Bug 75338

Summary: hostbased authentication doesn't work
Product: [Retired] Red Hat Linux Reporter: Bastien Nocera <bnocera>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED CURRENTRELEASE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0CC: tedkaz, trondeg
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-02-04 13:04:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
ssh(d)_config none

Description Bastien Nocera 2002-10-07 13:31:28 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/0

Description of problem:
hostbased authentication does not function with openssh.

client: openssh-3.4p1-2
server: openssh-3.1p1-6


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Log on the client:
==================

$ ssh -v test@bnocera
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to bnocera [172.16.10.53] port 22.
debug1: Connection established.
debug1: identity file /home/bnocera/.ssh/identity type -1
debug1: identity file /home/bnocera/.ssh/id_rsa type -1
debug1: identity file /home/bnocera/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 126/256
debug1: bits set: 1565/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'bnocera' is known and matches the DSA host key.
debug1: Found key in /home/bnocera/.ssh/known_hosts:1
debug1: bits set: 1525/3191
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: next auth method to try is hostbased
debug1: ssh_keysign called
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: ssh_keysign called
debug1: authentications that can continue:
publickey,password,keyboard-interactive,hostbased
debug1: userauth_hostbased: no more client hostkeys
debug1: next auth method to try is publickey
debug1: try privkey: /home/bnocera/.ssh/identity
debug1: try privkey: /home/bnocera/.ssh/id_rsa
debug1: try privkey: /home/bnocera/.ssh/id_dsa
debug1: next auth method to try is password
test@bnocera's password: 

Log on the server:
==================

# sshd -ddd
debug1: sshd version OpenSSH_3.1p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 172.16.10.120 port 32905
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.1p1
debug1: list_hostkey_types: ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit:
diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc.se
debug2: kex_parse_kexinit:
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc.se
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit:
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 122/256
debug1: bits set: 1525/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1565/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user test service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for test
debug1: Starting up PAM with username "test"
debug3: Trying to reverse map address 172.16.10.120.
debug1: PAM setting rhost to "spilt.surrey.redhat.com"
debug2: input_userauth_request: try method none
Failed none for test from 172.16.10.120 port 32905 ssh2
debug1: userauth-request for user test service ssh-connection method hostbased
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser bnocera chost spilt.surrey.redhat.com. pkalg
ssh-dss slen 55
debug2: userauth_hostbased: chost spilt.surrey.redhat.com. resolvedname
spilt.surrey.redhat.com ipaddr 172.16.10.120
debug2: stripping trailing dot from chost spilt.surrey.redhat.com.
debug2: auth_rhosts2: clientuser bnocera hostname spilt.surrey.redhat.com ipaddr
172.16.10.120
debug1: temporarily_use_uid: 3553/3553 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 3553/3553 (e=0)
debug1: restore_uid
debug2: userauth_hostbased: authenticated 0
Failed hostbased for test from 172.16.10.120 port 32905 ssh2
debug1: userauth-request for user test service ssh-connection method hostbased
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method hostbased
debug1: userauth_hostbased: cuser bnocera chost spilt.surrey.redhat.com. pkalg
ssh-rsa slen 143
debug2: userauth_hostbased: chost spilt.surrey.redhat.com. resolvedname
spilt.surrey.redhat.com ipaddr 172.16.10.120
debug2: stripping trailing dot from chost spilt.surrey.redhat.com.
debug2: auth_rhosts2: clientuser bnocera hostname spilt.surrey.redhat.com ipaddr
172.16.10.120
debug1: temporarily_use_uid: 3553/3553 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 3553/3553 (e=0)
debug1: restore_uid
debug2: userauth_hostbased: authenticated 0
Failed hostbased for test from 172.16.10.120 port 32905 ssh2


Actual Results:  Asks for password.

Expected Results:  Should log me in.

Additional info:

ssh_config and sshd_config attached below

Comment 1 Bastien Nocera 2002-10-07 13:36:50 UTC
Created attachment 79186 [details]
ssh(d)_config

Comment 2 Bastien Nocera 2002-10-15 12:52:14 UTC
Could I have some feedback on this ?
Is it supposed to work or not ?

Comment 3 Damien Miller 2002-10-23 00:58:52 UTC
Hostbased is broken on OpenSSH 3.4p1 with UsePrivilegeSeparation=yes, Try
upgrading to 3.5p1 or (bad) disable privsep.

Comment 4 Trond Eivind Glomsrød 2002-12-18 17:01:27 UTC
Seems broken here too... how long has it been broken? Getting similar errors on
other versions.

Comment 5 Ted Kaczmarek 2003-04-19 16:27:51 UTC
I have upgraded my RH8 openssh to the same version as RH9. RH9 to RH8 ssh  host
key exchange works, but RH8 to RH9 prompts for password. They both have
identical sshd_config. I also have no problems going RH9 to RH7.3. RH9 or RH7.3
to Solaris also works fine, but RH8 t Solaris is not.
Summarized
using dsa keys host key exchange not working
RH8 openssh-3.5p1-6 or 3.4p1-2 doesn't work
RH9 openssh-3.5p1-6 works fine
RH7.3 openssh-3.1p1-6 works fine


Comment 6 Tomas Mraz 2005-02-04 13:04:55 UTC
This should work with the current releases.