OK; there's something about the (relatively) new ssh (2.9) in -CURRENT
I'm not understanding.  I have hunted around for some clues (via man pages
& the like), but it could well be that I'm still failing to notice
something -- quite possibly something that should be obvious to even me
-- and I welcome a clue.

Basically, the setup I use in -STABLE, where I'm able to use my
public/private key pair for authentication, is not working in -CURRENT.
(ssh in -CURRENT is reverting to password authentication.)

On the machine (my laptop, where I have been tracking both -STABLE and
-CURRENT daily for the past 1.5 months or so, and each environment has
its own / and /usr, but /usr/local, /var, and my home directory are
common -- as is the local CVS respository), I have it set up to start X
(4.0.3) via xdm.  Thus, my ~/.xsession script is run when I login.

The first part of that script reads:

#! /bin/csh

if { test -x `which ssh-askpass` } then
  eval `ssh-agent`
  set ssh_test = `ssh-add -l` || exit 1
  echo "$ssh_test" | grep '@' >/dev/null
  if ( $? ) then
    echo "What part of 'Need passphrase' don't you understand?"
    exit 2

set in_xdm = "1"
source ~/.cshrc


(I do *not* normally use csh for script-writing.  However, since I use
it (well, tcsh) as my normal shell, there are some advantages to having
the ssh-agent stuff use csh semantics.  And it allows a bit more
consistency forfiguring out things like my customized execution path.
And prior to ssh .29 in -CURRENT, this was also working in -CURRENT...
but it took a couple of days for things to get to a reasonably steady
state or ssh 2.9 in -CURRENT, which is why I didn't write about this
earlier:  I figured it's sufficiently messy that it was a little
premature to do that just yet.  But I certainly want folks to be aware
of what is going on, now that I've started seeing requested to MFC ssh

Now, as noted, my home directory is common between the 2 environments,
so I have a high degree of confidence that the files look the same from
either environment.  And I built the first -CURRENT environment from
FreeBSD 4.3-STABLE near the 2nd week of March; that part's been tracking
-CURRENT since... and this was after /etc/ssh had been populated
originally, so the host keys are the same.  Here's /etc/ssh on the
-STABLE side:

dhcp-140[1] ls -la /S1/etc/ssh
total 37
drwxr-xr-x   2 root  wheel    512 May  3 06:57 .
drwxr-xr-x  17 root  wheel   2560 May 12 07:07 ..
-rw-r--r--   1 root  wheel  26346 May  3 06:57 primes
-rw-r--r--   1 root  wheel    976 Mar  6 07:46 ssh_config
-rw-------   1 root  wheel    668 Mar  6 09:33 ssh_host_dsa_key
-rw-r--r--   1 root  wheel    595 Mar  6 09:33 ssh_host_dsa_key.pub
-rw-------   1 root  wheel    520 Mar  6 09:33 ssh_host_key
-rw-r--r--   1 root  wheel    324 Mar  6 09:33 ssh_host_key.pub
-rw-r--r--   1 root  wheel   1480 Mar  6 07:46 sshd_config

and the -CURRENT side:
dhcp-140[2] ls -la /etc/ssh
total 39
drwxr-xr-x   2 root  wheel    512 May  9 10:18 .
drwxr-xr-x  16 root  wheel   2560 May 11 09:56 ..
-rw-r--r--   1 root  wheel  26346 Mar 27 08:01 primes
-rw-r--r--   1 root  wheel    909 Mar  7 21:29 ssh_config
-rw-------   1 root  wheel    668 Mar  6 09:33 ssh_host_dsa_key
-rw-r--r--   1 root  wheel    595 Mar  6 09:33 ssh_host_dsa_key.pub
-rw-------   1 root  wheel    520 Mar  6 09:33 ssh_host_key
-rw-r--r--   1 root  wheel    324 Mar  6 09:33 ssh_host_key.pub
-rw-------   1 root  wheel    529 May  9 10:18 ssh_host_rsa_key
-rw-r--r--   1 root  wheel    333 May  9 10:18 ssh_host_rsa_key.pub
-rw-r--r--   1 root  wheel   1776 May  6 09:41 sshd_config

and in particular:

dhcp-140[3] sudo cmp {/S1,}/etc/ssh/ssh_host_key
dhcp-140[4] sudo cmp {/S1,}/etc/ssh/ssh_host_key.pub
dhcp-140[5] sudo cmp {/S1,}/etc/ssh/ssh_config
/S1/etc/ssh/ssh_config /etc/ssh/ssh_config differ: char 196, line 5
dhcp-140[6] sudo diff -u {/S1,}/etc/ssh/ssh_config
--- /S1/etc/ssh/ssh_config      Tue Mar  6 07:46:45 2001
+++ /etc/ssh/ssh_config Wed Mar  7 21:29:09 2001
@@ -2,7 +2,7 @@
 # defaults for users, and the values can be changed in per-user configuration
 # files or on the command line.
-# $FreeBSD: src/crypto/openssh/ssh_config,v 1.6 2000/09/10 09:35:38 kris Exp $
+# $FreeBSD$
 # Configuration data is parsed as follows:
 #  1. command line options

