Rhosts Auth Issues with OpenSSH 2.9p1 on Solaris 2.7

Markus Friedl markus.friedl at informatik.uni-erlangen.de
Wed May 9 05:20:03 EST 2001


you have to enable privileged ports with
	UsePrivileged yes
in ssh_config if you want to use the rhosts-authentication
(not recommended, should be removed :)

you also need this for rhosts-rsa to legacy servers.
	
On Tue, May 08, 2001 at 09:18:03AM -0700, Jeff Newton wrote:
> Carson Gaspar wrote:
> > 
> > By default, ssh is not installed setuid root. Currently, you need to
> > install it setuid root or it disables rhosts auth.
> > 
> > Of course, rhosts auth is a terrible idea. Are you _sure_ you mean rhosts
> > auth, or do you mean RSARhosts/Hostbasedauth? These currently _also_
> > require that ssh be setuid root, but have far more security.
> 
> A configure --help seems to indicate that ssh is installed setuid root
> by deafult.  Just to be sure I added the --enable-suid-ssh option to
> configure, recompiled, and installed.  
> 
> Perms on /opt/openssh-2.9p1/bin are:
> 
> newton at odin [21] ls -l
> total 23378
> -rwxr-xr-x   1 root     other     358376 May  8 09:05 scp
> -rwxr-xr-x   1 root     other     753696 May  8 09:05 sftp
> lrwxrwxrwx   1 root     other          3 May  8 09:05 slogin -> ssh
> -rws--x--x   1 root     other    3955464 May  8 09:05 ssh
> -rwxr-xr-x   1 root     other    2012280 May  8 09:05 ssh-add
> -rwxr-xr-x   1 root     other    1709948 May  8 09:05 ssh-agent
> -rwxr-xr-x   1 root     other    2017460 May  8 09:05 ssh-keygen
> -rwxr-xr-x   1 root     other    1078232 May  8 09:05 ssh-keyscan
> 
> I still get the following behaviour:
> 
> newton at odin [23] ./ssh -v odin
> OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
> debug1: Reading configuration data /opt/openssh-2.9p1/etc/ssh_config
> debug1: Seeded RNG with 42 bytes from programs
> debug1: Seeded RNG with 3 bytes from system calls
> debug1: Rhosts Authentication disabled, originating port will not be
> trusted.
> debug1: restore_uid
> debug1: ssh_connect: getuid 1412 geteuid 0 anon 1
> debug1: Connecting to odin [134.87.115.142] port 22.
> debug1: temporarily_use_uid: 1412/67 (e=0)
> debug1: restore_uid
> debug1: temporarily_use_uid: 1412/67 (e=0)
> debug1: restore_uid
> debug1: Connection established.
> debug1: read PEM private key done: type DSA
> debug1: read PEM private key done: type RSA
> debug1: identity file /home/cs/newton/.ssh/identity type -1
> debug1: identity file /home/cs/newton/.ssh/id_rsa type -1
> debug1: identity file /home/cs/newton/.ssh/id_dsa type -1
> debug1: Remote protocol version 1.99, remote software version
> OpenSSH_2.9p1
> debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_2.9p1
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: dh_gen_key: priv key bits set: 112/256
> debug1: bits set: 1015/2049
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'odin' is known and matches the RSA host key.
> debug1: Found key in /home/cs/newton/.ssh/known_hosts2:4
> debug1: bits set: 1024/2049
> debug1: ssh_rsa_verify: signature correct
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: done: ssh_kex2.
> debug1: send SSH2_MSG_SERVICE_REQUEST
> debug1: service_accept: ssh-userauth
> debug1: got SSH2_MSG_SERVICE_ACCEPT
> debug1: authentications that can continue:
> publickey,password,keyboard-interactive,hostbased
> debug1: next auth method to try is publickey
> debug1: try privkey: /home/cs/newton/.ssh/identity
> debug1: try privkey: /home/cs/newton/.ssh/id_rsa
> debug1: try privkey: /home/cs/newton/.ssh/id_dsa
> debug1: next auth method to try is password
> newton at odin's password: 
> 
> Anyone have any ideas? 
> 
> Cheers,
> 
> -- 
> Jeff Newton
> Security Analyst
> PMC-Sierra Inc.



More information about the openssh-unix-dev mailing list