Re: Problem with ssh
"David O'Brien" <[EMAIL PROTECTED]> writes:
> so getting an OPIE formatted challenge on RELENG_4 immediately lets
> someone know it is fake and bogus.

I know.  I told you it is a bug in the server.

> > the client attempts challenge-response authentication, which is what
> > is used for PAM.
> I do not follow what you are saying.

FreeBSD's OpenSSH 3.1 server now uses PAM for authentication, using
SSH's challenge-response authentication protocol, which is used for
S/Key or OPIE in older versions.

> I thought 3.1 was imported due to a security problem with 3.0.

No, the security problem was already fixed in our version of OpenSSH.
3.1 was imported to solve other problems, reduce the amount of local
patches and allow us to use PAM on the server side.

> > > Considering I DO want SKeyAuthentication (USENIX is coming up); what is
> > > the real fix?
> > Enable it only for servers that need it.
> I just said "I need it".  The user from "ssh user@server" does have a
> properly setup S/Key entry in /etc/skeykeys

The *client* should add "SKeyAuthentication yes" to his ~/.ssh/config
only for those hosts that need it.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
Re: Problem with ssh
On Tue, Apr 02, 2002 at 01:48:56AM +0200, Dag-Erling Smorgrav wrote:
> "David O'Brien" <[EMAIL PROTECTED]> writes:
> > On Sat, Mar 30, 2002 at 01:14:07PM +0100, Dag-Erling Smorgrav wrote:
> > > "David O'Brien" <[EMAIL PROTECTED]> writes:
> > > > Uh, why does my sequence keep changing when I just hit ???
> > > Because it's generating fake S/Key challenges, and badly.
> > Especially since RELENG_4 does NOT use OPIE.
> > Who this "fake S/Key challenge" that and turned it on?
>
> OpenSSH in RELENG_4 does use S/Key, and generates fake challenges when

Yes.  But it is obvious it is fake:

This is an S/Key challenge:

    s/key 90 re95460

this is an OPIE challenge:

    otp-md5 315 re7955 ext

so getting an OPIE formatted challenge on RELENG_4 immediately lets
someone know it is fake and bogus.

> the client attempts challenge-response authentication, which is what
> is used for PAM.

I do not follow what you are saying.

> > > No, I haven't seen it, but I've had similar reports.  It's actually a
> > > bug on the server side, in older OpenSSH servers, that is exposed by
> > > newer OpenSSH clients.
> > Will OpenSSH 3.1 be MFC'ed soon?
>
> Not likely.  There are a number of problems that still need fixing.

I thought 3.1 was imported due to a security problem with 3.0.

> > Considering I DO want SKeyAuthentication (USENIX is coming up); what is
> > the real fix?
>
> Enable it only for servers that need it.

I just said "I need it".  The user from "ssh user@server" does have a
properly setup S/Key entry in /etc/skeykeys

> It used to be disabled by default in the client, so this shouldn't make
> much of a difference.

I admit to having problems getting this working in the past.

--
-- David  ([EMAIL PROTECTED])
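The two tells David relies on above (the challenge is in OPIE format on a host that only has S/Key, and the sequence number changes on every retry instead of staying put until a correct response) can be checked mechanically. The following is an added example, not code from the thread or from OpenSSH: it parses both challenge formats and applies those two checks to a captured session. The session lines are constructed from the transcript quoted in the thread, and the `expected_scheme` argument is an assumption standing in for what the administrator knows the server actually runs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The two challenge formats contrasted in the thread:
#   classic S/Key:  s/key <seq> <seed>
#   OPIE:           otp-<hash> <seq> <seed> ext
SKEY_RE = re.compile(r"^s/key\s+(\d+)\s+(\S+)\s*$")
OPIE_RE = re.compile(r"^otp-(md4|md5|sha1)\s+(\d+)\s+(\S+)(?:\s+ext)?\s*$")


@dataclass(frozen=True)
class Challenge:
    scheme: str           # "skey" or "opie"
    algo: Optional[str]   # hash name for OPIE, None for classic S/Key
    seq: int              # one-time-password sequence number
    seed: str


def parse_challenge(line: str) -> Optional[Challenge]:
    """Parse one prompt line; return None if it is not an OTP challenge."""
    line = line.strip()
    m = SKEY_RE.match(line)
    if m:
        return Challenge("skey", None, int(m.group(1)), m.group(2))
    m = OPIE_RE.match(line)
    if m:
        return Challenge("opie", m.group(1), int(m.group(2)), m.group(3))
    return None


def challenges_from_session(lines: List[str]) -> List[Challenge]:
    """Collect the challenge prompts from a captured ssh session, in order."""
    out = []
    for line in lines:
        # the thread's capture carries a leading '#' on some lines; drop it
        c = parse_challenge(line.lstrip("#"))
        if c is not None:
            out.append(c)
    return out


def fake_challenge_indicators(chals: List[Challenge], expected_scheme: str) -> List[str]:
    """Return the reasons (if any) a run of challenges looks fabricated.

    1. Wrong format for what the server runs (an OPIE prompt from a box that
       only has S/Key).
    2. Sequence number or seed changes between consecutive prompts with no
       successful login in between.  A real OTP server re-presents the same
       challenge until it gets a correct response; the sequence only drops
       by one after each success.
    """
    reasons = []
    for c in chals:
        if c.scheme != expected_scheme:
            reasons.append(f"format mismatch: got {c.scheme} challenge, "
                           f"server uses {expected_scheme}")
            break
    for prev, cur in zip(chals, chals[1:]):
        if (prev.seq, prev.seed) != (cur.seq, cur.seed):
            reasons.append(f"challenge changed between retries: "
                           f"{prev.seq}/{prev.seed} -> {cur.seq}/{cur.seed}")
            break
    return reasons


# Constructed sample: the RELENG_4 session quoted in the thread.
SESSION_RELENG4 = [
    "ssh foo@releng4",
    "otp-md5 350 re9786 ext",
    "S/Key Password:",
    "otp-md5 134 re2584 ext",
    "S/Key Password:",
    "otp-md5 417 re5381 ext",
    "S/Key Password:",
    "otp-md5 198 re2571 ext",
    "S/Key Password:",
]

if __name__ == "__main__":
    chals = challenges_from_session(SESSION_RELENG4)
    for reason in fake_challenge_indicators(chals, "skey"):
        print("suspicious:", reason)
```

Run against the quoted session with `expected_scheme="skey"` it reports both tells; a genuine S/Key exchange, where the same `s/key 90 re95460` prompt is repeated until answered, reports nothing.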
Re: Problem with ssh
"David O'Brien" <[EMAIL PROTECTED]> writes:
> On Sat, Mar 30, 2002 at 01:14:07PM +0100, Dag-Erling Smorgrav wrote:
> > "David O'Brien" <[EMAIL PROTECTED]> writes:
> > > Uh, why does my sequence keep changing when I just hit ???
> > Because it's generating fake S/Key challenges, and badly.
> Especially since RELENG_4 does NOT use OPIE.
> Who this "fake S/Key challenge" that and turned it on?

OpenSSH in RELENG_4 does use S/Key, and generates fake challenges when
the client attempts challenge-response authentication, which is what
is used for PAM.

> > No, I haven't seen it, but I've had similar reports.  It's actually a
> > bug on the server side, in older OpenSSH servers, that is exposed by
> > newer OpenSSH clients.
> Will OpenSSH 3.1 be MFC'ed soon?

Not likely.  There are a number of problems that still need fixing.

> Considering I DO want SKeyAuthentication (USENIX is coming up); what is
> the real fix?

Enable it only for servers that need it.  It used to be disabled by
default in the client, so this shouldn't make much of a difference.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: Problem with ssh
On Sat, Mar 30, 2002 at 01:14:07PM +0100, Dag-Erling Smorgrav wrote:
> "David O'Brien" <[EMAIL PROTECTED]> writes:
> > Something is still very wrong:
> >
> >     ssh foo@releng4
> >     otp-md5 350 re9786 ext
> >     S/Key Password:
> >     otp-md5 134 re2584 ext
> >     S/Key Password:
> >     otp-md5 417 re5381 ext
> >     S/Key Password:
> >     otp-md5 198 re2571 ext
> >     S/Key Password:
> >
> > Uh, why does my sequence keep changing when I just hit ???
>
> Because it's generating fake S/Key challenges, and badly.

Especially since RELENG_4 does NOT use OPIE.
Who this "fake S/Key challenge" that and turned it on?

> No, I haven't seen it, but I've had similar reports.  It's actually a
> bug on the server side, in older OpenSSH servers, that is exposed by
> newer OpenSSH clients.

Will OpenSSH 3.1 be MFC'ed soon?

Considering I DO want SKeyAuthentication (USENIX is coming up); what is
the real fix?

--
-- David  ([EMAIL PROTECTED])
Re: Problem with ssh
"David O'Brien" <[EMAIL PROTECTED]> writes:
> Something is still very wrong:
>
>     ssh foo@releng4
>     otp-md5 350 re9786 ext
>     S/Key Password:
>     otp-md5 134 re2584 ext
>     S/Key Password:
>     otp-md5 417 re5381 ext
>     S/Key Password:
>     otp-md5 198 re2571 ext
>     S/Key Password:
>
> Uh, why does my sequence keep changing when I just hit ???

Because it's generating fake S/Key challenges, and badly.

> And this will not accept my Unix password until I enter garbage _3_ times,
> then I finally get a Unix password prompt.
>
> Hello, DES?  Have you seen this thread?

No, I haven't seen it, but I've had similar reports.  It's actually a
bug on the server side, in older OpenSSH servers, that is exposed by
newer OpenSSH clients.

I haven't yet determined a correct client-side solution, but a
workaround is to disable S/Key authentication for those hosts where
you don't actually want to use it, by adding the following to
~/.ssh/config:

    Host foo bar baz
        SKeyAuthentication no

OpenSSH 3.1 servers on -CURRENT will DTRT since they use PAM.

DES
--
Dag-Erling Smorgrav - [EMAIL PROTECTED]
Re: Problem with ssh
On Fri, Mar 29, 2002 at 11:01:25AM +0100, Thomas Quinot wrote:
> On 2002-03-29, Will Andrews wrote:
>
> > SSH should just be fixed to DTRT when one doesn't have S/Key
> > setup on the server...
>
> As far as I can understand the sources, this has been implemented
> in rev. 1.10 of src/crypto/openssh/auth-skey.c.

It is still wrong.  A correct password prompt gives the S/Key(OPIE)
challenge and accepts either the Unix or S/Key(OPIE) password.

Something is still very wrong:

    ssh foo@releng4
    otp-md5 350 re9786 ext
    S/Key Password:
    otp-md5 134 re2584 ext
    S/Key Password:
    otp-md5 417 re5381 ext
    S/Key Password:
    otp-md5 198 re2571 ext
    S/Key Password:

Uh, why does my sequence keep changing when I just hit ???

And this will not accept my Unix password until I enter garbage _3_ times,
then I finally get a Unix password prompt.

Hello, DES?  Have you seen this thread?
Re: Problem with ssh
On 2002-03-29, Will Andrews wrote:
> SSH should just be fixed to DTRT when one doesn't have S/Key
> setup on the server...

As far as I can understand the sources, this has been implemented
in rev. 1.10 of src/crypto/openssh/auth-skey.c.

Thomas.
--
[EMAIL PROTECTED]
Re: Problem with ssh
hi, there!

On Thu, Mar 28, 2002 at 11:43:58AM -0800, Julian Elischer wrote:
> > On Thursday 28 March 2002 10:28 am, Michael L. Hostbaek wrote:
> > > Beech Rintoul (akbeech) writes:
> > >
> > > 'ChallengeResponseAuthentication no'
> >
> > Thanks, that fixed the problem.
>
> just stops my sshd from working at all.
> (machine is 4.1.1)

I guess this config option was named differently in earlier sshd
versions (SKeyAuthentication or something like that)

/fjoe
Re: Problem with ssh
On Thu, Mar 28, 2002 at 12:03:17PM -0800, David O'Brien wrote:
> That is NOT a fix.  Some of us want S/Key (OPIE) support.
> This is a temporary work around.

And some of us want passphrase support.  :-)

SSH should just be fixed to DTRT when one doesn't have S/Key
setup on the server...  however, it continues to break POLA, several
months after the change which caused this was committed.

--
wca
Re: Problem with ssh
* David O'Brien <[EMAIL PROTECTED]> [2002-03-28 21:06]:
> On Thu, Mar 28, 2002 at 10:40:04AM -0900, Beech Rintoul wrote:
> > > > #ssh -l akbeech galaxy
> > > > #otp-md5 336 ga3711 ext
> > > > S/Key Password:
> > >
> > > Adding the following setting to sshd_config, should disable S/Key
> > > functionality:
> > >
> > > 'ChallengeResponseAuthentication no'
> >
> > Thanks, that fixed the problem.
>
> That is NOT a fix.  Some of us want S/Key (OPIE) support.
> This is a temporary work around.

But adding

    PreferredAuthentications publickey,password,keyboard-interactive

to ~/.ssh/config on the client side.

Regards,
Olli
--
Department of Computing Science
Federal Armed Forces University Munich
http://ist.unibw-muenchen.de/People/obraun/
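Both client-side workarounds in this thread (Dag-Erling's per-host `SKeyAuthentication no` block and Olli's `PreferredAuthentications` line above) depend on how ssh_config is evaluated: for each option, the first value obtained wins, so a per-host `Host` block must come before a catch-all `Host *`. The following is an added example, not OpenSSH's own parser or anything from the thread. It implements that first-match rule, including `*`/`?` wildcards and `!` negation in `Host` patterns, and runs it over a constructed `~/.ssh/config` that combines the two workarounds; a second, deliberately mis-ordered config shows the pitfall. Host names and option values are constructed from the thread.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

# Constructed ~/.ssh/config: keep S/Key only for hosts that really have an
# OTP entry, and never try it elsewhere.  Order matters (see resolve()).
SAMPLE_CONFIG = """\
# hosts where I really do have an S/Key entry
Host releng4 foo
    SKeyAuthentication yes

# everything else: never try S/Key, try public key first
Host *
    SKeyAuthentication no
    PreferredAuthentications publickey,password,keyboard-interactive
"""

# Same intent, wrong order: the catch-all block comes first and wins.
MISORDERED_CONFIG = """\
Host *
    SKeyAuthentication no

Host releng4 foo
    SKeyAuthentication yes
"""

Block = Tuple[List[str], Dict[str, str]]


def parse_ssh_config(text: str) -> List[Block]:
    """Split ssh_config text into (host patterns, options) blocks in file order.

    Options before the first Host line apply to every host.  Keywords are
    case-insensitive, so they are lower-cased; both 'Key value' and
    'Key=value' spellings are accepted.
    """
    blocks: List[Block] = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            # within one block the first occurrence of a keyword also wins
            blocks[-1][1].setdefault(key, value)
    return blocks


def host_matches(patterns: List[str], hostname: str) -> bool:
    """ssh_config Host matching: '*' and '?' wildcards; a pattern starting
    with '!' is a negation, and any matching negation rejects the block."""
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if fnmatch.fnmatchcase(hostname, p[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, p):
            matched = True
    return matched


def resolve(blocks: List[Block], hostname: str) -> Dict[str, str]:
    """Apply the first-obtained-value rule: walk matching blocks in file order
    and keep only the first value seen for each keyword."""
    result: Dict[str, str] = {}
    for patterns, opts in blocks:
        if not host_matches(patterns, hostname):
            continue
        for key, value in opts.items():
            result.setdefault(key, value)
    return result


if __name__ == "__main__":
    good = parse_ssh_config(SAMPLE_CONFIG)
    for host in ("releng4", "galaxy"):
        print(host, resolve(good, host))
    print("misordered releng4:", resolve(parse_ssh_config(MISORDERED_CONFIG), "releng4"))
```

With `SAMPLE_CONFIG`, `releng4` resolves to `SKeyAuthentication yes` while `galaxy` gets `no` plus the `PreferredAuthentications` order; with `MISORDERED_CONFIG`, `releng4` silently ends up with `no` because the `Host *` block was read first.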
Re: Problem with ssh
On Thu, Mar 28, 2002 at 10:40:04AM -0900, Beech Rintoul wrote:
> > > #ssh -l akbeech galaxy
> > > #otp-md5 336 ga3711 ext
> > > S/Key Password:
> >
> > Adding the following setting to sshd_config, should disable S/Key
> > functionality:
> >
> > 'ChallengeResponseAuthentication no'
>
> Thanks, that fixed the problem.

That is NOT a fix.  Some of us want S/Key (OPIE) support.
This is a temporary work around.

--
-- David  ([EMAIL PROTECTED])
Re: Problem with ssh
On Thu, 28 Mar 2002, Beech Rintoul wrote:
> On Thursday 28 March 2002 10:28 am, Michael L. Hostbaek wrote:
> > Beech Rintoul (akbeech) writes:
> >
> > 'ChallengeResponseAuthentication no'
>
> Thanks, that fixed the problem.

just stops my sshd from working at all.
(machine is 4.1.1)
Re: Problem with ssh
Beech Rintoul wrote:
> I just updated -current (yesterday) and now I'm getting the following when I
> try to use ssh:
>
> #ssh -l akbeech galaxy
> #otp-md5 336 ga3711 ext
> S/Key Password:
>
> Any suggestions?

Downgrade, and submit a reverse diff to back out whatever change was
made that's urinating in your cheerios.

(e.g. the easiest fix for most problems is to undo whatever
ill-considered change caused the breakage; if the change wasn't
ill-considered, at least the upgrade path was).

-- Terry
Re: Problem with ssh
On Thursday 28 March 2002 10:28 am, Michael L. Hostbaek wrote:
> Beech Rintoul (akbeech) writes:
> > I just updated -current (yesterday) and now I'm getting the following
> > when I try to use ssh:
> >
> > #ssh -l akbeech galaxy
> > #otp-md5 336 ga3711 ext
> > S/Key Password:
>
> Adding the following setting to sshd_config, should disable S/Key
> functionality:
>
> 'ChallengeResponseAuthentication no'

Thanks, that fixed the problem.

Beech
--
---
Beech Rintoul - IT Manager - Instructor - [EMAIL PROTECTED]
/"\   ASCII Ribbon Campaign    | Anchorage Gospel Rescue Mission
\ /   - NO HTML/RTF in e-mail  | P.O. Box 230510
 X    - NO Word docs in e-mail | Anchorage, AK 99523-0510
/ \   -
Re: Problem with ssh
Beech Rintoul (akbeech) writes:
> I just updated -current (yesterday) and now I'm getting the following when I
> try to use ssh:
>
> #ssh -l akbeech galaxy
> #otp-md5 336 ga3711 ext
> S/Key Password:
>

Adding the following setting to sshd_config, should disable S/Key
functionality:

'ChallengeResponseAuthentication no'

--
Best Regards,
Michael Landin Hostbaek
FreeBSDCluster.dk - an International Community
*/ PGP-key available upon request /*
Re: Problem with ssh
On Thu, Mar 28, 2002 at 09:37:36AM -0900, Beech Rintoul wrote:
> I just updated -current (yesterday) and now I'm getting the following when I
> try to use ssh:
>
> #ssh -l akbeech galaxy
> #otp-md5 336 ga3711 ext
> S/Key Password:
>
> Any suggestions?

hit any set of letters until you get a real password prompt.
Problem with ssh
I just updated -current (yesterday) and now I'm getting the following when I
try to use ssh:

#ssh -l akbeech galaxy
#otp-md5 336 ga3711 ext
S/Key Password:

Any suggestions?

Beech
--
---
Beech Rintoul - IT Manager - Instructor - [EMAIL PROTECTED]
/"\   ASCII Ribbon Campaign    | Anchorage Gospel Rescue Mission
\ /   - NO HTML/RTF in e-mail  | P.O. Box 230510
 X    - NO Word docs in e-mail | Anchorage, AK 99523-0510
/ \   -
Re: RSA problem with SSH ...
Great ... I added RANDOMDEV to the wrong kernel config file :(  Thanks,
fixed now ...

On Fri, 21 Jul 2000, Alexander Langer wrote:
> Thus spake The Hermit Hacker ([EMAIL PROTECTED]):
>
> > Just upgraded to the newest -current, and now can't use SSH:
> > ssh: no RSA support in libssl and libcrypto.  See ssl(8).
>
> options RANDOMDEV into kernel, or load randomdev.ko
>
> That solved it for me (though you mentioned it).
>
> I'M USA_RESIDENT=NO, though.
>
> Alex
> --
> cat: /home/alex/.sig: No such file or directory
>

Marc G. Fournier                   ICQ#7615664               IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: [EMAIL PROTECTED]           secondary: scrappy@{freebsd|postgresql}.org
Re: RSA problem with SSH ...
Thus spake The Hermit Hacker ([EMAIL PROTECTED]):
> Just upgraded to the newest -current, and now can't use SSH:
> ssh: no RSA support in libssl and libcrypto.  See ssl(8).

options RANDOMDEV into kernel, or load randomdev.ko

That solved it for me (though you mentioned it).

I'M USA_RESIDENT=NO, though.

Alex
--
cat: /home/alex/.sig: No such file or directory
RE: RSA problem with SSH ...
Hi

I had the same problem ... but in my case I did not have the RANDOMDEV
compiled in ... so I loaded the kld and voilà ... it worked ...

Try loading the KLD .. also check that the libs actually do include the
RSA stuff (nm | grep RSA) might help.

Reinier

On 21-Jul-00 The Hermit Hacker wrote:
>
> Just upgraded to the newest -current, and now can't use SSH:
>
> ssh: no RSA support in libssl and libcrypto.  See ssl(8).
>
> Tried to read the 'ssl(8)' man page, but it comes back as:
>
>> man 8 ssl
> No entry for ssl in section 8 of the manual
>> man ssl
> No manual entry for ssl
>>
>
> Did mergemaster and saw the 'MAKE_RSAINTL' setting in
> /etc/defaults/make.conf, so did that and did a new 'make world' ...
>
> Even saw the note about /usr/ports/security/rsaref and installed that, no
> difference ...
>
> Read through /usr/src/UPDATING and can't seem to find anything that
> applies other than the mentioning of RANDOMDEV, which I have configured in
> ...
>
> So ... what am I missing that this missing man page seems to be indicated
> as the answer? :)
>
> Thanks ...
>
> Marc G. Fournier                   ICQ#7615664               IRC Nick: Scrappy
> Systems Administrator @ hub.org
> primary: [EMAIL PROTECTED]           secondary: scrappy@{freebsd|postgresql}.org
>

###
#                                                         #
#  R.N. Bezuidenhout           NetSeq Firewall            #
#  [EMAIL PROTECTED]           http://www.nanoteq.co.za   #
#                                                         #
###
--
Date: 21-Jul-00
Time: 13:50:54

This message was sent by XFMail
--
RSA problem with SSH ...
Just upgraded to the newest -current, and now can't use SSH:

ssh: no RSA support in libssl and libcrypto.  See ssl(8).

Tried to read the 'ssl(8)' man page, but it comes back as:

> man 8 ssl
No entry for ssl in section 8 of the manual
> man ssl
No manual entry for ssl
>

Did mergemaster and saw the 'MAKE_RSAINTL' setting in
/etc/defaults/make.conf, so did that and did a new 'make world' ...

Even saw the note about /usr/ports/security/rsaref and installed that, no
difference ...

Read through /usr/src/UPDATING and can't seem to find anything that
applies other than the mentioning of RANDOMDEV, which I have configured in
...

So ... what am I missing that this missing man page seems to be indicated
as the answer? :)

Thanks ...

Marc G. Fournier                   ICQ#7615664               IRC Nick: Scrappy
Systems Administrator @ hub.org
primary: [EMAIL PROTECTED]           secondary: scrappy@{freebsd|postgresql}.org