openssh unix dev - Aug 2002 - Bugzilla bug entry #342

I may have found a similar issue with plain old RSAAuthentication.  After
upgrading to 3.4p1 on Solaris 8, I am no longer able to use RSAAuthentication
with 

PermitRootLogin forced-commands-only

Following is output from sshd -d -d:

Connection from 10.100.100.8 port 39955
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: list_hostkey_types: ssh-dss,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,ri
jndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,ri
jndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hma
c-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hma
c-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,ri
jndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,ri
jndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hma
c-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hma
c-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug2: Network child is on pid 1881
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug2: monitor_read: 0 used once, disabling now
debug1: dh_gen_key: priv key bits set: 126/256
debug1: bits set: 1613/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1557/3191
debug1: bits set: 1557/3191
debug2: monitor_read: 4 used once, disabling now
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
debug2: monitor_read: 6 used once, disabling now
debug2: input_userauth_request: setting up authctxt for root
debug1: Starting up PAM with username "root"
debug1: PAM setting rhost to "remotehost.company.com"
debug2: monitor_read: 37 used once, disabling now
debug2: monitor_read: 3 used once, disabling now
debug2: input_userauth_request: try method none
Failed none for root from 10.100.100.8 port 39955 ssh2
Failed none for root from 10.100.100.8 port 39955 ssh2
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: trying public key file //.ssh/authorized_keys
debug1: trying public key file //.ssh/authorized_keys
debug2: key_type_from_name: unknown key type
'from="remotehost.company.com",command="/usr/local/sbin/rdi
std'
debug2: user_key_allowed: check options:
'from="remotehost.company.com",command="/usr/local/sbin/rdistd
-S",no-port-forwarding,no-pty 1024 35
118666268659798484966286942768944312049369367774475796933061557373
51846115552657285664113128114068567379297579754801391033082429223990779366682362906474664072077746004816
58915227196803274009991119196168112506060960169043410771581121113084522220661468549956396754587779105908
24978905786138489706832425528183011 root at remotehost
'
debug2: key_type_from_name: unknown key type '1024'
debug2: user_key_allowed: advance: '1024 35
118666268659798484966286942768944312049369367774475796933061
55737351846115552657285664113128114068567379297579754801391033082429223990779366682362906474664072077746
00481658915227196803274009991119196168112506060960169043410771581121113084522220661468549956396754587779
10590824978905786138489706832425528183011 root at remotehost
'
debug1: restore_uid
debug2: key not found
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: trying public key file //.ssh/authorized_keys2
debug2: key_type_from_name: unknown key type
'from="remotehost.company.com",command="/usr/local/sbin/rdi
std'
debug2: user_key_allowed: check options:
'from="remotehost.company.com",command="/usr/local/sbin/rdistd
-S",no-port-forwarding,no-pty ssh-dss
AAAAB3NzaC1kc3MAAACBAIauk+vg54JiU36Q/8F2Jlyf7cUMMcrItmETEG/OtOuIIa
jU9FiN6Xa85o1OFMVm6f6dn7XfPC9tE5MGuM2dE6tqVpeRz7qWdbfPDNY/+pqYKzs72NmQSUFfvglogb7CRb/FqG33COB8m5pC9uN/ZT
