[Bug 342] RhostsRSAAuthentication does not work with 3.4p1

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Jul 31 09:14:26 EST 2002


http://bugzilla.mindrot.org/show_bug.cgi?id=342

djast at cs.toronto.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |



------- Additional Comments From djast at cs.toronto.edu  2002-07-31 09:14 -------
When PrivilegeSeparation is enabled, RhostsRSAAuthentication seems to look up
the connecting host in the known_hosts file by IP address rather than by name.

The tests below were run as root on the client side, so setuid is not an issue.

With UsePrivilegeSeparation=yes, sshd -d -d -d reports:
[...]
debug1: Attempting authentication for root.
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 10
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_receive entering
debug2: monitor_read: 6 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: user not authenticated
Failed none for root from 128.100.2.31 port 56036
debug3: mm_request_receive entering
debug1: Trying rhosts with RSA host authentication for client user root
debug3: Trying to reverse map address 128.100.2.31.
debug1: Rhosts RSA authentication: canonical host 128.100.2.31
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 1414a0
debug3: Trying to reverse map address 128.100.2.31.
debug2: auth_rhosts2: clientuser root hostname jane.cs ipaddr 128.100.2.31
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug1: restore_uid: 0/1
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug1: restore_uid: 0/1
debug3: check_host_in_hostfile: filename /usr/slocal/etc/ssh_known_hosts
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug3: check_host_in_hostfile: filename /.ssh/known_hosts
debug1: restore_uid: 0/1
debug2: check_key_in_hostfiles: key not found for 128.100.2.31
debug3: mm_answer_keyallowed: key 1414a0 is disallowed
debug3: mm_append_debug: Appending debug messages for child
debug3: mm_request_send entering: type 21
debug3: mm_send_debug: Sending debug: Accepted by .rhosts.
debug3: mm_send_debug: Sending debug: Accepted host jane.cs ip 128.100.2.31
client_user root server_user root
debug1: Rhosts with RSA host authentication denied: unknown or invalid host key
Failed rhosts-rsa for root from 128.100.2.31 port 56036 ruser root

With UsePrivilegeSeparation=no:
[...]
debug1: Attempting authentication for root.
debug1: Trying rhosts with RSA host authentication for client user root
debug3: Trying to reverse map address 128.100.2.31.
debug1: Rhosts RSA authentication: canonical host jane.cs
debug2: auth_rhosts2: clientuser root hostname jane.cs ipaddr 128.100.2.31
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug1: restore_uid: 0/1
debug1: temporarily_use_uid: 0/1 (e=0/1)
debug1: restore_uid: 0/1
debug3: check_host_in_hostfile: filename /usr/slocal/etc/ssh_known_hosts
debug3: check_host_in_hostfile: match line 11
debug2: check_key_in_hostfiles: key ok for jane.cs
Rhosts with RSA host authentication accepted for root, root on jane.cs.
Accepted rhosts-rsa for root from 128.100.2.31 port 56048 ruser root


The first case fails and the second succeeds, because the sshd_known_hosts file
contains an entry for *.cs but not for 128.100.2.31.
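The failure the two traces show is a lookup-key mismatch: the known_hosts pattern "*.cs" covers the reverse-mapped name jane.cs but not the bare address 128.100.2.31 that the privsep path uses as the canonical host. The following is an added illustration, not OpenSSH code and not the reporter's files: a small Python re-implementation of sshd-style host-pattern matching over a constructed known_hosts sample (placeholder key strings, not real keys), showing that the same file answers differently depending on whether the lookup is keyed by name or by IP.

```python
import fnmatch

# Constructed sample known_hosts content (not the reporter's real file): one
# wildcard entry for the "cs" domain and one keyed by IP address. The key
# material is a placeholder, not a real host key.
KNOWN_HOSTS = """\
# host patterns       keytype  key
*.cs                  ssh-rsa  PLACEHOLDER-KEY-FOR-CS-DOMAIN
10.0.0.5              ssh-rsa  PLACEHOLDER-KEY-FOR-10.0.0.5
"""

def parse_known_hosts(text):
    """Return a list of (patterns, key) tuples; patterns is a list of glob strings."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        # Everything after the pattern field is the key (RSA1 "bits e n" or "type base64").
        entries.append((fields[0].split(","), " ".join(fields[1:])))
    return entries

def host_matches(patterns, host):
    """sshd-style match: comma-separated globs; a leading '!' negates and wins outright."""
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(host.lower(), pat.lstrip("!").lower()):
            if negate:
                return False
            matched = True
    return matched

def lookup_host_key(entries, canonical_host):
    """Return the key of the first entry whose patterns match canonical_host, else None."""
    for patterns, key in entries:
        if host_matches(patterns, canonical_host):
            return key
    return None

def canonical_host(ipaddr, reverse_name):
    """The string sshd keys the lookup on: the reverse-mapped name, or the bare IP if none."""
    return reverse_name if reverse_name else ipaddr
```

Keying the lookup with canonical_host("128.100.2.31", "jane.cs") finds the *.cs entry, while canonical_host("128.100.2.31", None) finds nothing, which is the "key not found for 128.100.2.31" line in the privsep trace; the same matcher also shows that adding the address to the pattern list (e.g. "*.cs,128.100.2.31") makes the IP-keyed lookup succeed.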

