Rhosts Auth Issues with OpenSSH 2.9p1 on Solaris 2.7

Jeff Newton Jeff_Newton at pmc-sierra.com
Wed May 9 06:20:30 EST 2001


Thanks, that did it.

Cheers,

Markus Friedl wrote:
> 
> you have to enable privileged ports with
>         UsePrivileged yes
> in ssh_config if you want to use the rhosts-authentication
> (not recommended, should be removed :)
> 
> you also need this for rhosts-rsa to legacy servers.
> 
> On Tue, May 08, 2001 at 09:18:03AM -0700, Jeff Newton wrote:
> > Carson Gaspar wrote:
> > >
> > > By default, ssh is not installed setuid root. Currently, you need to
> > > install it setuid root or it disables rhosts auth.
> > >
> > > Of course, rhosts auth is a terrible idea. Are you _sure_ you mean rhosts
> > > auth, or do you mean RSARhosts/Hostbasedauth? These currently _also_
> > > require that ssh be setuid root, but have far more security.
> >
> > A configure --help seems to indicate that ssh is installed setuid root
> > by default.  Just to be sure I added the --enable-suid-ssh option to
> > configure, recompiled, and installed.
> >
> > Perms on /opt/openssh-2.9p1/bin are:
> >
> > newton at odin [21] ls -l
> > total 23378
> > -rwxr-xr-x   1 root     other     358376 May  8 09:05 scp
> > -rwxr-xr-x   1 root     other     753696 May  8 09:05 sftp
> > lrwxrwxrwx   1 root     other          3 May  8 09:05 slogin -> ssh
> > -rws--x--x   1 root     other    3955464 May  8 09:05 ssh
> > -rwxr-xr-x   1 root     other    2012280 May  8 09:05 ssh-add
> > -rwxr-xr-x   1 root     other    1709948 May  8 09:05 ssh-agent
> > -rwxr-xr-x   1 root     other    2017460 May  8 09:05 ssh-keygen
> > -rwxr-xr-x   1 root     other    1078232 May  8 09:05 ssh-keyscan
> >
> > I still get the following behaviour:
> >
> > newton at odin [23] ./ssh -v odin
> > OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
> > debug1: Reading configuration data /opt/openssh-2.9p1/etc/ssh_config
> > debug1: Seeded RNG with 42 bytes from programs
> > debug1: Seeded RNG with 3 bytes from system calls
> > debug1: Rhosts Authentication disabled, originating port will not be
> > trusted.
> > debug1: restore_uid
> > debug1: ssh_connect: getuid 1412 geteuid 0 anon 1
> > debug1: Connecting to odin [134.87.115.142] port 22.
> > debug1: temporarily_use_uid: 1412/67 (e=0)
> > debug1: restore_uid
> > debug1: temporarily_use_uid: 1412/67 (e=0)
> > debug1: restore_uid
> > debug1: Connection established.
> > debug1: read PEM private key done: type DSA
> > debug1: read PEM private key done: type RSA
> > debug1: identity file /home/cs/newton/.ssh/identity type -1
> > debug1: identity file /home/cs/newton/.ssh/id_rsa type -1
> > debug1: identity file /home/cs/newton/.ssh/id_dsa type -1
> > debug1: Remote protocol version 1.99, remote software version
> > OpenSSH_2.9p1
> > debug1: match: OpenSSH_2.9p1 pat ^OpenSSH
> > Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_2.9p1
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug1: kex: server->client aes128-cbc hmac-md5 none
> > debug1: kex: client->server aes128-cbc hmac-md5 none
> > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> > debug1: dh_gen_key: priv key bits set: 112/256
> > debug1: bits set: 1015/2049
> > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> > debug1: Host 'odin' is known and matches the RSA host key.
> > debug1: Found key in /home/cs/newton/.ssh/known_hosts2:4
> > debug1: bits set: 1024/2049
> > debug1: ssh_rsa_verify: signature correct
> > debug1: kex_derive_keys
> > debug1: newkeys: mode 1
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: waiting for SSH2_MSG_NEWKEYS
> > debug1: newkeys: mode 0
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: done: ssh_kex2.
> > debug1: send SSH2_MSG_SERVICE_REQUEST
> > debug1: service_accept: ssh-userauth
> > debug1: got SSH2_MSG_SERVICE_ACCEPT
> > debug1: authentications that can continue:
> > publickey,password,keyboard-interactive,hostbased
> > debug1: next auth method to try is publickey
> > debug1: try privkey: /home/cs/newton/.ssh/identity
> > debug1: try privkey: /home/cs/newton/.ssh/id_rsa
> > debug1: try privkey: /home/cs/newton/.ssh/id_dsa
> > debug1: next auth method to try is password
> > newton at odin's password:
> >
> > Anyone have any ideas?
> >
> > Cheers,
> >
> > --
> > Jeff Newton
> > Security Analyst
> > PMC-Sierra Inc.

-- 
Jeff Newton
Security Analyst
PMC-Sierra Inc.
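An added audit helper for the two prerequisites the thread works out (a root-owned setuid client and a privileged source port); it is not code from the thread or from OpenSSH. It assumes POSIX sh with awk and grep, uses UsePrivilegedPort as the full ssh_config(5) keyword of that release, and runs on constructed samples shaped like the listing and "ssh -v" output quoted above.

```shell
#!/bin/sh
# Constructed ls -l line for the client binary (same shape as the listing above).
SAMPLE_LS='-rws--x--x   1 root     other    3955464 May  8 09:05 ssh'

# Constructed ssh_config fragment; UsePrivilegedPort is the ssh_config(5)
# keyword the reply abbreviates, and it defaulted to "no" in that release.
SAMPLE_CONFIG='# client config
Host *
    UsePrivilegedPort yes'

# Constructed excerpt of the "ssh -v" output quoted in the thread.
SAMPLE_DEBUG='debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: ssh_connect: getuid 1412 geteuid 0 anon 1'

# 0 when an ls -l line shows a root-owned setuid file ("s" in the owner-execute slot).
ls_is_setuid_root() {
    printf '%s\n' "$1" | awk '{ exit !(substr($1, 4, 1) == "s" && $3 == "root") }'
}

# 0 when any non-comment line sets UsePrivilegedPort to yes ("key value" or "key=value").
# Deliberately conservative: an enabling line in any Host block counts for the audit.
config_uses_privileged_port() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        { gsub(/=/, " ") }
        tolower($1) == "useprivilegedport" && tolower($2) == "yes" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# 0 when the client has already given up on trusting its source port.
debug_reports_rhosts_disabled() {
    printf '%s\n' "$1" | grep -q 'Rhosts Authentication disabled'
}

# Explain the debug message: both prerequisites from the thread must hold.
diagnose_rhosts() {
    if ! ls_is_setuid_root "$1"; then
        echo "client not setuid root"
    elif ! config_uses_privileged_port "$2"; then
        echo "UsePrivilegedPort not enabled"
    else
        echo "legacy rhosts path enabled"   # not recommended, as the reply above says
    fi
}

# Stand-alone run on the constructed samples.
debug_reports_rhosts_disabled "$SAMPLE_DEBUG" && echo "ssh -v: rhosts disabled"
diagnose_rhosts "$SAMPLE_LS" "$SAMPLE_CONFIG"
```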