OK; I *think* that's a difference that ought not be relevant to the
issue I'm seeing....  :-}

[Sorry if things get disjointed at this point.  My laptop re-booted; as
far as I know, I had just hit the "A" key.  The /var filesystem needed a
manual fsck, which I did, then I re-booted.  It seems to have done
Kirk's "background fsck" magic OK; I HUPped the process (which was still
hanging around on the machine where I was composing this note) and
recovered the buffer up to this parenthetical comment.  dhw]

So, I tried an experiment to illustrate the issue.  I booted -CURRENT,
and (under script) issued an "ssh -v bunrab".  I then booted -STABLE,
and did it again (using a different filename).  I then edited the script
files:  I removed all of the ^Ms, and I then (in order to reduce the
number of irrelevant mis-matches) changed all of the "^debug: " lines in
the -STABLE file to read "^debug1: " instead.  (License, I know.  I'm
happy to provide complete files, but this is quite long enough as it

Here's the diff output:

--- ssh-stable  Sat May 12 19:45:54 2001
+++ ssh-current Sat May 12 19:43:03 2001
@@ -1,34 +1,61 @@
-Script started on Sat May 12 19:35:12 2001
+Script started on Sat May 12 19:40:40 2001
 dhcp-140[1] ssh -v bunrab
-SSH Version OpenSSH_2.3.0 [EMAIL PROTECTED] 20010321, protocol versions 1.5/2.0.
-Compiled with SSL (0x0090600f).
+OpenSSH_2.9 [EMAIL PROTECTED] 20010503, SSH protocols 1.5/2.0, OpenSSL 0x00906010
 debug1: Reading configuration data /etc/ssh/ssh_config
+debug1: Rhosts Authentication disabled, originating port will not be trusted.
+debug1: restore_uid
 debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
 debug1: Connecting to bunrab.catwhisker.org [] port 22.
+debug1: temporarily_use_uid: 1001/20 (e=1001)
+debug1: restore_uid
+debug1: temporarily_use_uid: 1001/20 (e=1001)
+debug1: restore_uid
 debug1: Connection established.
+debug1: identity file /home/david/.ssh/identity type 0
+debug1: identity file /home/david/.ssh/id_rsa type -1
+debug1: identity file /home/david/.ssh/id_dsa type -1
 debug1: Remote protocol version 1.99, remote software version 2.0.12 (non-commercial)
 debug1: match: 2.0.12 (non-commercial) pat ^2\.0\.
-debug1: Local version string SSH-1.5-OpenSSH_2.3.0 [EMAIL PROTECTED] 20010321
-debug1: Waiting for server public key.
-debug1: Received server public key (768 bits) and host key (1024 bits).
-debug1: Host 'bunrab' is known and matches the RSA host key.
-debug1: Encryption type: 3des
-debug1: Sent encrypted session key.
-debug1: Installing crc compensation attack detector.
-debug1: Received encrypted confirmation.
-debug1: Trying RSA authentication via agent with '[EMAIL PROTECTED]'
-debug1: Received RSA challenge from server.
-debug1: Sending response to RSA challenge.
-debug1: Remote: RSA authentication accepted.
-debug1: RSA authentication accepted by server.
-debug1: Requesting pty.
-debug1: Requesting shell.
+Enabling compatibility mode for protocol 2.0
+debug1: Local version string SSH-2.0-OpenSSH_2.9 [EMAIL PROTECTED] 20010503
+debug1: SSH2_MSG_KEXINIT sent
+debug1: SSH2_MSG_KEXINIT received
+debug1: kex: server->client 3des-cbc hmac-md5 none
+debug1: kex: client->server 3des-cbc hmac-md5 none
+debug1: dh_gen_key: priv key bits set: 210/384
+debug1: bits set: 544/1024
+debug1: sending SSH2_MSG_KEXDH_INIT
+debug1: expecting SSH2_MSG_KEXDH_REPLY
+debug1: Host 'bunrab.catwhisker.org' is known and matches the DSA host key.
+debug1: Found key in /home/david/.ssh/known_hosts2:1
+debug1: bits set: 493/1024
+debug1: len 40 datafellows 8831
+debug1: ssh_dss_verify: signature correct
+debug1: kex_derive_keys
+debug1: newkeys: mode 1
+debug1: SSH2_MSG_NEWKEYS sent
+debug1: waiting for SSH2_MSG_NEWKEYS
