OpenSSH 3.4p1 hostbased auth - howto?

Gert Doering gert at greenie.muc.de
Thu Jul 25 00:24:29 EST 2002


Hi,

On Wed, Jul 24, 2002 at 03:53:50PM +0200, Markus Friedl wrote:
> > This is the problem. It's a manifestation of the bug I reported a month
> > ago on this list with the subject "privilege separation breaks dns lookups".
> > There is a patch but it hasn't been committed.
> but there should be no DNS lookups in the unprivileged code...

The protocol 1 / RhostsRSAAuthentication handler seems to be doing reverse
lookups, and fails.  This is how it looks here:

debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_send entering: type 11
debug3: mm_request_receive entering
Failed none for gert from 195.30.1.25 port 760
debug3: mm_auth_password: user not authenticated
debug3: mm_request_receive entering
debug1: Trying rhosts with RSA host authentication for client user gert
debug3: Trying to reverse map address 195.30.1.25.
<long pause (about a minute)>
Could not reverse map address 195.30.1.25.
debug1: Rhosts RSA authentication: canonical host 195.30.1.25
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_answer_keyallowed entering
debug3: mm_request_receive_expect entering: type 21
debug3: mm_answer_keyallowed: key_from_blob: 0x80951d0
debug3: mm_request_receive entering
debug3: Trying to reverse map address 195.30.1.25.
debug2: auth_rhosts2: clientuser gert hostname moebius.space.net ipaddr 195.30.1.25
debug1: restore_uid
debug1: restore_uid
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: filename /home/gert/.ssh/known_hosts
...

Without PrivSep, the log is as follows:

debug1: Attempting authentication for gert.
debug1: Trying rhosts with RSA host authentication for client user gert
debug3: Trying to reverse map address 195.30.1.25.
<no delay here>
debug1: Rhosts RSA authentication: canonical host moebius.space.net
debug2: auth_rhosts2: clientuser gert hostname moebius.space.net ipaddr 195.30.1.25
debug1: restore_uid
debug1: restore_uid
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: filename /home/gert/.ssh/known_hosts


gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de
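Added example, not part of the original message: a small Python check that scans sshd debug output for the pattern visible in the two traces above, where the "canonical host" recorded for RhostsRSA is the bare IP while the later auth_rhosts2 line carries a resolved hostname for the same address. The sample logs are constructed by trimming the quoted traces; the function name, the single-session assumption, and reading the auth_rhosts2 line as the privileged monitor's lookup are assumptions of this example.

```python
import re

# Constructed samples, trimmed from the two debug traces quoted in the post.
WITH_PRIVSEP = """\
debug1: Trying rhosts with RSA host authentication for client user gert
debug3: Trying to reverse map address 195.30.1.25.
Could not reverse map address 195.30.1.25.
debug1: Rhosts RSA authentication: canonical host 195.30.1.25
debug3: mm_answer_keyallowed entering
debug3: Trying to reverse map address 195.30.1.25.
debug2: auth_rhosts2: clientuser gert hostname moebius.space.net ipaddr 195.30.1.25
"""
WITHOUT_PRIVSEP = """\
debug1: Trying rhosts with RSA host authentication for client user gert
debug3: Trying to reverse map address 195.30.1.25.
debug1: Rhosts RSA authentication: canonical host moebius.space.net
debug2: auth_rhosts2: clientuser gert hostname moebius.space.net ipaddr 195.30.1.25
"""

ADDR = re.compile(r"(Trying to|Could not) reverse map address (\S+?)\.$")
CANON = re.compile(r"Rhosts RSA authentication: canonical host (\S+)$")
RHOSTS2 = re.compile(r"auth_rhosts2: clientuser \S+ hostname (\S+) ipaddr (\S+)$")

def find_lookup_splits(log):
    """Return (ip, canonical, later_name, lookup_failed) for each client
    address whose canonical host fell back to the bare IP although a later
    auth_rhosts2 line (assumed: the monitor) resolved a hostname for it."""
    last_ip, failed, canonical, later = None, set(), {}, {}
    for line in map(str.strip, log.splitlines()):
        if m := ADDR.search(line):
            last_ip = m.group(2)          # address the next result refers to
            if m.group(1) == "Could not":
                failed.add(last_ip)
        elif (m := CANON.search(line)) and last_ip:
            canonical.setdefault(last_ip, m.group(1))
        elif m := RHOSTS2.search(line):
            later[m.group(2)] = m.group(1)
    return [(ip, name, later[ip], ip in failed)
            for ip, name in canonical.items()
            if name == ip and later.get(ip, ip) != ip]

if __name__ == "__main__":
    for label, log in (("privsep", WITH_PRIVSEP), ("no privsep", WITHOUT_PRIVSEP)):
        print(label, find_lookup_splits(log))
```

A non-empty result means the host name used for the RhostsRSA canonical host and the one used for the rhosts/known_hosts checks disagree within one login attempt.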



More information about the openssh-unix-dev mailing list