dHVefy5CpfUZ8qBCjiXdwRAAAAFQDidPKGD0iX/QLo6KahXeFdPX47DwAAAIBwH60/h910+z7Nrcv22bSZI9xjRGeAHzsRtYtHL7VOrB
JPS8GEDsoQfgE1ICWhcx210RcZkBEcFcElZurHlQKDc3rCG3qLGSmirrafUButOygTuvlL57RRjLhjizHgo3Nwn2tXnZZIA177u5wN/X
VO2Zd39d8koYUdh4qwNlt7YgAAAIAV37lsNDP9caqiQYKw9TyCLPOYhmCaiEBxJ0rdCpxrPGVFLdindW9mrCoFkloNGyaykc14A2Ko6NoTvvLZw71XBqkpTHp8BAlVffsyhVTXAmAHuVLhEb7EaHbq4MQKmYqNXGK29mj28duWQpQJ72JD2OqyDDwZf2voyk1BOI3myA=root@
remotehost
'
debug1: matching key found: file //.ssh/authorized_keys2, line 1
Found matching DSA key: f7:a2:2d:a0:c0:ee:4c:3f:1e:47:c3:3c:36:11:b8:e9
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Postponed publickey for root from 10.100.100.8 port 39955 ssh2
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method publickey
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: trying public key file //.ssh/authorized_keys
debug2: key_type_from_name: unknown key type
'from="remotehost.company.com",command="/usr/local/sbin/rdistd'
debug2: user_key_allowed: check options:
'from="remotehost.company.com",command="/usr/local/sbin/rdistd
-S",no-port-forwarding,no-pty 1024 35
118666268659798484966286942768944312049369367774475796933061557373
51846115552657285664113128114068567379297579754801391033082429223990779366682362906474664072077746004816
58915227196803274009991119196168112506060960169043410771581121113084522220661468549956396754587779105908
24978905786138489706832425528183011 root at remotehost
'
debug2: key_type_from_name: unknown key type '1024'
debug2: user_key_allowed: advance: '1024 35
118666268659798484966286942768944312049369367774475796933061
55737351846115552657285664113128114068567379297579754801391033082429223990779366682362906474664072077746
00481658915227196803274009991119196168112506060960169043410771581121113084522220661468549956396754587779
10590824978905786138489706832425528183011 root at remotehost
'
debug1: restore_uid
debug2: key not found
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: trying public key file //.ssh/authorized_keys2
debug2: key_type_from_name: unknown key type
'from="remotehost.company.com",command="/usr/local/sbin/rdi
std'
debug2: user_key_allowed: check options:
'from="remotehost.company.com",command="/usr/local/sbin/rdistd
-S",no-port-forwarding,no-pty ssh-dss
AAAAB3NzaC1kc3MAAACBAIauk+vg54JiU36Q/8F2Jlyf7cUMMcrItmETEG/OtOuIIa
jU9FiN6Xa85o1OFMVm6f6dn7XfPC9tE5MGuM2dE6tqVpeRz7qWdbfPDNY/+pqYKzs72NmQSUFfvglogb7CRb/FqG33COB8m5pC9uN/ZT
dHVefy5CpfUZ8qBCjiXdwRAAAAFQDidPKGD0iX/QLo6KahXeFdPX47DwAAAIBwH60/h910+z7Nrcv22bSZI9xjRGeAHzsRtYtHL7VOrB
JPS8GEDsoQfgE1ICWhcx210RcZkBEcFcElZurHlQKDc3rCG3qLGSmirrafUButOygTuvlL57RRjLhjizHgo3Nwn2tXnZZIA177u5wN/X
VO2Zd39d8koYUdh4qwNlt7YgAAAIAV37lsNDP9caqiQYKw9TyCLPOYhmCaiEBxJ0rdCpxrPGVFLdindW9mrCoFkloNGyaykc14A2Ko6N
oTvvLZw71XBqkpTHp8BAlVffsyhVTXAmAHuVLhEb7EaHbq4MQKmYqNXGK29mj28duWQpQJ72JD2OqyDDwZf2voyk1BOI3myA=root
at remotehost
'
debug1: matching key found: file //.ssh/authorized_keys2, line 1
Found matching DSA key: f7:a2:2d:a0:c0:ee:4c:3f:1e:47:c3:3c:36:11:b8:e9
debug1: restore_uid
debug1: ssh_dss_verify: signature correct
Root login accepted for forced command.
debug2: pam_acct_mgmt() = 0
Accepted publickey for root from 10.100.100.8 port 39955 ssh2
debug1: monitor_child_preauth: root has been authenticated by privileged
process
debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss
ROOT LOGIN REFUSED FROM 10.100.100.8
Failed publickey for root from 10.100.100.8 port 39955 ssh2



__________________________________________________
Do You Yahoo!?
Yahoo! Health - Feel better, live better
http://health.yahoo.com