Public Key Authentication Bug

Russell "Elik" Rademacher elik at rademacher.org
Wed Jun 26 12:50:14 EST 2002


    I knew for a long time that keys generated by puttygen are problematic at most.
I usually have the keys generated where the host server is located and set the
public keys in the .ssh/authorized_keys file.

    With that, I did use the RSA1 and DSA Keys and didn't have any problems with
them using the OpenSSH 3.1p1 version, which is before the 3.3p1 appeared.  I
haven't tried the RSA SSH2 key on it yet, but I am not sure if it got problems
with it or not.

    On the F-Serve, I didn't have any problems with all 3 different
key-generated Keys on the OpenSSH 3.1p1 and earlier versions on different
distros either provided they are generated with OpenSSH itself, not from the
client side.

    I am trying out that new build that Ben has produced to see if something
has been changed in there to fix that problem.  We'll see on that. :)

On Tue Jun 25, 2002 at 09:20:46PM -0400, Russell Elik Rademacher wrote:

>     It does seem to indicate that the Client SSH other than OpenSSH that uses
> the Public Key Authentication seems to have a problem with the 3.3p1 version
> compared to the previous versions.

Not necessarily.  I just did some quick testing using putty 0.52
(latest version according to the website).  I don't normally use keys
with putty (I don't really use putty at all), but this is what
happened:

Generated RSA1, RSA2, and DSA2 keys with puttygen.exe.  Imported the
RSA1 public key and the RSA2/DSA2 "openssh strings" that puttygen
outputs into ~/.ssh/authorized_keys on an 8.2 Mandrake box running
3.3p1 and on another 8.2 Mandrake box running 3.1p1.

RSA1 works fine; no issues there.  Both RSA2 and DSA2 keys proved
problematic with putty reporting that it "Couldn't load private key
file".  All three keys were generated by putty.

Then I copied the RSA1, RSA2, and DSA2 private keys from my Mandrake
workstation (all keys generated sometime in the 2.x openssh versions,
don't recall exactly, but it's been quite a while).

Again, RSA1 worked without problem.  RSA2 and DSA2, both keys again
couldn't be loaded.

This seems to me like it's a problem with putty, not openssh.  With
both putty-generated and openssh-generated keys, only the RSA1 key
worked properly.  I have not tried F-Serve.

>     I have been using both F-Serve and Putty to connect and authenticate by
> Public Key Authentication for a long time.  Just when I did the update to patch
> the system to 3.3p1, that's when it failed.  Maybe it is the client or it may be
> something else in the OpenSSH implementation that got changed somewhat that
> caused this problem to manifest itself.

Out of curiosity (actually, it would help a lot), which version of
openssh did you upgrade *from*?  Did you upgrade from 3.1p1 or an
earlier version?

>     I am going to build a new one on the vanilla Redhat 7.2 system and see if
> this problem is reproducible as well.  If it is, then it is the OpenSSH itself
> that got the problem with it, or if it works, then one of the patches that went
> into the Mandrake's OpenSSH version got something changed to make it break
> entirely.  I will let you know tomorrow on this.  I am sort of beat doing the
> OpenSSH upgrade over 21 servers of various linux distros in various ages, like
> Slackware, Redhat, Debian, and Mandrake, plus Solaris 8.

Again, I don't think it's our (Mandrake's) packaging, but you never
know.  I'm going to build vanilla 3.3p1 openssh's for my workstation a
little later on, and will also try using some older version (2.9 or
something), just for comparison's sake, and will see if putty works
with either of them.

I didn't bother to test on Mandrake 7.2 using a 2.2 kernel because
this really doesn't look to me to be an issue with openssh 3.3p1.

>     I haven't had the chance to test the public key on any of them yet, since
> they are on an internal network and we use OpenSSH to connect to them from
> outside through a gateway server.

It would be good to see how it works on these.  I've got openbsd 3.0
in vmware and will give it a try also later (with the new openssh) to
see if putty will work there.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD}

Current Linux kernel 2.4.18-6.10mdk uptime: 17 days 22 hours 33 minutes.




More information about the openssh-unix-dev mailing list