Re: ssh public key auth. incompatible between 2.3.0 vs. 2.9?
>Date: Sun, 13 May 2001 05:45:12 -0700 (PDT)
>From: David Wolfskill <[EMAIL PROTECTED]>
>>Date: Sat, 12 May 2001 23:40:52 -0700
>>From: Alfred Perlstein <[EMAIL PROTECTED]>
>>> So basically, I'm confused. ssh appears to work ok for password
>>> authentication, but not for public key authentication -- or at least, it
>>> doesn't appear to be (completely?) compatible with ssh 2.3.0. Or maybe
>>> I'm overlooking something...?
>>Brian Feldman switched the default to ssh2, for some reason it doesn't
>>back off and try version 1. you need to do this "ssh -1 " which
>>is damn irritating, but I don't know of any other option.
>The "-1" flag does not appear to be valid for ssh 2.9; attempting its
>use generates a usage message.
Brain-o, there on my part -- that was 2.3.0 that didn't cope with "-1".
2.9 honored it OK, and once I responded affirmatively to:
The authenticity of host 'bunrab.catwhisker.org (172.16.8.11)' can't be established.
RSA1 key fingerprint is 42:a4:6d:32:b1:57:09:81:2c:c5:86:70:61:0b:7c:fe.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bunrab.catwhisker.org' (RSA1) to the list of known hosts.
it seems to have allowed public key authentication.
However, the fact that I got that little dialog would appear to indicate
that this really isn't a V1 vs. V2 protocol issue per se, unless I'm confused.
>>Would it be possible to try version 1 before password?
>I'll give that a try later today. (I'm building today's -STABLE at the
>moment
-STABLE built OK; I'm building -CURRENT now.
So while it's building
I tried creating ~/.ssh/config, and specified "Protocol 1,2" in it.
Prior to doing this, attempting to use ssh from -CURRENT to a local
SPARCstation was handled same as ssh to my FreeBSD 3.2-R box: public
key authentication appeared to want a file I don't have (since my keys
are in ~/.ssh/identity{,.pub}, and it's looking for ~/.ssh/id_{r,d}sa:
dhcp-140[1] ssh -v pogo
OpenSSH_2.9 [EMAIL PROTECTED] 20010503, SSH protocols 1.5/2.0, OpenSSL 0x00906010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
debug1: Connecting to pogo.catwhisker.org [172.16.8.12] port 22.
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: temporarily_use_uid: 1001/20 (e=1001)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/david/.ssh/identity type 0
debug1: identity file /home/david/.ssh/id_rsa type -1
debug1: identity file /home/david/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p2
debug1: match: OpenSSH_2.5.1p2 pat ^OpenSSH_2\.5\.[012]
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9 [EMAIL PROTECTED] 20010503
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 137/256
debug1: bits set: 1049/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'pogo.catwhisker.org' is known and matches the DSA host key.
debug1: Found key in /home/david/.ssh/known_hosts2:2
debug1: bits set: 1044/2049
debug1: len 55 datafellows 49152
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/david/.ssh/id_rsa
debug1: try privkey: /home/david/.ssh/id_dsa
debug1: next auth method to try is password
[EMAIL PROTECTED]'s password:
Then:
dhcp-140[2] echo "Protocol 1,2" >~/.ssh/config
dhcp-140[3] cat ~/.ssh/config
Protocol 1,2
dhcp-140[4] ssh -v pogo
OpenSSH_2.9 [EMAIL PROTECTED] 20010503, SSH protocols 1.5/2.0, OpenSSL 0x00906010
debug1: Reading configuration data /home/david/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
...
debug1: Connection established.
debug1: identity file /home/david/.ssh/identity type 0
debug1: identity file /home/david/.ssh/id_rsa type -1
debug1: identity file /home/david/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.1p2
debug1: match: OpenSSH_2.5.1p2 pat ^OpenSSH_2\.5\.[012]
debug1: Local version string SSH-1.5-OpenSSH_2.9 [EMAIL PROTECTED] 20010503
debug1: Waiting for server public key.
de
Re: ssh public key auth. incompatible between 2.3.0 vs. 2.9?
