gabriel rosenkoetter on Wed, 17 Jan 2001 12:57:27 -0500



Re: [PLUG] ssh rsa authentication troubles


On Wed, Jan 17, 2001 at 10:49:28AM +0100, MaD dUCK wrote:
> scenario:
> 
>   client running openssh 2.1.1 protocol 2
>   3 servers (madduck, sccs, sirius) running ssh 1.2.27 protocol 1.5

Presuming the sirius you mean is mine, Martin, it's actually running
OpenSSH 2.1.1 too. (I know /usr/local/sbin/sshd still exists and is
SSH.com's 1.2.27, but it's not the one that's run out of rc.local,
and it'll get wiped when that machine is upgraded to NetBSD 1.5
later this week... especially since 1.5 ships with NetBSD's port of
OpenSSH 2.2.)

>   3 servers (ceylon, uriel, localhost) running openssh 2.1.1 protocol 2

This correction does give you a pattern below:

>                       ssh version          rsa works?
>   madduck@sccs        1.2.27               yes
>   madduck@uriel       2.1.1                no
    madduck@sirius      2.1.1                no
>   madduck@madduck     1.2.27               yes
>   madduck@ceylon      2.1.1                no
>   testuser@localhost  2.1.1                no

OpenSSH is pickier about syntax. (For instance, where SSH.com's ssh
will accept any white space in its /etc/ssh_config and ~/.ssh/config
files, OpenSSH insists on tabs.)

I have no problem connecting to any of those machines with RSA
authentication, using either 1.2.2x or 2.1.1 clients.

What does your authorized_keys file look like? (It's safe to post
that, don't worry... all we could do with it is let you into our
computers.)

> ssh_config@localhost:
> ========
>   Host *
>     ForwardAgent yes
>     ForwardX11 yes
>     RhostsAuthentication no
>     RhostsRSAAuthentication yes
>     RSAAuthentication yes
>     TISAuthentication no
>     PasswordAuthentication yes
>     FallBackToRsh no
>     UseRsh no
>     BatchMode no
>     CheckHostIP yes
>     StrictHostKeyChecking no
>     IdentityFile ~/.ssh/identity
>     Port 22
>     Protocol 2,1
>     Cipher 3des
>     EscapeChar ~
> ========

Presuming you're using OpenSSH 2.1.1 locally, this config file
simply won't work. All those spaces MUST be tabs. Btw, I strongly
disagree with allowing X11 and Agent forwarding to *... default
should be off, you should turn it on for specific, trusted hosts.

> sshd_config@localhost:
> ========
>   Port 22
>   ListenAddress 0.0.0.0
>   HostKey /etc/ssh/ssh_host_key
>   ServerKeyBits 768
>   LoginGraceTime 600
>   KeyRegenerationInterval 3600
>   PermitRootLogin yes
>   IgnoreRhosts yes
>   StrictModes yes
>   X11Forwarding yes
>   X11DisplayOffset 10
>   PrintMotd yes
>   KeepAlive yes
>   SyslogFacility AUTH
>   LogLevel INFO
>   RhostsAuthentication no
>   RhostsRSAAuthentication yes
>   RSAAuthentication yes
>   PasswordAuthentication yes
>   PermitEmptyPasswords no
>   UseLogin no
>   CheckMail no
> =========

I'm shocked that OpenSSH's sshd isn't bitching loudly about this.
(Have you checked your logs?)

Same goes for the files on madduck.

Fix the config files, see if that makes the problem go away.

       ~ g r @ eclipsed.net
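As an added example (not code from this thread or from OpenSSH), a small Python parser for the OpenSSH client config discussed above: it computes which options a given host actually ends up with (OpenSSH uses the first matching block that sets a keyword) and flags ForwardAgent/ForwardX11 enabled under `Host *`, showing the poster's layout beside the restructured one the reply recommends. The host name sccs in the restructured sample is an assumption.

```python
import fnmatch
import re

# Constructed sample shaped like the poster's file: forwarding on for every host.
LAX_CONFIG = """\
Host *
    ForwardAgent yes
    ForwardX11 yes
    Protocol 2,1
"""
# Restructured as the reply advises: forwarding only for one trusted host
# (sccs, assumed here), off for everything else.
TIGHT_CONFIG = """\
Host sccs
    ForwardAgent yes
    ForwardX11 yes
Host *
    ForwardAgent no
    ForwardX11 no
    Protocol 2,1
"""

def parse_ssh_config(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order; keywords are
    case-insensitive, '=' or whitespace separates the value. Negated (!) patterns
    are not handled (simplification)."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+)(.+)$", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = val.split(), {}
        else:
            opts.setdefault(key, val)
    blocks.append((patterns, opts))
    return [b for b in blocks if b[1]]  # drop empty blocks

def effective_options(blocks, hostname):
    """OpenSSH semantics: the first matching block that sets a keyword wins."""
    result = {}
    for patterns, opts in blocks:
        if any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            for key, val in opts.items():
                result.setdefault(key, val)
    return result

def wildcard_forwarding(blocks):
    """Forwarding keywords that a 'Host *' block turns on for all hosts."""
    return [k for patterns, opts in blocks if "*" in patterns
            for k in ("forwardagent", "forwardx11")
            if opts.get(k, "no").lower() == "yes"]
```

Because the `Host sccs` block comes first, it wins for sccs while every other host falls through to the `Host *` defaults with forwarding off.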


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug