ssh v2 hostbased authentication after woody security upgrade
Hi all!
After the woody security fix of ssh (new version 3.4p1-1.1) we cannot
use HostBased Authentication for SSH V.2. There was no change in the
configuration files or the host keys; interestingly, though, the
/etc/ssh/ssh_host_key
(responsible for V.1 authentication, thus uninteresting for my problem I
guess) has a newer timestamp, while the corresponding .pub file has not
changed at all.
We have on both ssh ends the following permissions (in /etc/ssh):
-rw------- 1 root root 672 Feb 2 2002 ssh_host_dsa_key
-rw-r--r-- 1 root root 600 Feb 2 2002 ssh_host_dsa_key.pub
-rw------- 1 root root 883 Feb 2 2002 ssh_host_rsa_key
-rw-r--r-- 1 root root 220 Feb 2 2002 ssh_host_rsa_key.pub
in sshd_config:
HostbasedAuthentication yes
in ssh_config:
Host *
Protocol 2,1
HostbasedAuthentication yes
ssh-keysign is setuid root:
-rwsr-xr-x 1 root root 151496 Sep 16 13:33 /usr/lib/ssh-keysign
So I do not understand what is going on. The only thing I found in the
log files is:
sshd[26845]: error: ssh_rsa_verify: RSA_verify failed: error:0A071003:lib(10):func(113):reason(3)
sshd[26847]: error: ssh_rsa_verify: RSA_verify failed: error:0A071003:lib(10):func(113):reason(3)
sshd[26847]: Failed password for user from AAA.BBB.CCC.DDD port 1028 ssh2
I started the server with LogLevel DEBUG3 and this is what I got:
sshd[5432]: debug1: Bind to port 22 on 0.0.0.0.
sshd[5432]: Server listening on 0.0.0.0 port 22.
sshd[5432]: Generating 768 bit RSA key.
sshd[5432]: RSA key generation complete.
sshd[5440]: Connection from AAA.BBB.CCC.DDD port 3894
sshd[5432]: debug1: Forked child 5440.
sshd[5440]: debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 Debian 1:3.4p1-1.1
sshd[5440]: debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1.1 pat OpenSSH*
sshd[5440]: Enabling compatibility mode for protocol 2.0
sshd[5440]: debug1: Local version string SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.1
sshd[5440]: debug2: Network child is on pid 5441
sshd[5440]: debug3: preauth child monitor started
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 0
sshd[5440]: debug3: mm_answer_moduli: got parameters: 1024 2048 8192
sshd[5440]: debug3: mm_request_send entering: type 1
sshd[5440]: debug2: monitor_read: 0 used once, disabling now
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 4
sshd[5440]: debug3: mm_answer_sign
sshd[5440]: debug3: mm_answer_sign: signature 0x8095650(143)
sshd[5440]: debug3: mm_request_send entering: type 5
sshd[5440]: debug2: monitor_read: 4 used once, disabling now
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 6
sshd[5440]: debug3: mm_answer_pwnamallow
sshd[5440]: debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
sshd[5440]: debug3: mm_request_send entering: type 7
sshd[5440]: debug2: monitor_read: 6 used once, disabling now
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 37
sshd[5440]: debug1: Starting up PAM with username "user"
sshd[5440]: debug3: Trying to reverse map address AAA.BBB.CCC.DDD.
sshd[5440]: debug1: PAM setting rhost to "origin.mydomain.foo"
sshd[5440]: debug2: monitor_read: 37 used once, disabling now
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 3
sshd[5440]: debug3: mm_answer_authserv: service=ssh-connection, style=
sshd[5440]: debug2: monitor_read: 3 used once, disabling now
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 10
sshd[5440]: debug3: mm_answer_authpassword: sending result 0
sshd[5440]: debug3: mm_request_send entering: type 11
sshd[5440]: Failed none for user from AAA.BBB.CCC.DDD port 3894 ssh2
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 20
sshd[5440]: debug3: mm_answer_keyallowed entering
sshd[5440]: debug3: mm_answer_keyallowed: key_from_blob: 0x809fd20
sshd[5440]: debug2: userauth_hostbased: chost origin.mydomain.foo. resolvedname origin.mydomain.foo ipaddr AAA.BBB.CCC.DDD
sshd[5440]: debug2: stripping trailing dot from chost origin.mydomain.foo.
sshd[5440]: debug2: auth_rhosts2: clientuser user hostname origin.mydomain.foo ipaddr AAA.BBB.CCC.DDD
sshd[5440]: debug1: temporarily_use_uid: 1045/1000 (e=0)
sshd[5440]: debug1: restore_uid
sshd[5440]: debug2: userauth_hostbased: access allowed by auth_rhosts2
sshd[5440]: debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
sshd[5440]: debug3: key_read: type mismatch
OK, here we start with host-based authentication:
sshd[5440]: debug3: check_host_in_hostfile: match line 18
sshd[5440]: debug2: check_key_in_hostfiles: key ok for origin.mydomain.foo
Found the right key
sshd[5440]: debug3: mm_answer_keyallowed: key 0x809fd20 is allowed
sshd[5440]: debug3: mm_append_debug: Appending debug messages for child
sshd[5440]: debug3: mm_request_send entering: type 21
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 22
sshd[5440]: debug1: ssh_dss_verify: signature incorrect
sshd[5440]: debug3: mm_answer_keyverify: key 0x809fd20 signature unverified
Here it is: signature incorrect. What can this be???
sshd[5440]: debug3: mm_request_send entering: type 23
sshd[5440]: Failed hostbased for user from AAA.BBB.CCC.DDD port 3894 ssh2
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 20
sshd[5440]: debug3: mm_answer_keyallowed entering
sshd[5440]: debug3: mm_answer_keyallowed: key_from_blob: 0x80a00e8
sshd[5440]: debug2: userauth_hostbased: chost origin.mydomain.foo. resolvedname origin.mydomain.foo ipaddr AAA.BBB.CCC.DDD
sshd[5440]: debug2: stripping trailing dot from chost origin.mydomain.foo.
sshd[5440]: debug2: auth_rhosts2: clientuser user hostname origin.mydomain.foo ipaddr AAA.BBB.CCC.DDD
sshd[5440]: debug1: temporarily_use_uid: 1045/1000 (e=0)
sshd[5440]: debug1: restore_uid
sshd[5440]: debug2: userauth_hostbased: access allowed by auth_rhosts2
sshd[5440]: debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
sshd[5440]: debug3: check_host_in_hostfile: match line 8
sshd[5440]: debug2: check_key_in_hostfiles: key ok for origin.mydomain.foo
sshd[5440]: debug3: mm_answer_keyallowed: key 0x80a00e8 is allowed
sshd[5440]: debug3: mm_append_debug: Appending debug messages for child
sshd[5440]: debug3: mm_request_send entering: type 21
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 22
sshd[5440]: error: ssh_rsa_verify: RSA_verify failed: error:0A071003:lib(10):func(113):reason(3)
sshd[5440]: debug1: ssh_rsa_verify: signature incorrect
sshd[5440]: debug3: mm_answer_keyverify: key 0x809ece0 signature unverified
sshd[5440]: debug3: mm_request_send entering: type 23
sshd[5440]: Failed hostbased for user from AAA.BBB.CCC.DDD port 3894 ssh2
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 10
sshd[5440]: debug3: mm_answer_authpassword: sending result 0
sshd[5440]: debug3: mm_request_send entering: type 11
sshd[5440]: Failed password for user from AAA.BBB.CCC.DDD port 3894 ssh2
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 10
sshd[5440]: debug3: mm_answer_authpassword: sending result 0
sshd[5440]: debug3: mm_request_send entering: type 11
sshd[5440]: Failed password for user from AAA.BBB.CCC.DDD port 3894 ssh2
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug3: monitor_read: checking request 10
sshd[5440]: debug3: mm_answer_authpassword: sending result 0
sshd[5440]: debug3: mm_request_send entering: type 11
sshd[5440]: Failed password for user from AAA.BBB.CCC.DDD port 3894 ssh2
sshd[5440]: debug3: mm_request_receive entering
sshd[5440]: debug1: Calling cleanup 0x8052b48(0x0)
sshd[5440]: debug1: Calling cleanup 0x806be4c(0x0)
If someone has any idea how to fix this problem we would be grateful!
Best wishes
Norbert
-------------------------------------------------------------------------------
Norbert Preining <preining AT logic DOT at> Technische Universität Wien
gpg DSA: 0x09C5B094 fp: 14DF 2E6C 0307 BE6D AD76 A9C0 D2BF 4AA3 09C5 B094
-------------------------------------------------------------------------------
FIUNARY (n.)
The safe place you put something and then forget where it was.
--- Douglas Adams, The Meaning of Liff
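One server-side check worth running when hostbased authentication gets as far as `mm_answer_keyverify` and then fails: confirm that the ssh_known_hosts entries for the client host still correspond to the key files the client's ssh-keysign signs with, and that each entry's declared type matches the type inside its blob (compare the `key_read: type mismatch` line in the debug output). This is an added Python example, not code from the original mail; the key blobs and known_hosts lines are constructed stand-ins, not real keys.

```python
import base64
import hashlib
import struct

def wire_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def make_blob(key_type: str, material: bytes) -> str:
    """Base64 public-key blob: type string then key material (constructed stand-in)."""
    return base64.b64encode(wire_string(key_type.encode()) + wire_string(material)).decode()

def blob_type(b64: str) -> str:
    """Key type embedded in the blob; OpenSSH's key_read compares it to the type column."""
    raw = base64.b64decode(b64)
    return raw[4:4 + struct.unpack(">I", raw[:4])[0]].decode()

def md5_fingerprint(b64: str) -> str:
    """Colon-separated MD5 of the raw blob, the fingerprint form OpenSSH 3.x printed."""
    digest = hashlib.md5(base64.b64decode(b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def check_known_hosts(known_hosts: str, host: str, client_pubkeys: dict) -> list:
    """Compare each ssh_known_hosts entry for `host` with the client host's own
    .pub blobs (keyed by type). Returns (line_no, declared_type, verdict) tuples."""
    findings = []
    for line_no, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if line.startswith("#") or len(fields) < 3 or host not in fields[0].split(","):
            continue
        declared, blob = fields[1], fields[2]
        if blob_type(blob) != declared:
            findings.append((line_no, declared, "type mismatch"))
        elif declared not in client_pubkeys:
            findings.append((line_no, declared, "no such key type on client"))
        elif md5_fingerprint(client_pubkeys[declared]) != md5_fingerprint(blob):
            findings.append((line_no, declared, "stale entry: fingerprint differs"))
        else:
            findings.append((line_no, declared, "ok"))
    return findings

# Constructed sample data (not real keys): the client's .pub blobs and a server-side
# ssh_known_hosts holding one stale entry and one entry whose type column is wrong.
CLIENT_PUBKEYS = {"ssh-rsa": make_blob("ssh-rsa", b"rsa-material-current"),
                  "ssh-dss": make_blob("ssh-dss", b"dss-material-current")}
KNOWN_HOSTS = "\n".join([
    "other.mydomain.foo ssh-rsa " + make_blob("ssh-rsa", b"other-host"),
    "origin.mydomain.foo,AAA.BBB.CCC.DDD ssh-rsa " + make_blob("ssh-rsa", b"rsa-material-old"),
    "origin.mydomain.foo ssh-dss " + make_blob("ssh-rsa", b"rsa-material-current"),
    "origin.mydomain.foo ssh-dss " + CLIENT_PUBKEYS["ssh-dss"],
])
```

Run `check_known_hosts(KNOWN_HOSTS, "origin.mydomain.foo", CLIENT_PUBKEYS)` against real files by reading the server's /etc/ssh/ssh_known_hosts and the blob column of the client's /etc/ssh/ssh_host_*_key.pub; any verdict other than "ok" means the server is checking the client's signature against a key the client no longer holds.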