search for: auth_rhosts_rsa_key_allowed

...rsa', which will not work for host based authentication in /etc/ssh/ssh_known_hosts. In monitor.c, at about line 962 the type of the key passed to key_read() is fixed: case MM_RSAHOSTKEY: key->type = KEY_RSA1; /* XXX */ allowed = options.rhosts_rsa_authentication && auth_rhosts_rsa_key_allowed(authctxt->pw, cuser, chost, key); In addition, the host's IP address is required in the key definition in /etc/ssh/ssh_known_hosts; the symbolic host name won't work. Here's a workaround, that could be included in the documentation: Here's a workaround for the problem....

...options.hostbased_authentication && hostbased_key_allowed(authctxt->pw, cuser, chost, key); + auth_method = "hostbased"; break; case MM_RSAHOSTKEY: key->type = KEY_RSA1; /* XXX */ allowed = options.rhosts_rsa_authentication && auth_rhosts_rsa_key_allowed(authctxt->pw, cuser, chost, key); + auth_method = "rsa"; break; default: fatal("%s: unknown key type %d", __func__, type); @@ -1010,6 +1014,9 @@ mm_answer_keyallowed(int sock, Buffer *m key_blobtype = type; hostbased_cuser = cuser; hostbased_chos...

...rsa', which will not work for host based authentication in /etc/ssh/ssh_known_hosts. In monitor.c, at about line 962 the type of the key passed to key_read() is fixed: case MM_RSAHOSTKEY: key->type = KEY_RSA1; /* XXX */ allowed = options.rhosts_rsa_authentication && auth_rhosts_rsa_key_allowed(authctxt->pw, cuser, chost, key); In addition, the host's IP address is required in the key definition in /etc/ssh/ssh_known_hosts; the symbolic host name won't work. Here's a workaround, that could be included in the documentation: Here's a workaround for the problem....

...should be no security degradation. auth_rsa_key_allowed() is called from auth_rsa() only; auth_rsa_verify_response() is called only from auth_rsa_challenge_dialog(), which in turn is called - either from auth_rsa(), right after auth_rsa_key_allowed() call, - or from auth_rhosts_rsa(), right after auth_rhosts_rsa_key_allowed() call, which already calls auth_key_is_revoked(). As result of this change, auth_rsa_key_allowed() will be called earlier on the auth_rsa() path, before starting challenge-response, which is good, and won't be called second time on the auth_rhosts_rsa() path, which is also good. -- Configur...

...adability. + +$OpenBSD$ Index: auth.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth.h,v retrieving revision 1.58 diff -u -r1.58 auth.h --- auth.h 18 Aug 2006 09:15:20 -0000 1.58 +++ auth.h 15 Nov 2006 14:14:32 -0000 @@ -115,6 +115,7 @@ int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *); int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); int user_key_allowed(struct passwd *, Key *); +int user_cert_key_allowed(struct passwd *, Key *); #ifdef KRB5 int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client,...