OpenSSH 3.0.2p1 configuration question

Post by Stuart Cracraft » Sat, 05 Jan 2002 07:39:58



We've been looking and don't see a way to get
it to respect .shosts files and avoid requiring
passwords when ssh'ing between hosts

Obvious changes to

   /usr/local/etc/sshd_config

have failed.

Has anyone here done this?

Thanks ahead,

Stuart


Post by Rich Teer » Sat, 05 Jan 2002 08:25:18



> We've been looking and don't see a way to get
> it to respect .shosts files and avoid requiring
> passwords when ssh'ing between hosts

> Obvious changes to

>    /usr/local/etc/sshd_config

> have failed.

> Has anyone here done this?

I have the same thing running - but I don't use .shosts.
I prefer to use RSA authentication instead.

Try using the -v flag when you ssh to see if that helps.

--
Rich Teer                                           .  *   * . * .* .
                                                     .   *   .   .*
President,                                          * .  . /\ ( .  . *
Rite Online Inc.                                     . .  / .\   . * .
                                                    .*.  / *  \  . .
                                                      . /*   o \     .
Voice: +1 (250) 979-1638                            *   '''||'''   .
URL: http://www.rite-online.net                     ******************


Post by Stuart Cracraft » Sun, 06 Jan 2002 00:53:19


Rich Teer <r...@rite-group.com> wrote in message <news:Pine.GSO.4.33.0201031524110.19389-100000@mars.rite-group.com>...
> On 3 Jan 2002, Stuart Cracraft wrote:

> > We've been looking and don't see a way to get
> > it to respect .shosts files and avoid requiring
> > passwords when ssh'ing between hosts

> > Obvious changes to

> >    /usr/local/etc/sshd_config

> > have failed.

> > Has anyone here done this?

> I have the same thing running - but I don't use .shosts.
> I prefer to use RSA authentication instead.

> Try using the -v flag when you ssh to see if that helps.

> --
> Rich Teer                                           .  *   * . * .* .
>                                                      .   *   .   .*
> President,                                          * .  . /\ ( .  . *
> Rite Online Inc.                                     . .  / .\   . * .
>                                                     .*.  / *  \  . .
>                                                       . /*   o \     .
> Voice: +1 (250) 979-1638                            *   '''||'''   .
> URL: http://www.rite-online.net                     ******************

Here is the output from a call to ssh from machine B to machine
A showing machine A's sshd_config file. This file needs configuration
to permit the ssh to avoid specifying a password but I don't know how.
Does anyone here? Have tried quite a few ideas but none worked. I
included the -v you suggested for debugging info.

--Stuart

Script started on Fri Jan 04 07:44:11 2002
$ /usr/local/bin/ssh -l utsadmin -v nefud
OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Seeded RNG with 48 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 676 geteuid 0 anon 1
debug1: Connecting to nefud [10.24.16.78] port 22.
debug1: temporarily_use_uid: 676/14 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 676/14 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/utsadmin/.ssh/identity type -1
debug1: identity file /home/utsadmin/.ssh/id_rsa type -1
debug1: identity file /home/utsadmin/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1
debug1: match: OpenSSH_3.0.2p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 144/256
debug1: bits set: 1544/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'nefud (10.24.16.78)' can't be established.
RSA key fingerprint is eb:cc:38:d8:82:e3:e0:86:89:fe:59:f4:ed:24:ee:07.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'nefud,10.24.16.78' (RSA) to the list of known hosts.
debug1: bits set: 1579/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/utsadmin/.ssh/identity
debug1: try privkey: /home/utsadmin/.ssh/id_rsa
debug1: try privkey: /home/utsadmin/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
utsadmin@nefud's password:
debug1: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64)
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384
Last login: Fri Jan  4 07:41:22 2002 from netace1.idc.vzw
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
$ /usr/local/bin/ssh -v -l utsadmin nefud cat /usr/local/etc/sshd_config
OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Seeded RNG with 49 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 676 geteuid 0 anon 1
debug1: Connecting to nefud [10.24.16.78] port 22.
debug1: temporarily_use_uid: 676/14 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 676/14 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/utsadmin/.ssh/identity type -1
debug1: identity file /home/utsadmin/.ssh/id_rsa type -1
debug1: identity file /home/utsadmin/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.0.2p1
debug1: match: OpenSSH_3.0.2p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 125/256
debug1: bits set: 1639/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'nefud' is known and matches the RSA host key.
debug1: Found key in /home/utsadmin/.ssh/known_hosts:2
debug1: bits set: 1603/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/utsadmin/.ssh/identity
debug1: try privkey: /home/utsadmin/.ssh/id_rsa
debug1: try privkey: /home/utsadmin/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
utsadmin@nefud's password:
debug1: packet_send2: adding 48 (len 61 padlen 19 extra_pad 64)
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Sending command: cat /usr/local/etc/sshd_config
debug1: channel 0: open confirm rwindow 0 rmax 16384
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug1: channel 0: input open -> closed
debug1: channel 0: close_read
#       $OpenBSD: sshd_config,v 1.42 2001/09/20 20:57:51 mouring Exp $

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# This is the sshd server system-wide configuration file.  See sshd(8)
# for more information.

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /usr/local/etc/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO
#obsoletes QuietMode and FascistLogging

# Authentication:

LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /usr/local/etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem       sftp    /usr/local/libexec/sftp-server
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel ...


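The sshd_config that machine A returned above already explains the behaviour: sshd only consults ~/.shosts when HostbasedAuthentication (protocol 2) or RhostsRSAAuthentication (protocol 1) is set to yes and IgnoreRhosts is set to no, and here both methods are explicitly off while IgnoreRhosts is commented out (default yes), so the server offers only publickey, password and keyboard-interactive. The script below is an added example, not code from the thread: it reads a config file with sshd's first-match rule and reports which password-less methods the server actually enables, assuming the OpenSSH 3.0 defaults named in its comments for keywords that are absent or commented out.

```shell
#!/bin/sh
# Added example, not from the thread: report which settings in an OpenSSH
# 3.0.2p1 sshd_config decide whether a login can skip the password prompt.
# Defaults assumed when a keyword is absent or commented out: Pubkey yes,
# RSAAuthentication yes, HostbasedAuthentication no,
# RhostsRSAAuthentication no, IgnoreRhosts yes, PasswordAuthentication yes.

# sshd_get FILE KEYWORD DEFAULT: effective value of KEYWORD. sshd honours
# the first uncommented occurrence only and matches keywords case-insensitively.
sshd_get() {
    _v=$(awk -v key="$2" '
        $1 ~ /^#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1")
    [ -n "$_v" ] && printf '%s\n' "$_v" || printf '%s\n' "$3"
}

# audit_sshd_config FILE: one finding per line; exit 0 if the server
# enables at least one password-less method, 1 if it does not.
audit_sshd_config() {
    _f=$1; _rc=1
    _hb=$(sshd_get "$_f" HostbasedAuthentication no)
    _rr=$(sshd_get "$_f" RhostsRSAAuthentication no)
    _ign=$(sshd_get "$_f" IgnoreRhosts yes)
    _pub=$(sshd_get "$_f" PubkeyAuthentication yes)
    _rsa=$(sshd_get "$_f" RSAAuthentication yes)
    _pw=$(sshd_get "$_f" PasswordAuthentication yes)
    if [ "$_hb" = yes ] || [ "$_rr" = yes ]; then
        if [ "$_ign" = yes ]; then
            echo "hostbased: enabled, but IgnoreRhosts yes so ~/.shosts is never read"
        else
            echo "hostbased: enabled (client host key must be in ssh_known_hosts)"; _rc=0
        fi
    else
        echo "hostbased: off (HostbasedAuthentication=$_hb RhostsRSAAuthentication=$_rr); .shosts cannot work"
    fi
    if [ "$_pub" = yes ] || [ "$_rsa" = yes ]; then
        echo "publickey: enabled (client key must be in the user's authorized_keys)"; _rc=0
    else
        echo "publickey: off"
    fi
    [ "$_pw" = yes ] && echo "password: still accepted, so a missing key falls back to a prompt"
    return $_rc
}

# Constructed sample: the authentication block of machine A's sshd_config
# as quoted above, trimmed to the keywords this check reads.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
RhostsAuthentication no
#IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PasswordAuthentication yes
EOF
audit_sshd_config "$SAMPLE"
```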

Post by Rich Teer » Sun, 06 Jan 2002 02:21:57


On 4 Jan 2002, Stuart Cracraft wrote:

> Here is the output from a call to ssh from machine B to machine
> A showing machine A's sshd_config file. This file needs configuration
> to permit the ssh to avoid specifying a password but I don't know how.
> Does anyone here? Have tried quite a few ideas but none worked. I
> included the -v you suggested for debugging info.

Here's my sshd.conf file:

        # This is ssh server systemwide configuration file.

        AllowTCPForwarding      no
        #Banner                 /etc/issue.net
        HostKey                 /etc/ssh/ssh_host_key
        HostKey                 /etc/ssh/ssh_host_rsa_key
        HostKey                 /etc/ssh/ssh_host_dsa_key
        IgnoreRhosts            yes
        KeepAlive               yes
        KeyRegenerationInterval 3600
        PasswordAuthentication  yes
        PermitEmptyPasswords    no
        PermitRootLogin         no
        Port                    22
        PrintMotd               no
        RSAAuthentication       yes
        RhostsAuthentication    no
        RhostsRSAAuthentication no
        ServerKeyBits           768
        StrictModes             yes
        Subsystem               sftp    /opt/local/sbin/sftp-server
        SyslogFacility          AUTH
        X11Forwarding           yes
        DenyUsers               root daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4

To get password-less logins to work, you have to run
ssh-keygen and put the resulting key in your
~/.ssh/knownhosts[2] file on the target machine.

Here's what my session looks like:

        rich@mars4468# ssh -v zen
        OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
        debug1: Seeded RNG with 46 bytes from programs
        debug1: Seeded RNG with 3 bytes from system calls
        debug1: Rhosts Authentication disabled, originating port will not be trusted.
        debug1: restore_uid
        debug1: ssh_connect: getuid 1001 geteuid 1001 anon 1
        debug1: Connecting to zen [192.168.0.1] port 22.
        debug1: temporarily_use_uid: 1001/10 (e=1001)
        debug1: restore_uid
        debug1: temporarily_use_uid: 1001/10 (e=1001)
        debug1: restore_uid
        debug1: Connection established.
        debug1: identity file /home/rich/.ssh/identity type 0
        debug1: identity file /home/rich/.ssh/id_rsa type 1
        debug1: identity file /home/rich/.ssh/id_dsa type 2
        debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9.9p2
        debug1: match: OpenSSH_2.9.9p2 pat ^OpenSSH
        Enabling compatibility mode for protocol 2.0
        debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1
        debug1: SSH2_MSG_KEXINIT sent
        debug1: SSH2_MSG_KEXINIT received
        debug1: kex: server->client aes128-cbc hmac-md5 none
        debug1: kex: client->server aes128-cbc hmac-md5 none
        debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
        debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
        debug1: dh_gen_key: priv key bits set: 130/256
        debug1: bits set: 1610/3191
        debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
        debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
        debug1: Host 'zen' is known and matches the RSA host key.
        debug1: Found key in /home/rich/.ssh/known_hosts2:4
        debug1: bits set: 1537/3191
        debug1: ssh_rsa_verify: signature correct
        debug1: kex_derive_keys
        debug1: newkeys: mode 1
        debug1: SSH2_MSG_NEWKEYS sent
        debug1: waiting for SSH2_MSG_NEWKEYS
        debug1: newkeys: mode 0
        debug1: SSH2_MSG_NEWKEYS received
        debug1: done: ssh_kex2.
        debug1: send SSH2_MSG_SERVICE_REQUEST
        debug1: service_accept: ssh-userauth
        debug1: got SSH2_MSG_SERVICE_ACCEPT
        debug1: authentications that can continue: publickey,password,keyboard-interactive
        debug1: next auth method to try is publickey
        debug1: try pubkey: /home/rich/.ssh/id_rsa
        debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 6bdc0 hint 1
        debug1: read PEM private key done: type RSA
        debug1: ssh-userauth2 successful: method publickey
        debug1: channel 0: new [client-session]
        debug1: send channel open 0
        debug1: Entering interactive session.
        debug1: ssh_session2_setup: id 0
        debug1: channel request 0: shell
        debug1: channel 0: open confirm rwindow 0 rmax 16384
        Last login: Fri Jan  4 09:20:51 2002 from mars
        Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
        You have mail.
        rich@zen4469#

HTH,

--
Rich Teer                                           .  *   * . * .* .
                                                     .   *   .   .*
President,                                          * .  . /\ ( .  . *
Rite Online Inc.                                     . .  / .\   . * .
                                                    .*.  / *  \  . .
                                                      . /*   o \     .
Voice: +1 (250) 979-1638                            *   '''||'''   .
URL: http://www.rite-online.net                     ******************

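The two -v transcripts in this thread differ at exactly two places: machine B reports every identity file as type -1 (no key files exist on the client) and ends with "method password", while the session above finds id_rsa (type 1) and ends with "method publickey"; neither server lists hostbased among the methods that can continue. The function below is an added example, not part of the thread: it reads such a transcript on stdin and prints why the login did or did not fall back to a password. The sample transcripts are constructed from the lines quoted in the two posts.

```shell
#!/bin/sh
# Added example, not from the thread: read an "ssh -v" transcript on stdin
# and explain from its debug1 lines why the login did or did not need a
# password. Exit 0 when a password-less method succeeded, 1 when the
# session fell back to a password, 2 when no authentication succeeded.
ssh_diagnose() {
    awk '
    /identity file .* type -1/    { missing++ }   # key file absent on client
    /identity file .* type [0-9]/ { found++ }     # key file present on client
    /authentications that can continue:/ { offered = $NF }
    /ssh-userauth2 successful: method/   { method = $NF }
    END {
        if (method == "") { print "result: no successful authentication"; exit 2 }
        print "result: authenticated with " method
        if (method != "password" && method != "keyboard-interactive") exit 0
        if (offered !~ /hostbased/)
            print "why: server never offered hostbased, so .shosts was not consulted"
        if (found == 0 && missing > 0)
            print "why: none of the " missing " client identity files exist (type -1)"
        else if (found > 0)
            print "why: " found " client key(s) offered but not accepted (not in authorized_keys, or StrictModes rejected file permissions)"
        exit 1
    }'
}

# Constructed sample: the decisive lines of the machine B -> machine A
# session quoted earlier in the thread.
SESSION_PASSWORD='debug1: identity file /home/utsadmin/.ssh/identity type -1
debug1: identity file /home/utsadmin/.ssh/id_rsa type -1
debug1: identity file /home/utsadmin/.ssh/id_dsa type -1
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: ssh-userauth2 successful: method password'

# Constructed sample: the same lines from the key-based session above.
SESSION_KEY='debug1: identity file /home/rich/.ssh/id_rsa type 1
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: try pubkey: /home/rich/.ssh/id_rsa
debug1: ssh-userauth2 successful: method publickey'

printf '%s\n' "$SESSION_PASSWORD" | ssh_diagnose
printf '%s\n' "$SESSION_KEY" | ssh_diagnose
```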

Post by Michael Schloh von Bennewit » Tue, 08 Jan 2002 20:08:56



> To get password-less logins to work, you have to run
> ssh-keygen and put the resulting key in your
> ~/.ssh/knownhosts[2] file on the target machine.

Actually, you will still need to login with a passphrase (to unlock your
new public key) unless you create the public key with an empty
passphrase. Just type return twice when ssh-keygen asks you for a
passphrase if you want to do this, but don't complain later if you have
security problems.

A much better solution, however, is to use ssh-agent. Empty passphrases
are insecure.

Regards,
Michael

