Public Key Authentication Bug

Russell "Elik" Rademacher elik at rademacher.org
Wed Jun 26 11:20:46 EST 2002


    It does seem to indicate that the SSH clients other than OpenSSH that use
the Public Key Authentication seem to have a problem with the 3.3p1 version
compared to the previous versions.

    I have been using both F-Serve and Putty to connect and authenticate by
Public Key Authentication for a long time.  Just when I did the update to patch
the system to 3.3p1, that is when it failed.  Maybe it is the client or it may be
something else in the OpenSSH implementation that got changed somewhat that caused
this problem to manifest itself.

    I am going to build a new one on the vanilla Redhat 7.2 system and see if
this problem is reproducible as well.  If it is, then it is the OpenSSH itself
that got the problem with it, or if it works, then one of the patches that went
into the Mandrake's OpenSSH version got something changed to make it break
entirely.  I will let you know tomorrow on this.  I am sort of beat doing the
OpenSSH upgrade over 21 servers of various Linux distros in various ages, like
Slackware, Redhat, Debian, and Mandrake, plus Solaris 8.

    I haven't had the chance to test the public key on any of them yet, since
they are on an internal network and we use OpenSSH to connect to them from outside
through a gateway server.

On Tue Jun 25, 2002 at 11:45:30AM -0400, Russell Elik Rademacher wrote:

>     I usually don't get involved in the mailing lists unless it is of a major
> importance.  Here is a new problem that came up with the 3.3.p1 version, which
> I already reported to the Mandrake Developers on their RPM build.  Basically,
> it boils down to this.
>
>     In the Priv Separation Mode or not, the public Key Authentication is
> thoroughly broken on all 3 versions of Keys, RSA1, RSA, and DSA versions.  It
> applies to SSH1 and SSH2.  This is reported on 7.2 version Mandrake with the
> 2.2. Kernel Build.  I am still working on testing it on the 2.4 Kernel Build
> to see how it works out on the Redhat.  This SSH Build has a patch from Solar
> Designer which is made to make it work on 2.2 Kernel.
>
>     But other than that, the functionality of the SSH is perfect and working
> as usual.  Just no Public Key Authentication.

I don't think this has anything to do with Solar's patch.  You forgot
to mention that you were using Putty and F-Protect as clients (I think
F-Protect is the other you mentioned).

Before we put the Mandrake updates out, both public key and password
authentication were tested on all platforms, with 2.2 and 2.4 kernels
(using openssh as a client, not Putty or anything else).  Both forms
of authentication worked fine.

I still have to hop on a windows machine and test Putty with public
keys to see if I can reproduce your problem; without testing I can
only suspect that Putty and/or F-Protect are the problem, or that
something in openssh changed (doubtful) that prevents it from working
unless an openssh client is used.

As soon as I have a chance to test this, I'll post my findings.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}

Current Linux kernel 2.4.18-6.10mdk uptime: 17 days 21 hours 8 minutes.





More information about the openssh-unix-dev mailing list