Vikash Badal - PCS
2003-Jul-09 08:12 UTC
OpenSSH 3.6.1p2 ON SCO 3.2v4.2 + STRICTMODES -->yes
Greetings,

I have compiled OpenSSH-3.6.1p2 on SCO 3.2v4.2 and the following problem occurs:

I am unable to login as root using when strictmode is set to yes.

output of debug:

Failed none for root from 192.168.1.1 port 1199 ssh2
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method publickey
debug1: test whether pkalg/pkblob are acceptable
debug1: trying public key file //.ssh/authorized_keys
debug3: secure_filename: checking '/.ssh'
debug3: secure_filename: checking ''
Authentication refused: bad ownership or modes for directory
debug1: trying public key file //.ssh/authorized_keys2
debug3: secure_filename: checking '/.ssh'
debug3: secure_filename: checking ''
Authentication refused: bad ownership or modes for directory

It seems that the final check is searching for a non-existent directory, with OpenSSH 3.5p1 this problem does not exist.

Please advise.

Vikash
Vikash Badal - PCS <VikashB at ComparexAfrica.co.za> writes:

> Greetings,
>
> I have compiled OpenSSH-3.6.1p2 on SCO 3.2v4.2 and
> the following problem occurs:
>
> I am unable to login as root using when strictmode is set to yes.
>
> output of debug:
>
> Failed none for root from 192.168.1.1 port 1199 ssh2
> debug1: userauth-request for user root service ssh-connection method
> publickey
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method publickey
> debug1: test whether pkalg/pkblob are acceptable
> debug1: trying public key file //.ssh/authorized_keys
> debug3: secure_filename: checking '/.ssh'
> debug3: secure_filename: checking ''
> Authentication refused: bad ownership or modes for directory
> debug1: trying public key file //.ssh/authorized_keys2
> debug3: secure_filename: checking '/.ssh'
> debug3: secure_filename: checking ''
> Authentication refused: bad ownership or modes for directory
>
> It seems that the final check is searching for a non-existent directory,
> with OpenSSH 3.5p1 this problem does not exist.
>

It's not detecting broken dirname/basename. ISTR I put a ticket into bugzilla for it (Solaris 2.5.1 is similarly busted), but I can't seem to reach bugzilla.mindrot.org at the moment.

This was my workaround - it worked for Solaris 2.5.1, no idea about others. I don't believe this is the right fix though:

--- configure.ac 2003/04/29 09:12:08 1.1.1.10 +++ configure.ac 2003/05/09 12:43:25 1.10 @@ -389,7 +389,7 @@ # Checks for header files. AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \ - getopt.h glob.h ia.h lastlog.h libgen.h limits.h login.h \ + getopt.h glob.h ia.h lastlog.h limits.h login.h \ login_cap.h maillock.h netdb.h netgroup.h \ netinet/in_systm.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ 
@@ -410,9 +410,6 @@ fi fi -AC_CHECK_FUNC(getspnam, , - AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")) - AC_ARG_WITH(rpath, [ --without-rpath Disable auto-added -R linker paths], [ @@ -622,7 +619,6 @@ ) AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) -AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) dnl Make sure strsep prototype is defined before defining HAVE_STRSEP AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)]) @@ -663,6 +659,10 @@ fi ]) ]) + +AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) +AC_CHECK_FUNC(getspnam, , + AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")) dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) -- Alex Kiernan, Principal Engineer, Development, THUS plc
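Review bot: Dropping libgen.h from the AC_CHECK_HEADERS list in the first hunk (@@ -389,7 +389,7 @@) is unconditional, so the header check disappears on every platform and not only on those where dirname/basename misbehave. A configure test that exercises dirname and skips libgen only when the result is wrong would confine the change to the affected systems; at minimum the hunk needs a comment saying why libgen.h is left out.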
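Review bot: The relocated AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) in the last hunk (@@ -663,6 +659,10 @@) still defines HAVE_BASENAME from libgen, which is inconsistent with dropping libgen.h if basename is suspected to be broken along with dirname. The move of this line and of the getspnam/-lgen check also carries no comment on which earlier checks must run before -lgen is added to LIBS; add one so the ordering is not undone later.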
Vikash Badal - PCS
2003-Jul-10 04:24 UTC
OpenSSH 3.6.1p2 ON SCO 3.2v4.2 + STRICTMODES -->yes
> -----Original Message-----
> From: Paul L. Allen [mailto:paul.l.allen at boeing.com]
> Sent: 09 July 2003 07:11
> To: Vikash Badal - PCS
> Subject: Re: OpenSSH 3.6.1p2 ON SCO 3.2v4.2 + STRICTMODES -->yes
>
>
> Vikash Badal - PCS wrote:
> > Greetings,
> >
> > I have compiled OpenSSH-3.6.1p2 on SCO 3.2v4.2 and
> > the following problem occurs:
> >
> > I am unable to login as root using when strictmode is set to yes.
> >
> > output of debug:
> >
> > Failed none for root from 192.168.1.1 port 1199 ssh2
> > debug1: userauth-request for user root service ssh-connection method
> > publickey
> > debug1: attempt 1 failures 1
> > debug2: input_userauth_request: try method publickey
> > debug1: test whether pkalg/pkblob are acceptable
> > debug1: trying public key file //.ssh/authorized_keys
> > debug3: secure_filename: checking '/.ssh'
> > debug3: secure_filename: checking ''
> > Authentication refused: bad ownership or modes for directory
> > debug1: trying public key file //.ssh/authorized_keys2
> > debug3: secure_filename: checking '/.ssh'
> > debug3: secure_filename: checking ''
> > Authentication refused: bad ownership or modes for directory
> >
> > It seems that the final check is searching for a non-existent directory,
> > with OpenSSH 3.5p1 this problem does not exist.
> >
> > Please advise.
>
> The error you're getting is "bad ownership or modes". For completeness,
> you should say what the permissions are on root's /.ssh directory and
> on the authorized_keys and authorized_keys2 files inside it.
>
> Paul Allen

The permissions are :

[root at sco]: / # ls -ld / /.ssh /.ssh/auth*
drwxr-xr-x 19 root bin 672 Jul 09 09:23 /
drwxr-xr-x 2 root other 272 Jul 08 10:20 /.ssh
-rw------- 1 root other 2670 Jul 08 10:20 /.ssh/authorized_keys
-rw------- 1 root other 4243 Jul 08 10:20 /.ssh/authorized_keys2
[root at sco]: / #

As you can see these perms are okay.
Vikash Badal - PCS
2003-Jul-10 06:00 UTC
OpenSSH 3.6.1p2 ON SCO 3.2v4.2 + STRICTMODES -->yes
Greetings,

> -----Original Message-----
> From: Paul L. Allen [mailto:paul.l.allen at boeing.com]
> Sent: 10 July 2003 07:50
> To: Vikash Badal - PCS
> Subject: Re: OpenSSH 3.6.1p2 ON SCO 3.2v4.2 + STRICTMODES -->yes
>
>
> Vikash Badal - PCS wrote:
> >
> > > -----Original Message-----
> > > From: Paul L. Allen [mailto:paul.l.allen at boeing.com]
> > [...]
> > > The error you're getting is "bad ownership or modes". For
> > > completeness,
> > > you should say what the permissions are on root's /.ssh directory and
> > > on the authorized_keys and authorized_keys2 files inside it.
> > >
> > > Paul Allen
> > The permissions are :
> > [root at sco]: / # ls -ld / /.ssh /.ssh/auth*
> > drwxr-xr-x 19 root bin 672 Jul 09 09:23 /
> > drwxr-xr-x 2 root other 272 Jul 08 10:20 /.ssh
> > -rw------- 1 root other 2670 Jul 08 10:20 /.ssh/authorized_keys
> > -rw------- 1 root other 4243 Jul 08 10:20 /.ssh/authorized_keys2
> > [root at sco]: / #
> >
> > As you can see these perms are okay.
>
> I'm pretty sure it wants the directory to be secure as well. Try
> setting /.ssh to 0700 and see if it helps. If it doesn't, you may
> have a bug.
>
> Good luck!
>
> Paul

Tried setting /.ssh to 700 still no success:

debug1: trying public key file //.ssh/authorized_keys2
debug3: secure_filename: checking '/.ssh'
debug3: secure_filename: checking ''
Authentication refused: bad ownership or modes for directory
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for root from 192.168.1.1 port 1119 ssh2
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=root devs
debug1: kbdint_alloc: devices ''
debug2: auth2_challenge_start: devices
Failed keyboard-interactive for root from 192.168.1.1 port 1119 ssh2
Connection closed by 192.168.1.1
debug1: Calling cleanup 0x24104(0x0)

[root at sco]: /usr/home/dev/openssh-3.6.1p2 # ls -ld / /.ssh /.ssh/auth*
drwxr-xr-x 19 root bin 672 Jul 09 09:23 /
drwx------ 2 root other 272 Jul 08 10:20 /.ssh
-rw------- 1 root other 2670 Jul 08 10:20 /.ssh/authorized_keys
-rw------- 1 root other 4243 Jul 08 10:20 /.ssh/authorized_keys2
[root at sco]: /usr/home/dev/openssh-3.6.1p2 #

The line "debug3: secure_filename: checking ''" seems to be the problem. It's checking for a non existent file.

On Unixware 7.1.1 and Openserver, that line is
==>debug3: secure_filename: checking '/'<=

Vikash
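
The difference between "checking ''" and "checking '/'" in the debug output above is what a parent-directory walk produces when dirname returns an empty string for a top-level directory. The following is an added example, not OpenSSH source and not code from anyone in this thread; the function names are hypothetical, broken_dirname is a constructed stand-in for the faulty libgen routine, and /etc/passwd is a constructed sample path.

```c
/* Added example: simplified model of a StrictModes-style parent walk. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
typedef void (*dirname_fn)(const char *path, char *out, size_t n);

/* Expected behaviour: the parent of "/.ssh" is "/". */
static void good_dirname(const char *p, char *out, size_t n) {
    const char *s = strrchr(p, '/');
    if (s == NULL)   snprintf(out, n, ".");
    else if (s == p) snprintf(out, n, "/");
    else             snprintf(out, n, "%.*s", (int)(s - p), p);
}

/* Constructed stand-in for a faulty dirname: it cuts at the last '/'
 * and forgets that the root must remain, so "/.ssh" becomes "". */
static void broken_dirname(const char *p, char *out, size_t n) {
    const char *s = strrchr(p, '/');
    snprintf(out, n, "%.*s", s ? (int)(s - p) : 0, p);
}

/* Pass if dir exists, is owned by root or uid, and is not group/world writable. */
static int dir_ok(const char *dir, uid_t uid) {
    struct stat st;
    if (stat(dir, &st) < 0 || !S_ISDIR(st.st_mode)) return 0;
    return (st.st_uid == 0 || st.st_uid == uid) && (st.st_mode & 022) == 0;
}

/* Check each parent of file up to "/". Returns 0 if all pass, -1 at the
 * first refusal; bad then holds the directory name that was refused. */
static int strict_walk(const char *file, uid_t uid, dirname_fn dn, char *bad, size_t n) {
    char cur[1024];
    snprintf(cur, sizeof cur, "%s", file);
    for (;;) {
        dn(cur, bad, n);
        printf("checking '%s'\n", bad);
        if (!dir_ok(bad, uid)) return -1;       /* stat("") fails here */
        if (strcmp(bad, "/") == 0 || strcmp(bad, ".") == 0) return 0;
        snprintf(cur, sizeof cur, "%s", bad);
    }
}

int main(void) {
    char bad[1024];
    int g = strict_walk("/etc/passwd", 0, good_dirname, bad, sizeof bad);
    int b = strict_walk("/etc/passwd", 0, broken_dirname, bad, sizeof bad);
    printf("good: %d, broken: %d (refused '%s')\n", g, b, bad);
    return 0;
}
```

With the faulty routine the walk is refused whatever the real permissions are, because the empty name never resolves to a directory.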