ssh RSA authentication problem

ssh RSA authentication problem

Post by Bill S » Fri, 12 Jul 2002 01:56:03



Dear all,

I am new to OpenSSH.  I run RH7.3 and OpenSSH 3.1p1 in both server and
client. sshd and ssh use the default settings in RH7.3 for OpenSSH in
both server and client.

My setup is as follows:
1. generate user key in both client and server using: ssh-keygen -b 1024
-t RSA
2. copy the public keys to "authorized_keys2" file from client to server
and vice versa.
3. try connecting.  But I cannot use the RSA key to do authentication.
I can only use the Unix password of the account in the server.

When I look at /var/log/secure, it shows:
Jul 11 00:24:53 talent sshd[22007]: Could not reverse map address
192.168.0.1.
Jul 11 00:24:53 talent sshd[22007]: Authentication refused: bad
ownership or modes for file /home/bill/.ssh/authorized_keys2
Jul 11 00:24:56 talent sshd[22007]: Accepted password for bill from
192.168.0.1 port 32776 ssh2

The authorized_keys2 file's ownership is the user itself.  Modes are 664.

What should I do to enable RSA authentication?

Thanks for your help.

Bill
Computer engineering student, University of Hong Kong


ssh RSA authentication problem

Post by Greg Owe » Fri, 12 Jul 2002 02:51:24



> Jul 11 00:24:53 talent sshd[22007]: Authentication refused: bad
> ownership or modes for file /home/bill/.ssh/authorized_keys2
...
> The authorized_keys2 file's ownership is the user itself.  Modes are 664.

> What should I do to enable RSA authentication?

        Remove the group write bit (i.e., chmod 644) from the
authorized_keys2 file.  This is a normal security measure to make sure
that someone in your 'group' can't add his key to your auth file and log
in as you.

--

        79A7 4063 96B6 9974 86CA  3BEF 521C 860F 5A93 D66D


ssh RSA authentication problem

Post by Nico Kadel-Garci » Fri, 12 Jul 2002 08:49:20



> Dear all,

> I am new to OpenSSH.  I run RH7.3 and OpenSSH 3.1p1 in both server and
> client. sshd and ssh use the default settings in RH7.3 for OpenSSH in
> both server and client.

> My setup is as follows:
> 1. generate user key in both client and server using: ssh-keygen -b 1024
> -t RSA
> 2. copy the public keys to "authorized_keys2" file from client to server
> and vice versa.
> 3. try connecting.  But I cannot use the RSA key to do authentication.
> I can only use the Unix password of the account in the server.

> When I look at /var/log/secure, it shows:
> Jul 11 00:24:53 talent sshd[22007]: Could not reverse map address
> 192.168.0.1.
> Jul 11 00:24:53 talent sshd[22007]: Authentication refused: bad
> ownership or modes for file /home/bill/.ssh/authorized_keys2
> Jul 11 00:24:56 talent sshd[22007]: Accepted password for bill from
> 192.168.0.1 port 32776 ssh2

> The authorized_keys2 file's ownership is the user itself.  Modes are 664.

First, get rid of "authorized_keys2". Just use authorized_keys: it'll work
fine with OpenSSH 3.1p1 with whatever protocol you happen to use, unless
you're in some weird situation where you want different keys for different
protocols.

Second, it should be permissions 600.

Third: look into your local /etc/hosts or DNS configuration to set up
reverse DNS for 192.168.0.1: that will speed up access a bit.
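As an added example, not code from Greg, Nico or the original poster: a POSIX shell check that applies the rule sshd enforces under StrictModes (each path owned by the user or root, and neither group- nor world-writable) to the home directory, ~/.ssh and authorized_keys, so the 664 file from Bill's log is flagged while either 644 or 600 passes. It assumes GNU stat(1); the script name strictmodes.sh in the final comment is hypothetical.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread.  sshd, with
# StrictModes on (the default), refuses to read authorized_keys when the
# home directory, ~/.ssh or the file itself is owned by someone other
# than the user (root excepted) or is group- or world-writable.  That is
# the check behind "bad ownership or modes for file" in the log above.
# Assumes GNU stat(1) for the -c format.

# check_path PATH USER: prints "ok" or the problem and its fix; 0 if ok.
check_path() {
    path=$1
    user=$2
    [ -e "$path" ] || { echo "missing: $path"; return 1; }
    mode=$(stat -c '%a' "$path")    # octal mode, e.g. 664 or 2775
    owner=$(stat -c '%U' "$path")   # owner name
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
        echo "bad owner ($owner) on $path: chown $user $path"
        return 1
    fi
    # Octal mask 022 isolates the group-write and world-write bits;
    # the leading 0 makes the shell read the stat output as octal.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "group/world writable ($mode) on $path: chmod go-w $path"
        return 1
    fi
    echo "ok: $path ($mode, owner $owner)"
    return 0
}

# check_user_ssh USER HOME: walks the three paths sshd inspects and
# stops at the first one that fails, like sshd does.
check_user_ssh() {
    for p in "$2" "$2/.ssh" "$2/.ssh/authorized_keys"; do
        check_path "$p" "$1" || return 1
    done
    return 0
}

# Stand-alone use (hypothetical file name): ./strictmodes.sh bill /home/bill
if [ $# -eq 2 ]; then
    check_user_ssh "$1" "$2"
fi
```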


ssh RSA authentication problem

Post by Kasper Dupon » Fri, 12 Jul 2002 17:04:29



> Dear all,

> I am new to OpenSSH.  I run RH7.3 and OpenSSH 3.1p1 in both server and
> client.

Upgrade, a lot of bugs have been found in that version lately.

--
Kasper Dupont -- who spends too much time on usenet.


ssh RSA authentication problem

Post by Nico Kadel-Garci » Fri, 12 Jul 2002 21:15:56




> > Dear all,

> > I am new to OpenSSH.  I run RH7.3 and OpenSSH 3.1p1 in both server and
> > client.

> Upgrade, a lot of bugs have been found in that version lately.

Upgrade to the latest RedHat OpenSSH RPM, which has the 20-line patch
needed: the version 3.4p1 has proven to be extremely unstable and not worth
most people's time, unless they want to try and debug the new "Privilege
Separation" features.

A set of holes were discovered *before* 3.1p1: they seemed to be programming
errors, fencepost errors, that sort of thing. The hole for 3.1p1 relied on
either recompilation with the S/Key features enabled, or reconfiguration
with PAM usage enabled. Note that *neither* of those are part of OpenSSH: it
was the interface with those outside utilities that could be taken advantage
of. And RedHat's default RPM didn't have those enabled, so it was not at
risk from this particular hole without extra user effort.


ssh RSA authentication problem

Post by Kasper Dupon » Sat, 13 Jul 2002 00:23:30



> > > Dear all,

> > > I am new to OpenSSH.  I run RH7.3 and OpenSSH 3.1p1 in both server and
> > > client.

> > Upgrade, a lot of bugs have been found in that version lately.

> Upgrade to the latest RedHat OpenSSH RPM,

Sounds like a good piece of advice

> which has the 20-line patch
> needed: the version 3.4p1 has proven to be extremely unstable and not worth
> most people's time, unless they want to try and debug the new "Privilege
> Separation" features.

Privilege Separation is supposed to prevent some programming
errors from introducing exploits. It has proven to help once.
But I agree it still does cause lots of other problems
with features not working.

> A set of holes were discovered *before* 3.1p1: they seemed to be programming
> errors, fencepost errors, that sort of thing.

True.

> The hole for 3.1p1 relied on
> either recompilation with the S/Key features enabled, or reconfiguration
> with PAM usage enabled. Note that *neither* of those are part of OpenSSH: it
> was the interface with those outside utilities that could be taken advantage
> of. And RedHat's default RPM didn't have those enabled, so it was not at
> risk from this particular hole without extra user effort.

Aha, I don't know the details about the bug. All I know is
that it has a bug that in some configurations can be
exploited.

--
Kasper Dupont -- who spends too much time on usenet.


ssh RSA authentication problem

Post by Nico Kadel-Garci » Sat, 13 Jul 2002 11:46:25


>>>> Dear all,

>>>> I am new to OpenSSH.  I run RH7.3 and OpenSSH 3.1p1 in both server
>>>> and client.

>>> Upgrade, a lot of bugs have been found in that version lately.

>> Upgrade to the latest RedHat OpenSSH RPM,

> Sounds like a good piece of advice

>> which has the 20-line patch
>> needed: the version 3.4p1 has proven to be extremely unstable and
>> not worth most people's time, unless they want to try and debug the
>> new "Privilege Separation" features.

> Privilege Separation is supposed to prevent some programming
> errors from introducing exploits. It has proven to help once.
> But I agree it still does cause lots of other problems
> with features not working.

As near as I can tell, the PrivSep provided no advantage against this recent
bug. The code with PrivSep just happened to be the next released OpenSSH
version, with the patch in place.

>> The hole for 3.1p1 relied on
>> either recompilation with the S/Key features enabled, or
>> reconfiguration with PAM usage enabled. Note that *neither* of those
>> are part of OpenSSH: it was the interface with those outside
>> utilities that could be taken advantage of. And RedHat's default RPM
>> didn't have those enabled, so it was not at risk from this
>> particular hole without extra user effort.

> Aha, I don't know the details about the bug. All I know is
> that it has a bug that in some configurations can be
> exploited.

Yeah, you're like most of us who didn't follow this closely. For about a
year, it was common to hear people screaming about OpenSSH vulnerabilities
in version 2.3.x that got patched *long* before the ssh.com codebase even
noticed the problem.

ssh RSA authentication problem

Post by Kasper Dupon » Sat, 13 Jul 2002 17:13:55




> > Privilege Separation is supposed to prevent some programming
> > errors from introducing exploits. It has proven to help once.
> > But I agree it still does cause lots of other problems
> > with features not working.

> As near as I can tell, the PrivSep provided no advantage against this recent
> bug. The code with PrivSep just happened to be the next released OpenSSH
> version, with the patch in place.

The original announcement of the bug stated that it could
not be exploited if Privilege Separation was being used.

--
Kasper Dupont -- who spends too much time on usenet.


ssh RSA authentication problem

Post by Nico Kadel-Garci » Sun, 14 Jul 2002 14:26:45

> > > Privilege Separation is supposed to prevent some programming
> > > errors from introducing exploits. It has proven to help once.
> > > But I agree it still does cause lots of other problems
> > > with features not working.

> > As near as I can tell, the PrivSep provided no advantage against this recent
> > bug. The code with PrivSep just happened to be the next released OpenSSH
> > version, with the patch in place.

> The original announcement of the bug stated that it could
> not be exploited if Privilege Separation was being used

I'll look for the announcement again: I do remember PrivSep not being in
3.3, and 3.4p1 being the patched release with the fix. Let's see, I find:

    http://www.openssh.com/txt/preauth.adv

Interesting: you seem to be right, it says:

    3. Short-Term Solution:

            Disable ChallengeResponseAuthentication in sshd_config.

            and

            Disable PAMAuthenticationViaKbdInt in sshd_config.

            Alternatively you can prevent privilege escalation
            if you enable UsePrivilegeSeparation in sshd_config.

So I'll take that part back.
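As an added example, not from the advisory or anyone in the thread: a shell audit that reads an sshd_config and reports whether either of the quoted short-term mitigations is in place (both challenge-response directives off, or privilege separation on), run here against constructed sample configs. It assumes awk is available and follows sshd's first-occurrence-wins rule for repeated keywords; an absent directive is reported as unset rather than guessing the daemon's built-in default.

```shell
#!/bin/sh
# Added example, not code from the advisory or any poster.  Checks an
# sshd_config for the short-term mitigation quoted above: either both
# ChallengeResponseAuthentication and PAMAuthenticationViaKbdInt are
# "no", or UsePrivilegeSeparation is "yes".  An absent directive falls
# back to the daemon's default, which this audit reports as "unset"
# rather than guessing.

# directive FILE KEYWORD: first uncommented value for KEYWORD, lower-cased.
# sshd keywords are case-insensitive and the first occurrence wins.
directive() {
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v k="$k" \
        'tolower($1)==k && !seen { v=tolower($2); seen=1 } END { print v }' "$1"
}

# audit_sshd_config FILE: 0 if either mitigation route is present, else 1.
audit_sshd_config() {
    cra=$(directive "$1" ChallengeResponseAuthentication)
    pam=$(directive "$1" PAMAuthenticationViaKbdInt)
    sep=$(directive "$1" UsePrivilegeSeparation)
    if [ "$sep" = yes ]; then
        echo "mitigated: UsePrivilegeSeparation yes"
        return 0
    fi
    if [ "$cra" = no ] && [ "$pam" = no ]; then
        echo "mitigated: challenge-response and PAM kbd-interactive disabled"
        return 0
    fi
    echo "not mitigated: ChallengeResponseAuthentication=${cra:-unset}" \
         "PAMAuthenticationViaKbdInt=${pam:-unset}" \
         "UsePrivilegeSeparation=${sep:-unset}"
    return 1
}

# Constructed sample configs: WEAK_CFG only comments out the directive
# (so the default applies) and enables the PAM path; FIXED_CFG applies
# the advisory's first route.
WEAK_CFG='#ChallengeResponseAuthentication yes
Port 22
PAMAuthenticationViaKbdInt yes
'
FIXED_CFG='ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
UsePrivilegeSeparation no
'

# Stand-alone use: sh audit.sh /etc/ssh/sshd_config  (file name hypothetical)
if [ $# -eq 1 ]; then
    audit_sshd_config "$1"
fi
```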


1. ssh RSA authentication problem

Hi,
   I use ssh-keygen to generate RSA keys into my .ssh/id_rsa and
.ssh/id_rsa.pub files. I copied the .ssh/id_rsa.pub into
.ssh/authorized_keys and I can login with RSA authentication now.

$ssh localhost
Enter passphrase for key '/home/wy/.ssh/id_rsa':

Then I copied .ssh/authorized_keys into a remote machine "hp4", an HP
station running Linux on IA-64. And I do:
$ssh hp4

I get the response:

It didn't use the RSA authentication mechanism!
I copied my id_rsa into identity and do a
$ssh hp4

I get the prompt:
Enter passphrase for key '/home/wy/.ssh/identity':

I enter the password and I get the prompt:

It asks me for the password again!
Why?
