Mike Rose
2004-Aug-24 08:30 UTC
Possible problem with hostbased protocol 1 rhosts authentication
I found this problem when working with the Suse9.1 distribution, but have since reproduced it with a vanilla build of Openssh (openssh-3.9p1.tar.gz). Basically I cannot get a command like this: XXXX>ssh -vvv -1 -o "RhostsAuthentication yes" AAAA to work. Yes the appropriate settings are in the servers sshd_config file. Hostbased protocol 1 ssh using rhosts between computers is something we normally do as we have some Dec Alphas, otherwise we would only be using protocol 2 which is fine for hostbased authent using rhosts. " ssh -vvv -1 -o "RhostsAuthentication yes" AAAA OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug2: ssh_connect: needpriv 1 debug1: Connecting to AAAA [AAAA] port 22. debug1: Allocated local port 1023. debug1: Connection established. debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /u/XXXXXX/mr/.ssh/identity type -1 debug1: Remote protocol version 1.5, remote software version 1.2.27 debug1: no match: 1.2.27 debug1: Local version string SSH-1.5-OpenSSH_3.8p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts debug3: check_host_in_hostfile: match line 73 debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts debug3: check_host_in_hostfile: match line 73 debug1: Host 'AAAA' is known and matches the RSA1 host key. debug1: Found key in /u/XXXXXX/mr/.ssh/known_hosts:73 debug1: Encryption type: 3des debug1: Sent encrypted session key. debug2: cipher_init: set keylen (16 -> 32) debug2: cipher_init: set keylen (16 -> 32) debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. debug1: Doing password authentication. mr at tcm30's password: " # This is ssh server systemwide configuration file. " Port 22 ListenAddress 0.0.0.0 HostKey /etc/ssh_host_key RandomSeed /etc/ssh_random_seed ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 7200 PermitRootLogin yes IgnoreRhosts no StrictModes yes QuietMode no X11Forwarding yes X11DisplayOffset 10 FascistLogging no PrintMotd yes KeepAlive yes SyslogFacility DAEMON RhostsAuthentication yes RhostsRSAAuthentication yes RSAAuthentication no PasswordAuthentication yes PermitEmptyPasswords no UseLogin no " The rest of the detail is in the attached text file. I hope that is enough info. regards, Mike Rose -------------- next part -------------- . How to reproduce: XXXXX:~> ssh -vvv -1 -o "RhostsAuthentication yes" AAAA OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004 debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug2: ssh_connect: needpriv 1 debug1: Connecting to AAAA [AAAA] port 22. debug1: Allocated local port 1023. debug1: Connection established. debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /u/XXXXXX/mr/.ssh/identity type -1 debug1: Remote protocol version 1.5, remote software version 1.2.27 debug1: no match: 1.2.27 debug1: Local version string SSH-1.5-OpenSSH_3.8p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts debug3: check_host_in_hostfile: match line 73 debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts debug3: check_host_in_hostfile: match line 73 debug1: Host 'AAAA' is known and matches the RSA1 host key. debug1: Found key in /u/XXXXXX/mr/.ssh/known_hosts:73 debug1: Encryption type: 3des debug1: Sent encrypted session key. debug2: cipher_init: set keylen (16 -> 32) debug2: cipher_init: set keylen (16 -> 32) debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. debug1: Doing password authentication. mr at tcm30's password: 2. This is not working: rhosts based ssh using protocol 1. 3. Error messages and logfiles The server is setup to accept hostbased authentication using rhosts: sshd_config (from DEC Alpha): " # This is ssh server systemwide configuration file. Port 22 ListenAddress 0.0.0.0 HostKey /etc/ssh_host_key RandomSeed /etc/ssh_random_seed ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 7200 PermitRootLogin yes IgnoreRhosts no StrictModes yes QuietMode no X11Forwarding yes X11DisplayOffset 10 FascistLogging no PrintMotd yes KeepAlive yes SyslogFacility DAEMON RhostsAuthentication yes RhostsRSAAuthentication yes RSAAuthentication no PasswordAuthentication yes PermitEmptyPasswords no UseLogin no " The ssh_config file on the client: " # This is the ssh client system-wide configuration file. See ssh(1) # for more information. This file provides defaults for users, and # the values can be changed in per-user configuration files or on the # command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for various options # Host * # ForwardAgent no # ForwardX11 no # RhostsAuthentication yes # RhostsRSAAuthentication yes # RSAAuthentication yes # PasswordAuthentication yes # FallBackToRsh no # UseRsh no # BatchMode no # CheckHostIP yes StrictHostKeyChecking no UsePrivilegedPort yes # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_rsa # IdentityFile ~/.ssh/id_dsa # Port 22 # Protocol 2,1 # Cipher 3des # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc # EscapeChar ~ Host * ForwardX11 yes # For version 2 hostbased authent using .rhosts/.shosts + known_host entry. HostbasedAuthentication yes ForwardX11Trusted yes # For version 1 hostbased authentication to work UsePrivilegedPort yes " rhosts based authent also does not work with protocol 1 from a Suse 9.1 computer to a suse 9.1 computer. sshd_config on suse ssh server: " # This is the sshd server system-wide configuration file. See sshd(8) # for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value. # Changes start here, mr349, 07/01/2004 #Port 22 #Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress :: # HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 3600 #ServerKeyBits 768 # Logging #obsoletes QuietMode and FascistLogging # Use AUTH mode so that ssh messages go into /var/log/messages SyslogFacility AUTH #SyslogFacility AUTHPRIV #LogLevel INFO # Authentication: #LoginGraceTime 600 #PermitRootLogin yes #StrictModes yes #RSAAuthentication yes # We do not like this one to be turned on. PubkeyAuthentication no #AuthorizedKeysFile .ssh/authorized_keys # Read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts no # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # (enabled in TCM) RhostsRSAAuthentication yes # similar for protocol version 2 # (enabled in TCM) HostbasedAuthentication yes # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication # IgnoreUserKnownHosts no # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options # KerberosAuthentication automatically enabled if keyfile exists #KerberosAuthentication yes #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # AFSTokenPassing automatically enabled if k_hasafs() is true #AFSTokenPassing yes # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no # Set this to 'yes' to enable PAM keyboard-interactive authentication # Warning: enabling this may bypass the setting of 'PasswordAuthentication' #PAMAuthenticationViaKbdInt yes #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #KeepAlive yes #UseLogin no #MaxStartups 10 # no default banner path #Banner /some/path #VerifyReverseMapping no # override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server " snippet from /var/adm/messages (on Dec Alpha): " Aug 24 09:05:41 AAAA sshd[126034]: connect from XXXX Aug 24 09:05:41 AAAA sshd[126034]: log: Connection from XXXX port 38875 Aug 24 09:06:06 AAAA sshd[126034]: fatal: Connection closed by remote host. " Our Redhat 7.3 version of Openssh (the ssh exe) happily does protocol 1 hostbased authent from an RH7.3 computer to a DEC Alpha or from a RH7.3 computer to a Suse 9.1 computer. In addition to this if I use the RH7.3 ssh executable on a Suse 9.1 computer and ssh using protocol 1 to a RH7.3 computer or a DEC Alpha: " XXXX:/temp/mr> ./ssh -1 -v -F ./ssh_config BBBB OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x009060df debug1: Reading configuration data ./ssh_config debug1: restore_uid debug1: ssh_connect: getuid 500 geteuid 0 anon 0 debug1: Connecting to BBBB [BBBB] port 22. debug1: Allocated local port 1020. debug1: temporarily_use_uid: 500/266 (e=0) debug1: restore_uid debug1: Connection established. debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /u/blah/mr/.ssh/identity type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1 debug1: match: OpenSSH_3.1p1 pat OpenSSH* debug1: Local version string SSH-1.5-OpenSSH_3.1p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). debug1: Host 'BBBB' is known and matches the RSA1 host key. debug1: Found key in /u/blah/mr/.ssh/known_hosts:35 debug1: Encryption type: 3des debug1: Sent encrypted session key. debug1: cipher_init: set keylen (16 -> 32) debug1: cipher_init: set keylen (16 -> 32) debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. debug1: Trying rhosts authentication. debug1: Remote: Accepted for XXXX [XXXX] by /etc/hosts.equiv. debug1: Requesting pty. debug1: Requesting X11 forwarding with authentication spoofing. debug1: fd 3 setting TCP_NODELAY debug1: Requesting shell. debug1: Entering interactive session. Last login: Tue Aug 24 09:12:45 2004 from XXXX Unauthorised access forbidden (Computer Misuse Act 1990) All IT Syndicate Rules apply to this system Red Hat Linux release 7.3 (Valhalla) Linux 2.4.20-34.7.legacy BBBB:~> " The rh7.3 ssh executable will also perform protocol hostbased authent from a Suse9.1 computer to a Suse9.1 computer: " XXXX>./ssh -1 -v -F ./ssh_config BBBB OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x009060df debug1: Reading configuration data ./ssh_config debug1: restore_uid debug1: ssh_connect: getuid 500 geteuid 0 anon 0 debug1: Connecting to BBBB [BBBB] port 22. debug1: Allocated local port 1018. debug1: temporarily_use_uid: 500/266 (e=0) debug1: restore_uid debug1: Connection established. debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /u/blah/mr/.ssh/identity type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8p1 debug1: match: OpenSSH_3.8p1 pat OpenSSH* debug1: Local version string SSH-1.5-OpenSSH_3.1p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). debug1: Host 'BBBB' is known and matches the RSA1 host key. debug1: Found key in /u/blah/mr/.ssh/known_hosts:71 debug1: Encryption type: 3des debug1: Sent encrypted session key. debug1: cipher_init: set keylen (16 -> 32) debug1: cipher_init: set keylen (16 -> 32) debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication. debug1: Remote: Accepted for XXXX [::ffff:XXXX] by /etc/hosts.equiv. debug1: Received RSA challenge for host key from server. debug1: Sending response to host key RSA challenge. debug1: Remote: Rhosts with RSA host authentication accepted. debug1: Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server. debug1: Requesting pty. debug1: Requesting X11 forwarding with authentication spoofing. debug1: fd 3 setting TCP_NODELAY debug1: Requesting shell. debug1: Entering interactive session. Last login: Tue Aug 24 09:15:42 2004 from XXXX Unauthorised access forbidden (Computer Misuse Act 1990) All IT Syndicate Rules apply to this system Suse Linux release 9.1 " Maybe this is a problem with the newer version of Openssh??
