From quinot@inf.enst.fr  Thu Jul  5 08:17:25 2001
Return-Path: <quinot@inf.enst.fr>
Received: from infres.enst.fr (infres-192.enst.fr [137.194.192.1])
	by hub.freebsd.org (Postfix) with ESMTP id 59A4037B407
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  5 Jul 2001 08:17:25 -0700 (PDT)
	(envelope-from quinot@inf.enst.fr)
Received: from shalmaneser.enst.fr (shalmaneser.enst.fr [137.194.160.128])
	by infres.enst.fr (Postfix) with ESMTP id A5993189A
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  5 Jul 2001 17:17:23 +0200 (MET DST)
Received: by shalmaneser.enst.fr (Postfix, from userid 11117)
	id 803871143A; Thu,  5 Jul 2001 17:17:21 +0200 (CEST)
Message-Id: <20010705151721.803871143A@shalmaneser.enst.fr>
Date: Thu,  5 Jul 2001 17:17:21 +0200 (CEST)
From: Thomas Quinot <quinot@inf.enst.fr>
Reply-To: Thomas Quinot <quinot@inf.enst.fr>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: ssh client won't do RhostsRSAAuthentication
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         28724
>Category:       bin
>Synopsis:       ssh client won't do RhostsRSAAuthentication
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    green
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 05 08:20:02 PDT 2001
>Closed-Date:    Sat Jan 26 23:50:42 MST 2002
>Last-Modified:  Sat Jan 26 23:51:24 MST 2002
>Originator:     Thomas Quinot
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD shalmaneser.enst.fr 5.0-CURRENT FreeBSD 5.0-CURRENT #15: Thu Jun 7 17:54:30 CEST 2001 quinot@shalmaneser.enst.fr:/usr/obj/usr/src/sys/SHALMANESER i386


	
>Description:
	The ssh client as of -CURRENT won't do RhostsRSAAuthentication with
	an OpenSSH 2.3.0p1 server.

>How-To-Repeat:
/usr/bin/ssh -v -o RhostsRSAAuthentication=yes -o RSAAuthentication=no -o PasswordAuthentication=no remote.host.dom

-> permission denied, even though this host's public key is in
~/.ssh/known_hosts on the remote host.

The remote host does accept RhostsRSAAuthentication connections from
other machines. The -CURRENT client does not seem to even try
RhostsRSAAuthentication (when running it with '-1 -v' it does not
print 'Trying RSA rhosts...').

>Fix:

	None known.
>Release-Note:
>Audit-Trail:

From: Thomas Quinot <quinot@inf.enst.fr>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: bin/28724: ssh client won't do RhostsRSAAuthentication
Date: Fri, 6 Jul 2001 18:15:10 +0200

 [ Resending followup after GNATS somehow killed the first one. ]
 
 Please note that the suid bit on /usr/bin/ssh is set.
 
 -- 
 Thomas Quinot ** Département Informatique & Réseaux ** quinot@inf.enst.fr
               ENST   //   46 rue Barrault   //   75634 PARIS CEDEX 13 
Responsible-Changed-From-To: freebsd-bugs->green 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sun Jul 8 14:59:36 PDT 2001 
Responsible-Changed-Why:  
Over to the ssh maintainer 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28724 

From: David Wolfskill <david@catwhisker.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc: quinot@inf.enst.fr
Subject: Re: bin/28724: ssh client won't do RhostsRSAAuthentication
Date: Sat, 28 Jul 2001 13:56:34 -0700 (PDT)

 In case it's of interest or use, here's the output from a couple of
 invocations of "ssh -v bunrab" (bunrab is one of the machines here at
 home) from my laptop -- once running today's 4.3-STABLE; the other running
 today's 5.0-CURRENT.  The home directory is the same in each case (for
 more info on how the laptop is set up, please see
 http://www.catwhisker.org/~david/FreeBSD/laptop.html).
 
 Here's -STABLE:
 Script started on Sat Jul 28 13:24:49 2001
 dhcp-140[1] uname -a
 FreeBSD dhcp-140.catwhisker.org 4.3-STABLE FreeBSD 4.3-STABLE #123: Sat Jul 28 06:51:46 PDT 2001     root@dhcp-140.catwhisker.org:/common/S1/obj/usr/src/sys/LAPTOP_30W  i386
 dhcp-140[2] ssh-add -l
 1024 c5:c0:e1:e0:9c:28:65:75:e1:3d:9d:21:3b:b3:13:5a david@dhcp-135.catwhisker.org
 dhcp-140[3] ssh -v bunrab
 SSH Version OpenSSH_2.3.0 green@FreeBSD.org 20010321, protocol versions 1.5/2.0.
 Compiled with SSL (0x0090601f).
 debug: Reading configuration data /etc/ssh/ssh_config
 debug: ssh_connect: getuid 1001 geteuid 1001 anon 1
 debug: Connecting to bunrab.catwhisker.org [172.16.8.11] port 22.
 debug: Connection established.
 debug: Remote protocol version 1.99, remote software version 2.0.12 (non-commercial)
 debug: match: 2.0.12 (non-commercial) pat ^2\.0\.
 
 debug: Local version string SSH-1.5-OpenSSH_2.3.0 green@FreeBSD.org 20010321
 debug: Waiting for server public key.
 debug: Received server public key (768 bits) and host key (1024 bits).
 debug: Host 'bunrab' is known and matches the RSA host key.
 debug: Encryption type: 3des
 debug: Sent encrypted session key.
 debug: Installing crc compensation attack detector.
 debug: Received encrypted confirmation.
 debug: Trying RSA authentication via agent with 'david@dhcp-135.catwhisker.org'
 debug: Received RSA challenge from server.
 debug: Sending response to RSA challenge.
 debug: Remote: RSA authentication accepted.
 debug: RSA authentication accepted by server.
 debug: Requesting pty.
 debug: Requesting shell.
 debug: Entering interactive session.
 Last login: Sat Jul 28 13:19:53 2001 from dhcp-140.catwhis
 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
 	The Regents of the University of California.   All rights reserved.
 
 FreeBSD 3.2-RELEASE (BUNRAB) #3: Sun Apr 30 19:44:37 PDT 2000
 
 Welcome to FreeBSD!  You will find security advisories and updated
 errata information for all releases at http://www.FreeBSD.ORG/releases/
 
 Before asking for technical assistance:
  1.  Consult the ERRATA section for your release at the URL above.
 
  2.  Search the Handbook, FAQ, and mail archives at 
      http://www.FreeBSD.ORG/search.html. If the doc distribution is
      installed on this machine, you will also find the formatted FAQ
      and Handbook documents in /usr/share/doc/
 
  3.  If you still have a question or problem, collect the output of
      `uname -a' along with error messages from whatever part of the
      system you are having problems with and email it as a question
      to the questions@FreeBSD.ORG mailing list.
         
 You may also use `/stand/sysinstall' to re-enter the installation and
 configuration  utility.  Edit /etc/motd to change this login announcement.
 
 You have mail.
 bunrab[1] exit
 exit
 Connection to bunrab closed.
 debug: Transferred: stdin 0, stdout 1216, stderr 30 bytes in 4.3 seconds
 debug: Bytes per second: stdin 0.0, stdout 283.1, stderr 7.0
 debug: Exit status 0
 dhcp-140[4] exit
 
 Script done on Sat Jul 28 13:26:08 2001
 
 
 
 
 And here's -CURRENT:
 Script started on Sat Jul 28 13:30:28 2001
 dhcp-140[1] uname -a
 FreeBSD dhcp-140.catwhisker.org 5.0-CURRENT FreeBSD 5.0-CURRENT #84: Sat Jul 28 09:50:09 PDT 2001     root@dhcp-140.catwhisker.org:/common/C/obj/usr/src/sys/LAPTOP_30W  i386
 dhcp-140[2] ssh-add -l
 1024 c5:c0:e1:e0:9c:28:65:75:e1:3d:9d:21:3b:b3:13:5a david@dhcp-135.catwhisker.org (RSA1)
 dhcp-140[3] ssh -v bunrab
 OpenSSH_2.9 green@FreeBSD.org 20010608, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
 debug1: Reading configuration data /etc/ssh/ssh_config
 debug1: Rhosts Authentication disabled, originating port will not be trusted.
 debug1: restore_uid
 debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
 debug1: Connecting to bunrab.catwhisker.org [172.16.8.11] port 22.
 debug1: temporarily_use_uid: 1001/20 (e=1001)
 debug1: restore_uid
 debug1: temporarily_use_uid: 1001/20 (e=1001)
 debug1: restore_uid
 debug1: Connection established.
 debug1: identity file /home/david/.ssh/identity type 0
 debug1: identity file /home/david/.ssh/id_rsa type -1
 debug1: identity file /home/david/.ssh/id_dsa type -1
 debug1: Remote protocol version 1.99, remote software version 2.0.12 (non-commercial)
 debug1: match: 2.0.12 (non-commercial) pat ^2\.0\.
 Enabling compatibility mode for protocol 2.0
 debug1: Local version string SSH-2.0-OpenSSH_2.9 green@FreeBSD.org 20010608
 debug1: SSH2_MSG_KEXINIT sent
 debug1: SSH2_MSG_KEXINIT received
 debug1: kex: server->client 3des-cbc hmac-md5 none
 debug1: kex: client->server 3des-cbc hmac-md5 none
 debug1: dh_gen_key: priv key bits set: 183/384
 debug1: bits set: 537/1024
 debug1: sending SSH2_MSG_KEXDH_INIT
 debug1: expecting SSH2_MSG_KEXDH_REPLY
 debug1: Host 'bunrab.catwhisker.org' is known and matches the DSA host key.
 debug1: Found key in /home/david/.ssh/known_hosts2:1
 debug1: bits set: 497/1024
 debug1: len 40 datafellows 8831
 debug1: ssh_dss_verify: signature correct
 debug1: kex_derive_keys
 debug1: newkeys: mode 1
 debug1: SSH2_MSG_NEWKEYS sent
 debug1: waiting for SSH2_MSG_NEWKEYS
 debug1: newkeys: mode 0
 debug1: SSH2_MSG_NEWKEYS received
 debug1: done: ssh_kex2.
 debug1: send SSH2_MSG_SERVICE_REQUEST
 debug1: buggy server: service_accept w/o service
 debug1: got SSH2_MSG_SERVICE_ACCEPT
 debug1: authentications that can continue: publickey,password
 debug1: next auth method to try is publickey
 debug1: try privkey: /home/david/.ssh/id_rsa
 debug1: try privkey: /home/david/.ssh/id_dsa
 debug1: next auth method to try is password
 david@bunrab.catwhisker.org's password: 
 debug1: ssh-userauth2 successful: method password
 debug1: channel 0: new [client-session]
 debug1: channel_new: 0
 debug1: send channel open 0
 debug1: Entering interactive session.
 debug1: client_init id 0 arg 0
 debug1: channel request 0: shell
 debug1: channel 0: open confirm rwindow 10000 rmax 16384
 Last login: Sat Jul 28 13:25:59 2001
 FreeBSD 3.2-RELEASE (BUNRAB) #3: Sun Apr 30 19:44:37 PDT 2000
 
 Welcome to FreeBSD!  You will find security advisories and updated
 errata information for all releases at http://www.FreeBSD.ORG/releases/
 
 Before asking for technical assistance:
  1.  Consult the ERRATA section for your release at the URL above.
 
  2.  Search the Handbook, FAQ, and mail archives at 
      http://www.FreeBSD.ORG/search.html. If the doc distribution is
      installed on this machine, you will also find the formatted FAQ
      and Handbook documents in /usr/share/doc/
 
  3.  If you still have a question or problem, collect the output of
      `uname -a' along with error messages from whatever part of the
      system you are having problems with and email it as a question
      to the questions@FreeBSD.ORG mailing list.
         
 You may also use `/stand/sysinstall' to re-enter the installation and
 configuration  utility.  Edit /etc/motd to change this login announcement.
 
 You have mail.
 bunrab[1] exit
 debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
 debug1: channel 0: rcvd close
 debug1: channel 0: output open -> drain
 debug1: channel 0: input open -> closed
 debug1: channel 0: close_read
 exit
 debug1: channel 0: obuf empty
 debug1: channel 0: output drain -> closed
 debug1: channel 0: close_write
 debug1: channel 0: send close
 debug1: channel 0: is dead
 debug1: channel_free: channel 0: status: The following connections are open:
   #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
 
 debug1: channel_free: channel 0: dettaching channel user
 Connection to bunrab.catwhisker.org closed.
 debug1: Transferred: stdin 0, stdout 0, stderr 45 bytes in 3.2 seconds
 debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 14.2
 debug1: Exit status 0
 dhcp-140[4] exit
 
 Script done on Sat Jul 28 13:31:06 2001
 
 
 
 Note that I needed to type my password in for -CURRENT, but not -STABLE,
 which is symptomatic of the problem in question.
 
 That it was not needed for -STABLE (and had not been needed in -CURRENT
 until ssh-2.9 was committed) is because I was doing the activity from
 an xterm, and I take the following actions:
 
 * I use xdm to create the X environment, so I use ~/.xsession for my
   customization.
 
 * Early on in ~/.xsession, I invoke ssh-agent, then ssh-add, so all child
   processes are able to take advantage of ssh-agent:
 
 dhcp-140: head ~/.xsession
 #! /bin/csh
 
 if { test -x `which ssh-askpass` } then
   eval `ssh-agent`
   ssh-add
   set ssh_test = `ssh-add -l` || exit 1
   echo "$ssh_test" | grep '@' >/dev/null
   if ( $? ) then
     echo "What part of 'Need passphrase' don't you understand?"
     exit 2
   endif
 endif
 ...
 
 
 I hope this is helpful in getting the issue resolved,
 david
 -- 
 David H. Wolfskill				david@catwhisker.org
 As a computing professional, I believe it would be unethical for me to
 advise, recommend, or support the use (save possibly for personal
 amusement) of any product that is or depends on any Microsoft product.

From: Thomas Quinot <thomas@cuivre.fr.eu.org>
To: freebsd-gnats-submit@freebsd.org, imp@village.org
Cc:  
Subject: bin/28724 ssh client won't do RhostsRSAAuthentication
Date: Thu, 6 Dec 2001 20:59:25 +0100

 In a not-so-surprising way, this problem turned out to be a
 misconfiguration of the client machine. UsePrivilegedPort is now
 necessary for the ssh client to use a privileged port, even when
 host-based authentication is enabled and the client has the setuid bit.
 
 Unfortunately, the default used to be "yes" (and still is in -STABLE), and
 the option is not mentioned in the -CURRENT version of the installed
 ssh_config.
 
 Perhaps this could be mentioned in UPDATING?
 
 Thomas.
 
 -- 
     Thomas.Quinot@Cuivre.FR.EU.ORG
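A check for the two client-side prerequisites this follow-up identifies (UsePrivilegedPort set to yes, and a setuid ssh binary), plus a scan of saved `ssh -v` output for the line the -CURRENT transcript above shows when the client gives up on a privileged source port. This is an added example for this PR, not code from the thread or from OpenSSH; it assumes a plain ssh_config without per-Host sections and takes the path of the ssh binary as an argument.

```shell
#!/bin/sh
# Added example (not from bin/28724 or OpenSSH): verify that an OpenSSH 2.9-era
# client is configured so RhostsRSAAuthentication can actually be attempted.
# Per the PR, the client must bind a privileged source port (UsePrivilegedPort,
# default "no" since 2.9) and the ssh binary must be setuid root to do so.

# Print the effective value of an ssh_config keyword: first match wins, as in
# ssh_config(5); "Keyword value" and "Keyword=value" forms both accepted.
# $3 is the value to report when the keyword is absent. Assumption: the file
# has no per-Host sections, so every line applies to every destination.
ssh_config_value() {
    config="$1"; key="$2"; default="$3"
    val=$(awk -v k="$key" '
        /^[ \t]*#/ { next }                         # skip comment lines
        { gsub(/=/, " ") }                          # "Key=val" -> "Key val"
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$config")
    printf '%s\n' "${val:-$default}"
}

# Return 0 if the client could try RhostsRSA, 1 otherwise; print the reasons.
rhosts_rsa_ready() {
    config="$1"; ssh_bin="$2"; problems=""
    # OpenSSH 2.9 changed this default to "no": the cause reported in the PR.
    [ "$(ssh_config_value "$config" UsePrivilegedPort no)" = yes ] \
        || problems="$problems UsePrivilegedPort=no"
    # Without the setuid bit an unprivileged user cannot bind a port < 1024.
    [ -u "$ssh_bin" ] || problems="$problems ssh-not-setuid"
    if [ -z "$problems" ]; then
        echo "ok: client can bind a privileged port and may try RhostsRSA"
        return 0
    fi
    echo "RhostsRSA will NOT be tried:$problems"
    return 1
}

# Return 0 if saved "ssh -v" output contains the 2.9 client's tell-tale line.
rhosts_disabled_in_debug() {
    grep -q 'Rhosts Authentication disabled, originating port will not be trusted' "$1"
}
```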
State-Changed-From-To: open->closed 
State-Changed-By: imp 
State-Changed-When: Sat Jan 26 23:50:42 MST 2002 
State-Changed-Why:  
This was a documentation reading error.  Warnings have been added to 
UPDATING, per original submitter's request. 


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28724 
>Unformatted:
