From owner-freebsd-questions Wed Sep 12 20:05:15 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.gbch.net (gw.gbch.net [203.24.22.66]) by hub.freebsd.org (Postfix) with SMTP id E020637B414 for ; Wed, 12 Sep 2001 20:05:07 -0700 (PDT)
Received: (qmail 50299 invoked by uid 1001); 13 Sep 2001 13:00:58 +1000
Message-ID:
X-Posted-By: GJB-Post 2.21 16-Jun-2001
X-Operating-System: FreeBSD 4.2-RELEASE i386
X-Location: Brisbane, Australia; 27.49841S 152.98439E
X-URL: http://www.gbch.net/gjb.html
X-Image-URL: http://www.gbch.net/gjb/gjb-auug048.gif
X-GPG-Fingerprint: EBB2 2A92 A79D 1533 AC00 3C46 5D83 B6FB 4B04 B7D6
X-PGP-Public-Keys: http://www.gbch.net/keys.html
Date: Thu, 13 Sep 2001 13:00:58 +1000
From: Greg Black
Mail-Followup-To: gjb@gbch.net, questions@FreeBSD.ORG
To: Tony Wells
Cc: questions@FreeBSD.ORG
Subject: Re: Avoiding passwords with ssh under 4.3R
References: <3B9F9263.71665CAA@camel.kdsi.net>
In-reply-to: <3B9F9263.71665CAA@camel.kdsi.net> of Wed, 12 Sep 2001 11:50:43 EST
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Message re-formatted in the accepted format.  Please don't just
stick comments on the top of a quoted message.

Tony Wells wrote:

| Greg Black wrote:
|
| > I have recently installed 4.3-RELEASE on a system which needs
| > ssh access to a couple 4.2-R boxes.  I copied the ssh_config and
| > sshd_config files from the 4.2 boxes to the new system.
| >
| > From the 4.2 boxes, I can ssh to any system without a password,
| > but from the 4.3 box I am prompted for a password on every
| > system, including the 4.3 box itself.
| >
| > The other anomaly is that root can ssh out to all hosts from the
| > 4.3 box without a password; the password requirement is limited
| > to non-root users.
| >
| > If anybody can tell me what I've missed in order to ssh out of
| > that 4.3 box as an ordinary user without having to type a
| > password, I'd be delighted.
|
| It sounds like you're looking for RSA/DSA based authentication, for
| version 1 and 2 respectively.  On your new box, you probably don't have
| a key installed for the user that the server you're ssh'ing to
| recognizes.

The thing is that it was /not/ looking for the authentication I
wanted unless it was run by root.  As was made clear in the
information above, it was nothing to do with keys.  The following
line did not appear in the debug log (it just went straight to
password authentication):

    Trying rhosts or /etc/hosts.equiv with RSA host authentication

| If you 'man ssh' there is a pretty clear explanation on how to get this
| going.

If that was true, I would not have asked the question.

Anyway, I have discovered why it did not work under 4.3-R -- for
some reason /usr/sbin/ssh is not setuid root as it is on the 4.2
boxes.  My real question then is: why was this change made, since
it appears to break ssh operation?  And, for extra points, is there
any reason why I should not restore the setuid bit on ssh?

Please address replies to me as well as the list, as I'm not
currently subscribed.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
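A small shell audit for the two conditions the post ties together, the setuid bit on the ssh client binary and the RhostsRSAAuthentication setting in ssh_config; this is an added example, not code from the thread or from FreeBSD, and the binary and config paths are whatever the caller passes (no defaults are taken from the post).

```shell
#!/bin/sh
# Added example, not from the thread.  Reports whether the ssh client
# binary carries the setuid bit and whether ssh_config asks for
# rhosts/hosts.equiv RSA host authentication (the OpenSSH keyword
# RhostsRSAAuthentication), which a non-setuid client cannot perform
# for an unprivileged user.  Paths are supplied by the caller.

# 0 if the file has the set-user-ID bit, 1 otherwise (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# Owner of a file as reported by ls, to tell "setuid root" from
# "setuid some-other-user".
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# "yes" if an uncommented line enables RhostsRSAAuthentication
# (keyword and value separated by whitespace or '='), else "no".
# A missing or unreadable config counts as "no".
rhosts_rsa_enabled() {
    grep -iv '^[[:space:]]*#' "$1" 2>/dev/null \
      | grep -iqE '^[[:space:]]*RhostsRSAAuthentication[[:space:]=]+yes' \
      && echo yes || echo no
}

# One-line verdict, e.g. "not-setuid owner=root rhostsrsa=yes", which is
# the combination that drops a non-root user straight to a password prompt.
ssh_host_auth_status() {
    bin=$1
    cfg=$2
    if is_setuid "$bin"; then mode=setuid; else mode=not-setuid; fi
    echo "$mode owner=$(file_owner "$bin") rhostsrsa=$(rhosts_rsa_enabled "$cfg")"
}

# Usage: ssh_host_auth_status /path/to/ssh /path/to/ssh_config
```

A "not-setuid" verdict with rhostsrsa=yes matches the symptom in the post: the client skips the rhosts-RSA attempt without logging it, so the missing debug line is the only trace.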