Board index Solaris

passwordless auth via sshd using .shosts - without keys?

passwordless auth via sshd using .shosts - without keys?

Post by Steve in Ph » Wed, 21 Nov 2001 13:29:49



I have a Sun Sparc server running Solaris 5.6 and sshd version 1.2.27
[sparc-sun-solaris2.6].
I have two user IDs trying to use ssh to login without a password.  One ID
can get in without a password using the .shosts verification, the other
can't.  They both try to ssh from the same remote server.  I verified this
by renaming the .shosts file and the user could no longer get in without a
password.  Debugging information is not very helpful:

debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'REMOTE_SERVER' is known and matches the RSA1 host key.
debug1: Found key in /home/steve/.ssh/known_hosts:2
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug1: Server refused our rhosts authentication or host key.

What do I need to setup to use .shosts verification for an ID?  Do I still
need to make the keys?  This is confusing.
I read  http://www.snailbook.com/faq/trusted-host-howto.auto.html but I'm
still confused.
I do not remember making any keys for the user ID that works...

Can I test this locally with one ID?  How?

Thanks in advance (for your patience!),
Steve.

 
 
 
Top

passwordless auth via sshd using .shosts - without keys?

Post by Richard E. Silverm » Wed, 21 Nov 2001 13:39:45


Do you have the client host key in the global known-hosts list on the
server?  If it's only in ~/.ssh/known_hosts for the account that works,
that would explain it...

--
  Richard Silverman


 
 
 
Top

passwordless auth via sshd using .shosts - without keys?

Post by Bill Unr » Thu, 22 Nov 2001 06:27:29



Quote:>I have a Sun Sparc server running Solaris 5.6 and sshd version 1.2.27
>[sparc-sun-solaris2.6].

Please replace with an ssh 2 system. ssh1 has a security hole and people
are getting attacked via that hole (see the latest CERT summary).

You have now announced to the world that you use a broken system.

 
 
 
Top

passwordless auth via sshd using .shosts - without keys?

Post by Nico Kadel-Garci » Thu, 22 Nov 2001 13:31:39





> >I have a Sun Sparc server running Solaris 5.6 and sshd version 1.2.27
> >[sparc-sun-solaris2.6].

> Please replace with an ssh 2 system. ssh1 has a security hole and people
> are getting attacked via that hole (see the latest CERT summary).

> You have now announced to the world that you use a broken system.

*sigh*. Please read the *entire* alert. Some older implementations of ssh1,
such as the ssh.com versions up through 1.2.29 or so and certain antique
versions of OpenSSH have the issue. And there were published patches for
1.2.27, although I agree that this should be addressed.

Simply updating to the latest OpenSSH or ssh1 will address that
vulnerability. Because there are not as many clients for ssh2 yet, and
because Steve's authorized_keys and host_keys are probably already up and
running using ssh1, I'd actually suggest taking the opportunity to switch to
OpenSSH and avoid having to use code that ssh.com and F-Secure don't want to
support anymore.

 
 
 
Top

passwordless auth via sshd using .shosts - without keys?

Post by Michael Schloh von Bennewit » Thu, 22 Nov 2001 19:04:56


This is not necessarily a solution, but I assume that you have
considered running ssh-agent to manage your id keys for uninteractive
ssh sessions. It is sort of a more elegant way of accomplishing your
.shost goal. If I could just make ssh-agent work for myself personally
:-( ...

Michael


> I have a Sun Sparc server running Solaris 5.6 and sshd version 1.2.27
> [sparc-sun-solaris2.6].
> I have two user IDs trying to use ssh to login without a password.  One ID
> can get in without a password using the .shosts verification, the other
> can't.  They both try to ssh from the same remote server.  I verified this
> by renaming the .shosts file and the user could no longer get in without a
> password.  Debugging information is not very helpful:

 
 
 
Top

1. .shosts: Your host key cannot be verified: unknown or invalid host key?

I've installed the ssh 1.2.6 rpms from ftp.reply.com on two machines
running RedHat Linux 5.2:


ssh-extras-1.2.26-1i
ssh-server-1.2.26-1i
ssh-clients-1.2.26-1i
ssh-1.2.26-1i

now when trying to log in from the one (helena) to the other (luthien),
with an appropriate .shosts file being in place, I get:

...
helena.physik.tu-berlin.de: Waiting for server public key.
helena.physik.tu-berlin.de: Received server public key (768 bits) and host
key (1024 bits).
helena.physik.tu-berlin.de: Host 'luthien' is known and matches the host
key.
helena.physik.tu-berlin.de: Initializing random; seed file
/root/.ssh/random_seed
helena.physik.tu-berlin.de: Encryption type: idea
helena.physik.tu-berlin.de: Sent encrypted session key.
helena.physik.tu-berlin.de: Installing crc compensation attack detector.
helena.physik.tu-berlin.de: Received encrypted confirmation.
helena.physik.tu-berlin.de: Trying rhosts or /etc/hosts.equiv with RSA
host authentication.
helena.physik.tu-berlin.de: Remote: Accepted by .shosts.
helena.physik.tu-berlin.de: Remote: Your host key cannot be verified:
unknown or invalid host key.
helena.physik.tu-berlin.de: Remote: The host name used to check the key
was 'helena.physik.tu-berlin.de'.
helena.physik.tu-berlin.de: Remote: Try logging back from the server
machine with the canonical host name using ssh, and then try again.
helena.physik.tu-berlin.de: Server refused our rhosts authentication or
host key.
helena.physik.tu-berlin.de: No agent.
helena.physik.tu-berlin.de: Doing password authentication.

what exactly is the remote server complaining about?
I'm not using an /etc/ssh/ssh_known_hosts on any machine. Might this be
the problem?
Loging into other machines where I have compiled sshd myself is no problem
without a machine-wide ssh_known_hosts on either client or server machine.
Did the maintainers of the ssh rpms use some specific options to enforce
some extra checks? Could I override it in sshd_config?
Could it be a resolve problem (hostname vs. FQDN)?
Any suggestions to clear the situation?
--

Institut fr Theoretische Physik  +49 30 314-24254   FAX -21130  IRC kuroi
Technische Universit?t Berlin            http://home.pages.de/~schwarz/

2. Stupid newbie kppp trick

3. entering tab in vi without using tab key

4. Xfree86 4.0 and Debian 2.2 (Potato) questions...

5. automate file access on server using SSH and passwordless access

6. Ipmasqurading and routing

7. Starting menu options (terminal) by just pressing 1 key without using return/enter.

8. CDE & RH5 fonts and color problems

9. ssh access not via IP but via "key" (or on another way) possible?

10. Booting VIA Eden via USB Key

11. filename completion via tab, command history via cursor keys etc.

12. sshd key generation error

13. sshd doesnt respond without internetaccess


All times are UTC
Board index