[Replies to both responders to date: 2 replies for the cost of a single message. :-} dhw] >Date: Sat, 12 May 2001 23:40:52 -0700 >From: Alfred Perlstein <[EMAIL PROTECTED]> >> So basically, I'm confused. ssh appears to work ok for password >> authentication, but not for public key authentication -- or at least, it >> doesn't appear to be (completely?) compatible with ssh 2.3.0. Or maybe >> I'm overlooking something...? >Brian Feldman switched the default to ssh2, for some reason it doesn't >back off and try version 1. you need to do this "ssh -1 " which >is damn irritating, but I don't know of any other option. The "-1" flag does not appear to be valid for ssh 2.9; attempting its use generates a usage message. >Would it be possible to try version 1 before password? I'll give that a try later today. (I'm building today's -STABLE at the moment; I s'pose I could chroot to the -CURRENT root & try it out that way, but trying to explain the situation if it doesn't work sounds even messier than what I've done so far) >Date: Sun, 13 May 2001 09:44:41 +0200 >From: Szilveszter Adam <[EMAIL PROTECTED]> >I am working on reproducing this, so I would like to ask for >clarification... Unless I am mistaken, you have 3.2-RELEASE on the machine >that you are connecting to with ssh2 port installed. Right? In this particular case, yes. And I had installed the ssh-2.0.12 port on it (soome time back). But I have observed similar behavior when the ssh server is any of several different machines -- running FreeBSD 4.2-STABLE or (SPARC) Solaris 2.6 or 8, for example. >And you are trying to use RSA Auth using ssh1 on purpose although both >sides could use ssh2 in theory. Not particularly. I'm trying to use public key authentication, vs. password authentication. Whether it's "RSA" or "DSA" isn't something I care about (except to get it working); mostly, I want the same functionality, and I'd prefer to at least know what steps I need to take, so that if & when OpenSSH 2.9 is MFCed, folks who are similarly-situated will be able to get a "heads up" on changes they may need to make to preserve equivalent function. >And you are seeing that -CURRENT's ssh does not fall back to RSA >key auth when it cannot use DSA. But you have already used ssh2 to this >host before. (Because it is contained in the known_hosts2 file). >Maybe this confuses ssh. Well, I've certainly used ssh 2.3.0 (under FreeBSD 4.3-STABLE, for example) to get to it. >In my setup, I have only one server that can do SSH2 (mine, the -CURRENT >box) all others are unable, because they use either older versions of >OpenSSH or the ssh1 from SSH Communications. But I have absolutely no >problem in connecting between them with RSA keys... although I have just >tried (almost) all combinations.:-) Even the -CURRENT server does well, >although ssh2 is the first option tried in the server config because some >windoze clients can do ssh2 already so why not use it? But admittedly I >have not tried RSA auth between two ssh2 capable hosts... will need the >help of a collegaue with it. (who will kindly reboot the machine on the >other end into FreeBSD-STABLE:-) Note that I do not have a known_hosts2 or >an authorized_keys2 file anywhere. Hmmm I just checked: I don't (happen to) have the laptop set up so that I can use public key authentication to use ssh to itself. (I checked this under -STABLE; OpenSSH 2.3.0.) After I boot -CURRRENT, I may play around with this a bit Thanks, david -- David H. Wolfskill [EMAIL PROTECTED] As a computing professional, I believe it would be unethical for me to advise, recommend, or support the use (save possibly for personal amusement) of any product that is or depends on any Microsoft product. To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: ssh public key auth. incompatible between 2.3.0 vs. 2.9?
Hello David, On Sat, May 12, 2001 at 10:40:35PM -0700, David Wolfskill wrote: > OK; there's something about the (relatively) new ssh (2.9) in -CURRENT > I'm not understanding. I have hunted around for some clues (via man pages > & the like), but it could well be that I'm still failing to notice > something -- quite possibly something that should be obvious to even me > -- and I welcome a clue. I am working on reproducing this, so I would like to ask for clarification... Unless I am mistaken, you have 3.2-RELEASE on the machine that you are connecting to with ssh2 port installed. Right? And you are trying to use RSA Auth using ssh1 on purpose although both sides could use ssh2 in theory. And you are seeing that -CURRENT's ssh does not fall back to RSA key auth when it cannot use DSA. But you have already used ssh2 to this host before. (Because it is contained in the known_hosts2 file). Maybe this confuses ssh. In my setup, I have only one server that can do SSH2 (mine, the -CURRENT box) all others are unable, because they use either older versions of OpenSSH or the ssh1 from SSH Communications. But I have absolutely no problem in connecting between them with RSA keys... although I have just tried (almost) all combinations.:-) Even the -CURRENT server does well, although ssh2 is the first option tried in the server config because some windoze clients can do ssh2 already so why not use it? But admittedly I have not tried RSA auth between two ssh2 capable hosts... will need the help of a collegaue with it. (who will kindly reboot the machine on the other end into FreeBSD-STABLE:-) Note that I do not have a known_hosts2 or an authorized_keys2 file anywhere. -- Regards: Szilveszter ADAM Szeged University Szeged Hungary To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
ssh public key auth. incompatible between 2.3.0 vs. 2.9?
OK; there's something about the (relatively) new ssh (2.9) in -CURRENT
I'm not understanding. I have hunted around for some clues (via man pages
& the like), but it could well be that I'm still failing to notice
something -- quite possibly something that should be obvious to even me
-- and I welcome a clue.
Basically, the setup I use in -STABLE, where I'm able to use my
public/private key pair for authentication, is not working in -CURRENT.
(ssh in -CURRENT is reverting to password authentication.)
On the machine (my laptop, where I have been tracking both -STABLE and
-CURRENT daily for the past 1.5 months or so, and each environment has
its own / and /usr, but /usr/local, /var, and my home directory are
common -- as is the local CVS respository), I have it set up to start X
(4.0.3) via xdm. Thus, my ~/.xsession script is run when I login.
