Date: Sun, 13 May 2001 05:45:12 -0700 (PDT)
From: David Wolfskill <david@catwhisker.org>
Cc: current@FreeBSD.ORG
Subject: Re: ssh public key auth. incompatible between 2.3.0 vs. 2.9?
Message-ID: <200105131245.f4DCjC371948@bunrab.catwhisker.org>
In-Reply-To: <20010512234052.E18676@fw.wintelcom.net>

[Replies to both responders to date: 2 replies for the cost of a single
message. :-} dhw]

>Date: Sat, 12 May 2001 23:40:52 -0700
>From: Alfred Perlstein <bright@wintelcom.net>

>> So basically, I'm confused. ssh appears to work ok for password
>> authentication, but not for public key authentication -- or at least, it
>> doesn't appear to be (completely?) compatible with ssh 2.3.0. Or maybe
>> I'm overlooking something...?

>Brian Feldman switched the default to ssh2, for some reason it doesn't
>back off and try version 1. you need to do this "ssh -1 <host>" which
>is damn irritating, but I don't know of any other option.

The "-1" flag does not appear to be valid for ssh 2.9; attempting its use
generates a usage message.

>Would it be possible to try version 1 before password?

I'll give that a try later today. (I'm building today's -STABLE at the
moment; I s'pose I could chroot to the -CURRENT root & try it out that
way, but trying to explain the situation if it doesn't work sounds even
messier than what I've done so far....)

>Date: Sun, 13 May 2001 09:44:41 +0200
>From: Szilveszter Adam <sziszi@petra.hos.u-szeged.hu>

>I am working on reproducing this, so I would like to ask for
>clarification... Unless I am mistaken, you have 3.2-RELEASE on the machine
>that you are connecting to with ssh2 port installed. Right?

In this particular case, yes. And I had installed the ssh-2.0.12 port on
it (some time back). But I have observed similar behavior when the ssh
server is any of several different machines -- running FreeBSD 4.2-STABLE
or (SPARC) Solaris 2.6 or 8, for example.

>And you are trying to use RSA Auth using ssh1 on purpose although both
>sides could use ssh2 in theory.

Not particularly. I'm trying to use public key authentication, vs.
password authentication. Whether it's "RSA" or "DSA" isn't something I
care about (except to get it working); mostly, I want the same
functionality, and I'd prefer to at least know what steps I need to take,
so that if & when OpenSSH 2.9 is MFCed, folks who are similarly-situated
will be able to get a "heads up" on changes they may need to make to
preserve equivalent function.

>And you are seeing that -CURRENT's ssh does not fall back to RSA
>key auth when it cannot use DSA. But you have already used ssh2 to this
>host before. (Because it is contained in the known_hosts2 file).
>Maybe this confuses ssh.

Well, I've certainly used ssh 2.3.0 (under FreeBSD 4.3-STABLE, for
example) to get to it.

>In my setup, I have only one server that can do SSH2 (mine, the -CURRENT
>box) all others are unable, because they use either older versions of
>OpenSSH or the ssh1 from SSH Communications. But I have absolutely no
>problem in connecting between them with RSA keys... although I have just
>tried (almost) all combinations.:-) Even the -CURRENT server does well,
>although ssh2 is the first option tried in the server config because some
>windoze clients can do ssh2 already so why not use it? But admittedly I
>have not tried RSA auth between two ssh2 capable hosts... will need the
>help of a colleague with it. (who will kindly reboot the machine on the
>other end into FreeBSD-STABLE:-) Note that I do not have a known_hosts2 or
>an authorized_keys2 file anywhere.

Hmmm.... I just checked: I don't (happen to) have the laptop set up so
that I can use public key authentication to use ssh to itself. (I checked
this under -STABLE; OpenSSH 2.3.0.) After I boot -CURRENT, I may play
around with this a bit....

Thanks,
david
-- 
David H. Wolfskill				david@catwhisker.org
As a computing professional, I believe it would be unethical for me to
advise, recommend, or support the use (save possibly for personal
amusement) of any product that is or depends on any Microsoft product.