Public Key Authentication Bug
Russell "Elik" Rademacher
elik at rademacher.org
Wed Jun 26 12:50:14 EST 2002
I have known for a long time that keys generated by puttygen are problematic at most.
I usually have the keys generated where the host server is located and set the
public keys in the .ssh/authorized_keys file.
With that, I did use the RSA1 and DSA keys and didn't have any problems with
them using the OpenSSH 3.1p1 version, which is before the 3.3p1 appeared. I
haven't tried the RSA SSH2 key on it yet, but I am not sure if it has problems
with it or not.
On the F-Serve, I didn't have any problems with all 3 different
key-generated keys on the OpenSSH 3.1p1 and earlier versions on different
distros either, provided they are generated with OpenSSH itself, not from the
client side.
I am trying out that new build that Ben has produced to see if something
has been changed in there to fix that problem. We'll see on that. :)
On Tue Jun 25, 2002 at 09:20:46PM -0400, Russell Elik Rademacher wrote:
> It does seem to indicate that the Client SSH other than OpenSSH that uses
> the Public Key Authentication seems to have a problem with the 3.3p1 version
> compared to the previous versions.
Not necessarily. I just did some quick testing using putty 0.52
(latest version according to the website). I don't normally use keys
with putty (I don't really use putty at all), but this is what
happened:
Generated RSA1, RSA2, and DSA2 keys with puttygen.exe. Imported the
RSA1 public key and the RSA2/DSA2 "openssh strings" that puttygen
outputs into ~/.ssh/authorized_keys on an 8.2 Mandrake box running
3.3p1 and on another 8.2 Mandrake box running 3.1p1.
RSA1 works fine; no issues there. Both RSA2 and DSA2 keys proved
problematic with putty reporting that it "Couldn't load private key
file". All three keys were generated by putty.
Then I copied the RSA1, RSA2, and DSA2 private keys from my Mandrake
workstation (all keys generated sometime in the 2.x openssh versions,
don't recall exactly, but it's been quite a while).
Again, RSA1 worked without problem. RSA2 and DSA2, both keys again
couldn't be loaded.
This seems to me like it's a problem with putty, not openssh. With
both putty-generated and openssh-generated keys, only the RSA1 key
worked properly. I have not tried F-Serve.
> I have been using both F-Serve and Putty to connect and authenticate by
> Public Key Authentication for a long time. Just when I did the update to patch
> the system to 3.3p1, that's when it failed. Maybe it is the client or it may be
> something else in the OpenSSH implementation that got changed somewhat that
> caused this problem to manifest itself.
Out of curiosity (actually, it would help a lot), which version of
openssh did you upgrade *from*? Did you upgrade from 3.1p1 or an
earlier version?
> I am going to build a new one on the vanilla Redhat 7.2 system and see if
> this problem is reproducible as well. If it is, then it is the OpenSSH itself
> that has the problem with it, or if it works, then one of the patches that
> went into the Mandrake's OpenSSH version got something changed to make it break
> entirely. I will let you know tomorrow on this. I am sort of beat doing the
> OpenSSH upgrade over 21 servers of various linux distros in various ages, like
> Slackware, Redhat, Debian, and Mandrake, plus Solaris 8.
Again, I don't think it's our (Mandrake's) packaging, but you never
know. I'm going to build vanilla 3.3p1 openssh's for my workstation a
little later on, and will also try using some older version (2.9 or
something), just for comparison's sake, and will see if putty works
with either of them.
I didn't bother to test on Mandrake 7.2 using a 2.2 kernel because
this really doesn't look to me to be an issue with openssh 3.3p1.
> I haven't had the chance to test the public key on any of them yet, since
> they are on internal network and we use OpenSSH to connect to them from
> outside through a gateway server.
It would be good to see how it works on these. I've got openbsd 3.0
in vmware and will give it a try also later (with the new openssh) to
see if putty will work there.
--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
{GnuPG: 1024D/FE6F2AFD : 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
Current Linux kernel 2.4.18-6.10mdk uptime: 17 days 22 hours 33 minutes.