RC3: problems with SSH

2000-03-11 Thread Mathew Kanner

My colleague found these problems on a machine freshly installed with
RC3.  The machines on the other end are a mix of sunos 2.5,6,7 on
sparcs.  Please flame me if this has already been discussed.


Script started on Sun Mar 12 00:55:40 2000
bash-2.03$ slogin -v XXX
SSH Version OpenSSH-1.2.2, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to XXX.CS.McGill.CA [132.206.51.205] port 22.
debug: Allocated local port 978.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version 1.2.26
debug: Waiting for server public key.
debug: Received server public key (1152 bits) and host key (1024 bits).
The authenticity of host 'XXX.cs.mcgill.ca' can't be established.
Key fingerprint is 1024 a4:5d:e5:6d:1b:a3:71:31:31:eb:cf:09:45:a1:97:3b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'XXX.cs.mcgill.ca' to the list of known hosts.
rsa_public_encrypt() failed
debug: Calling cleanup 0x8052d0c(0x0)


bash-2.03$ slogin -v ni ova
SSH Version OpenSSH-1.2.2, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to YYY.CS.McGill.CA [132.206.51.245] port 22.
debug: Allocated local port 977.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version 1.2.26
debug: Waiting for server public key.
debug: Received server public key (1152 bits) and host key (1024 bits).
The authenticity of host 'YYY.cs.mcgill.ca' can't be established.
Key fingerprint is 1024 ab:33:ca:d0:51:4c:fa:26:1d:d4:ed:c0:72:b0:e4:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'YYY.cs.mcgill.ca' to the list of known hosts.
rsa_public_encrypt() failed
debug: Calling cleanup 0x8052d0c(0x0)


bash-2.03$ slogin -v Z
SSH Version OpenSSH-1.2.2, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to ZZZ.CS.McGill.CA [132.206.2.5] port 22.
debug: Allocated local port 976.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version 1.2.17
debug: Waiting for server public key.
Warning: Server lies about size of server host key: actual size is 1023 bits vs. announced 1024.
Warning: This may be due to an old implementation of ssh.
debug: Received server public key (768 bits) and host key (1023 bits).
debug: Host 'ZZZ.cs.mcgill.ca' is known and matches the host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Remote: Server does not permit empty password login.
debug: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug: Server refused our rhosts authentication or host key.
debug: Trying RSA authentication with key '[EMAIL PROTECTED]'
debug: Server refused our key.
debug: Doing password authentication.
[EMAIL PROTECTED]'s password: 
debug: Requesting pty.
debug: Requesting shell.
debug: Entering interactive session.
Last login: Sat Mar 11 19:55:07 2000 from .cs.m
Sun Microsystems Inc.   SunOS 5.7   Generic October 1998
Path now includes  local/scripts Z/scripts ucb openwin
Library path includes  /usr/ucblib rvplayer
Whoa, I know vim
bash-2.03$ logout
Connection to ZZZ.CS.McGill.CA closed.
debug: Transferred: stdin 1, stdout 266, stderr 48 bytes in 1.0 seconds
debug: Bytes per second: stdin 1.0, stdout 254.7, stderr 46.0
debug: Exit status 0
bash-2.03$ exit


--Mat


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: RC3: problems with SSH

2000-03-11 Thread Kris Kennaway

On Sat, 11 Mar 2000, Kris Kennaway wrote:

> I consider this a bug in openssh that it doesn't realise that it's using
> rsaref and give a helpful error message when it gets a key that is too
> long.

I'm also working on a patch to do just this..give me a few minutes :-)

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: RC3: problems with SSH

2000-03-11 Thread Mathew Kanner

On Mar 11, Kris Kennaway wrote:
> On Sat, 11 Mar 2000, Mathew Kanner wrote:
>
> > debug: Received server public key (1152 bits) and host key (1024 bits).
> >
> > rsa_public_encrypt() failed
>
> Are you using rsaref? rsaref can't handle keys longer than 1024 bits and
> we're not allowed to fix it so it can by the terms of the rsaref license.
> Since you're in Canada, you don't need rsaref and should be using the
> international version of openssl. See chapter 6.5 in the handbook for a
> longer description of the state of play.

Finally a benefit to living in Canada!  Anyway, I made the
port in /usr/ports/security/rsaref.  My mistake was thinking that it
would look at my make.conf and get the right one.  Sorry about that.
Also, just now when I look at the handbook, it appears to be chapter
7.5.

--Mat
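
An added example, not part of the original thread or of OpenSSH: a small triage script for `ssh -v` output that ties the `rsa_public_encrypt() failed` symptom to the 1024-bit key limit described above. The function name `triage` and the constant `RSAREF_MAX_BITS` are assumptions made for this sketch; the sample lines are excerpted from the transcript earlier in the thread.

```python
import re

# Limit stated in the thread: rsaref cannot handle keys longer than 1024 bits.
RSAREF_MAX_BITS = 1024  # name is an assumption for this example

# Sample input assembled from the debug transcript posted in this thread.
SAMPLE = """\
debug: Connecting to XXX.CS.McGill.CA [132.206.51.205] port 22.
debug: Received server public key (1152 bits) and host key (1024 bits).
rsa_public_encrypt() failed
debug: Connecting to ZZZ.CS.McGill.CA [132.206.2.5] port 22.
debug: Received server public key (768 bits) and host key (1023 bits).
debug: Sent encrypted session key.
"""

CONNECT = re.compile(r"^debug: Connecting to (\S+) \[")
KEYS = re.compile(r"^debug: Received server public key \((\d+) bits\) "
                  r"and host key \((\d+) bits\)\.")


def triage(log_text, max_bits=RSAREF_MAX_BITS):
    """Return one finding per connection attempt in an `ssh -v` log."""
    findings, cur = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = CONNECT.match(line)
        if m:  # a new connection attempt starts a new record
            cur = {"host": m.group(1), "server_bits": None,
                   "host_bits": None, "encrypt_failed": False}
            findings.append(cur)
            continue
        if cur is None:
            continue
        m = KEYS.match(line)
        if m:
            cur["server_bits"], cur["host_bits"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("rsa_public_encrypt() failed"):
            cur["encrypt_failed"] = True
    for f in findings:
        sizes = [b for b in (f["server_bits"], f["host_bits"]) if b is not None]
        f["over_limit"] = any(b > max_bits for b in sizes)
        # Only blame the key-size limit when both symptoms are present.
        f["likely_rsaref_limit"] = f["over_limit"] and f["encrypt_failed"]
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["host"], f["server_bits"], f["host_bits"], f["likely_rsaref_limit"])
```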







Re: RC3: problems with SSH

2000-03-11 Thread Kris Kennaway

On Sat, 11 Mar 2000, Mathew Kanner wrote:

> Finally a benefit to living in Canada!  Anyway, I made the
> port in /usr/ports/security/rsaref.  My mistake was thinking that it
> would look at my make.conf and get the right one.  Sorry about that.

You shouldn't need/use rsaref. Use the librsaintl port instead.

> Also, just now when I look at the handbook, it appears to be chapter
> 7.5.

Grr, better update all the error messages :-( Thanks..

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]


