Re: ssh to freefall broken

2000-04-21 Thread Mike Pritchard

On Thu, Apr 20, 2000 at 05:05:11PM -0700, Archie Cobbs wrote:
 Kris Kennaway writes:
 $ ssh [EMAIL PROTECTED]
 Warning: Server lies about size of server host key: actual size is 1023 bits vs. announced 1024.
 Warning: This may be due to an old implementation of ssh.
 Warning: identity keysize mismatch: actual 1023, announced 1024
 Agent admitted failure to authenticate using the key.
 Authentication agent failed to decrypt challenge.
 Enter passphrase for RSA key '[EMAIL PROTECTED]': 

Are you still being asked for your passphrase?  I noticed a couple
of days ago that ssh to freefall wanted my passphrase, but I didn't need
it yesterday or today.  Sunspots?  Full moon?  

Even before OpenSSH, I've had this problem in the past.  Sometimes
it seemed to be due to reverse DNS lookups not resolving
correctly (my ISP wasn't always responding to reverse DNS
lookups correctly).

-Mike
-- 
Mike Pritchard
[EMAIL PROTECTED] or [EMAIL PROTECTED]


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message



Re: ssh to freefall broken

2000-04-21 Thread Archie Cobbs

Mike Pritchard writes:
  Kris Kennaway writes:
  $ ssh [EMAIL PROTECTED]
  Warning: Server lies about size of server host key: actual size is 1023 bits vs. announced 1024.
  Warning: This may be due to an old implementation of ssh.
  Warning: identity keysize mismatch: actual 1023, announced 1024
  Agent admitted failure to authenticate using the key.
  Authentication agent failed to decrypt challenge.
  Enter passphrase for RSA key '[EMAIL PROTECTED]': 
 
 Are you still being asked for your passphrase?  I noticed a couple
 of days ago that ssh to freefall wanted my passphrase, but I didn't need
 it yesterday or today.  Sunspots?  Full moon?  

Yes, that's what has changed.. before it never asked, now it always asks.
For me it's not intermittent.. it's consistent.

 Even before OpenSSH, I've had this problem in the past.  Sometimes
 it seemed to be due to reverse DNS lookups not resolving
 correctly (my ISP wasn't always responding to reverse DNS
 lookups correctly).

That doesn't seem to be the problem.. I can resolve my IP address
from freefall (in another window) at the same time it's failing..

This only happens when going from machine A - machine B - freefall.
Machine A is 3.4-REL, machine B is either 4.0-stable or 5.0-current
(as of a couple of days ago).

When going directly from machine A - freefall it works fine...
in this case no newer versions of FreeBSD are involved.

Previously, when machine B was 3.4-REL or pre-4.0-current (as of a few
months ago), it worked fine.

Since then, only 'machine B' has changed. Machine A (and presumably
freefall) haven't.

It may be something stupid I'm doing.. but if it is, then I was
doing it before and it used to work :-)

It also may have to do with the warning 'Server lies about size of
server host key: actual size is 1023 bits vs. announced 1024.'

A complete trace is included below.

-Archie

___
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com


[machineA] $ ssh -v machineB
SSH Version 1.2.26 [i386-unknown-freebsd3.1], protocol version 1.5.
Standard version.  Does not use RSAREF.
machineA.whistle.com: Reading configuration data /usr/local/etc/ssh_config
machineA.whistle.com: Applying options for *
machineA.whistle.com: ssh_connect: getuid 1000 geteuid 0 anon 0
machineA.whistle.com: Connecting to machineB [207.76.205.132] port 22.
machineA.whistle.com: Allocated local port 751.
machineA.whistle.com: Connection established.
machineA.whistle.com: Remote protocol version 1.5, remote software version OpenSSH-1.2.2
machineA.whistle.com: Waiting for server public key.
machineA.whistle.com: Received server public key (768 bits) and host key (1024 bits).
machineA.whistle.com: Host 'machineB' is known and matches the host key.
machineA.whistle.com: Initializing random; seed file /home/archie/.ssh/random_seed
machineA.whistle.com: IDEA not supported, using 3des instead.
machineA.whistle.com: Encryption type: 3des
machineA.whistle.com: Sent encrypted session key.
machineA.whistle.com: Installing crc compensation attack detector.
machineA.whistle.com: Received encrypted confirmation.
machineA.whistle.com: Connection to authentication agent opened.
machineA.whistle.com: Trying RSA authentication via agent with '[EMAIL PROTECTED]'
machineA.whistle.com: Server refused our key.
machineA.whistle.com: RSA authentication using agent refused.
machineA.whistle.com: Trying RSA authentication with key '[EMAIL PROTECTED]'
machineA.whistle.com: Server refused our key.
machineA.whistle.com: Doing password authentication.
archie@machineB's password: 
machineA.whistle.com: Requesting pty.
machineA.whistle.com: Failed to get local xauth data.
machineA.whistle.com: Requesting X11 forwarding with authentication spoofing.
machineA.whistle.com: Remote: X11 forwarding disabled in server configuration file.
Warning: Remote host denied X11 forwarding, perhaps xauth program could not be run on the server side.
machineA.whistle.com: Requesting authentication agent forwarding.
machineA.whistle.com: Requesting shell.
machineA.whistle.com: Entering interactive session.
Last login: Fri Apr 21 10:32:24 2000 from machineA.whistle.co
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California.  All rights reserved.
FreeBSD 4.0-STABLE (MACHINEB) #0: Thu Apr 20 10:53:28 PDT 2000

Welcome to FreeBSD!

Before seeking technical support, please use the following resources:

o  Security advisories and updated errata information for all releases are
   at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
   for your release first as it's updated frequently.

o  The Handbook and FAQ documents are at http://www.freebsd.org/ and,
   along with the mailing lists, can be searched by going to
   http://www.FreeBSD.org/search.html.  If the doc distribution has
   been installed, they're also available formatted 

Re: ssh to freefall broken

2000-04-21 Thread Julian Elischer

Archie Cobbs wrote:
 

I presume the public key at freefall matches the public key
at machine-B. Try connecting back in the other direction
so that the 'known machines' settings are tested.

 
 This only happens when going from machine A - machine B - freefall.
 Machine A is 3.4-REL, machine B is either 4.0-stable or 5.0-current
 (as of a couple of days ago).
 
 When going directly from machine A - freefall it works fine...
 in this case no newer versions of FreeBSD are involved.
 
 Previously, when machine B was 3.4-REL or pre-4.0-current (as of a few
 months ago), it worked fine.

The ssh in machine B is now different.. before it was ssh1 and now it
is openssh.
What happens if you use TELNET to get to machine B?
does the ssh to freefall still misbehave?
(in other words.. what if machine A is not involved?)

 
 Since then, only 'machine B' has changed. Machine A (and presumably
 freefall) haven't.
 

 _
-- 
  __--_|\  Julian Elischer
 /   \ [EMAIL PROTECTED]
(   OZ) World tour 2000
--- X_.---._/  presently in:  Perth
v





Re: ssh to freefall broken

2000-04-21 Thread Kris Kennaway

On Fri, 21 Apr 2000, Archie Cobbs wrote:

 This only happens when going from machine A - machine B - freefall.
 Machine A is 3.4-REL, machine B is either 4.0-stable or 5.0-current
 (as of a couple of days ago).

Hmm. It works for me going 5.0-C - 5.0-C - freefall using
openssh both times. Perhaps it's some bug in the ssh-openssh agent
forwarding..I'll see if I can get it to fail with ssh.

I noticed that you're running an old version of ssh, too, which may have
some security problems (the 1.2.27 upgrade fixed some discovered problems,
but I forget what they were).

 It also may have to do with the warning 'Server lies about size of
 server host key: actual size is 1023 bits vs. announced 1024.'

That should be harmless.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: ssh to freefall broken

2000-04-21 Thread Kris Kennaway

On Fri, 21 Apr 2000, Archie Cobbs wrote:

 Machine A is 3.4-REL, machine B is either 4.0-stable or 5.0-current
 (as of a couple of days ago).

Hmm, I've just tried it with ssh-1.2.27 - openssh-1.2.3 - freefall, and
it still works. Maybe it's something about 1.2.26..let me know what
happens after the upgrade.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: ssh to freefall broken

2000-04-21 Thread Archie Cobbs

Kris Kennaway writes:
 On Fri, 21 Apr 2000, Archie Cobbs wrote:
  Machine A is 3.4-REL, machine B is either 4.0-stable or 5.0-current
  (as of a couple of days ago).
 
 Hmm, I've just tried it with ssh-1.2.27 - openssh-1.2.3 - freefall, and
 it still works. Maybe it's something about 1.2.26..let me know what
 happens after the upgrade.

I upgraded to ssh-1.2.27 on 'machineA' and the same problem happens.

By the way.. machine B was compiled with USA_RESIDENT=YES.

-Archie

___
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com





ssh to freefall broken

2000-04-20 Thread Archie Cobbs

Just updated to -current.. previously, when ssh'ing to freefall,
no password was required at all -- it just worked.  Now I get this:

  $ ssh [EMAIL PROTECTED]
  Warning: Server lies about size of server host key: actual size is 1023 bits vs. announced 1024.
  Warning: This may be due to an old implementation of ssh.
  Warning: identity keysize mismatch: actual 1023, announced 1024
  Agent admitted failure to authenticate using the key.
  Authentication agent failed to decrypt challenge.
  Enter passphrase for RSA key '[EMAIL PROTECTED]': 

This wouldn't be a big problem except for CVS_RSH=ssh .. meaning
every cvs operation requires a password.

Any ideas what I'm doing wrong?

Thanks,
-Archie

___
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com





Re: ssh to freefall broken

2000-04-20 Thread Harold Gutch

On Thu, Apr 20, 2000 at 12:58:42PM -0700, Archie Cobbs wrote:
 Just updated to -current.. previously, when ssh'ing to freefall,
 no password was required at all -- it just worked.  Now I get this:
 
   $ ssh [EMAIL PROTECTED]
   Warning: Server lies about size of server host key: actual size is 1023 bits vs. announced 1024.
   Warning: This may be due to an old implementation of ssh.
   Warning: identity keysize mismatch: actual 1023, announced 1024
   Agent admitted failure to authenticate using the key.
   Authentication agent failed to decrypt challenge.
   Enter passphrase for RSA key '[EMAIL PROTECTED]': 
 
 This wouldn't be a big problem except for CVS_RSH=ssh .. meaning
 every cvs operation requires a password.
 
 Any ideas what I'm doing wrong?

You're using OpenSSH - I think removing the appropriate entry from
your ~/.ssh/known_hosts, then logging in once and saving the
"new" hostkey fixed that problem.

bye,
  Harold

-- 
Someone should do a study to find out how many human life spans have
been lost waiting for NT to reboot.
  Ken Deboy on Dec 24 1999 in comp.unix.bsd.freebsd.misc
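
The keysize warning quoted throughout this thread compares the size recorded with a key against the length of its modulus, and the reply above suggests replacing the stale ~/.ssh/known_hosts entry. The following is an added example, not part of any poster's message: it scans protocol 1 style known_hosts lines (hostnames, bits, exponent, modulus) and reports entries where the announced and actual sizes disagree. Host names, moduli and function names are constructed for illustration; the sample also shows that two 512-bit factors can produce either a 1023-bit or a 1024-bit modulus.

```python
def audit_known_hosts(lines):
    """Return (lineno, hosts, announced_bits, actual_bits) for every SSH
    protocol 1 RSA entry whose announced size differs from the real
    bit length of its modulus."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Protocol 1 entry layout: hostnames bits exponent modulus [comment]
        if len(fields) < 4 or not all(f.isdigit() for f in fields[1:4]):
            continue  # protocol 2 entries ("ssh-rsa AAAA...") or malformed lines
        hosts, announced, modulus = fields[0], int(fields[1]), int(fields[3])
        actual = modulus.bit_length()
        if actual != announced:
            findings.append((lineno, hosts, announced, actual))
    return findings


def sample_known_hosts():
    """Constructed sample, not real keys: the factors are only sized like
    512-bit primes, which is all the bit-length check depends on."""
    short = (2**511 + 111) * (2**511 + 235)  # 512-bit factors, 1023-bit product
    full = (2**512 - 569) * (2**512 - 629)   # 512-bit factors, 1024-bit product
    return [
        "# constructed protocol 1 style entries",
        f"hostb.example 1024 35 {short}",
        f"hosta.example 1024 35 {full}",
        "hostc.example ssh-rsa AAAAB3NzaC1yc2E",
    ]


if __name__ == "__main__":
    for lineno, hosts, announced, actual in audit_known_hosts(sample_known_hosts()):
        print(f"line {lineno}: {hosts} announces {announced} bits, "
              f"modulus has {actual}")
```
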





Re: ssh to freefall broken

2000-04-20 Thread Kris Kennaway

On Thu, 20 Apr 2000, Archie Cobbs wrote:

   $ ssh [EMAIL PROTECTED]
   Warning: Server lies about size of server host key: actual size is 1023 bits vs. announced 1024.
   Warning: This may be due to an old implementation of ssh.
   Warning: identity keysize mismatch: actual 1023, announced 1024
   Agent admitted failure to authenticate using the key.
   Authentication agent failed to decrypt challenge.
   Enter passphrase for RSA key '[EMAIL PROTECTED]': 

How long had it been since you updated? OpenSSH changed some defaults a
while back, including defaulting to not do agent forwarding, I
think. Check the config files and add it back if necessary.

Kris


In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe [EMAIL PROTECTED]






Re: ssh to freefall broken

2000-04-20 Thread Archie Cobbs

Kris Kennaway writes:
$ ssh [EMAIL PROTECTED]
Warning: Server lies about size of server host key: actual size is 1023 bits vs. announced 1024.
Warning: This may be due to an old implementation of ssh.
Warning: identity keysize mismatch: actual 1023, announced 1024
Agent admitted failure to authenticate using the key.
Authentication agent failed to decrypt challenge.
Enter passphrase for RSA key '[EMAIL PROTECTED]': 
 
 How long had it been since you updated? OpenSSH changed some defaults a
 while back, including defaulting to not do agent forwarding, I
 think. Check the config files and add it back if necessary.

Hmm.. I set "ForwardAgent yes" in /etc/ssh/ssh_config but that
didn't help.. from this verbose output it looks like the line
saying "Agent admitted failure to authenticate using the key"
is the root of the problem..

  Warning: identity keysize mismatch: actual 1023, announced 1024
  debug: Trying RSA authentication via agent with '[EMAIL PROTECTED]'
  debug: Received RSA challenge from server.
  Agent admitted failure to authenticate using the key.
  Authentication agent failed to decrypt challenge.
  debug: Sending response to RSA challenge.
  debug: Remote: Wrong response to RSA authentication challenge.
  debug: RSA authentication using agent refused.

Maybe there's a problem with ssh-agent?

FYI- here's what I'm doing

  1. On machine A (3.4-REL): "ssh-agent tcsh"
  2. On machine A (3.4-REL): "ssh-add" then enter passcode
  3. On machine A (3.4-REL): "ssh machine B"
  4. On machine B (5.0-current): enter password on machine B
  5. On machine B (5.0-current): "ssh [EMAIL PROTECTED]"

If I leave out steps #3 and #4 then it works fine as before.

-Archie

___
Archie Cobbs   *   Whistle Communications, Inc.  *   http://www.whistle.com

