From owner-freebsd-stable Sat Mar 3 15:17:10 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
	by hub.freebsd.org (Postfix) with ESMTP id DE9FB37B718
	for ; Sat, 3 Mar 2001 15:17:07 -0800 (PST)
	(envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168])
	by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19);
	Sat, 3 Mar 2001 15:14:58 -0800
Received: (from cjc@localhost)
	by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f23NGnE25164;
	Sat, 3 Mar 2001 15:16:49 -0800 (PST)
	(envelope-from cjc)
Date: Sat, 3 Mar 2001 15:16:46 -0800
From: "Crist J. Clark"
To: John Polstra
Cc: stable@FreeBSD.ORG
Subject: Re: Is RhostsRSAAuthentication broken?
Message-ID: <20010303151646.N89396@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from jdp@polstra.com on Sat, Mar 03, 2001 at 01:38:07PM -0800
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, Mar 03, 2001 at 01:38:07PM -0800, John Polstra wrote:
> Is ssh's RhostsRSAAuthentication using the ~/.shosts file broken in
> -stable? On the server, OpenSSH on a FreeBSD-stable machine from Jan
> 30, /etc/ssh/sshd_config contains:
>
>     IgnoreRhosts no
>     IgnoreUserKnownHosts no
>     RhostsRSAAuthentication yes
>
> and the ~/.shosts file is set up correctly for the host+user that
> wants to connect. Also, I have the client's public host key (RSA) in
> both ~/.ssh/known_hosts and /etc/ssh/ssh_known_hosts on the server
> machine.
>
> On the client side, ~/.ssh/config contains:
>
>     Host server.example.com
>     RhostsRSAAuthentication yes
>
> When the client is OpenSSH on a FreeBSD-stable machine, "slogin -v
> server.example.com" shows no attempt at all by the client to use
> RhostsRSAAuthentication.

Is /usr/bin/ssh setuid root on the client? It no longer is by
default. Do it by hand or enable,

    # To enable installing ssh(1) with the setuid bit turned on
    ENABLE_SUID_SSH= true

In your /etc/make.conf.

> When the client is ssh-1.2.27, "slogin -v server.example.com" says:
>
>     Remote: Accepted by .shosts.
>     Remote: Your host key cannot be verified: unknown or invalid host key.

Looks like a key problem, probably a separate issue.
--
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
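
A client-side check for the condition raised in the reply above, as an added example that is not part of the original message: it reports whether the ssh binary carries the setuid bit with a root owner and whether make.conf sets ENABLE_SUID_SSH. The function names are hypothetical, and treating any uncommented assignment of the knob as "set" is an assumption about how the build reads it.

```shell
#!/bin/sh
# Added diagnostic, not from the original thread. Function names are hypothetical.

# ssh_suid_state FILE
# Prints one of: missing, no-suid, suid-nonroot, suid-root
ssh_suid_state() {
    f=$1
    [ -e "$f" ] || { echo missing; return; }
    # -u is true only when the setuid mode bit is set on the file
    [ -u "$f" ] || { echo no-suid; return; }
    # ls -lnL follows symlinks and prints the numeric owner uid in field 3
    owner=$(ls -lnL "$f" | awk '{print $3}')
    if [ "$owner" = 0 ]; then
        echo suid-root
    else
        # setuid to a non-root user does not give ssh the root privileges
        # the reply is asking about
        echo suid-nonroot
    fi
}

# makeconf_enables_suid FILE
# Succeeds if FILE contains an uncommented ENABLE_SUID_SSH assignment.
# Assumption: any uncommented assignment counts as enabling the knob.
makeconf_enables_suid() {
    [ -r "$1" ] &&
        grep -Eq '^[[:space:]]*ENABLE_SUID_SSH[[:space:]]*\??=' "$1"
}

# rhostsrsa_report SSH_BINARY MAKE_CONF
# One-line summary suitable for pasting into a bug report.
rhostsrsa_report() {
    state=$(ssh_suid_state "$1")
    if makeconf_enables_suid "$2"; then knob=set; else knob=unset; fi
    echo "binary=$state make.conf=$knob"
}

# Paths as named in the message above.
rhostsrsa_report /usr/bin/ssh /etc/make.conf
```

A result of `binary=no-suid make.conf=set` means the knob was added but ssh has not been reinstalled since.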