Iain Morgan
2004-Aug-24 16:01 UTC
Possible problem with hostbased protocol 1 rhosts authentication
On Tue Aug 24 01:30:10 2004, Mike Rose wrote:> > I found this problem when working with the Suse9.1 distribution, but have > since reproduced it with a vanilla build of Openssh > (openssh-3.9p1.tar.gz). Basically I cannot get a command like this: > > XXXX>ssh -vvv -1 -o "RhostsAuthentication yes" AAAA > > to work. Yes the appropriate settings are in the servers sshd_config file. > > Hostbased protocol 1 ssh using rhosts between computers is something we > normally do as we have some Dec Alphas, otherwise we would only be using > protocol 2 which is fine for hostbased authent using rhosts.Do you mean RhostsRSAAuthentication? I believe that RhostsAuthentication was dropped some time ago. Also, note that the ssh binary is no longer setuid root. (It hasn't been for quite some time.) For version 2, ssh uses the setuid root binary, ssh-keysign, when doing Hostbased authentication. However, ssh does not use this binary when using protocol 1. To use RhostsRSAAuthentication for any user other than root, you must make the ssh binary setuid root and accept any risks therof.> > " > ssh -vvv -1 -o "RhostsAuthentication yes" AAAA > OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004 > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Applying options for * > debug2: ssh_connect: needpriv 1 > debug1: Connecting to AAAA [AAAA] port 22. > debug1: Allocated local port 1023. > debug1: Connection established. > debug1: read PEM private key done: type DSA > debug1: read PEM private key done: type RSA > debug1: identity file /u/XXXXXX/mr/.ssh/identity type -1 > debug1: Remote protocol version 1.5, remote software version 1.2.27 > debug1: no match: 1.2.27 > debug1: Local version string SSH-1.5-OpenSSH_3.8p1 > debug1: Waiting for server public key. > debug1: Received server public key (768 bits) and host key (1024 bits). > debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts > debug3: check_host_in_hostfile: match line 73 > debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts > debug3: check_host_in_hostfile: match line 73 > debug1: Host 'AAAA' is known and matches the RSA1 host key. > debug1: Found key in /u/XXXXXX/mr/.ssh/known_hosts:73 > debug1: Encryption type: 3des > debug1: Sent encrypted session key. > debug2: cipher_init: set keylen (16 -> 32) > debug2: cipher_init: set keylen (16 -> 32) > debug1: Installing crc compensation attack detector. > debug1: Received encrypted confirmation. > debug1: Doing password authentication. > mr at tcm30's password: > " > > # This is ssh server systemwide configuration file. > " > Port 22 > ListenAddress 0.0.0.0 > HostKey /etc/ssh_host_key > RandomSeed /etc/ssh_random_seed > ServerKeyBits 768 > LoginGraceTime 600 > KeyRegenerationInterval 7200 > PermitRootLogin yes > IgnoreRhosts no > StrictModes yes > QuietMode no > X11Forwarding yes > X11DisplayOffset 10 > FascistLogging no > PrintMotd yes > KeepAlive yes > SyslogFacility DAEMON > RhostsAuthentication yes > RhostsRSAAuthentication yes > RSAAuthentication no > PasswordAuthentication yes > PermitEmptyPasswords no > UseLogin no > " > > > The rest of the detail is in the attached text file. > > > I hope that is enough info. > > regards, > > Mike Rose-- Iain Morgan NAS Desktop Support Group
Reasonably Related Threads
- [Bug 281] New: unable to authorize with local shadow password
- [Bug 342] New: RhostsRSAAuthentication does not work with 3.4p1
- [Bug 176] New: OpenSSH_3.1p1 gives X_ShmAttach error on forwarded X11 channel
- Problems with RhostRSAAuthecntication and UsePrivilegeSeparation (RH9, 2.4.20-42.9.legacybigmem)
- kerberosIV authentication is broken in openssh-3.4p1