Date: Sun, 13 May 2001 07:28:13 -0700 (PDT) From: David Wolfskill <david@catwhisker.org> Cc: current@FreeBSD.ORG Subject: Re: ssh public key auth. incompatible between 2.3.0 vs. 2.9? Message-ID: <200105131428.f4DESDF72226@bunrab.catwhisker.org> In-Reply-To: <200105131245.f4DCjC371948@bunrab.catwhisker.org>
next in thread | previous in thread | raw e-mail | index | archive | help
>Date: Sun, 13 May 2001 05:45:12 -0700 (PDT)
>From: David Wolfskill <david@catwhisker.org>
>>Date: Sat, 12 May 2001 23:40:52 -0700
>>From: Alfred Perlstein <bright@wintelcom.net>
>>> So basically, I'm confused. ssh appears to work ok for password
>>> authentication, but not for public key authentication -- or at least, it
>>> doesn't appear to be (completely?) compatible with ssh 2.3.0. Or maybe
>>> I'm overlooking something...?
>>Brian Feldman switched the default to ssh2, for some reason it doesn't
>>back off and try version 1. you need to do this "ssh -1 <host>" which
>>is damn irritating, but I don't know of any other option.
>The "-1" flag does not appear to be valid for ssh 2.9; attempting its
>use generates a usage message.
Brain-o, there on my part -- that was 2.3.0 that didn't cope with "-1".
2.9 honored it OK, and once I responded affirmatively to:
The authenticity of host 'bunrab.catwhisker.org (172.16.8.11)' can't be established.
RSA1 key fingerprint is 42:a4:6d:32:b1:57:09:81:2c:c5:86:70:61:0b:7c:fe.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bunrab.catwhisker.org' (RSA1) to the list of known hosts.
it seems to have allowed public key authentication.
However, the fact that I got that little dialog would appear to indicate
that this really isn't a V1 vs. V2 protocol issue per se, unless I'm confused.
>>Would it be possible to try version 1 before password?
>I'll give that a try later today. (I'm building today's -STABLE at the
>moment....
-STABLE built OK; I'm building -CURRENT now.
So while it's building....
I tried creating ~/.ssh/config, and specified "Protocol 1,2" in it.
Prior to doing this, attempting to use ssh from -CURRENT to a local
SPARCstation was handled same as ssh to my FreeBSD 3.2-R box: public
key authentication appeared to want a file I don't have (since my keys
are in ~/.ssh/identity{,.pub}, and it's looking for ~/.ssh/id_{r,d}sa:
dhcp-140[1] ssh -v pogo
OpenSSH_2.9 green@FreeBSD.org 20010503, SSH protocols 1.5/2.0, OpenSSL 0x00906010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
debug1: Connecting to pogo.catwhisker.org [172.16.8.12] port 22.
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/david/.ssh/identity type 0
debug1: identity file /home/david/.ssh/id_rsa type -1
debug1: identity file /home/david/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p2
debug1: match: OpenSSH_2.5.1p2 pat ^OpenSSH_2\.5\.[012]
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9 green@FreeBSD.org 20010503
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 137/256
debug1: bits set: 1049/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'pogo.catwhisker.org' is known and matches the DSA host key.
debug1: Found key in /home/david/.ssh/known_hosts2:2
debug1: bits set: 1044/2049
debug1: len 55 datafellows 49152
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/david/.ssh/id_rsa
debug1: try privkey: /home/david/.ssh/id_dsa
debug1: next auth method to try is password
david@pogo.catwhisker.org's password:
Then:
dhcp-140[2] echo "Protocol 1,2" >~/.ssh/config
dhcp-140[3] cat ~/.ssh/config
Protocol 1,2
dhcp-140[4] ssh -v pogo
OpenSSH_2.9 green@FreeBSD.org 20010503, SSH protocols 1.5/2.0, OpenSSL 0x00906010
debug1: Reading configuration data /home/david/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
...
debug1: Connection established.
debug1: identity file /home/david/.ssh/identity type 0
debug1: identity file /home/david/.ssh/id_rsa type -1
debug1: identity file /home/david/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p2
debug1: match: OpenSSH_2.5.1p2 pat ^OpenSSH_2\.5\.[012]
debug1: Local version string SSH-1.5-OpenSSH_2.9 green@FreeBSD.org 20010503
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
The authenticity of host 'pogo.catwhisker.org (172.16.8.12)' can't be established.
RSA1 key fingerprint is 1c:8a:cb:0f:4b:88:1b:02:84:e0:f6:af:38:82:9b:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'pogo.catwhisker.org' (RSA1) to the list of known hosts.
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication via agent with 'david@dhcp-135.catwhisker.org'
debug1: Received RSA challenge from server.
debug1: Sending response to RSA challenge.
debug1: Remote: RSA authentication accepted.
debug1: RSA authentication accepted by server.
debug1: Requesting pty.
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Sun May 13 07:07:17 2001 from dhcp-140.catwhi
Sun Microsystems Inc. SunOS 5.6 Generic August 1997
pogo[1] exit
Summing up(!), it appears that use of the V1 protocol allows the
communication to work, but the "cost" (or "heads up issue") is that the
ssh server hosts won't (necessarily?) be recognized (so automated
procedures may well not work before manual intervention).
Thanks,
david
--
David H. Wolfskill david@catwhisker.org
As a computing professional, I believe it would be unethical for me to
advise, recommend, or support the use (save possibly for personal
amusement) of any product that is or depends on any Microsoft product.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200105131428.f4DESDF72226>