Rhosts Auth Issues with OpenSSH 2.9p1 on Solaris 2.7
Jeff Newton
Jeff_Newton at pmc-sierra.com
Wed May 9 02:18:03 EST 2001
Carson Gaspar wrote:
>
> By default, ssh is not installed setuid root. Currently, you need to
> install it setuid root or it disables rhosts auth.
>
> Of course, rhosts auth is a terrible idea. Are you _sure_ you mean rhosts
> auth, or do you mean RSARhosts/Hostbasedauth? These currently _also_
> require that ssh be setuid root, but have far more security.
A configure --help seems to indicate that ssh is installed setuid root
by default. Just to be sure I added the --enable-suid-ssh option to
configure, recompiled, and installed.
Perms on /opt/openssh-2.9p1/bin are:
newton@odin [21] ls -l
total 23378
-rwxr-xr-x 1 root other 358376 May 8 09:05 scp
-rwxr-xr-x 1 root other 753696 May 8 09:05 sftp
lrwxrwxrwx 1 root other 3 May 8 09:05 slogin -> ssh
-rws--x--x 1 root other 3955464 May 8 09:05 ssh
-rwxr-xr-x 1 root other 2012280 May 8 09:05 ssh-add
-rwxr-xr-x 1 root other 1709948 May 8 09:05 ssh-agent
-rwxr-xr-x 1 root other 2017460 May 8 09:05 ssh-keygen
-rwxr-xr-x 1 root other 1078232 May 8 09:05 ssh-keyscan
I still get the following behaviour:
newton@odin [23] ./ssh -v odin
OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /opt/openssh-2.9p1/etc/ssh_config
debug1: Seeded RNG with 42 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1412 geteuid 0 anon 1
debug1: Connecting to odin [134.87.115.142] port 22.
debug1: temporarily_use_uid: 1412/67 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 1412/67 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/cs/newton/.ssh/identity type -1
debug1: identity file /home/cs/newton/.ssh/id_rsa type -1
debug1: identity file /home/cs/newton/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1
debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 112/256
debug1: bits set: 1015/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'odin' is known and matches the RSA host key.
debug1: Found key in /home/cs/newton/.ssh/known_hosts2:4
debug1: bits set: 1024/2049
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: /home/cs/newton/.ssh/identity
debug1: try privkey: /home/cs/newton/.ssh/id_rsa
debug1: try privkey: /home/cs/newton/.ssh/id_dsa
debug1: next auth method to try is password
newton@odin's password:
Anyone have any ideas?
Cheers,
--
Jeff Newton
Security Analyst
PMC-Sierra Inc.
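An added triage helper, not part of this thread and not OpenSSH code: it reads an `ssh -v` transcript of the shape posted above (the sample inside it is constructed from the lines in the post) and reports what the authentication-relevant debug lines actually say, so the question "is ssh setuid root or not" can be answered from the transcript rather than from `ls -l`. Three things in it are this example's own assumptions, not statements from the post: that `anon 1` in the `ssh_connect` line means the client asked for an unprivileged source port, that the client setting behind that is `UsePrivilegedPort`, and that the server's `hostbased` method is enabled on the client side through `HostbasedAuthentication` in ssh_config.

```python
import re

# Constructed sample in the shape of the `ssh -v` transcript from the post
# (values copied from the post; this is not a live capture).
SAMPLE_LOG = """\
OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /opt/openssh-2.9p1/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: getuid 1412 geteuid 0 anon 1
debug1: Connecting to odin [134.87.115.142] port 22.
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is publickey
debug1: try privkey: /home/cs/newton/.ssh/identity
debug1: next auth method to try is password
"""

UID_RE = re.compile(r"ssh_connect: getuid (\d+) geteuid (\d+) anon (\d)")
OFFER_RE = re.compile(r"authentications that can continue: (.+)")
TRY_RE = re.compile(r"next auth method to try is (\S+)")
VERSION_RE = re.compile(r"remote software version (\S+)")


def parse_ssh_debug(text):
    """Extract the auth-relevant facts from an (unwrapped) `ssh -v` transcript."""
    report = {
        "rhosts_disabled": False,   # client logged the 'Rhosts Authentication disabled' line
        "uid": None,                # real uid from the ssh_connect line
        "euid": None,               # effective uid: 0 here means ssh is running setuid root
        "anon": None,               # assumption: 1 = client chose an unprivileged source port
        "remote_version": None,
        "offered": [],              # methods the server advertised
        "tried": [],                # methods the client actually attempted, in order
    }
    for line in text.splitlines():
        if "Rhosts Authentication disabled" in line:
            report["rhosts_disabled"] = True
        m = UID_RE.search(line)
        if m:
            report["uid"], report["euid"], report["anon"] = (int(x) for x in m.groups())
        m = VERSION_RE.search(line)
        if m:
            report["remote_version"] = m.group(1)
        m = OFFER_RE.search(line)
        if m:
            report["offered"] = m.group(1).strip().split(",")
        m = TRY_RE.search(line)
        if m:
            report["tried"].append(m.group(1))
    return report


def diagnose(report):
    """Turn the parsed facts into findings an administrator would act on."""
    findings = []
    uid, euid = report["uid"], report["euid"]
    setuid_root = euid == 0 and uid not in (None, 0)   # euid 0 but started by a normal user
    if report["rhosts_disabled"]:
        if setuid_root and report["anon"] == 1:
            findings.append(
                "rhosts-style auth disabled although ssh ran with euid 0 (setuid root is "
                "in effect); the client itself requested an unprivileged source port "
                "(anon 1), so this is configuration (assumed: UsePrivilegedPort off), "
                "not file permissions")
        elif setuid_root:
            findings.append(
                "rhosts-style auth disabled with euid 0 and a privileged port requested; "
                "look beyond setuid and port selection")
        else:
            findings.append(
                "rhosts-style auth disabled because ssh is not running setuid root "
                "(a source port below 1024 cannot be bound)")
    offered, tried = set(report["offered"]), set(report["tried"])
    if "hostbased" in offered and "hostbased" not in tried:
        findings.append(
            "server offers 'hostbased' (the protocol-2 host-key based method, the safer "
            "replacement for rhosts) but the client never tried it; check "
            "HostbasedAuthentication in the client ssh_config (assumed option name)")
    if "password" in offered:
        findings.append(
            "server still accepts password auth" +
            (", and the client fell back to it" if "password" in tried else ""))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ssh_debug(SAMPLE_LOG)):
        print("-", finding)
```

Feed it the raw transcript; mail clients wrap long debug lines, so rejoin any wrapped line before parsing. The point of the euid/anon branch is that a `geteuid 0` next to a non-root `getuid` already proves the setuid bit is doing its job, so "disabled" at that point is the client's own choice, and the better response is the `hostbased` method the server is advertising rather than persuading the client to trust a source port.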