ssh-agent and id_dsa

Markus Friedl Markus.Friedl at informatik.uni-erlangen.de
Wed Feb 21 08:58:37 EST 2001 

On Tue, Feb 20, 2001 at 11:35:36AM +0100, Lutz Jaenicke wrote:
> On Tue, Feb 20, 2001 at 11:12:19AM +0100, Markus Friedl wrote:
> > why don't you rename the key? :)
> 
> Because I use ssh-agent when I sit in front of my workstation (automatic
> startup via CDE, really practical thing). When I log in from remote via
> slogin, I don't always startup ssh-agent and then it is ok to be asked :-)
> 
> > does the protocol-1 implementation remember keys?
> 
> Hmm, you tend to ask difficult questions...

well, it does not remember the key.

however, the problems you see are due to the fact that
protocol 1 and 2 are different :)

perhaps i add handling of  SSH2_MSG_USERAUTH_PK_OK to the
ssh client, but i'm not sure. 

the ssh client uses just the public key to check whether the
server will accept the 'indentity' file. currently in ssh2 you need
access to the private key, this is why you will be asked about
the passphrase. with SSH2_MSG_USERAUTH_PK_OK you need the passphrase
only if the server accepts the public key.

> ws01 23: slogin -v -p 24 -l root ws01
> OpenSSH_2.5.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
> debug: Reading configuration data /home/aet/serv01/jaenicke/.ssh/config
> debug: Reading configuration data /etc/ssh/ssh_config
> debug: Applying options for *
> debug: ssh_connect: getuid 11019 geteuid 0 anon 0
> debug: Connecting to ws01 [141.43.132.151] port 24.
> debug: Seeding random number generator
> debug: Allocated local port 601.
> debug: Connection established.
> debug: identity file /home/aet/serv01/jaenicke/.ssh/identity type 0
> debug: identity file /home/aet/serv01/jaenicke/.ssh/id_dsa type 3
> debug: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p1
> debug: match: OpenSSH_2.5.1p1 pat ^OpenSSH
> debug: Local version string SSH-1.5-OpenSSH_2.5.1p1
> debug: Waiting for server public key.
> debug: Received server public key (768 bits) and host key (1024 bits).
> debug: Host 'ws01' is known and matches the RSA1 host key.
> debug: Found key in /etc/ssh/ssh_known_hosts:23
> debug: Seeding random number generator
> debug: Encryption type: 3des
> debug: Sent encrypted session key.
> debug: Installing crc compensation attack detector.
> debug: Received encrypted confirmation.
> debug: Trying RSA authentication via agent with 'jaenicke at emserv1'
> debug: Server refused our key.
> debug: RSA authentication using agent refused.
> debug: Trying RSA authentication with key 'jaenicke at emserv1'
> debug: Server refused our key.
> debug: Doing password authentication.
> root at ws01's password:
> ...
> On the server this looks like:
> debug1: Bind to port 24 on 0.0.0.0.
> Server listening on 0.0.0.0 port 24.
> Generating 768 bit RSA key.
> debug1: Seeding random number generator
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode.
> Connection from 141.43.132.151 port 601
> debug1: Client protocol version 1.5; client software version OpenSSH_2.5.1p1
> debug1: match: OpenSSH_2.5.1p1 pat ^OpenSSH
> debug1: Local version string SSH-1.99-OpenSSH_2.5.1p1
> debug1: Sent 768 bit server key and 1024 bit host key.
> debug1: Encryption type: 3des
> debug1: Received session key; encryption turned on.
> debug1: Installing crc compensation attack detector.
> debug1: Attempting authentication for root.
> Failed rsa for ROOT from 141.43.132.151 port 601
> Failed rsa for ROOT from 141.43.132.151 port 601
> ...
> 
> So obviously, it remembers the key...
> identity file /home/aet/serv01/jaenicke/.ssh/identity type 0
> is the RSA1 key I am using. It is passphrase protected and loaded into
> ssh-agent.
> ws01 23: ssh-add -l
> 1024 30:a7:58:3e:f5:bc:a2:0e:f5:16:09:71:b6:56:1e:ec jaenicke at emserv1 (RSA1)
> 1024 de:f8:a8:98:4b:18:9f:5f:d0:6f:67:91:1d:f7:c4:6a /home/aet/serv01/jaenicke/.ssh/id_dsa (DSA)
> 
> If I try the same with protocol 2:
> ...
> debug: authentications that can continue: publickey,password,keyboard-interactive
> debug: next auth method to try is publickey
> debug: userauth_pubkey_agent: trying agent key /home/aet/serv01/jaenicke/.ssh/id_dsa
> debug: authentications that can continue: publickey,password,keyboard-interactive
> debug: next auth method to try is publickey
> debug: try pubkey: /home/aet/serv01/jaenicke/.ssh/id_dsa
> debug: PEM_read_PrivateKey failed
> debug: read SSH2 private key done: name <no key> success 0
> Enter passphrase for key '/home/aet/serv01/jaenicke/.ssh/id_dsa': 
> debug: read SSH2 private key done: name dsa w/o comment success 1
> debug: sig size 20 20
> debug: authentications that can continue: publickey,password,keyboard-interactive
> debug: next auth method to try is publickey
> debug: next auth method to try is password
> root at ws01's password:
> ...
> 
> and on the server:
> ...
> debug1: userauth-request for user root service ssh-connection method none
> debug1: attempt 0 failures 0
> Failed none for ROOT from 141.43.132.151 port 813 ssh2
> debug1: userauth-request for user root service ssh-connection method publickey
> debug1: attempt 1 failures 1
> Failed publickey for ROOT from 141.43.132.151 port 813 ssh2
> debug1: userauth-request for user root service ssh-connection method publickey
> debug1: attempt 2 failures 2
> Failed publickey for ROOT from 141.43.132.151 port 813 ssh2
> ...
> 
> Best regards,
> 	Lutz
> -- 
> Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
> BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

More information about the openssh-unix-dev mailing list