From archie@packetdesign.com  Fri Jun  1 13:46:30 2001
Return-Path: <archie@packetdesign.com>
Received: from mailman.packetdesign.com (dns.packetdesign.com [65.192.41.10])
	by hub.freebsd.org (Postfix) with ESMTP id 6F0D237B43C
	for <FreeBSD-gnats-submit@freebsd.org>; Fri,  1 Jun 2001 13:46:30 -0700 (PDT)
	(envelope-from archie@packetdesign.com)
Received: from bubba.packetdesign.com (bubba.packetdesign.com [192.168.0.223])
	by mailman.packetdesign.com (8.11.0/8.11.0) with ESMTP id f51KkU219723
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 1 Jun 2001 13:46:30 -0700 (PDT)
	(envelope-from archie@packetdesign.com)
Received: (from archie@localhost)
	by bubba.packetdesign.com (8.11.3/8.11.1) id f51KkUE41863;
	Fri, 1 Jun 2001 13:46:30 -0700 (PDT)
	(envelope-from archie)
Message-Id: <200106012046.f51KkUE41863@bubba.packetdesign.com>
Date: Fri, 1 Jun 2001 13:46:30 -0700 (PDT)
From: Archie Cobbs <archie@packetdesign.com>
Reply-To: archie@packetdesign.com
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: can't do RSA login via ssh to root account
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         27821
>Category:       bin
>Synopsis:       can't do RSA login via ssh to root account
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jun 01 13:50:00 PDT 2001
>Closed-Date:    Fri Jun 1 23:54:04 PDT 2001
>Last-Modified:  Fri Jun 01 23:54:32 PDT 2001
>Originator:     Archie Cobbs
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
Packet Design
>Environment:
System: FreeBSD bubba.packetdesign.com 4.3-RELEASE FreeBSD 4.3-RELEASE #0: Thu Apr 26 15:28:39 PDT 2001 root@bubba.packetdesign.com:/usr/obj/usr/src/sys/BUBBA i386


>Description:

	Normally, when you use ssh-add to add your identity, and
	the remote account you're logging into has your public key
	in its ${HOME}/.ssh/authorized_keys file, you are allowed
	to ssh into that machine without providing a password.

	However, it seems that this doesn't work if the account you
	are trying to ssh into is "root", though it works for other
	normal accounts. That is, with the root account only, ssh
	asks you for the root password instead of just letting you
	log in automatically (with the correct password, the login
	does then succeed).

	This is either a bug or at least a documentation omission,
	as it makes the "PermitRootLogin without-password" setting
	useless.

>How-To-Repeat:

	Set up /root/.ssh/authorized_keys with your public key on
	machine A and try to ssh root@A from machine B after adding
	your public identity via ssh-agent and ssh-add.

	Of course, machine B needs "PermitRootLogin yes" in
	/etc/ssh/sshd_config.

	Both machines are FreeBSD 4.3.

>Fix:

	None.


>Release-Note:
>Audit-Trail:

From: Bill Fenner <fenner@research.att.com>
To: archie@packetdesign.com
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/27821: can't do RSA login via ssh to root account
Date: Fri, 1 Jun 2001 14:14:32 -0700

 I'm doing this with both RSA and DSA keys under stock FreeBSD 4.3 without
 a problem.  The RSA public key is in /root/.ssh/authorized_keys, the
 DSA public key is in /root/.ssh/authorized_keys2, both my RSA and DSA
 keys are loaded in my ssh-agent, and root logins "just work".
 
 mango% uname -a
 FreeBSD mango.attlabs.att.com 4.3-RC FreeBSD 4.3-RC #1: Wed Apr 18 10:33:41 PDT 2001     root@mango.attlabs.att.com:/usr/obj/usr/src/sys/MANGO  i386
 mango% ssh -v -l root cubix01
 SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
 Compiled with SSL (0x0090600f).
 ...
 debug: Trying RSA authentication via agent with 'William C. Fenner'
 debug: Received RSA challenge from server.
 debug: Sending response to RSA challenge.
 debug: Remote: RSA authentication accepted.
 debug: RSA authentication accepted by server.
 ...
 Last login: Fri Jun  1 14:06:57 2001 from mango.attlabs.at
 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
         The Regents of the University of California.  All rights reserved.
 FreeBSD 4.3-RELEASE (CUBIX) #1: Tue Apr 24 16:14:26 GMT 2001
 
 This system is part of HA178's network lab.
 Please contact Bill Fenner <fenner@research.att.com> if you have
  any questions.
 
             _     _       ___  _ 
   ___ _   _| |__ (_)_  __/ _ \/ |
  / __| | | | '_ \| \ \/ / | | | |
 | (__| |_| | |_) | |>  <| |_| | |
  \___|\__,_|_.__/|_/_/\_\\___/|_|
                                  
 
 cubix01# 
 ...
 
 mango% ssh -v -2 -l root cubix01
 SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
 Compiled with SSL (0x0090600f).
 ...
 debug: authentications that can continue: publickey,password
 debug: next auth method to try is publickey
 debug: trying DSA agent key /home/fenner/.ssh/id_dsa-cubix
 debug: ssh-userauth2 successfull: method publickey
 ...
 Last login: Fri Jun  1 14:09:12 2001 from mango.attlabs.at
 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
         The Regents of the University of California.  All rights reserved.
 FreeBSD 4.3-RELEASE (CUBIX) #1: Tue Apr 24 16:14:26 GMT 2001
 
 This system is part of HA178's network lab.
 Please contact Bill Fenner <fenner@research.att.com> if you have
  any questions.
 
             _     _       ___  _ 
   ___ _   _| |__ (_)_  __/ _ \/ |
  / __| | | | '_ \| \ \/ / | | | |
 | (__| |_| | |_) | |>  <| |_| | |
  \___|\__,_|_.__/|_/_/\_\\___/|_|
                                  
 
 cubix01# 
 

From: Archie Cobbs <archie@packetdesign.com>
To: Bill Fenner <fenner@research.att.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/27821: can't do RSA login via ssh to root account
Date: Fri, 01 Jun 2001 14:33:11 -0700

 Bill Fenner wrote:
 > I'm doing this with both RSA and DSA keys under stock FreeBSD 4.3 without
 > a problem.  The RSA public key is in /root/.ssh/authorized_keys, the
 > DSA public key is in /root/.ssh/authorized_keys2, both my RSA and DSA
 > keys are loaded in my ssh-agent, and root logins "just work".
 
 Hmm.. it looks like the problem doesn't have to do with root anymore,
 instead ssh is trying to use my ${HOME}/.ssh/identity instead of the
 identity I've chosen for the agent via ssh-add.. e.g., here's a trace
 
 Notice below it's trying to use the 'archie@bubba.whistle.com' RSA
 identity instead of the one I specified (~archie/ambit/rsakey/ambitkey).
 
 I even tried using the '-i' flag..
 
 The /etc/ssh/sshd_config file on the remote machine is the standard
 one with 'RSAAuthentication yes' in it.
 
 -Archie
 
 __________________________________________________________________________
 Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
 
 bubba 118 eval `ssh-agent`
 Agent pid 61927
 bubba 119 env|grep SSH
 SSH_AUTH_SOCK=/tmp/ssh-g47PGWOn/agent.61926
 SSH_AGENT_PID=61927
 bubba 120 ssh-add ~archie/ambit/rsakey/ambitkey
 Need passphrase for /home/archie/ambit/rsakey/ambitkey
 Enter passphrase for /home/archie/ambit/rsakey/ambitkey: 
 Identity added: /home/archie/ambit/rsakey/ambitkey
 (/home/archie/ambit/rsakey/ambitkey)
 bubba 121 ssh-add -l
 1024 31:ea:a7:af:40:dc:34:f5:84:78:df:46:2b:f1:a5:a2
 /home/archie/ambit/rsakey/ambitkey
 bubba 122 ssh -v  vernier@192.168.10.2
 SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
 Compiled with SSL (0x0090600f).
 debug: Reading configuration data /etc/ssh/ssh_config
 debug: ssh_connect: getuid 1000 geteuid 1000 anon 1
 debug: Connecting to (null) [192.168.10.2] port 22.
 debug: Connection established.
 debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0
 green@FreeBSD.org 20010321
 debug: match: OpenSSH_2.3.0 green@FreeBSD.org 20010321 pat ^OpenSSH[-_]2\.3
 
 debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
 debug: Waiting for server public key.
 debug: Received server public key (768 bits) and host key (1024 bits).
 debug: Host '192.168.10.2' is known and matches the RSA host key.
 debug: Encryption type: 3des
 debug: Sent encrypted session key.
 debug: Installing crc compensation attack detector.
 debug: Received encrypted confirmation.
 debug: RSA authentication using agent refused.
 debug: Trying RSA authentication with key 'archie@bubba.whistle.com'
 debug: Server refused our key.
 debug: Doing password authentication.
 vernier@192.168.10.2's password: 
 bubba 123 ssh -v -i /home/archie/ambit/rsakey/ambitkey vernier@192.168.10.2
 SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
 Compiled with SSL (0x0090600f).
 debug: Reading configuration data /etc/ssh/ssh_config
 debug: ssh_connect: getuid 1000 geteuid 1000 anon 1
 debug: Connecting to (null) [192.168.10.2] port 22.
 debug: Connection established.
 debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0
 green@FreeBSD.org 20010321
 debug: match: OpenSSH_2.3.0 green@FreeBSD.org 20010321 pat ^OpenSSH[-_]2\.3
 
 debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
 debug: Waiting for server public key.
 debug: Received server public key (768 bits) and host key (1024 bits).
 debug: Host '192.168.10.2' is known and matches the RSA host key.
 debug: Encryption type: 3des
 debug: Sent encrypted session key.
 debug: Installing crc compensation attack detector.
 debug: Received encrypted confirmation.
 debug: RSA authentication using agent refused.
 debug: Bad key file /home/archie/ambit/rsakey/ambitkey.
 debug: Doing password authentication.
 vernier@192.168.10.2's password:

From: Bill Fenner <fenner@research.att.com>
To: archie@packetdesign.com
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/27821: can't do RSA login via ssh to root account
Date: Fri, 1 Jun 2001 14:47:22 -0700

 I admit I used my one and only RSA key, but I did use a custom DSA key.
 I removed all the keys from my agent, then re-added them with my normal
 DSA key first, and it tried both:
 
 mango% ssh-add -l
 1024 91:30:d8:8d:e6:5d:65:3d:95:1a:81:57:41:8c:2c:3b William C. Fenner
 1024 b2:79:a8:38:8a:73:db:3e:60:56:d6:83:95:72:e7:85 /home/fenner/.ssh/id_dsa
 1024 ba:95:7d:6e:74:f8:ac:28:5c:29:43:96:d3:90:8a:20 /home/fenner/.ssh/id_dsa-cubix
 mango% ssh -v -2 -l root cubix01
 SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
 Compiled with SSL (0x0090600f).
 ...
 debug: authentications that can continue: publickey,password
 debug: next auth method to try is publickey
 debug: trying DSA agent key /home/fenner/.ssh/id_dsa
 debug: authentications that can continue: publickey,password
 debug: next auth method to try is publickey
 debug: trying DSA agent key /home/fenner/.ssh/id_dsa-cubix
 debug: ssh-userauth2 successfull: method publickey
 ...
 
 So, maybe a workaround is to use DSA keys.
 
   Bill

From: Archie Cobbs <archie@packetdesign.com>
To: Bill Fenner <fenner@research.att.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/27821: can't do RSA login via ssh to root account
Date: Fri, 01 Jun 2001 15:01:18 -0700

 Bill Fenner wrote:
 > I admit I used my one and only RSA key, but I did use a custom DSA key.
 > I removed all the keys from my agent, then readded them with my normal
 > DSA key first, and it tried both:
 > 
 > mango% ssh-add -l
 > 1024 91:30:d8:8d:e6:5d:65:3d:95:1a:81:57:41:8c:2c:3b William C. Fenner
 > 1024 b2:79:a8:38:8a:73:db:3e:60:56:d6:83:95:72:e7:85 /home/fenner/.ssh/id_dsa
 > 1024 ba:95:7d:6e:74:f8:ac:28:5c:29:43:96:d3:90:8a:20 /home/fenner/.ssh/id_dsa-cubix
 > mango% ssh -v -2 -l root cubix01
 > SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
 > Compiled with SSL (0x0090600f).
 > ...
 > debug: authentications that can continue: publickey,password
 > debug: next auth method to try is publickey
 > debug: trying DSA agent key /home/fenner/.ssh/id_dsa
 > debug: authentications that can continue: publickey,password
 > debug: next auth method to try is publickey
 > debug: trying DSA agent key /home/fenner/.ssh/id_dsa-cubix
 > debug: ssh-userauth2 successfull: method publickey
 > ...
 
 Yep, the '-2' flag is what makes it work. Oh, maybe that makes sense,
 I'm using a DSA key.. are they only supported by version 2? I thought
 that ssh+sshd would automatically negotiate version 2 but maybe I assume
 too much.
 
 -Archie
 
 __________________________________________________________________________
 Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
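
The traces in this thread carry enough information to tell the two situations apart without knowing the key type in advance: the client's "Local version string SSH-1.5" line shows that it chose protocol 1 even though the server offered 1.99, and under protocol 1 the agent key is refused and the -i file is reported as "Bad key file", whereas with -2 the "ssh-userauth2" messages appear and the DSA agent key is accepted. The script below is an added example, not part of PR bin/27821 and not OpenSSH code. It classifies an ssh -v trace using the OpenSSH 2.3 debug wording quoted above; the function names, the output format and the hint text are my own, and the four sample traces are constructed from the thread's debug lines (the "Local version string" line was added to the two traces that were abbreviated with "...").

```sh
#!/bin/sh
# Added example (not from PR bin/27821, not OpenSSH code): explain from an
# `ssh -v` trace why key authentication did or did not happen, using the
# OpenSSH 2.3 debug wording quoted in the thread.

# has TRACE PATTERN... : true if any line of TRACE matches any PATTERN (BRE)
has() {
    t=$1; shift
    for p in "$@"; do
        printf '%s\n' "$t" | grep -q -- "$p" && return 0
    done
    return 1
}

# diagnose_ssh_trace TRACE
# Prints one line: proto=<1|2|?> auth=<pubkey|password|?> hint=<text>
diagnose_ssh_trace() {
    trace=$1

    proto='?'
    if has "$trace" 'Local version string SSH-1\.5'; then
        proto=1            # client spoke protocol 1 (RSA challenge/response)
    elif has "$trace" 'ssh-userauth2' 'Local version string SSH-2\.0'; then
        proto=2            # protocol 2 user authentication was used
    fi

    auth='?'
    if has "$trace" 'RSA authentication accepted by server' \
                    'ssh-userauth2 successful'; then   # also matches "successfull"
        auth=pubkey
    elif has "$trace" 'Doing password authentication'; then
        auth=password
    fi

    hint='no key authentication attempted'
    if [ "$auth" = pubkey ]; then
        hint='key authentication succeeded'
    elif [ "$proto" = 1 ] && has "$trace" 'Bad key file'; then
        # The -i file could not be loaded as a protocol-1 RSA identity; in the
        # thread it was a DSA key, which is only tried under protocol 2.
        hint='identity file unusable under protocol 1; a DSA key needs ssh -2'
    elif [ "$proto" = 1 ] && has "$trace" 'RSA authentication using agent refused'; then
        hint='agent key refused under protocol 1; check key type and authorized_keys'
    fi

    printf 'proto=%s auth=%s hint=%s\n' "$proto" "$auth" "$hint"
}

# Constructed sample traces, assembled from the debug lines quoted in the thread.
TRACE_RSA1_OK="debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: Trying RSA authentication via agent with 'William C. Fenner'
debug: Received RSA challenge from server.
debug: Sending response to RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication accepted by server."

TRACE_DSA_PROTO1="debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: Waiting for server public key.
debug: RSA authentication using agent refused.
debug: Bad key file /home/archie/ambit/rsakey/ambitkey.
debug: Doing password authentication."

TRACE_AGENT_REFUSED1="debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
debug: RSA authentication using agent refused.
debug: Trying RSA authentication with key 'archie@bubba.whistle.com'
debug: Server refused our key.
debug: Doing password authentication."

TRACE_DSA_PROTO2="debug: authentications that can continue: publickey,password
debug: next auth method to try is publickey
debug: trying DSA agent key /home/fenner/.ssh/id_dsa-cubix
debug: ssh-userauth2 successfull: method publickey"

for t in "$TRACE_RSA1_OK" "$TRACE_DSA_PROTO1" "$TRACE_AGENT_REFUSED1" "$TRACE_DSA_PROTO2"; do
    diagnose_ssh_trace "$t"
done
```

ssh writes its debug lines to stderr, so a live trace is captured with `2>&1` and handed to the function as one argument. The `-2` flag the thread settles on selects protocol 2 for a single run; the same choice can be made permanent with the `Protocol` keyword in ssh_config, which the thread does not mention.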

From: Archie Cobbs <archie@packetdesign.com>
To: Bill Fenner <fenner@research.att.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: bin/27821: can't do RSA login via ssh to root account
Date: Fri, 01 Jun 2001 15:05:17 -0700

 OK, now it works with version 1 and an RSA (instead of DSA) key as well.
 Sorry for all the fuss.
 
 -Archie
 
 __________________________________________________________________________
 Archie Cobbs     *     Packet Design     *     http://www.packetdesign.com
State-Changed-From-To: open->closed 
State-Changed-By: roam 
State-Changed-When: Fri Jun 1 23:54:04 PDT 2001 
State-Changed-Why:  
Looks like this one was solved :) 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=27821 
>Unformatted:
