Problems with RhostsRSAAuthentication and UsePrivilegeSeparation (RH9, 2.4.20-42.9.legacybigmem)

Martin Knoblauch spamtrap at knobisoft.de
Thu May 19 04:05:27 EST 2005


Hi,

 for some days now I am/was fighting with an annoying problem. I have
to support an environment where RhostsRSAAuthentication via
/etc/ssh/sshd_known_hosts is used for password-less login.

 This works fine with RH7.3 (and RH8) and openssh versions
openssh-3.1p1-3 (and openssh-3.4p1-2).

 Our customer has now requested an upgrade to RH9. That comes with
openssh-3.5p-11 and the password-less stuff (from the outside) does not
work any more.

$ ssh -v lpsdm05 date
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 43922 geteuid 0 anon 1
debug1: Connecting to lpsdm05 [160.48.88.26] port 22.
debug1: temporarily_use_uid: 43922/1000 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 43922/1000 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/qx29340/.ssh/identity type -1
debug1: identity file /home/qx29340/.ssh/id_rsa type 1
debug1: identity file /home/qx29340/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'lpsdm05' is known and matches the RSA1 host key.
debug1: Found key in /etc/ssh/ssh_known_hosts:4450
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug1: Remote: Accepted for lpsdm21.muc [160.48.88.10] by
/etc/hosts.equiv.
debug1: Remote: Your host key cannot be verified: unknown or invalid
host key.
debug1: Server refused our rhosts authentication or host key.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
qx29340 at lpsdm05's password:

 The interesting part is the "unknown or invalid host key". The
ssh_known_hosts file is maintained centrally and is good.

 First I suspected reverse lookup and added the IP address of the client
to ssh_known_hosts. And password-less login started to work again. But all
other tests I did showed that reverse lookup was working for all other
purposes.

 So I played a bit more and found that setting "UsePrivilegeSeparation
no" in sshd_config "solved" my problem. Unfortunately that option is
not documented very well. Any ideas why it should make RhostsRSAA fail?
While I am kind of happy now, I would like to understand what goes on :-)

 The problem also happens when I am running a plain 2.4.30 kernel and
openssh-3.9p1.


Thanks a lot in advance
Please CC me, as I am not on the list
Martin

------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www:   http://www.knobisoft.de
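The check the post describes doing by hand, looking up the client in /etc/ssh/ssh_known_hosts by name and by IP, as an added Python example (not from the original post and not OpenSSH's own code): it parses the known_hosts host field, including comma-separated patterns, negated patterns and hashed `|1|` entries, and reports which lines list a client by name, by IP, or both. The sample file and its key material are constructed.

```python
import base64
import fnmatch
import hashlib
import hmac

def make_hashed_entry(host, salt, keyspec):
    """Build a hashed line in the form ssh-keygen -H writes: |1|b64(salt)|b64(hmac-sha1)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s %s" % (base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode(), keyspec)

# Constructed sample ssh_known_hosts. Line 1: protocol-1 RSA1 entry (bits exponent
# modulus) by name only; line 2: name and IP; line 3: IP only; line 4: wildcard
# plus a negated pattern; line 5: hashed entry for lpsdm21.muc.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "lpsdm21.muc,lpsdm21 1024 35 1234567890123456789",
    "lpsdm05,160.48.88.26 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed",
    "160.48.88.10 ssh-dss AAAAB3NzaC1kc3MAAACBAPconstructed",
    "*.muc,!lpsdm99.muc ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed2",
    make_hashed_entry("lpsdm21.muc", b"constructed-salt-123", "ssh-rsa AAAAconstructed3"),
])

def host_matches(field, host):
    """True if a known_hosts host field (pattern list or |1| hash) matches host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64encode(mac).decode(), mac_b64)
    matched = False
    for pat in field.lower().split(","):
        negated = pat.startswith("!")
        if fnmatch.fnmatchcase(host.lower(), pat.lstrip("!")):
            if negated:
                return False      # a matching negated pattern vetoes the whole entry
            matched = True
    return matched

def audit_known_hosts(text, hostname, ip):
    """Return [(line_no, matched_by_name, matched_by_ip)] for entries naming the client."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        hosts = fields[1] if fields[0].startswith("@") else fields[0]  # skip @cert-authority/@revoked
        by_name, by_ip = host_matches(hosts, hostname), host_matches(hosts, ip)
        if by_name or by_ip:
            hits.append((n, by_name, by_ip))
    return hits
```

A client listed only by name (as in line 1) depends on the server resolving its address back to that name, which is the case the post works around by adding the IP.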