+debug1: newkeys: mode 0
+debug1: SSH2_MSG_NEWKEYS received
+debug1: done: ssh_kex2.
+debug1: buggy server: service_accept w/o service
+debug1: authentications that can continue: publickey,password
+debug1: next auth method to try is publickey
+debug1: try privkey: /home/david/.ssh/id_rsa
+debug1: try privkey: /home/david/.ssh/id_dsa
+debug1: next auth method to try is password
[EMAIL PROTECTED]'s password: 
+debug1: ssh-userauth2 successful: method password
+debug1: channel 0: new [client-session]
+debug1: channel_new: 0
+debug1: send channel open 0
 debug1: Entering interactive session.
-Last login: Sat May 12 19:34:38 2001 from dhcp-140
-Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
-       The Regents of the University of California.   All rights reserved.
+debug1: client_init id 0 arg 0
+debug1: channel request 0: shell
+debug1: channel 0: open confirm rwindow 10000 rmax 16384
+Last login: Sat May 12 19:35:26 2001
 FreeBSD 3.2-RELEASE (BUNRAB) #3: Sun Apr 30 19:44:37 PDT 2000
 Welcome to FreeBSD!  You will find security advisories and updated
@@ -51,11 +78,25 @@
 configuration  utility.  Edit /etc/motd to change this login announcement.
 You have mail.
-bunrab[1] ^Dexit
-Connection to bunrab closed.
-debug1: Transferred: stdin 0, stdout 1201, stderr 30 bytes in 1.7 seconds
-debug1: Bytes per second: stdin 0.0, stdout 712.8, stderr 17.8
+bunrab[1] ^Ddebug1: client_input_channel_req: channel 0 rtype exit-status reply 0
+debug1: channel 0: rcvd close
+debug1: channel 0: output open -> drain
+debug1: channel 0: input open -> closed
+debug1: channel 0: close_read
+debug1: channel 0: obuf empty
+debug1: channel 0: output drain -> closed
+debug1: channel 0: close_write
+debug1: channel 0: send close
+debug1: channel 0: is dead
+debug1: channel_free: channel 0: status: The following connections are open:
+  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
+debug1: channel_free: channel 0: dettaching channel user
+Connection to bunrab.catwhisker.org closed.
+debug1: Transferred: stdin 0, stdout 0, stderr 45 bytes in 7.6 seconds
+debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 6.0
 debug1: Exit status 0
 dhcp-140[2] ^Dexit
-Script done on Sat May 12 19:35:46 2001
+Script done on Sat May 12 19:41:02 2001

So I note a couple of salient things that show up:

* Under ssh 2.9 (but not 2.3.0), the ssh server on bunrab engenders the
  line "debug1: buggy server: service_accept w/o service".

* Under ssh 2.9, ssh appears to be looking for my private key in
  /home/david/.ssh/id_rsa, then /home/david/.ssh/id_dsa.  Now, I never
  had either of those files; what I have in ~/.ssh is:

  -rw-------  1 david  wheel   544 Mar 27 08:55 identity
  -rw-rw-r--  1 david  wheel   348 Mar 23 19:06 identity.pub
  -rw-r--r--  1 david  wheel  5792 May 10 13:31 known_hosts
  -rw-r--r--  1 david  wheel  3035 May  9 10:21 known_hosts2

  I tried making "identity" a (hard) link to first id_rsa, then id_dsa,
  and re-tried the experiment.  The only difference I saw was that if
  id_rsa existed (as a link to identity), ssh didn't claim it was trunig
  to use it; same for id_dsa.

So basically, I'm confused.  ssh appears to work ok for password
authentication, but not for public key authentication -- or at least, it
doesn't appear to be (completely?) compatible with ssh 2.3.0.  Or maybe
I'm overlooking something...?


David H. Wolfskill                              [EMAIL PROTECTED]
As a computing professional, I believe it would be unethical for me to
advise, recommend, or support the use (save possibly for personal
amusement) of any product that is or depends on any Microsoft product.

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to