Call for testing for coming 2.9 release.

Pekka Savola pekkas at netcore.fi
Wed Apr 25 05:09:58 EST 2001


On Tue, 24 Apr 2001 mouring at etoh.eviladmin.org wrote:
> If we can get people to test their platforms against the last snapshot/cvs
> tree I'd be grateful. (http://www.openssh.com/portable.html)

[ IMO, lots of this is also worth a read for Markus and the rest of the
original OpenSSH folks ]

Tested on RHL62 and RHL71, built an RPM of the snapshot.

There is zero man page documentation for HostbasedAuthentication, either
in ssh.1 or sshd.8.  This has to be fixed.  Some experimental features
like HostbasedUsesNameFromPacketOnly might be left out, but the main
procedure and the files involved should be added.

HostbasedAuthentication does not seem to consider files like shosts.equiv,
just ~/.shosts.  This is a serious shortcoming in campus-like computing
environments, where traditionally hosts.equiv etc. are used.  The new
functionality could be easily added, just a few extra checks, I think.

hostbased auth in ssh client is tried after password.  Should this be
reversed (at least when this is more tested)?

You can also gather data from the server configuration, like:
---
[...]
debug1: next auth method to try is hostbased
debug1: sig size 20 20
debug1: Remote: Server has been configured to ignore .shosts.
debug1: authentications that can continue: publickey,password,hostbased
debug1: Remote: Server has been configured to ignore .shosts.
[...]
---

Is this notification a feature of the protocol, or some extra information
sshd gives?  Some people might call this an unnecessary disclosure (I'm
not too concerned though), and this has its uses.

With:

$ ssh -o HostbasedAuthentication=yes -o PasswordAuthentication=no -v pekkas@netcore.fi

---
[...]
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: /home/psavola/.ssh/id_rsa
debug1: try pubkey: /home/psavola/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,hostbased
debug1: next auth method to try is hostbased
debug1: sig size 20 20
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: publickey,password,hostbased
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: publickey,password,hostbased
debug1: no more auth methods to try
Permission denied (publickey,password,hostbased).
debug1: Calling cleanup 0x8063580(0x0)
[...]
---

Somehow the hostbased ends up being refused after all; dunno why (can't
run sshd -d -d -d at the moment).  HostbasedAuthentication is enabled in
sshd_config.

Also: shouldn't the list of authentications that can continue reduce when
previous ones fail or does this list have some other meaning?  What I
mean, is the output like:

---
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: /home/psavola/.ssh/id_rsa
debug1: try pubkey: /home/psavola/.ssh/id_dsa
debug1: authentications that can continue: hostbased
debug1: next auth method to try is hostbased
debug1: sig size 20 20
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: hostbased
debug1: Remote: Accepted by .shosts.
debug1: authentications that can continue: [none]
debug1: no more auth methods to try
---

Also, perhaps it might be a good idea to remove noreplace from sshd_config
in contrib/redhat/openssh.spec %files?  It was added by djm, but if you
upgrade (esp. unattended), you may find yourself in a situation where your
sshd_config changes radically and you can no longer log in.

whew.  a long one.

-- 
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords
More information about the openssh-unix-dev mailing list