Possible problem with hostbased protocol 1 rhosts authentication

Mike Rose mr349 at cam.ac.uk
Wed Aug 25 23:43:26 EST 2004


What about this section of man ssh:
"
SSH protocol version 1
First, if the machine the user logs in from is listed in /etc/hosts.equiv
or /etc/ssh/shosts.equiv on the remote machine, and the user names are the
same on both sides, the user is immediately permitted to log in. Second,
if .rhosts or .shosts exists in the user's home directory on the remote
machine and contains a line containing the name of the client machine and
the name of the user on that machine, the user is permitted to log in.
This form of authentication alone is normally not allowed by the server
because it is not secure.
"

Am I being silly or does this part of man ssh need to be edited slightly
to say that host keys also need to be used (/etc/ssh/ssh_known_hosts for
example):
"
debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug1: Remote: Accepted for XXXX [XXXX] by /etc/hosts.equiv.
debug1: Remote: Your host key cannot be verified: unknown or invalid host
key.
debug1: Server refused our rhosts authentication or host key.



On Wed, 25 Aug 2004, Mike Rose wrote:

> > On Tue Aug 24 01:30:10 2004, Mike Rose wrote:
> > >
> > > I found this problem when working with the Suse9.1 distribution, but have
> > > since reproduced it with a vanilla build of Openssh
> > > (openssh-3.9p1.tar.gz). Basically I cannot get a command like this:
> > >
> > > XXXX>ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
> > >
> > > to work. Yes the appropriate settings are in the server's sshd_config file.
> > >
> > > Hostbased protocol 1 ssh using rhosts between computers is something we
> > > normally do as we have some Dec Alphas, otherwise we would only be using
> > > protocol 2 which is fine for hostbased authent using rhosts.
> >
> > Do you mean RhostsRSAAuthentication? I believe that RhostsAuthentication was
> > dropped some time ago. Also, note that the ssh binary is no longer setuid root.
> > (It hasn't been for quite some time.)
>
> Darn, yes, you are quite right.
> ssh was setuid root for what I was trying.
> >
> > For version 2, ssh uses the setuid root binary, ssh-keysign, when doing
> > Hostbased authentication. However, ssh does not use this binary when
> > using protocol 1. To use RhostsRSAAuthentication for any user other than root,
> > you must make the ssh binary setuid root and accept any risks thereof.
>
> Yup, we have had to until the last DEC stops.
>
> Many thanks for your reply to silly me.
>
>
> >
> > >
> > > "
> > > ssh -vvv -1 -o "RhostsAuthentication yes" AAAA
> > > OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
> > > debug1: Reading configuration data /etc/ssh/ssh_config
> > > debug1: Applying options for *
> > > debug2: ssh_connect: needpriv 1
> > > debug1: Connecting to AAAA [AAAA] port 22.
> > > debug1: Allocated local port 1023.
> > > debug1: Connection established.
> > > debug1: read PEM private key done: type DSA
> > > debug1: read PEM private key done: type RSA
> > > debug1: identity file /u/XXXXXX/mr/.ssh/identity type -1
> > > debug1: Remote protocol version 1.5, remote software version 1.2.27
> > > debug1: no match: 1.2.27
> > > debug1: Local version string SSH-1.5-OpenSSH_3.8p1
> > > debug1: Waiting for server public key.
> > > debug1: Received server public key (768 bits) and host key (1024 bits).
> > > debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
> > > debug3: check_host_in_hostfile: match line 73
> > > debug3: check_host_in_hostfile: filename /u/XXXXXX/mr/.ssh/known_hosts
> > > debug3: check_host_in_hostfile: match line 73
> > > debug1: Host 'AAAA' is known and matches the RSA1 host key.
> > > debug1: Found key in /u/XXXXXX/mr/.ssh/known_hosts:73
> > > debug1: Encryption type: 3des
> > > debug1: Sent encrypted session key.
> > > debug2: cipher_init: set keylen (16 -> 32)
> > > debug2: cipher_init: set keylen (16 -> 32)
> > > debug1: Installing crc compensation attack detector.
> > > debug1: Received encrypted confirmation.
> > > debug1: Doing password authentication.
> > > mr at tcm30's password:
> > > "
> > >
> > > # This is ssh server systemwide configuration file.
> > > "
> > > Port 22
> > > ListenAddress 0.0.0.0
> > > HostKey /etc/ssh_host_key
> > > RandomSeed /etc/ssh_random_seed
> > > ServerKeyBits 768
> > > LoginGraceTime 600
> > > KeyRegenerationInterval 7200
> > > PermitRootLogin yes
> > > IgnoreRhosts no
> > > StrictModes yes
> > > QuietMode no
> > > X11Forwarding yes
> > > X11DisplayOffset 10
> > > FascistLogging no
> > > PrintMotd yes
> > > KeepAlive yes
> > > SyslogFacility DAEMON
> > > RhostsAuthentication yes
> > > RhostsRSAAuthentication yes
> > > RSAAuthentication no
> > > PasswordAuthentication yes
> > > PermitEmptyPasswords no
> > > UseLogin no
> > > "
> > >
> > >
> > > The rest of the detail is in the attached text file.
> > >
> > >
> > > I hope that is enough info.
> > >
> > > regards,
> > >
> > > Mike Rose
> >
> >
> > --
> > Iain Morgan
> > NAS Desktop Support Group
> >
>
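The thread turns on two things the man page text does not spell out: a client host listed in /etc/hosts.equiv still needs a host key the server can verify (the "Your host key cannot be verified" line), and protocol 1 RhostsRSAAuthentication only works for non-root users when the ssh binary is setuid root. The following audit script is an added example for this page, not code from OpenSSH or from anyone in the thread. It assumes the hosts.equiv/shosts.equiv and known_hosts line formats as documented in sshd(8) (plain hostnames, "+"/"-" entries, "+@netgroup", comma-separated hostnames, "[host]:port" names, "|1|" hashed names, "@revoked" markers, and old "host bits exponent modulus" RSA1 lines); the function names and the sample file contents are constructed for illustration.

```python
"""Audit helper for OpenSSH rhosts / RhostsRSA host-based trust.

Reports client hosts that hosts.equiv or shosts.equiv trusts but for which
no host key exists in a known_hosts file (the server cannot verify such a
host, which is the failure shown in the thread), plus a helper for
checking whether an ssh binary is setuid root.  Hypothetical example code
written for this page, not part of OpenSSH.
"""
import os
import stat
from dataclasses import dataclass, field


@dataclass
class KnownHosts:
    by_name: dict = field(default_factory=dict)   # hostname -> list of key types
    hashed_entries: int = 0                        # "|1|..." lines, unmatchable by name
    revoked: set = field(default_factory=set)      # hostnames under an @revoked marker


def parse_known_hosts(text):
    """Parse known_hosts text (protocol 1 RSA1 and protocol 2 entries)."""
    kh = KnownHosts()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):              # @cert-authority / @revoked
            marker, fields = fields[0], fields[1:]
        if len(fields) < 2:
            continue
        names, second = fields[0], fields[1]
        if names.startswith("|1|"):                # hashed hostname: cannot audit by name
            kh.hashed_entries += 1
            continue
        # RSA1 (protocol 1) lines are "host bits exponent modulus"; the second
        # field is the key length rather than a key type string.
        keytype = "rsa1" if second.isdigit() else second
        for name in names.split(","):
            if name.startswith("!"):               # negated pattern: not a trusted name
                continue
            if name.startswith("[") and "]:" in name:
                name = name[1:name.index("]:")]    # "[host]:port" -> host
            if marker == "@revoked":
                kh.revoked.add(name)
            else:
                kh.by_name.setdefault(name, []).append(keytype)
    return kh


def parse_hosts_equiv(text):
    """Return (trusted_hosts, findings) for hosts.equiv / shosts.equiv text."""
    hosts, findings = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host = line.split()[0]                     # optional second field is a username
        if host == "+":
            findings.append("'+' wildcard trusts every client host")
        elif host.startswith("-"):
            continue                               # explicit deny: nothing to verify
        elif host.startswith("+@") or host.startswith("@"):
            findings.append(f"netgroup entry {host}: expand before auditing")
        else:
            hosts.append(host)
    return hosts, findings


def unverifiable_trusted_hosts(hosts_equiv_text, known_hosts_text):
    """List trusted hosts whose host key the server could not verify."""
    kh = parse_known_hosts(known_hosts_text)
    hosts, findings = parse_hosts_equiv(hosts_equiv_text)
    for host in hosts:
        if host in kh.revoked:
            findings.append(f"{host}: trusted but its host key is @revoked")
        elif host not in kh.by_name:
            findings.append(f"{host}: trusted but no host key in known_hosts")
    return findings


def is_setuid_root(st_mode, st_uid):
    """True when a file is owned by root and carries the setuid bit."""
    return st_uid == 0 and bool(st_mode & stat.S_ISUID)


def setuid_root_binaries(paths):
    """Return the subset of paths that are setuid root (missing paths skipped)."""
    found = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue
        if is_setuid_root(st.st_mode, st.st_uid):
            found.append(path)
    return found


# Constructed sample files (not from the thread).
SAMPLE_HOSTS_EQUIV = """\
# constructed sample hosts.equiv
alpha1.example.org
alpha2.example.org
alpha3.example.org
legacy.example.org
-badhost.example.org
+@cluster
"""
SAMPLE_KNOWN_HOSTS = """\
# constructed sample ssh_known_hosts: one RSA1 key, one protocol 2 key, one hashed
alpha1.example.org 1024 35 1234567890123456789
alpha2.example.org,10.0.0.2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7example=
|1|AbCdEfGhIjKlMnOpQrStUvWxYz0=|0123456789abcdefghijklmnopq= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQD
@revoked legacy.example.org 1024 35 9876543210
"""

if __name__ == "__main__":
    for finding in unverifiable_trusted_hosts(SAMPLE_HOSTS_EQUIV, SAMPLE_KNOWN_HOSTS):
        print(finding)
    print("setuid root:", setuid_root_binaries(["/usr/bin/ssh", "/usr/libexec/ssh-keysign"]))
```

Run against the real files (/etc/hosts.equiv or /etc/ssh/shosts.equiv and /etc/ssh/ssh_known_hosts) it lists exactly the hosts that would get the "Accepted ... by /etc/hosts.equiv" line followed by "Your host key cannot be verified". Hashed known_hosts entries are counted but not matched, so a non-zero hashed count means the report may be incomplete for those names.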
