Bug#341781: ssh: Unable to use hostbased authentication due to hostname mistmatches
Package: ssh
Version: 1:3.8.1p1-8.sarge.4
Severity: important
After an upgrade of SSH, hostbased authentication stopped working.
I've spent some time recompiling the package with more debug
information and I believe I have found the rootcause, though I don't
know what part of the package changed.
The symptom is that the hostbased authentication always fails to
accept the host keys and instead either asks for a password, or for
the user's RSA key passphrase. The reason the remote machine
rejected the request is in check_rhosts_file(); the hostnames are
different. One has a trailing period and the other does not. By
adding a period to the .shosts hostname, the check succeeds.
Unfortunately, that isn't sufficient. Adding the period later breaks
the monitor_valid_hostbasedblob() call where again, one hostname ends
with a period and the other does not.
It is possible that this is the same problem as #115286.
The next place to look is in the code that passes the requestor's
hostname to check_rthosts_file().
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages ssh depends on:
ii adduser 3.63 Add and remove users and groups
ii debconf 1.4.30.13 Debian configuration management sy
ii dpkg 1.10.28 Package maintenance system for Deb
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libssl0.9.7 0.9.7e-3sarge1 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
-- debconf information:
* ssh/privsep_tell:
ssh/insecure_rshd:
ssh/privsep_ask: true
ssh/ssh2_keys_merged:
ssh/user_environment_tell:
* ssh/forward_warning:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
* ssh/protocol2_only: true
ssh/encrypted_host_key_but_no_keygen:
* ssh/run_sshd: true
* ssh/SUID_client: true
ssh/disable_cr_auth: false
Reply to: