openssh-SNAP-20001016

Gert Doering gert at greenie.muc.de
Sat Oct 28 02:20:35 EST 2000


Hi,

On Fri, Oct 27, 2000 at 03:48:13PM +0200, Gert Doering wrote:
> I finally found time today to start hacking SNAP-20001016 on AIX 4.3.3
> today, and my findings are mixed.

OK, news on this.

If compiling without WITH_AIXAUTHENTICATE, things "seem to work" pretty
well (tested protocol 1 only, and only a few things), especially utmp/wtmp
handling doesn't break anything.

I have one problem remaining that puzzles me - we use /etc/hosts.equiv
extensively, and with sshd from OpenSSH 1.2.3 I can log in just fine:

[..]
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying rhosts authentication.
debug: Remote: Accepted for X.Y.Z [172.30.7.7] by /etc/hosts.equiv.
[..]

with the sshd from OpenSSH SNAP-20001016, this doesn't work - both
sshds use the same /etc/sshd_config, just different ports, and
the relevant options are set to "IgnoreRhosts no" and
"RhostsRSAAuthentication yes".  I just get the following in my
client log:

[..]
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 'gd at Y.Z'
debug: Server refused our key.
debug: Doing password authentication.

-> so it seems sshd SNAP-20001016 doesn't even offer rhosts
authentication, no?  (same client machine, same call to ssh, except
the second one has "ssh -p 6022 ...")


Any tips what could cause this, and how to find out why it isn't doing 
rhosts + /etc/hosts.equiv?


Maybe this would be a nice addition for a future release: make the
client print out the authentications that the server does and does not
support, like:

debug: Server refuses rhosts authentication   <<<<<
debug: Trying RSA authentication with key ...

so you know that it's not a client issue but server side.

(After all, there has to be some if() in the client somewhere that
decides whether to print "Trying rhosts authentication"...)

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de
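
Added example, not part of the original message and not OpenSSH code: in SSH protocol 1 the server advertises the authentication methods it supports as a bitmask, and the client tests one bit of that mask before each "Trying ..." line. The sketch below turns that test into the kind of per-method diagnostic suggested above; explain_auth(), demo_buf and both masks are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Method numbers from the SSH protocol 1 specification; the server sets
 * bit (1 << N) in its supported-authentications mask to offer method N. */
enum { SSH_AUTH_RHOSTS = 1, SSH_AUTH_RSA = 2,
       SSH_AUTH_PASSWORD = 3, SSH_AUTH_RHOSTS_RSA = 4 };

static const struct { int num; const char *name; } methods[] = {
    { SSH_AUTH_RHOSTS, "rhosts" }, { SSH_AUTH_RHOSTS_RSA, "rhosts-RSA" },
    { SSH_AUTH_RSA, "RSA" },       { SSH_AUTH_PASSWORD, "password" },
};

static char demo_buf[512];   /* scratch buffer for the demonstration */

/* Hypothetical helper: writes one debug line per method into out and
 * returns the mask of methods the server offers and the client enables. */
unsigned int explain_auth(unsigned int server_mask, unsigned int client_mask,
                          char *out, size_t outlen)
{
    unsigned int usable = 0;
    size_t used = 0, i;

    if (outlen > 0)
        out[0] = '\0';
    for (i = 0; i < sizeof(methods) / sizeof(methods[0]); i++) {
        unsigned int bit = 1u << methods[i].num;
        const char *what = "Trying";

        if (!(server_mask & bit))
            what = "Server refuses";      /* server side: check sshd_config */
        else if (!(client_mask & bit))
            what = "Client disabled";     /* client side: check ssh_config */
        else
            usable |= bit;
        if (used < outlen) {              /* stop appending once truncated */
            int n = snprintf(out + used, outlen - used,
                             "debug: %s %s authentication\n",
                             what, methods[i].name);
            if (n > 0)
                used += (size_t)n;
        }
    }
    return usable;
}

int main(void)
{
    /* Constructed masks: server 0x1c lacks rhosts, client 0x0e lacks rhosts-RSA. */
    explain_auth(0x1c, 0x0e, demo_buf, sizeof(demo_buf));
    fputs(demo_buf, stdout);
    return 0;
}
```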




