Date:      Sat, 12 May 2001 22:40:35 -0700 (PDT)
From:      David Wolfskill <david@catwhisker.org>
To:        current@freebsd.org
Subject:   ssh public key auth. incompatible between 2.3.0 vs. 2.9?
Message-ID:  <200105130540.f4D5eZl71004@bunrab.catwhisker.org>

OK; there's something about the (relatively) new ssh (2.9) in -CURRENT
I'm not understanding.  I have hunted around for some clues (via man pages
& the like), but it could well be that I'm still failing to notice
something -- quite possibly something that should be obvious to even me
-- and I welcome a clue.

Basically, the setup I use in -STABLE, where I'm able to use my
public/private key pair for authentication, is not working in -CURRENT.
(ssh in -CURRENT is reverting to password authentication.)

On the machine (my laptop, where I have been tracking both -STABLE and
-CURRENT daily for the past 1.5 months or so, and each environment has
its own / and /usr, but /usr/local, /var, and my home directory are
common -- as is the local CVS repository), I have it set up to start X
(4.0.3) via xdm.  Thus, my ~/.xsession script is run when I login.

The first part of that script reads:

#! /bin/csh

if { test -x `which ssh-askpass` } then
  eval `ssh-agent`
  ssh-add
  set ssh_test = `ssh-add -l` || exit 1
  echo "$ssh_test" | grep '@' >/dev/null
  if ( $? ) then
    echo "What part of 'Need passphrase' don't you understand?"
    exit 2
  endif
endif

set in_xdm = "1"
source ~/.cshrc

....



(I do *not* normally use csh for script-writing.  However, since I use
it (well, tcsh) as my normal shell, there are some advantages to having
the ssh-agent stuff use csh semantics.  And it allows a bit more
consistency for figuring out things like my customized execution path.
And prior to ssh 2.9 in -CURRENT, this was also working in -CURRENT...
but it took a couple of days for things to get to a reasonably steady
state for ssh 2.9 in -CURRENT, which is why I didn't write about this
earlier:  I figured it's sufficiently messy that it was a little
premature to do that just yet.  But I certainly want folks to be aware
of what is going on, now that I've started seeing requests to MFC ssh
2.9.)

Now, as noted, my home directory is common between the 2 environments,
so I have a high degree of confidence that the files look the same from
either environment.  And I built the first -CURRENT environment from
FreeBSD 4.3-STABLE near the 2nd week of March; that part's been tracking
-CURRENT since... and this was after /etc/ssh had been populated
originally, so the host keys are the same.  Here's /etc/ssh on the
-STABLE side:

dhcp-140[1] ls -la /S1/etc/ssh
total 37
drwxr-xr-x   2 root  wheel    512 May  3 06:57 .
drwxr-xr-x  17 root  wheel   2560 May 12 07:07 ..
-rw-r--r--   1 root  wheel  26346 May  3 06:57 primes
-rw-r--r--   1 root  wheel    976 Mar  6 07:46 ssh_config
-rw-------   1 root  wheel    668 Mar  6 09:33 ssh_host_dsa_key
-rw-r--r--   1 root  wheel    595 Mar  6 09:33 ssh_host_dsa_key.pub
-rw-------   1 root  wheel    520 Mar  6 09:33 ssh_host_key
-rw-r--r--   1 root  wheel    324 Mar  6 09:33 ssh_host_key.pub
-rw-r--r--   1 root  wheel   1480 Mar  6 07:46 sshd_config
dhcp-140[2] 


and the -CURRENT side:
dhcp-140[2] ls -la /etc/ssh
total 39
drwxr-xr-x   2 root  wheel    512 May  9 10:18 .
drwxr-xr-x  16 root  wheel   2560 May 11 09:56 ..
-rw-r--r--   1 root  wheel  26346 Mar 27 08:01 primes
-rw-r--r--   1 root  wheel    909 Mar  7 21:29 ssh_config
-rw-------   1 root  wheel    668 Mar  6 09:33 ssh_host_dsa_key
-rw-r--r--   1 root  wheel    595 Mar  6 09:33 ssh_host_dsa_key.pub
-rw-------   1 root  wheel    520 Mar  6 09:33 ssh_host_key
-rw-r--r--   1 root  wheel    324 Mar  6 09:33 ssh_host_key.pub
-rw-------   1 root  wheel    529 May  9 10:18 ssh_host_rsa_key
-rw-r--r--   1 root  wheel    333 May  9 10:18 ssh_host_rsa_key.pub
-rw-r--r--   1 root  wheel   1776 May  6 09:41 sshd_config
dhcp-140[3] 

and in particular:

dhcp-140[3] sudo cmp {/S1,}/etc/ssh/ssh_host_key
Password:
dhcp-140[4] sudo cmp {/S1,}/etc/ssh/ssh_host_key.pub
dhcp-140[5] sudo cmp {/S1,}/etc/ssh/ssh_config
/S1/etc/ssh/ssh_config /etc/ssh/ssh_config differ: char 196, line 5
dhcp-140[6] sudo diff -u {/S1,}/etc/ssh/ssh_config
--- /S1/etc/ssh/ssh_config      Tue Mar  6 07:46:45 2001
+++ /etc/ssh/ssh_config Wed Mar  7 21:29:09 2001
@@ -2,7 +2,7 @@
 # defaults for users, and the values can be changed in per-user configuration
 # files or on the command line.
 #
-# $FreeBSD: src/crypto/openssh/ssh_config,v 1.6 2000/09/10 09:35:38 kris Exp $
+# $FreeBSD$
 
 # Configuration data is parsed as follows:
 #  1. command line options
dhcp-140[7] 


OK; I *think* that's a difference that ought not be relevant to the
issue I'm seeing....  :-}


[Sorry if things get disjointed at this point.  My laptop re-booted; as
far as I know, I had just hit the "A" key.  The /var filesystem needed a
manual fsck, which I did, then I re-booted.  It seems to have done
Kirk's "background fsck" magic OK; I HUPped the process (which was still
hanging around on the machine where I was composing this note) and
recovered the buffer up to this parenthetical comment.  dhw]

So, I tried an experiment to illustrate the issue.  I booted -CURRENT,
and (under script) issued an "ssh -v bunrab".  I then booted -STABLE,
and did it again (using a different filename).  I then edited the script
files:  I removed all of the ^Ms, and I then (in order to reduce the
number of irrelevant mis-matches) changed all of the "^debug: " lines in
the -STABLE file to read "^debug1: " instead.  (License, I know.  I'm
happy to provide complete files, but this is quite long enough as it
is.)

Here's the diff output:

--- ssh-stable	Sat May 12 19:45:54 2001
+++ ssh-current	Sat May 12 19:43:03 2001
@@ -1,34 +1,61 @@
-Script started on Sat May 12 19:35:12 2001
+Script started on Sat May 12 19:40:40 2001
 dhcp-140[1] ssh -v bunrab
-SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
-Compiled with SSL (0x0090600f).
+OpenSSH_2.9 green@FreeBSD.org 20010503, SSH protocols 1.5/2.0, OpenSSL 0x00906010
 debug1: Reading configuration data /etc/ssh/ssh_config
+debug1: Rhosts Authentication disabled, originating port will not be trusted.
+debug1: restore_uid
 debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
 debug1: Connecting to bunrab.catwhisker.org [172.16.8.11] port 22.
+debug1: temporarily_use_uid: 1001/20 (e=1001)
+debug1: restore_uid
+debug1: temporarily_use_uid: 1001/20 (e=1001)
+debug1: restore_uid
 debug1: Connection established.
+debug1: identity file /home/david/.ssh/identity type 0
+debug1: identity file /home/david/.ssh/id_rsa type -1
+debug1: identity file /home/david/.ssh/id_dsa type -1
 debug1: Remote protocol version 1.99, remote software version 2.0.12 (non-commercial)
 debug1: match: 2.0.12 (non-commercial) pat ^2\.0\.
-
-debug1: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
-debug1: Waiting for server public key.
-debug1: Received server public key (768 bits) and host key (1024 bits).
-debug1: Host 'bunrab' is known and matches the RSA host key.
-debug1: Encryption type: 3des
-debug1: Sent encrypted session key.
-debug1: Installing crc compensation attack detector.
-debug1: Received encrypted confirmation.
-debug1: Trying RSA authentication via agent with 'david@dhcp-135.catwhisker.org'
-debug1: Received RSA challenge from server.
-debug1: Sending response to RSA challenge.
-debug1: Remote: RSA authentication accepted.
-debug1: RSA authentication accepted by server.
-debug1: Requesting pty.
-debug1: Requesting shell.
+Enabling compatibility mode for protocol 2.0
+debug1: Local version string SSH-2.0-OpenSSH_2.9 green@FreeBSD.org 20010503
+debug1: SSH2_MSG_KEXINIT sent
+debug1: SSH2_MSG_KEXINIT received
+debug1: kex: server->client 3des-cbc hmac-md5 none
+debug1: kex: client->server 3des-cbc hmac-md5 none
+debug1: dh_gen_key: priv key bits set: 210/384
+debug1: bits set: 544/1024
+debug1: sending SSH2_MSG_KEXDH_INIT
+debug1: expecting SSH2_MSG_KEXDH_REPLY
+debug1: Host 'bunrab.catwhisker.org' is known and matches the DSA host key.
+debug1: Found key in /home/david/.ssh/known_hosts2:1
+debug1: bits set: 493/1024
+debug1: len 40 datafellows 8831
+debug1: ssh_dss_verify: signature correct
+debug1: kex_derive_keys
+debug1: newkeys: mode 1
+debug1: SSH2_MSG_NEWKEYS sent
+debug1: waiting for SSH2_MSG_NEWKEYS
+debug1: newkeys: mode 0
+debug1: SSH2_MSG_NEWKEYS received
+debug1: done: ssh_kex2.
+debug1: send SSH2_MSG_SERVICE_REQUEST
+debug1: buggy server: service_accept w/o service
+debug1: got SSH2_MSG_SERVICE_ACCEPT
+debug1: authentications that can continue: publickey,password
+debug1: next auth method to try is publickey
+debug1: try privkey: /home/david/.ssh/id_rsa
+debug1: try privkey: /home/david/.ssh/id_dsa
+debug1: next auth method to try is password
+david@bunrab.catwhisker.org's password: 
+debug1: ssh-userauth2 successful: method password
+debug1: channel 0: new [client-session]
+debug1: channel_new: 0
+debug1: send channel open 0
 debug1: Entering interactive session.
-Last login: Sat May 12 19:34:38 2001 from dhcp-140
-Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
-	The Regents of the University of California.   All rights reserved.
-
+debug1: client_init id 0 arg 0
+debug1: channel request 0: shell
+debug1: channel 0: open confirm rwindow 10000 rmax 16384
+Last login: Sat May 12 19:35:26 2001
 FreeBSD 3.2-RELEASE (BUNRAB) #3: Sun Apr 30 19:44:37 PDT 2000
 
 Welcome to FreeBSD!  You will find security advisories and updated
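Review bot: the hunk shows a protocol-version change, not a damaged key file, and that change is what keeps the 2.9 client from using the key that works under 2.3.0. In the removed lines the 2.3.0 client announces `SSH-1.5-OpenSSH_2.3.0` and succeeds via "Trying RSA authentication via agent", i.e. protocol 1 with the RSA1 key in ~/.ssh/identity. In the added lines the 2.9 client, on seeing "Remote protocol version 1.99", prints "Enabling compatibility mode for protocol 2.0" and announces `SSH-2.0-OpenSSH_2.9`; the server then offers publickey,password, and protocol-2 publickey only tries id_rsa and id_dsa, both logged earlier as "type -1" (not present), while identity ("type 0", a protocol-1 key) is never offered, so the client falls through to password. Two checks follow from this: whether the 2.9 client still authenticates with the agent when restricted to protocol 1 against this server, and whether a protocol-2 key pair, once authorized on bunrab, is accepted. The "buggy server: service_accept w/o service" line is a compatibility note for the 2.0.12 server (the very next line is "got SSH2_MSG_SERVICE_ACCEPT"), not the failure.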
@@ -51,11 +78,25 @@
 configuration  utility.  Edit /etc/motd to change this login announcement.
 
 You have mail.
-bunrab[1] ^Dexit
-Connection to bunrab closed.
-debug1: Transferred: stdin 0, stdout 1201, stderr 30 bytes in 1.7 seconds
-debug1: Bytes per second: stdin 0.0, stdout 712.8, stderr 17.8
+bunrab[1] ^Ddebug1: client_input_channel_req: channel 0 rtype exit-status reply 0
+debug1: channel 0: rcvd close
+debug1: channel 0: output open -> drain
+debug1: channel 0: input open -> closed
+debug1: channel 0: close_read
+exit
+debug1: channel 0: obuf empty
+debug1: channel 0: output drain -> closed
+debug1: channel 0: close_write
+debug1: channel 0: send close
+debug1: channel 0: is dead
+debug1: channel_free: channel 0: status: The following connections are open:
+  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
+
+debug1: channel_free: channel 0: dettaching channel user
+Connection to bunrab.catwhisker.org closed.
+debug1: Transferred: stdin 0, stdout 0, stderr 45 bytes in 7.6 seconds
+debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 6.0
 debug1: Exit status 0
 dhcp-140[2] ^Dexit
 
-Script done on Sat May 12 19:35:46 2001
+Script done on Sat May 12 19:41:02 2001


So I note a couple of salient things that show up:

* Under ssh 2.9 (but not 2.3.0), the ssh server on bunrab engenders the
  line "debug1: buggy server: service_accept w/o service".

* Under ssh 2.9, ssh appears to be looking for my private key in
  /home/david/.ssh/id_rsa, then /home/david/.ssh/id_dsa.  Now, I never
  had either of those files; what I have in ~/.ssh is:

  -rw-------  1 david  wheel   544 Mar 27 08:55 identity
  -rw-rw-r--  1 david  wheel   348 Mar 23 19:06 identity.pub
  -rw-r--r--  1 david  wheel  5792 May 10 13:31 known_hosts
  -rw-r--r--  1 david  wheel  3035 May  9 10:21 known_hosts2

  I tried making "identity" a (hard) link to first id_rsa, then id_dsa,
  and re-tried the experiment.  The only difference I saw was that if
  id_rsa existed (as a link to identity), ssh didn't claim it was trying
  to use it; same for id_dsa.

So basically, I'm confused.  ssh appears to work ok for password
authentication, but not for public key authentication -- or at least, it
doesn't appear to be (completely?) compatible with ssh 2.3.0.  Or maybe
I'm overlooking something...?

Help?

Thanks,
-- 
David H. Wolfskill				david@catwhisker.org
As a computing professional, I believe it would be unethical for me to
advise, recommend, or support the use (save possibly for personal
amusement) of any product that is or depends on any Microsoft product.
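As an added diagnostic, not part of David's mail or of OpenSSH itself, the Python below parses client-side `ssh -v` transcripts of the kind diffed above and reports which protocol version was spoken, which identity files the client actually found (and of what key type), which methods the server offered and which one finally authenticated. The two sample transcripts are constructed from the debug1 lines quoted in the message; the identity "type" codes follow the OpenSSH 2.x key.h enum (0 RSA1, 1 RSA, 2 DSA, -1 file not readable).

```python
import re

# Constructed samples, abridged from the debug1 lines in the message above.
STABLE_LOG = """\
debug1: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug1: Trying RSA authentication via agent with 'david@dhcp-135.catwhisker.org'
debug1: RSA authentication accepted by server.
"""

CURRENT_LOG = """\
debug1: identity file /home/david/.ssh/identity type 0
debug1: identity file /home/david/.ssh/id_rsa type -1
debug1: identity file /home/david/.ssh/id_dsa type -1
debug1: Local version string SSH-2.0-OpenSSH_2.9 green@FreeBSD.org 20010503
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try privkey: /home/david/.ssh/id_rsa
debug1: try privkey: /home/david/.ssh/id_dsa
debug1: next auth method to try is password
debug1: ssh-userauth2 successful: method password
"""

# 'identity file ... type N' codes as printed by OpenSSH 2.x (key.h enum);
# -1 means the client could not read the file at all.
KEY_TYPE = {0: "rsa1", 1: "rsa", 2: "dsa", -1: "missing"}

def diagnose(log):
    """Summarise one `ssh -v` transcript: protocol spoken, keys found, auth method used."""
    report = {"protocol": None, "identities": {}, "offered": [], "method": None}
    for line in log.splitlines():
        m = re.match(r"debug1: Local version string SSH-(\d\.\d)-", line)
        if m:
            report["protocol"] = m.group(1)          # "1.5" = protocol 1, "2.0" = protocol 2
        m = re.match(r"debug1: identity file (\S+) type (-?\d+)", line)
        if m:
            report["identities"][m.group(1)] = KEY_TYPE.get(int(m.group(2)), "unknown")
        m = re.match(r"debug1: authentications that can continue: (\S+)", line)
        if m:
            report["offered"] = m.group(1).split(",")
        m = re.match(r"debug1: ssh-userauth2 successful: method (\w+)", line)
        if m:
            report["method"] = m.group(1)            # protocol-2 outcome
        if "RSA authentication accepted by server" in line:
            report["method"] = "rsa1"                # protocol-1 outcome
    # A protocol-2 session can only use publickey with an RSA or DSA key;
    # an RSA1 'identity' file is never offered, however the agent is loaded.
    usable = [p for p, t in report["identities"].items() if t in ("rsa", "dsa")]
    report["pubkey_possible"] = report["protocol"] == "1.5" or bool(usable)
    return report
```

Run against the -CURRENT transcript it reports protocol 2.0, only an RSA1 key present, and publickey impossible; against the -STABLE transcript it reports protocol 1.5 and RSA1 authentication succeeding.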


