Possible problem with hostbased protocol 1 rhosts authentication

Mike Rose mr349 at cam.ac.uk
Tue Aug 24 18:30:10 EST 2004


I found this problem when working with the Suse9.1 distribution, but have
since reproduced it with a vanilla build of Openssh
(openssh-3.9p1.tar.gz). Basically I cannot get a command like this:

XXXX>ssh -vvv -1 -o "RhostsAuthentication yes" AAAA

to work. Yes, the appropriate settings are in the server's sshd_config file.

Hostbased protocol 1 ssh using rhosts between computers is something we
normally do as we have some Dec Alphas, otherwise we would only be using
protocol 2 which is fine for hostbased authent using rhosts.

"
ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 1
debug1: Connecting to AAAA [AAAA] port 22.
debug1: Allocated local port 1023.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /u/XXXXXX/mr/.ssh/identity type -1
debug1: Remote protocol version 1.5, remote software version 1.2.27
debug1: no match: 1.2.27
debug1: Local version string SSH-1.5-OpenSSH_3.8p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 73
debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 73
debug1: Host 'AAAA' is known and matches the RSA1 host key.
debug1: Found key in /u/XXXXXX/mr/.ssh/known_hosts:73
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug2: cipher_init: set keylen (16 -> 32)
debug2: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
mr at tcm30's password:
"

"
# This is ssh server systemwide configuration file.
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
RandomSeed /etc/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 7200
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication yes
RhostsRSAAuthentication yes
RSAAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
UseLogin no
"


The rest of the detail is in the attached text file.


I hope that is enough info.

regards,

Mike Rose
-------------- next part --------------
1. How to reproduce:
XXXXX:~> ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 1
debug1: Connecting to AAAA [AAAA] port 22.
debug1: Allocated local port 1023.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /u/XXXXXX/mr/.ssh/identity type -1
debug1: Remote protocol version 1.5, remote software version 1.2.27
debug1: no match: 1.2.27
debug1: Local version string SSH-1.5-OpenSSH_3.8p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 73
debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 73
debug1: Host 'AAAA' is known and matches the RSA1 host key.
debug1: Found key in /u/XXXXXX/mr/.ssh/known_hosts:73
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug2: cipher_init: set keylen (16 -> 32)
debug2: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
mr at tcm30's password: 
 
2. This is not working:
rhosts based ssh using protocol 1.
 
3. Error messages and logfiles

The server is set up to accept hostbased authentication using rhosts:

sshd_config (from DEC Alpha):
"
# This is ssh server systemwide configuration file.

Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
RandomSeed /etc/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 7200
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication yes 
RhostsRSAAuthentication yes
RSAAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
UseLogin no
"

The ssh_config file on the client:
"
# This is the ssh client system-wide configuration file.  See ssh(1)
# for more information.  This file provides defaults for users, and
# the values can be changed in per-user configuration files or on the
# command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication yes
#   RhostsRSAAuthentication yes
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   FallBackToRsh no
#   UseRsh no
#   BatchMode no
#   CheckHostIP yes

StrictHostKeyChecking no
UsePrivilegedPort yes
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
Host *
        ForwardX11 yes
# For version 2 hostbased authent using .rhosts/.shosts + known_host entry.
        HostbasedAuthentication yes
        ForwardX11Trusted yes
# For version 1 hostbased authentication to work
        UsePrivilegedPort yes
"


rhosts based authent also does not work with protocol 1 from a Suse 9.1 computer to a suse 9.1 computer.
sshd_config on suse ssh server:
"
# This is the sshd server system-wide configuration file.  See sshd(8)
# for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Changes start here, mr349, 07/01/2004

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
# Use AUTH mode so that ssh messages go into /var/log/messages
SyslogFacility AUTH
#SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
# We do not like this one to be turned on.
PubkeyAuthentication no
#AuthorizedKeysFile     .ssh/authorized_keys

# Read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts no

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# (enabled in TCM)
RhostsRSAAuthentication yes
# similar for protocol version 2
# (enabled in TCM)
HostbasedAuthentication yes
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
# IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication 
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server
"


snippet from /var/adm/messages (on Dec Alpha):
"

Aug 24 09:05:41 AAAA sshd[126034]: connect from XXXX
Aug 24 09:05:41 AAAA sshd[126034]: log: Connection from XXXX port 38875
Aug 24 09:06:06 AAAA sshd[126034]: fatal: Connection closed by remote host.
"

Our Redhat 7.3 version of Openssh (the ssh exe) happily does protocol 1 hostbased authent from an RH7.3 computer to a DEC Alpha or from a RH7.3 computer to a Suse 9.1 computer. In addition to this if I use the RH7.3 ssh executable on a Suse 9.1 computer and ssh using protocol 1 to a RH7.3 computer or a DEC Alpha:

"
XXXX:/temp/mr> ./ssh -1 -v -F ./ssh_config BBBB
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x009060df
debug1: Reading configuration data ./ssh_config
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 0
debug1: Connecting to BBBB [BBBB] port 22.
debug1: Allocated local port 1020.
debug1: temporarily_use_uid: 500/266 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /u/blah/mr/.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'BBBB' is known and matches the RSA1 host key.
debug1: Found key in /u/blah/mr/.ssh/known_hosts:35
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying rhosts authentication.
debug1: Remote: Accepted for XXXX [XXXX] by /etc/hosts.equiv.
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: fd 3 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Tue Aug 24 09:12:45 2004 from XXXX
Unauthorised access forbidden (Computer Misuse Act 1990)
All IT Syndicate Rules apply to this system

Red Hat Linux release 7.3 (Valhalla)
Linux 2.4.20-34.7.legacy

BBBB:~> 
"


The rh7.3 ssh executable will also perform protocol hostbased authent from a Suse9.1 computer to a Suse9.1 computer:
"
XXXX>./ssh -1 -v -F ./ssh_config BBBB
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x009060df
debug1: Reading configuration data ./ssh_config
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 0 anon 0
debug1: Connecting to BBBB [BBBB] port 22.
debug1: Allocated local port 1018.
debug1: temporarily_use_uid: 500/266 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /u/blah/mr/.ssh/identity type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8p1
debug1: match: OpenSSH_3.8p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'BBBB' is known and matches the RSA1 host key.
debug1: Found key in /u/blah/mr/.ssh/known_hosts:71
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug1: Remote: Accepted for XXXX [::ffff:XXXX] by /etc/hosts.equiv.
debug1: Received RSA challenge for host key from server.
debug1: Sending response to host key RSA challenge.
debug1: Remote: Rhosts with RSA host authentication accepted.
debug1: Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: fd 3 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Tue Aug 24 09:15:42 2004 from XXXX
Unauthorised access forbidden (Computer Misuse Act 1990)
All IT Syndicate Rules apply to this system

Suse Linux release 9.1
"


Maybe this is a problem with the newer version of Openssh??
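
Added example, not part of the original post and not OpenSSH code: a small Python helper that reduces `ssh -v` protocol 1 transcripts like the ones above to the authentication methods the client actually attempted, so the failing and working runs can be compared directly. The sample strings are constructed from lines in the post; the short method labels and function names are this example's own.

```python
import re

# Constructed excerpts: lines copied from the three client transcripts in the post.
FAILING_3_8 = """\
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
debug1: Remote protocol version 1.5, remote software version 1.2.27
debug1: Received encrypted confirmation.
debug1: Doing password authentication.
"""
WORKING_RHOSTS = """\
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x009060df
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: Trying rhosts authentication.
debug1: Remote: Accepted for XXXX [XXXX] by /etc/hosts.equiv.
debug1: Requesting pty.
"""
WORKING_RHOSTS_RSA = """\
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x009060df
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.8p1
debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug1: Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.
debug1: Requesting pty.
"""

# Client debug text as it appears in the post -> short label (labels are assumptions).
METHODS = {
    "Trying rhosts or /etc/hosts.equiv with RSA host authentication": "rhosts-rsa",
    "Trying rhosts authentication": "rhosts",
    "Doing password authentication": "password",
}

def summarize(transcript):
    # Return client/server versions, methods attempted in order, and the one that succeeded.
    info = {"client": None, "server": None, "attempted": [], "authenticated_by": None}
    for line in transcript.splitlines():
        line = re.sub(r"^debug\d: ", "", line.strip())
        if m := re.match(r"OpenSSH_([^,\s]+),", line):
            info["client"] = m.group(1)
        elif m := re.search(r"remote software version (\S+)", line):
            info["server"] = m.group(1)
        elif line.startswith(("Requesting pty", "Entering interactive session")):
            # Session setup only begins once the last attempted method was accepted.
            if info["attempted"] and info["authenticated_by"] is None:
                info["authenticated_by"] = info["attempted"][-1]
        else:
            info["attempted"] += [lbl for txt, lbl in METHODS.items() if line.startswith(txt)]
    return info

def not_offered(failing, working):
    # Methods the working client attempted that the failing client never tried.
    tried = set(summarize(failing)["attempted"])
    return [m for m in summarize(working)["attempted"] if m not in tried]
```

Run over the transcripts above, the 3.8p1 client shows only `password` as attempted, while the 3.1p1 client shows `rhosts` or `rhosts-rsa` before session setup.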