The first part of that script reads:
#! /bin/csh
if { test -x `which ssh-askpass` } then
eval `ssh-agent`
ssh-add
set ssh_test = `ssh-add -l` || exit 1
echo "$ssh_test" | grep '@' >/dev/null
if ( $? ) then
echo "What part of 'Need passphrase' don't you understand?"
exit 2
endif
endif
set in_xdm = "1"
source ~/.cshrc
(I do *not* normally use csh for script-writing. However, since I use
it (well, tcsh) as my normal shell, there are some advantages to having
the ssh-agent stuff use csh semantics. And it allows a bit more
consistency forfiguring out things like my customized execution path.
And prior to ssh .29 in -CURRENT, this was also working in -CURRENT...
but it took a couple of days for things to get to a reasonably steady
state or ssh 2.9 in -CURRENT, which is why I didn't write about this
earlier: I figured it's sufficiently messy that it was a little
premature to do that just yet. But I certainly want folks to be aware
of what is going on, now that I've started seeing requested to MFC ssh
2.9.)
Now, as noted, my home directory is common between the 2 environments,
so I have a high degree of confidence that the files look the same from
either environment. And I built the first -CURRENT environment from
FreeBSD 4.3-STABLE near the 2nd week of March; that part's been tracking
-CURRENT since... and this was after /etc/ssh had been populated
originally, so the host keys are the same. Here's /etc/ssh on the
-STABLE side:
dhcp-140[1] ls -la /S1/etc/ssh
total 37
drwxr-xr-x 2 root wheel512 May 3 06:57 .
drwxr-xr-x 17 root wheel 2560 May 12 07:07 ..
-rw-r--r-- 1 root wheel 26346 May 3 06:57 primes
-rw-r--r-- 1 root wheel976 Mar 6 07:46 ssh_config
-rw--- 1 root wheel668 Mar 6 09:33 ssh_host_dsa_key
-rw-r--r-- 1 root wheel595 Mar 6 09:33 ssh_host_dsa_key.pub
-rw--- 1 root wheel520 Mar 6 09:33 ssh_host_key
-rw-r--r-- 1 root wheel324 Mar 6 09:33 ssh_host_key.pub
-rw-r--r-- 1 root wheel 1480 Mar 6 07:46 sshd_config
dhcp-140[2]
and the -CURRENT side:
dhcp-140[2] ls -la /etc/ssh
total 39
drwxr-xr-x 2 root wheel512 May 9 10:18 .
drwxr-xr-x 16 root wheel 2560 May 11 09:56 ..
-rw-r--r-- 1 root wheel 26346 Mar 27 08:01 primes
-rw-r--r-- 1 root wheel909 Mar 7 21:29 ssh_config
-rw--- 1 root wheel668 Mar 6 09:33 ssh_host_dsa_key
-rw-r--r-- 1 root wheel595 Mar 6 09:33 ssh_host_dsa_key.pub
-rw--- 1 root wheel520 Mar 6 09:33 ssh_host_key
-rw-r--r-- 1 root wheel324 Mar 6 09:33 ssh_host_key.pub
-rw--- 1 root wheel529 May 9 10:18 ssh_host_rsa_key
-rw-r--r-- 1 root wheel333 May 9 10:18 ssh_host_rsa_key.pub
-rw-r--r-- 1 root wheel 1776 May 6 09:41 sshd_config
dhcp-140[3]
and in particular:
dhcp-140[3] sudo cmp {/S1,}/etc/ssh/ssh_host_key
Password:
dhcp-140[4] sudo cmp {/S1,}/etc/ssh/ssh_host_key.pub
dhcp-140[5] sudo cmp {/S1,}/etc/ssh/ssh_config
/S1/etc/ssh/ssh_config /etc/ssh/ssh_config differ: char 196, line 5
dhcp-140[6] sudo diff -u {/S1,}/etc/ssh/ssh_config
--- /S1/etc/ssh/ssh_config Tue Mar 6 07:46:45 2001
+++ /etc/ssh/ssh_config Wed Mar 7 21:29:09 2001
@@ -2,7 +2,7 @@
# defaults for users, and the values can be changed in per-user configuration
# files or on the command line.
#
-# $FreeBSD: src/crypto/openssh/ssh_config,v 1.6 2000/09/10 09:35:38 kris Exp $
+# $FreeBSD$
# Configuration data is parsed as follows:
# 1. command line options
dhcp-140[7]
OK; I *think* that's a difference that ought not be relevant to the
issue I'm seeing :-}
[Sorry if things get disjointed at this point. My laptop re-booted; as
far as I know, I had just hit the "A" key. The /var filesystem needed a
manual fsck, which I did, then I re-booted. It seems to have done
Kirk's "background fsck" magic OK; I HUPped the process (which was still
hanging around on the machine where I was composing this note) and
recovered the buffer up to this parenthetical comment. dhw]
So, I tried an experiment to illustrate the issue. I booted -CURRENT,
and (under script) issued an "ssh -v bunrab".
