9 port 34890 ssh2
debug1: userauth-request for user rjl01 service ssh-connection method hostbased
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser rjl01 chost evereska. pkalg ssh-dss slen 55
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 1245e0
debug2: userauth_hostbased: chost evereska. resolvedname evereska.wan.erac.com ipaddr 10.49.191.9
debug2: auth_rhosts2: clientuser rjl01 hostname evereska. ipaddr evereska.
debug1: temporarily_use_uid: 503/5005 (e=0)
debug1: restore_uid
debug2: userauth_hostbased: access allowed by auth_rhosts2
debug3: check_host_in_hostfile: filename /opt/erac/etc/ssh_known_hosts
debug1: temporarily_use_uid: 503/5005 (e=0)
debug3: check_host_in_hostfile: filename /export/home/rjl01/.ssh/known_hosts
debug1: restore_uid
debug2: check_key_in_hostfiles: key not found for evereska.
debug3: check_host_in_hostfile: filename /opt/erac/etc/ssh_known_hosts2
debug3: key_read: type mismatch
debug1: temporarily_use_uid: 503/5005 (e=0)
debug3: check_host_in_hostfile: filename /export/home/rjl01/.ssh/known_hosts2
debug1: restore_uid
debug2: check_key_in_hostfiles: key not found for evereska.
debug3: mm_answer_keyallowed: key 1245e0 is disallowed
debug3: mm_append_debug: Appending debug messages for child
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_send_debug: Sending debug: Accepted for evereska. [evereska.] by /opt/erac/etc/shosts.equiv.
debug2: userauth_hostbased: authenticated 0
Failed hostbased for rjl01 from 10.49.191.9 port 34890 ssh2
debug1: userauth-request for user rjl01 service ssh-connection method hostbased
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser rjl01 chost evereska. pkalg ssh-rsa slen 143
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 1245e0
debug2: userauth_hostbased: chost evereska. resolvedname evereska.wan.erac.com ipaddr 10.49.191.9
debug2: auth_rhosts2: clientuser rjl01 hostname evereska. ipaddr evereska.
debug1: temporarily_use_uid: 503/5005 (e=0)
debug1: restore_uid
debug2: userauth_hostbased: access allowed by auth_rhosts2
debug3: check_host_in_hostfile: filename /opt/erac/etc/ssh_known_hosts
debug1: temporarily_use_uid: 503/5005 (e=0)
debug3: check_host_in_hostfile: filename /export/home/rjl01/.ssh/known_hosts
debug1: restore_uid
debug2: check_key_in_hostfiles: key not found for evereska.
debug3: check_host_in_hostfile: filename /opt/erac/etc/ssh_known_hosts2
debug3: check_host_in_hostfile: match line 2
debug2: check_key_in_hostfiles: key ok for evereska.
debug3: mm_answer_keyallowed: key 1245e0 is allowed
debug3: mm_append_debug: Appending debug messages for child
debug3: mm_request_send entering: type 21
debug3: mm_request_receive entering
debug3: mm_send_debug: Sending debug: Accepted for evereska. [evereska.] by /opt/erac/etc/shosts.equiv.
debug3: mm_key_verify entering
debug3: mm_request_send entering: type 22
debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY
debug3: mm_request_receive_expect entering: type 23
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
mm_answer_keyverify: bad signature data blob
debug1: Calling cleanup 0x38d24(0x0)
debug1: Calling cleanup 0x53eb0(0x0)
debug1: Calling cleanup 0x53eb0(0x0)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
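To triage a log like the one in this report, here is an added Python helper (not part of the bug report or of OpenSSH) that groups `sshd -ddd` output into authentication attempts and records, for each hostbased attempt, the key algorithm offered and whether the privsep monitor's keyallowed or keyverify step rejected it. The embedded log is a constructed trimming of the report's own lines; the line-pattern regexes are assumptions based on the messages visible above.

```python
import re

# Constructed excerpt of an "sshd -ddd" privsep log, trimmed from the
# report above to the lines the triage logic keys on.
SAMPLE_LOG = """\
debug1: userauth-request for user rjl01 service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for rjl01 from 10.49.191.9 port 34890 ssh2
debug1: userauth-request for user rjl01 service ssh-connection method hostbased
debug1: userauth_hostbased: cuser rjl01 chost evereska. pkalg ssh-dss slen 55
debug3: key_read: type mismatch
debug3: mm_answer_keyallowed: key 1245e0 is disallowed
Failed hostbased for rjl01 from 10.49.191.9 port 34890 ssh2
debug1: userauth-request for user rjl01 service ssh-connection method hostbased
debug1: userauth_hostbased: cuser rjl01 chost evereska. pkalg ssh-rsa slen 143
debug3: check_host_in_hostfile: match line 2
debug3: mm_answer_keyallowed: key 1245e0 is allowed
debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY
mm_answer_keyverify: bad signature data blob
debug1: Calling cleanup 0x38d24(0x0)
"""

# Patterns assumed from the message shapes in the log (not OpenSSH's own).
REQ = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
HB = re.compile(r"userauth_hostbased: cuser (\S+) chost (\S+) pkalg (\S+) slen (\d+)")
ALLOWED = re.compile(r"mm_answer_keyallowed: key \S+ is (allowed|disallowed)")
VERIFY = re.compile(r"^mm_answer_keyverify: (.*)$")
RESULT = re.compile(r"^(Failed|Accepted) (\S+) for (\S+) from ")


def triage_auth(log: str) -> list[dict]:
    """Split the log into auth attempts; per attempt, note the hostbased key
    offered and which monitor step (keyallowed / keyverify) rejected it."""
    attempts: list[dict] = []
    for line in log.splitlines():
        if m := REQ.search(line):
            attempts.append({"user": m.group(1), "method": m.group(2),
                             "key_allowed": None, "key_verify": None,
                             "result": None})
            continue
        if not attempts:
            continue  # KEX and setup lines before the first request
        cur = attempts[-1]
        if m := HB.search(line):
            cur.update(chost=m.group(2), pkalg=m.group(3), slen=int(m.group(4)))
        elif m := ALLOWED.search(line):
            cur["key_allowed"] = m.group(1) == "allowed"
        elif m := VERIFY.match(line):
            # No debugN: prefix: the monitor aborts the connection here.
            cur["key_verify"] = m.group(1)
            cur["result"] = "fatal"
        elif m := RESULT.match(line):
            cur["result"] = m.group(1).lower()
    return attempts
```

Run on the excerpt, the summary shows the ssh-dss key failing at keyallowed (no matching entry in the known_hosts files) while the ssh-rsa key passes keyallowed and dies in the monitor's keyverify, which is the privsep-specific failure the reporter points at.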