Possible problem with hostbased protocol 1 rhosts authentication
Mike Rose
mr349 at cam.ac.uk
Wed Aug 25 22:46:13 EST 2004
> On Tue Aug 24 01:30:10 2004, Mike Rose wrote:
> >
> > I found this problem when working with the Suse9.1 distribution, but have
> > since reproduced it with a vanilla build of Openssh
> > (openssh-3.9p1.tar.gz). Basically I cannot get a command like this:
> >
> > XXXX>ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
> >
> > to work. Yes the appropriate settings are in the servers sshd_config file.
> >
> > Hostbased protocol 1 ssh using rhosts between computers is something we
> > normally do as we have some Dec Alphas, otherwise we would only be using
> > protocol 2 which is fine for hostbased authent using rhosts.
>
> Do you mean RhostsRSAAuthentication? I believe that RhostsAuthentication was
> dropped some time ago. Also, note that the ssh binary is no longer setuid root.
> (It hasn't been for quite some time.)
Darn, yes, you are quite right.
ssh was setuid root for what I was trying.
>
> For version 2, ssh uses the setuid root binary, ssh-keysign, when doing
> Hostbased authentication. However, ssh does not use this binary when
> using protocol 1. To use RhostsRSAAuthentication for any user other than root,
> you must make the ssh binary setuid root and accept any risks therof.
Yup, we have had to until the last DEC stops.
Many thanks for your reply to silly me.
>
> >
> > "
> > ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
> > OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: Applying options for *
> > debug2: ssh_connect: needpriv 1
> > debug1: Connecting to AAAA [AAAA] port 22.
> > debug1: Allocated local port 1023.
> > debug1: Connection established.
> > debug1: read PEM private key done: type DSA
> > debug1: read PEM private key done: type RSA
> > debug1: identity file /u/XXXXXX/mr/.ssh/identity type -1
> > debug1: Remote protocol version 1.5, remote software version 1.2.27
> > debug1: no match: 1.2.27
> > debug1: Local version string SSH-1.5-OpenSSH_3.8p1
> > debug1: Waiting for server public key.
> > debug1: Received server public key (768 bits) and host key (1024 bits).
> > debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
> > debug3: check_host_in_hostfile: match line 73
> > debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
> > debug3: check_host_in_hostfile: match line 73
> > debug1: Host 'AAAA' is known and matches the RSA1 host key.
> > debug1: Found key in /u/XXXXXX/mr/.ssh/known_hosts:73
> > debug1: Encryption type: 3des
> > debug1: Sent encrypted session key.
> > debug2: cipher_init: set keylen (16 -> 32)
> > debug2: cipher_init: set keylen (16 -> 32)
> > debug1: Installing crc compensation attack detector.
> > debug1: Received encrypted confirmation.
> > debug1: Doing password authentication.
> > mr at tcm30's password:
> > "
> >
> > # This is ssh server systemwide configuration file.
> > "
> > Port 22
> > ListenAddress 0.0.0.0
> > HostKey /etc/ssh_host_key
> > RandomSeed /etc/ssh_random_seed
> > ServerKeyBits 768
> > LoginGraceTime 600
> > KeyRegenerationInterval 7200
> > PermitRootLogin yes
> > IgnoreRhosts no
> > StrictModes yes
> > QuietMode no
> > X11Forwarding yes
> > X11DisplayOffset 10
> > FascistLogging no
> > PrintMotd yes
> > KeepAlive yes
> > SyslogFacility DAEMON
> > RhostsAuthentication yes
> > RhostsRSAAuthentication yes
> > RSAAuthentication no
> > PasswordAuthentication yes
> > PermitEmptyPasswords no
> > UseLogin no
> > "
> >
> >
> > The rest of the detail is in the attached text file.
> >
> >
> > I hope that is enough info.
> >
> > regards,
> >
> > Mike Rose
>
>
> --
> Iain Morgan
> NAS Desktop Support Group
>
More information about the openssh-unix-dev
mailing list