openssh-2.3.0p1 (Linux) fails using options with dss key

Peter Lister P.Lister at sychron.com
Thu Dec 7 00:04:06 EST 2000


I'm trying to change my local setup from ssh2 to openssh-2.3.0p1. I need
captive commands and specific environments for each key, i.e. the
"command=XXX" and "environment=X=y" options. Unfortunately I *also* need
to support the existing ssh2 client for a transition period, since it's
impractical to change all users' environments to openssh in one go.

I have converted the ssh2 public keys OK (see appended
authorized_keys2), and WITHOUT OPTIONS I can log in as normal, with the
key in authorized_keys2. But as soon as I put options in before
"ssh-dss" in authorized_keys2, the connection fails.

I append logs of successful and failed connections - the only difference
is whether the environment option is set. As you can see, even
during a failure the server seems to parse the file OK and finds a
matching key on line 3 of authorized_keys2, but then dies for no
apparent reason. It seems that this is an openssh server problem, as the
client should not be aware of what is going on on the server side, and
the failure seems to be before the authentication.

NB - the sshd man page does not seem to know about the ssh-dss keys (it
states that all keys begin with numbers, which is clearly not so for dss
keys) so I don't know for certain that this is right - an example would
be useful.
-------------- next part --------------
/usr/local/bin/ssh bennevis -v -p 1022
Development-time debugging not compiled in.
To enable, configure with --enable-debug and recompile.
debug: connecting to bennevis...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: ssh_client_wrap: creating userauth protocol
debug: Remote version: SSH-1.99-OpenSSH_2.3.0p1
debug: Host key found from the database.
FATAL: ssh_conn_received_packet: bad DISCONNECT
-------------- next part --------------
/usr/sbin/sshd -p 1022 -d
debug1: sshd version OpenSSH_2.3.0p1
debug1: Seeding random number generator
debug1: read DSA private key done
debug1: Seeding random number generator
debug1: Bind to port 1022 on 0.0.0.0.
Server listening on 0.0.0.0 port 1022.
Generating 768 bit RSA key.
debug1: Seeding random number generator
debug1: Seeding random number generator
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 62.232.14.113 port 3589
debug1: Client protocol version 1.99; client software version 2.0.13 (non-commercial)
debug1: match: 2.0.13 (non-commercial) pat ^2\.0\.

Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group1-sha1
debug1: got kexinit: ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,none
debug1: got kexinit: 3des-cbc,blowfish-cbc,none
debug1: got kexinit: hmac-md5,md5-8,none
debug1: got kexinit: hmac-md5,md5-8,none
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 1
debug1: reserved: 0
debug1: done
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: bits set: 514/1024
debug1: bits set: 515/1024
debug1: sig size 20 20
debug1: datafellows
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: userauth-request for user prl service ssh-connection method none
debug1: attempt #1
Failed none for prl from 62.232.14.113 port 3589 ssh2
debug1: userauth-request for user prl service ssh-connection method publickey
debug1: attempt #2
debug1: test whether pkalg/pkblob are acceptable
debug1: Adding to environment: ONE=two
debug1: matching key found: file /users/prl/.ssh/authorized_keys2, line 1
Postponed publickey for prl from 62.232.14.113 port 3589 ssh2
fatal: Read from socket failed: Broken pipe
debug1: Calling cleanup 0x805d608(0x0)

-------------- next part --------------
/usr/local/bin/ssh bennevis -v -p 1022
Development-time debugging not compiled in.
To enable, configure with --enable-debug and recompile.
debug: connecting to bennevis...
debug: entering event loop
FATAL: Connecting to bennevis failed: Connection Refused
[prl at tomintoul ~]$ /usr/local/bin/ssh bennevis -v -p 1022
Development-time debugging not compiled in.
To enable, configure with --enable-debug and recompile.
debug: connecting to bennevis...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: ssh_client_wrap: creating userauth protocol
debug: Remote version: SSH-1.99-OpenSSH_2.3.0p1
debug: Host key found from the database.
debug: Ssh2AuthPubKeyClient/authc-pubkey.c:368/ssh_client_auth_pubkey_send_signature: ssh_client_auth_pubkey_send_signature
debug: Ssh2/ssh2.c:304/client_authenticated: client_authenticated
debug: Requesting X11 forwarding with authentication spoofing.
Last login: Wed Dec  6 12:31:59 2000 from tomintoul.sychron.com
Environment:
  USER=prl
  LOGNAME=prl
  HOME=/users/prl
  PATH=/usr/bin:/bin:/usr/sbin:/sbin
  MAIL=/var/spool/mail/prl
  SHELL=/bin/tcsh
  SSH_CLIENT=62.232.14.113 3596 1022
  SSH_TTY=/dev/ttyp2
  TERM=xterm
[prl at bennevis ~]$
-------------- next part --------------
/usr/sbin/sshd -p 1022 -d
debug1: sshd version OpenSSH_2.3.0p1
debug1: Seeding random number generator
debug1: read DSA private key done
debug1: Seeding random number generator
debug1: Bind to port 1022 on 0.0.0.0.
Server listening on 0.0.0.0 port 1022.
Generating 768 bit RSA key.
debug1: Seeding random number generator
debug1: Seeding random number generator
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 62.232.14.113 port 3596
debug1: Client protocol version 1.99; client software version 2.0.13 (non-commercial)
debug1: match: 2.0.13 (non-commercial) pat ^2\.0\.

Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group1-sha1
debug1: got kexinit: ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,none
debug1: got kexinit: 3des-cbc,blowfish-cbc,none
debug1: got kexinit: hmac-md5,md5-8,none
debug1: got kexinit: hmac-md5,md5-8,none
debug1: got kexinit: none,zlib
debug1: got kexinit: none,zlib
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 1
debug1: reserved: 0
debug1: done
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: Wait SSH2_MSG_KEXDH_INIT.
debug1: bits set: 499/1024
debug1: bits set: 525/1024
debug1: sig size 20 20
debug1: datafellows
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: userauth-request for user prl service ssh-connection method none
debug1: attempt #1
Failed none for prl from 62.232.14.113 port 3596 ssh2
debug1: userauth-request for user prl service ssh-connection method publickey
debug1: attempt #2
debug1: test whether pkalg/pkblob are acceptable
debug1: matching key found: file /users/prl/.ssh/authorized_keys2, line 2
Postponed publickey for prl from 62.232.14.113 port 3596 ssh2
debug1: userauth-request for user prl service ssh-connection method publickey
debug1: attempt #3
debug1: matching key found: file /users/prl/.ssh/authorized_keys2, line 2
debug1: len 40 datafellows 31
debug1: dsa_verify: signature correct
Accepted publickey for prl from 62.232.14.113 port 3596 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 10000 max 512
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: confirm session
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request pty-req reply 0
debug1: session_pty_req: session 0 alloc /dev/ttyp2
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request x11-req reply 0
debug1: X11 forwarding disabled in server configuration file.
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request auth-agent-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request shell reply 1
debug1: fd 7 setting O_NONBLOCK
debug1: fd 3 IS O_NONBLOCK
debug1: Setting controlling tty using TIOCSCTTY.
-------------- next part --------------
#environment="ONE=two"
ssh-dss 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
-------------- next part --------------
Peter Lister         P.Lister at sychron.com    PGP (RSA): 0xE4D85541
Sychron Ltd          http://www.sychron.com  PGP (DSS): 0xBC1D7258
1 Cambridge Terrace  Voice: +44 1865 200211
Oxford OX1 1UR  UK   FAX:   +44 1865 249666
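As an added example (not from the original post and not OpenSSH's own code), a small Python checker for authorized_keys2 lines: it shows how an options field is told apart from the two key formats the author contrasts (RSA1 lines that start with a number versus SSH2 lines that start with "ssh-dss"), that a quoted value such as environment="ONE=two" carries a literal "=" and may contain commas or spaces, and that the type string inside the base64 blob must match the declared key type. The key blob, command path and comment are constructed placeholders.

```python
import base64


def parse_options(text):
    # 'k=v,k2="a,b"' -> dict; commas inside double quotes are literal
    opts, cur, quoted, it = {}, "", False, iter(text + ",")
    for ch in it:
        if quoted and ch == "\\":
            cur += next(it, "")  # escaped character inside a quoted value
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            if cur:
                key, _, val = cur.partition("=")
                opts[key] = val
            cur = ""
        else:
            cur += ch
    if quoted or cur:
        raise ValueError("malformed options field: " + text)
    return opts


def parse_authorized_key(line):
    # Returns (options, keytype).  Options are present only when the first token
    # is neither a number (RSA1: bits exponent modulus) nor an SSH2 key type.
    first = line.split(None, 1)[0]
    options = {}
    if not first[0].isdigit() and first not in ("ssh-dss", "ssh-rsa"):
        i, quoted = 0, False  # options end at the first unquoted whitespace
        while i < len(line) and (quoted or not line[i].isspace()):
            if quoted and line[i] == "\\":
                i += 1
            elif line[i] == '"':
                quoted = not quoted
            i += 1
        options, line = parse_options(line[:i]), line[i:].lstrip()
    fields = line.split()
    if fields[0][0].isdigit():
        return options, "ssh-rsa1"
    blob = base64.b64decode(fields[1])
    embedded = blob[4:4 + int.from_bytes(blob[:4], "big")].decode("ascii")
    if embedded != fields[0]:  # the blob's own type string must match
        raise ValueError("declared %s but blob contains %s" % (fields[0], embedded))
    return options, fields[0]


# Constructed placeholder ssh-dss blob (type string plus dummy mpints): NOT a real key.
DUMMY_BLOB = b"".join(len(s).to_bytes(4, "big") + s for s in (b"ssh-dss", b"\x05", b"\x03"))
KEY_B64 = base64.b64encode(DUMMY_BLOB).decode()
SAMPLE_LINE = 'environment="ONE=two",command="/bin/captive -x",no-pty ssh-dss ' + KEY_B64
MISMATCH_LINE = "ssh-rsa " + KEY_B64  # declared ssh-rsa but the blob says ssh-dss
```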